Facebook designed a portal for law enforcement agencies such as police and courts to request user information. If you’re an individual account holder, you’re less likely to care, but if you’re in the investigative industry, this is the place to ask Facebook for data.
Facebook chose to review user data requests manually, without screening the email addresses of users requesting access to the portals, which are meant to be available only to law enforcement agencies.
Anyone with an email address can access Facebook’s law enforcement portals, which are designed for law enforcement officers to submit requests regarding user data.
Access to one of these portals does not give anyone access to any user information or to any sensitive corporate information. But the portals are not designed to filter email addresses in any way, so they open the door for spammers to freely access them and send spoofed requests.
Address for police to ask Facebook for data
Last week, security researcher Jacob Riggs discovered that he could access two of the portals used to request data from Facebook using any email address. All he needed to do was enter his email address, submit it to the portal, and then click on the confirmation link he received in his inbox.
After doing that, he could request access to user data using the information below.
Riggs reported the issue to Facebook, claiming it was due to a design flaw that needed to be fixed. However, Facebook told Riggs that this is a feature, not a bug (this sentence sounds familiar).
“Dedicated teams from Facebook carefully review each law enforcement request to ensure we only respond to valid legal processes as required by applicable law. While we always maintain policies to prevent spam abuse of the online request system, we choose to allow everyone to submit requests as we will manually review every request that comes to our company,” the Facebook spokesperson said in a statement. “In the event of an emergency, requests related to real-time emergencies will be scrutinized by us more than those manually requesting access using unfamiliar email domains, such as the email domain that the security researcher used.”
The spokesperson added that the system rejects some email domains and has other rules for blocking spam. In other words, Facebook will allow anyone to ask Facebook for data and then check if the request is real and legitimate, rather than blocking them with automated systems or asking third parties to do so.
“I guess it’s like a teenager trying to get into a nightclub. Their basic authentication is staff screening customers at the entrance. If a minor somehow gets in, they won’t consider it a security issue, as the bar will still check their ID when they try to order alcohol,” Riggs said. “In this context, they seem confident that their bar staff will recognize a fake ID.”
In any case, each of Facebook’s portals carries notes to deter potential spammers, warning them that only “authorized government entities can collect evidence related to formal legal process” are allowed to submit a request.
“Unauthorized requests will be prosecuted,” the note reads. “By requesting access, you acknowledge that you are a government official making the request in an official capacity.”
In addition to asking Facebook to provide data, police agencies can also trace a criminal’s IP address by requesting it from service providers.
Google’s law enforcement portal only allows “verified” law enforcement to obtain user data, according to the company’s website. In fact, Riggs was unable to enter the Google portal with his personal email address.
Technology companies regularly receive and process legitimate data requests through these portals. In its latest transparency report, which covers data requests for Facebook, Facebook Messenger, Instagram, WhatsApp and Oculus over the last six months of 2019, the company revealed it received 140,875 requests for user data.