cross-posted from: https://lemmy.world/post/10984512

Full text from the Electronic Frontier Foundation (EFF) article:

Companies Make it Too Easy for Thieves to Impersonate Police and Steal Our Data

By Matthew Guariglia and Eva Galperin


For years, people have been impersonating police online in order to get companies to hand over incredibly sensitive personal information. Reporting by 404 Media recently revealed that Verizon handed over the address and phone logs of an individual to a stalker pretending to be a police officer who had a PDF of a fake warrant. Worse, the imposter wasn’t particularly convincing. His request was missing a form that is required for search warrants from his state. He used the name of a police officer that did not exist in the department he claimed to be from. And he used a Proton Mail account, which any person online can use, rather than an official government email address.

Likewise, bad actors have used breached law enforcement email accounts or domain names to send fake warrants, subpoenas, or “Emergency Data Requests” (which police can send without judicial oversight to get data quickly in supposedly life or death situations). Impersonating police to get sensitive information from companies isn’t just the realm of stalkers and domestic abusers; according to Motherboard, bounty hunters and debt collectors have also used the tactic.

We have two very big entwined problems. The first is the “collect it all” business model of too many companies, which creates vast reservoirs of personal information stored in corporate data servers, ripe for police to seize and thieves to steal. The second is that too many companies fail to prevent thieves from stealing data by pretending to be police.

Companies have to make it harder for fake “officers” to get access to our sensitive data. For starters, they must do better at scrutinizing warrants, subpoenas, and emergency data requests when they come in. These requirements should be spelled out clearly in a public-facing privacy policy, and all employees who deal with data requests from law enforcement should receive training in how to adhere to these requirements and spot fraudulent requests. Fake emergency data requests raise special concerns, because real ones depend on the discretion of both companies and police—two parties with less than stellar reputations for valuing privacy.

  • will_a113@lemmy.ml · 18 points · 10 months ago

    A lack of real penalties for these companies just means they have no incentive. If they can make $1B on your data and then maaaaayyybeeeee have to pay a $50M fine because of a breach, why wouldn’t they continue doing that?

    • WHYAREWEALLCAPS@kbin.social · 4 points · 10 months ago

      Fines need to stop being set amounts and start being percentages of revenue. We live in a world with companies that can make almost nothing and others that make more money than God does. This requires a more flexible solution. It’d also incentivize the government agencies to go after companies, especially big ones.

  • tutus@links.hackliberty.org · 5 up / 2 down · 10 months ago

    The headline is incorrect. It should be ‘Bad management and lack of proper process makes it easy for thieves to steal data’.

    This is a case of bad processes, procedures, management and lack of care. It’s nothing else.

    • AFaithfulNihilist@lemmy.world · 9 up / 1 down · 10 months ago

      What on earth is a company if not management and the processes it uses?

      In other words, if they have bad management and they lack proper processes to safeguard client data, are they not a bad company?!

      • tutus@links.hackliberty.org · 1 point · 10 months ago

        What on earth is a company if not management and the processes it uses?

        The most important part - people.

        In other words, if they have bad management and they lack proper processes to safeguard client data, are they not a bad company?!

        A company encompasses the people who work there. Like the person on the end of the phone in the article. They are not responsible for bad management and bad processes. They are a victim in this having to deal with it.

    • treefrog@lemm.ee · 3 up / 1 down · edited · 10 months ago

      That’s the headline in the article.

      Unless you’re being pedantic about ‘Companies’ not being specific enough. Because bad management and lack of proper process is inclusive under the word ‘Companies’ when used in the context of this sentence.

      • tutus@links.hackliberty.org · 1 up / 2 down · 10 months ago

        That’s not the headline in the article.

        A company includes the people working on those calls. Like the person in the article who gave out the information, and I don’t blame them for this. I blame bad management and bad processes.

        A call handler shouldn’t have to make a snap decision on handing over private data. It should all be written down for them to follow. Including passing a court order over to the legal team who, you’d hope, have the expertise to determine a good one from a bad one, or at least have a way to validate it.

        I’m not being pedantic. I’m trying to ensure that the people on the end of the phone are not getting the blame for a failure of management. Which is why I made the distinction.

        • treefrog@lemm.ee · 1 point · edited · 9 months ago

          I clicked on the article before I replied a week ago, and before I replied just now.

          The article title does not include the word bad, management, or processes and the word companies is inclusive of those things so it doesn’t matter that it doesn’t.

          I’m all for blaming management over rank and file employees. But generally, when I see the word companies I think managers (it’s inclusive of management and processes, as I stated earlier). And it’s not inclusive of employees, who are not the company but work for the company.

          In other words, I think we agree outside of you being pedantic :P