U.S. senators concerned about hackers using police email accounts to steal user data

Members of the U.S. Senate began to take note of reports that hackers are using urgent data requests to obtain data from tech companies such as Apple, and one of them began investigating the privacy concerns. On March 29, a report revealed that hackers were using compromised government and police email accounts to pose as law enforcement officials. Using those email accounts and connected services, the hackers have in some cases been able to request data from tech companies.

Specifically, the hackers abused “Emergency Data Requests” (EDRs) to demand data by claiming there was an imminent threat of injury or death. EDRs let law enforcement obtain data urgently without a court warrant or subpoena. However, because it was impossible to quickly verify the legitimacy of an EDR, the hackers had success with this technique.


Following the initial report and a follow-up from Bloomberg on March 30 confirming that Apple complied with some of the requests, the issue has already caught the attention of lawmakers.

In a statement to KrebsOnSecurity on Thursday, Sen. Ron Wyden said the issue is “a huge threat to the safety and national security of Americans.” Wyden also expressed concern about the prospect that some EDRs “could originate from compromised foreign law enforcement agencies and then be used to target vulnerable individuals.”

Wyden said he is requesting information from tech companies and federal agencies to learn more about the issue. “No one wants a tech company to deny a legitimate emergency request when someone’s safety is at stake, but the current system has clear weaknesses that need to be addressed,” the senator said.

This isn’t the first time Wyden has looked into the issue of certification for court orders. In July 2021, Wyden and other senators introduced the Court Order Digital Authentication Act, which would require funding for state and tribal courts to help them adopt digital signature technology, potentially reducing forged court orders.

Because current EDRs are sent through compromised but legitimate email accounts, with no real way to confirm the sender’s identity, it now seems necessary for law enforcement to adopt a similar digital signature system to achieve similar results.
