Companies like Apple, Google, and Snapchat complied with requests for data from police emails used by criminals, which used the obtained data to harass and extort sexual content from minors.
Emergency Data Requests made via stolen police credentials like email have led to tech companies sharing sensitive user data with the criminals. Since Emergency Data Requests are usually made in good faith, tech companies can sometimes respond without an official subpoena, though, those have been known to be forged too.
According to a report from Bloomberg, the stolen data was used to extort people using various tactics based on the person involved. Sources cited in the report said the fake requests appeared to be used primarily for financial fraud, but an unknown percentage were being used for sexual extortion of women and minors.
The data provided varies by company, but generally includes the name, IP address, email address, and physical address. Some companies provide more than others, but the general rule of thumb is to provide only what data is needed within the scope of the request.
For example, if a criminal gets the name, address, and user name of a person, they can contact them directly and threaten harm, have the police show up to their home on false charges (colloquially known as swatting), or even suggest they already have explicit images for blackmail. This can lead to various forms of extortion, manipulation, and control over the victim.
"I know that emergency data requests get used for in real life-threatening emergencies every day, and it is tragic that this mechanism is being abused to sexually exploit children," said Alex Stamos, a former chief security officer at Facebook. "Police departments are going to have to focus on preventing account compromises with multifactor authentication and better analysis of user behavior, and tech companies should implement a confirmation callback policy as well as push law enforcement to use their dedicated portals where they can better detect account takeovers."
Google, Discord, and Facebook responded to the report, saying that they each have verification processes for incoming requests. Twitter and Apple declined to comment on the matter, though Apple does offer a detailed document on how they handle government data requests.
Government officials are looking into various ways to prevent such attacks from happening. Nicholas Weaver of the University of California, Berkeley, suggests using the FBI as a sole identity provider for all state and local law enforcement. But, even that suggestion is mired with problems around identity verification, especially in time-sensitive investigations.
U.S. lawmakers have previously introduced a bill, in July 2021, that could provide funding for state and tribal courts to adopt a digital signature technology. This would cut down on fraudulent requests from occurring since the criminal would need access to specialized signing software.
"I'm particularly troubled by the prospect that forged emergency orders may be coming from compromised foreign law enforcement agencies, and then used to target vulnerable individuals," U.S. Senator Ron Wyden said. "No one wants tech companies to refuse legitimate emergency requests when someone's safety is at stake, but the current system has clear weaknesses that need to be addressed."