Forging a judicial order is trivial. There is no way Verizon or anyone else knows if there is a specific form used in one of the 1700+ counties that comprise the US. Federal subpoenae are even easier because they are uniform and are filed under seal. Verizon can't call the Clerk's office and ask, "did the grand jury really issue a subpoena?" The documents are written on simple copy paper and lack any kind of security features. Expect more of these as word gets out. Also, it's easy enough to file a small claims case and have a subpoena issued. Usually, there's no one to quash the subpoena. Civil subpoenas take a little longer than criminal ones and you have to pay to have them served, but so what?
Wait, sorry, sorry, sorry, hold up, full stop...could you repeat that again?
These orders arrive AS GODDAMN PAPER PRINTOUTS?!?
Am I to understand that official orders that instruct telco providers to provide the private communication data of people are transmitted as smushes of pigment on thin pieces of wood-paste, instead of a digitally signed file that the recipient can trivially verify with the ordering entity's public key?
Yes. Or a PDF attachment on an e-mail, possibly scanned from something that was printed a few minutes earlier because someone had to sign it with a pen.
You're underestimating the complexity of establishing a PKI infrastructure to handle federal, state and local authorities, signalling which keys have what exact authority, revoking compromised keys, … and then doing tech support for some redneck judge that owns more guns than electronic devices.
Having a cert from a validated *.gov CA doesn’t seem that complicated, or at least, should be “just as complicated” as setting up TLS certs properly.
Getting the tech adopted might be difficult (like you say some judges may not see the point of it) but the PKI doesn’t have to be super complicated…
Having different authorities provide signatures for different types of documents may or may not be needed; in theory it is more secure, but just checking the domain name suffix should be a good start. And every tech-literate person has a general idea of how to tell “valid” domain names from phishing sites, so the scheme translates well.
You're not wrong, but you are overestimating the tech skill level of the average non techie.
I'm travelling right now, and a surprising fraction of restaurant websites here aren't https.
Yes, but we're talking about the judiciary here, not restaurants... Surely they'd have a minimal IT department...
That is horrifically underfunded, so the pay is low, so the employees get poached all the time. I have a bit more insider information here than most as I had family that has worked in the court system and law enforcement 20+ years, and was good friends with IT at the county.
These counties are generally so busy fixing past problems that there is zero time, budget, and manpower to implement new technology like you're talking about. Seriously, recovering encrypted systems is a major part of their time. As to the poaching, the number one 'company' that poached good IT people in the county was the feds. They tend to pay a lot more, and they too are generally critically understaffed.
Most IT people simply don't want to work for county/state/fed at the end of the day because pay isn't great, and for that not great pay there are a lot of restrictions.
I pointed this out in a previous post elsewhere but there are places out there with little to no manpower, period.
https://www.wwnytv.com/2023/11/15/st-lawrence-county-struggl...
A single judge, and likely, a single court clerk, are the only people in many, many rural courthouses. And sometimes, that judge themselves might have been able to get into the job with one vote as a joke. Neither of them could have any IT support, just a couple laptops from the county if that to help them out.
These courts out there run a lot more on paper and fax and occasionally normal email (https is 'secure email' right? /s). They'd have zero clue what a CA even is, other than the Golden State.
You might hope so, but I have no reason to think they are magically more ept than anyone else.
I don't know much about the American ones, but the British ones are complaining about the ceilings falling down due to chronic underfunding of basic maintenance; getting the digital infrastructure right is probably lower down their wish list than ceilings that don't collapse:
https://www.standard.co.uk/news/london/courtroom-shut-ceilin...
But you also assume they wouldn't give up using it due to frustration.
This is an unnecessary dig. Not all "rednecks" are dumb. They got us to the moon. Not all people who resist tech "innovation" in their space are "rednecks" or "dumb". They probably know a whole hell of a lot more about their domain than you do.
Be cautious of the toxic sense of superiority tech people have that they somehow know better than the unwashed masses, even before immersing themselves in the domain to understand and then solve problems.
Take delivery apps that have somehow made the previously thriving small business of delivering food a giant industry that loses money for everyone involved.
Adding a tech doesn't automatically make things better. When people resist your shiny new (and likely ill conceived) tech that doesn't mean they are dumb. They might just recall the sting from last time.
I agree with everything you said but this. It seems like an industry with sustainability problems where the consumers are winning big. It also seems like it ignores the small businesses that could never support delivery drivers in the first place. I'm not super familiar with this industry but I hear similar arguments against ride sharing which is at worst 10x better on the consumer side than it was before.
The problem with big tech trying to fix a problem in one country is that it can end up destroying something that actually works better in some other country. Here in Sweden we have had something called e-invoices for a very long time. You just ordered something and the invoice ended up automatically in your bank. Just a few clicks to pay all your invoices no matter how many.
Now there are several different payment apps that want to fight for the customers and they all require you to get their app. Or you will have to jump through five hoops to get to pay the invoice. It's called rent-seeking, I believe...
I didn't call anyone dumb. Why did you jump to that?
If I translate "redneck" to my native language, the result is roughly "someone who lives away from civilization", "lacking higher education", "anti-progressive and behind the times". Those are exactly what I was aiming for, as that's the kind of person that will (by definition, essentially) have the most & worst IT support issues.
(Also—what's your definition of "redneck" when you say "rednecks got us to the moon"? By my understanding, at the point you start working on the space program you're not a "redneck" anymore…)
It’s amusing how much HN expects from “the outer world”.
Companies can adopt new tech in 1-2 years. Industries have around 5-10 years of inertia. Bureaucracies like courts still live in the past millennia. You should be happy that they are using email.
The best security measure they will implement after this article going wide is something like “only emails from @<domain> are valid, but we’ll destroy you anyway in case a judge mistakenly sends you an order from his own gmail”.
This is a feature. We don't want courts to "move fast" because the consequence of breaking is far more severe than losing a few files on Google Drive.
If you don't move fast with new tech, you are broken. E.g. the article in this post.
The implied assumption here is that everything needs to adopt new tech. Lots of things are essentially "as perfect as we're going to get them" and everything new is a very marginal improvement or a big step backwards.
The only thing broken is Verizon’s lawyer’s phone.
They wouldn't want that, because they don't want it to be easy to prove that they demanded surrender either.
Why not?
Yeah this sounds like fringe government boogeyman stuff.
Oh wow! In my country, legal documents like this arrive with a QR code or confirmation code attached that can be used to verify legitimacy of the document on the official e-government internet site.
Every valid warrant has a verification authority contact. You are allowed to withhold access until verification can be made, and generally it can be done in 5-30mins.
I worked in a data center once, and we would have FBI contacts that would come in regularly to access criminal data (CP, terrorist communique, heavy piracy, etc). We would verify the warrant before secure entry+accompany them to the specific requested entity. I know procedures are similar + even more stringent for the medical field. Things get even more complex for small local authorities, but the idea that "just having a slip of paper" is enough is ridiculous; unless the person accepting the request is dumb/lazy/uninformed/undertrained/etc, as in any social engineering feat (in your case, the responsible person decides to not bother with the QR because their phone connection is bad, it takes too long, etc; for example).
So it's not like on TV where if they have the paper they can just show it to you and barge past you by force?
For arrest warrants that makes sense, but they portray search warrants the same way.
Yes, and until we pass real consequences for data breaches - protections for individuals - none of this will change.
I think their point is that the fault here is on the system that requires people comply with non verifiable warrants, as opposed to the people handing over the data.
The point of sending a letter, compared to an email, isn’t only about proving who issued the subpoena, but also being able to prove it was received. You can’t really prove an email was received, but you can send a verified letter proving it was delivered.
I mean digital signatures have really only been a thing for like 20 years, and barely because people only started caring about it more in the past 10.
While the US has been around for nearly 250 years.
And truthfully, despite a highly technical crowd, how many of y’all have actually ever sent or received a digitally signed email? If you’ve tried, you know why no one ever does it.
The much-derided SnOOPEr'S CHarteR in the UK (which actually formalised and regulated stuff that was already being done) means that while it's not a judge signing off warrants for comms data, it involves police gatekeepers (and believe me, getting a warrant to blow someone's door off is a piece of piss compared to writing up a comms data application), who then send it to an independent decision making body who then return it to the police who then upload the request to CSP systems using a pre-agreed portal with appropriate authentication.
This touchstone of 'judicial oversight' is frequently nonsense. You can't tell me that every judge who has to give a warrant for a DUI blood draw at 3am in smalltown US is giving the matter any kind of scrutiny, nor that that judge has any legal or judicial experience at all.
Was honestly having a difficult time determining (a) if this was sarcasm or (b) you just have no idea of the technical competence of many of these jurisdictions, not to mention the complexity of managing this type of public key verification system for the number of jurisdictions involved.
What, gmail is better?
At one place I worked for we used to get them via fax! That said, you could call and verify that the person the document claimed had sent it actually did.
I'm always torn about this kind of exploit. On the one hand it's obviously vulnerable. On the other hand, securing it would require centralization of authority. I think I'm actually okay with accepting the tradeoff of insecure verification of "legitimacy," in exchange for decentralization of police power.
But it's also worth noting that the "vulnerable" system is not the centuries old system of policing. If you get arrested by a fake cop, that system affords you legal remedies - it might take a few days but you'll see justice. The vulnerable system here is Verizon's process for responding to inbound messages claiming to be search warrants. And when this system fails, the victim has effectively no remedy - their stalker already read the data that Verizon sent him.
So that's even less of a reason to increase centralization of the policing system. It won't solve the problem because the problem is with a different system.
Sorry who do you want having the right to subpoena these records besides the government?
There's more than one "government," that's what I mean by decentralization. There are thousands of courts throughout the country. I don't want some federal agency to be responsible for verifying the legitimacy of every warrant sent from every court.
How about having the federal government be responsible for publishing a list of public keys for each court jurisdiction?
Does the court in each jurisdiction need to submit their public key for inclusion? Who in the federal government is responsible for verifying that a legitimate court submitted the key?
What if the head of the agency responsible for verifying these courts institutes a policy that courts will lose their verification for rulings against abortion?
What if two courts in neighboring jurisdictions claim to be the same court? They each submit a different public key, but both can verify they hold the private key that pairs with the public key they submitted. How does the federal agency even verify the identity of a courthouse? Do they need to physically visit them and meet with the judge to tap a Yubikey?
What if somebody steals the YubiKey from the judge? What if a referendum dissolves a jurisdiction?
What is the process for revocation of verification?
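As an added example (not from any commenter, and not a description of any real system): a minimal version of the per-jurisdiction key registry being discussed, in Go, with the jurisdiction name bound into the signed bytes and a revocation list. Court names, order IDs and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
)

var (
	ErrUnknownJurisdiction = errors.New("jurisdiction not in registry")
	ErrRevokedKey          = errors.New("signing key has been revoked")
	ErrBadSignature        = errors.New("signature does not verify")
)

// Order is the signed payload; the jurisdiction is inside the signed bytes, so a signature cannot be relabelled.
type Order struct {
	Jurisdiction string `json:"jurisdiction"`
	OrderID      string `json:"order_id"`
	Records      string `json:"records"`
}

// SignedOrder is what the carrier receives: the signed payload plus signature.
type SignedOrder struct{ Payload, Signature []byte }

// Registry: the hypothetical published key per jurisdiction, plus keys withdrawn since (stolen token, dissolved court).
type Registry struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool // keyed by hex of the public key
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}
func (r *Registry) Register(jurisdiction string, pub ed25519.PublicKey) { r.keys[jurisdiction] = pub }
func (r *Registry) Revoke(pub ed25519.PublicKey)                      { r.revoked[hex.EncodeToString(pub)] = true }
// SignOrder serialises the order and signs it with the court's private key.
func SignOrder(priv ed25519.PrivateKey, o Order) SignedOrder {
	payload, _ := json.Marshal(o) // Order has only string fields, so Marshal cannot fail
	return SignedOrder{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}
// Verify: parse the claimed jurisdiction, look up its registered key, refuse revoked keys, check the signature.
func (r *Registry) Verify(so SignedOrder) (Order, error) {
	var o Order
	if err := json.Unmarshal(so.Payload, &o); err != nil {
		return Order{}, err
	}
	pub, ok := r.keys[o.Jurisdiction]
	if !ok {
		return Order{}, ErrUnknownJurisdiction
	}
	if r.revoked[hex.EncodeToString(pub)] {
		return Order{}, ErrRevokedKey
	}
	if !ed25519.Verify(pub, so.Payload, so.Signature) {
		return Order{}, ErrBadSignature
	}
	return o, nil
}
func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// Scenario runs four constructed orders through a two-court registry; a nil outcome means accepted.
func Scenario() map[string]error {
	pubA, privA := genKey()
	pubB, privB := genKey()
	_, privX := genKey() // forger's own key, never registered anywhere
	reg := NewRegistry()
	reg.Register("Example County Circuit Court", pubA)
	reg.Register("Example District Court", pubB)
	base := Order{Jurisdiction: "Example County Circuit Court", OrderID: "2024-CR-0001", Records: "subscriber info"}
	out := map[string]error{}
	genuine := SignOrder(privA, base)
	_, out["genuine"] = reg.Verify(genuine)
	_, out["forged"] = reg.Verify(SignOrder(privX, base)) // right wording, wrong key
	relabel := base // genuine signature pasted under another court's name
	relabel.Jurisdiction = "Example District Court"
	relabelPayload, _ := json.Marshal(relabel)
	_, out["relabelled"] = reg.Verify(SignedOrder{Payload: relabelPayload, Signature: genuine.Signature})
	fromB := SignOrder(privB, Order{Jurisdiction: "Example District Court", OrderID: "2024-CV-0042", Records: "call records"})
	reg.Revoke(pubB) // court B reports its signing token stolen after issuing the order
	_, out["revoked"] = reg.Verify(fromB)
	return out
}
```

The revocation and identity-proofing questions raised above are policy problems the registry does not answer; the code only shows that once a key is bound to a jurisdiction, forged, relabelled and post-revocation orders all fail the same cheap check.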
Most of the concerns you raised are either non-issues or can be resolved with a minor amount of legal legwork. Even if the system isn't perfect and there are edge cases that it can't handle, having any sort of key registry is better than the current system where anyone can claim to be a judge, and it's up to some lowly corporate employee to do the verification themselves.
As a non American it's pretty comical watching Americans make mountains out of molehills for problems that are solved in other countries.
Which country has such systems?
A national id system, for one.
I've never looked into this specific issue but I would imagine that the Estonian e-Identity system has solved this specific problem among many others.
https://e-estonia.com/solutions/e-identity/id-card/
That's what I was thinking... Why can't we solve this with non-repudiation crypto that is already available?
every judiciary authorized to issue warrants should simply put them on their own website, put some id on the paper, folks can verify. what else is needed? these aren't supposed to be secret anyway
I believe warrants are frequently sealed (secret, at least temporarily) to prevent people from destroying evidence/fleeing...
Right, but I can imagine a system where you can enter a "subpoena ID" and it can tell you if it's valid and when it was issued, possibly even which jurisdiction.
That should be enough info where folks can verify the validity of their subpoena w/o revealing too much data. Including date of issuance and jurisdiction should help prevent using stale IDs to scare someone.
If the subpoena is not sealed, the ID would show all the subpoena info, further narrowing down the ability to replay stale IDs.
I'm definitely missing something obvious though because technical solutions are often not a panacea in cases like this
no, I don't think there's anything missing, other than the usual apathy toward systems reforms in most societies.
this would probably work pretty well for these "utility-like big gatekeeper corps" which handle a shitton of subpoena requests, of course it doesn't help if a SWAT team is executing a someone-shout-and-knock-with-that-huge-doorfucker-implement on the wrong house.
in many countries there are state-managed online id systems allowing sending documents to legal persons ... which would make it really really trivial. send the warrant to the department executing it and to the department handling these at Verizon. (I wouldn't be surprised to learn that most of the US states already have something like this, but not used like this.)
it can be optional/voluntary for natural persons, it can be mandatory for companies above some size, etc.
That's the least bad solution available IMO, since the Internet and DNS is the closest thing to decentralized we have available to us. But it requires a special TLD available exclusively to courts, which would make the TLD registry a centralized authority. What if a political activist refuses to validate the TLD of a court in the middle of Texas because of a disagreement with a ruling?
The .gov domain already exists: https://beta.get.gov/domains/before/
There's a solution for this, which is relatively easy to implement, if we dare to. Recognize data privacy as a right. Enable the victim to sue the leaking party, with easy recovery and costs, for any bad subpoena accepted, and pay substantial fine for violating the rights. Very heavily substantial if it leads to subsequent other damage (such as stalking or violence). Miraculously, the data hoarders would find ways to verify subpoenas (and design protocols and pay for development of necessary tools) very quickly, I think.
Of course, this would require such law to actually survive the lobbying block of the data hoarders in the first place, and that's not likely to happen, alas.
We need an embarrassing data leak on Congress before they will be motivated. They covered their asses quick when Bork's video rentals were publicized.
Even then they might likely just pass a law that makes it illegal to leak the data of a member of congress while leaving the rest of the American public screwed.
Shouldn't the remedy be the guy goes to jail for a long time for forging a search warrant?
You're assuming the perpetrator can be identified, the US government gives a shit enough to pursue the matter (unless the victim is someone economically or politically elite, they won't), and the perp is somewhere our government can reach them in terms of extradition.
The most relevant example I can think of would be a CCP hacker forging a search warrant for a US-based political activist. The government would probably care, but good luck identifying some random Chinese Army hacker, much less extraditing them.
Cryptographic signatures exist. This is a trivial exploit to solve...
They could just come up with a standard hologram sticker that certifies all govt orders..
Why can't the police come to one of the Verizon stores in person and have a manager there verify by calling back the officially posted number of the department they are from?
A search warrant is not a sealed subpoena, and you should always at least be able to verify that the people who issued it exist and have the authority to do so. I would hope you can also verify some identification number and major details, but I only know the German legal system, not the US one.
Literally nothing stops these companies from having a staff member look up the courthouse's contact info on the official court website, call a clerk, and verify the warrant....except they don't want to pay for the labor to do so.
Perhaps they should be reimbursed for the cost
Perhaps if they can't operate without being a danger to society they shouldn't be allowed to exist
Is offering phone services to the public being a danger to society?
Responding to legal requests is part of operating a phone service, and apparently they failed to do that without seriously endangering a stalking victim.
I have no idea what exact laws and liabilities apply here, but my feeling is there's very likely going to be an undisclosed civil settlement between Verizon and the victim, and maybe some laughable fine (let's say ≤$10k) for violating privacy laws on the criminal side.
If the law is "you will hand over this data in response to a warrant", how did they fail?
The fact that the US warrant system has holes capable of driving a truck through isn't the fault of Verizon - there exists no sensible way of validating a warrant.
If there's no way to validate a warrant how does Verizon validate compliance?
There is a way, that’s the whole point. They can contact the issuing authority, just like you do when you get any letter or email asking you for sensitive information.
Yes, exactly.
Just because a piece of paper claims to be a warrant doesn't mean it is one. Warrants and subpoenas contain contact information for the person that issued them. It is on Verizon to verify that the warrant they received was legitimate and, if it wasn't, to report to the DA that someone is issuing fake warrants (which is a crime all by itself).
Subpoenas (like Verizon was issued) are never immediately actionable. You have a right to appeal subpoenas. If the subpoena had a "You must respond right now" trigger it'd eliminate that right. Something I'm CERTAIN Verizon knows because they file motions to quash all the time [1].
[1] https://casetext.com/case/in-re-verizon-internet-services-in...
Oh, if only there were such a thing as GDPR (or the victim sues in Cali).
The perp is an individual, GDPR only applies for organizations.
We're talking about Verizon's liability here, not the stalker.
I don't think it'd actually be a GDPR case in EU; it's more of a wiretapping case - note some of the victims communication was revealed. (GDPR violations might be a secondary charge, but wiretapping would be way more significant.)
That said it really depends on the exact legal framework (which I have no clue about) and eagerness of a prosecutor to make a case. Hence my "maybe".
FWIW I have a side job at a small community ISP in the EU and the GDPR was a no-op for us. The requirements for anyone operating in the telco space were already stricter. If I remember correctly the GDPR fines are higher though, whereas wiretapping (& co.) laws are much more likely to land you personally in jail.
(I was being intentionally vague with "privacy laws"; I do include wiretapping charges in that but, again, I don't know the US legal situation.)
Law enforcement should be free, or at least paid for by generic taxes.
If I host a movie night with some friends, and an altercation occurs between them, then it's unjust for the police to create unreasonable cost on me as a host. They shouldn't tear up the house or create lots of time consuming paperwork without compensation.
You may think that my movie nights are inherently a danger to society. But even if that's correct, we should create direct legislation to discourage this dangerous activity rather than using search processes/warrants to impose cost in an approximate and roundabout way.
You’re not a company. If you host a movie night privately it's different from a company that handles and has the responsibility for the personal data of millions of people. I am not even sure wtf I am reading; do you guys even consider scale and contexts when writing things or just throw random examples around?
But also the cost for you would be the time to call law enforcement, and for them it is the time to verify the validity of a document, so it's just nonsense.
Generally speaking, when you get a subpoena you can demand "conduct money" precisely to reimburse this cost. Otherwise the subpoena is unenforceable. Not sure exactly how warrants work.
I doubt it wouldn't have cost them anything more than what they're already paying to staff their legal department.
I don't think that would have helped in this case since although it was based on an affidavit from a fake police officer, the name of a real judge was used to approve the fake warrant.
What would have helped is Verizon calling the court and verifying that they issued the warrant.
Yes, they actually can. There should be contact information associated with a subpoena that Verizon can both verify is legitimate and then directly contact to validate the subpoena.
This comes up in the medical field and, due to much higher penalties if they respond to a fake, medical staff get trained to do just this [1]. HIPAA doesn't care if you are tricked into revealing HIPAA information.
[1] https://www.hipaaexams.com/blog/medical-record-subpoena
If the subpoena is fake, and contains fake contact info (like a phone number), how does the receiver verify it is actually a real number from the courts? I guess the phone numbers are public record?
The phone company can't validate a phone number?
Who pays for the phone number may not have anything to do with who's using the phone number. It's not like the old days where everything has a copper wire going to one particular place.
I mean if the registered owner says "TXSTRGCT" is that the "Texas State Regional Court" or something a spammer setup over some VOIP service?
Independently validate contact information! Don't use what's on the letter/form/email. This is basic security for everything, from Grandma's savings account on up.
The State/Fed have public official websites with this information.
Much like when you receive mail from your bank, you call them via a known number. Never trust user input, even irl.
Oddly enough this is more complex in places with multiple jurisdictional overlap.
Imagine a city with a police force of 6,000 combined with county, federal, state, and university LE. You might have a total of 20 neighboring or overlapping agencies ranging from 6 to 6,000 employees.
Personal cellphone numbers are used in LE sometimes, whatever one might think of that practice or implications for discovery and preservation.
That's like saying forging a plea from a Nigerian prince is trivial. Verizon should be deeply embarrassed by this - I mean the initial request came from a proton account with misspellings and grammar mistakes of a child.
I don't know how Verizon does it, but I have a friend who works in the "respond-to-law-enforcement department" at one of the FAANGs. Given the company, they get tons of legal requests for info, but also tons of fraudulent ones, not to mention ones from real governmental organizations but that are dubious that they challenge. Point being they have extremely detailed processes and technology to respond to these requests. Verizon is the biggest cell phone company in the US, they can afford to not look like a total clown show in this regard.
Many phishing attempts are shockingly bad like this - but that doesn't make it difficult to not have misspellings and grammar mistakes and come from a vaguely plausible domain (gmail?). If your defense against phishing relies on your adversary not knowing what a legitimate request looks like - it's not a very good defense.
Two points:
"Normal" phishing is a bad example, because many phishing emails notoriously use misspellings and bad grammar on purpose because scammers don't want to waste their time on people with half a brain, they only want people dumb enough to respond in spite of the ludicrous misspellings. But in this Verizon case, that logic doesn't apply, because there was only a single targeted recipient.
With respect to "If your defense against phishing relies on your adversary not knowing what a legitimate request looks like - it's not a very good defense", I wholeheartedly agree. My point was only that the fact that Verizon responded to this fake subpoena despite the reddest of red flags makes me think that they must have horrible procedures generally for verifying these types of requests.
Companies have no feelings, only pockets.
Make carelessness expensive enough and they will care.
Verizon can't call the Clerk's office and ask, "did the grand jury really issue a subpoena?"
Says who? I'm not aware of any rule or statute that prohibits the recipient of a subpoena from confirming with the court that it is legitimate?
Usually, there's no one to quash the subpoena.
There's always someone who can move to quash - the recipient. There's usually two people - the recipient and the opposing party.
A federal subpoena includes the rule on how to do it right on the subpoena. https://www.uscourts.gov/sites/default/files/ao088b.pdf
As a side note, there are a myriad of potentially applicable statutes and case law relating to obtaining phone records. Depending on what was requested, a subpoena may not be required.
Usually subpoenas and search warrants come with a stamp, and more importantly records are returned to the court registrar, not handed over directly to the person claiming to be serving a court order. The registrar would presumably say "wtf we didn't order this" and then the jig is up.
cryptome has been reporting on this shit for a long time. here's a document from 2010 that was the first result for my first search:
https://cryptome.org/isp-spy/le-tel-spy.pdf