Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson, Esq., President of Sensei Enterprises, Inc.

Dangerous Waters: How the Police Get Information from Amazon

September 30, 2020

TechCrunch had an interesting (and scary) post on September 27 about how easy it is for the police to get data from Amazon. Actually, anyone can access portions of a web portal used by law enforcement to request customer data from Amazon, even though the portal is supposed to require a verified email address and password.

Amazon's law enforcement request portal allows police and federal agents to submit formal requests for customer data along with a legal order, like a subpoena, a search warrant, or a court order. The portal is publicly accessible from the internet, but law enforcement must register an account with the site in order to allow Amazon to "authenticate" the requesting officer's credentials before they can make requests.

Only time-sensitive emergency requests can be submitted without an account, but the user must "declare and acknowledge" that they are an authorized law enforcement officer before they can make a request.

The portal does not display customer data or allow access to existing law enforcement requests. But parts of the website still load without needing to log in, including its dashboard and the "standard" request form used by law enforcement to request customer data.

You really need to go to the post so you can see the actual form. It provides a rare glimpse into how Amazon handles law enforcement requests.

The form permits law enforcement to request customer data using a broad variety of data points, including Amazon order numbers, serial numbers of Amazon Echo and Fire devices, credit card details and bank account numbers, gift cards, delivery and shipping numbers, and even the Social Security number of delivery drivers.

It also allows law enforcement to obtain records related to Amazon Web Services accounts by submitting domain names or IP addresses related to the request.

TechCrunch, assuming that this was a bug, sent several emails to Amazon prior to publishing the post but did not hear back.

Many of the bigger tech companies with millions or even billions of users around the world, like Google and Twitter, have built portals to allow law enforcement to request customer and user data.

Motherboard reported a similar issue earlier this month that allowed anyone with an email address to access law enforcement portals set up by Facebook and WhatsApp.

Remarkable how simple it is for law enforcement (and perhaps someone pretending to be part of law enforcement) to get to a treasure trove of otherwise private data.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson