
Google Voice CLEC Provider: Law Enforcement Guide - tshtf
http://www.bandwidth.com/law-enforcement-guide
======
advisedwang
> ...IF THEY ARE ASSIGNED TO A WHOLESALE CUSTOMER OF OURS, WE MAY BE ABLE TO
> PROVIDE THAT WHOLESALE CUSTOMER’S COMPLIANCE INFORMATION WITHOUT LEGAL
> PROCESS... Our wholesale customer then would make its own independent
> assessment of the request, including, without limitation, any subpoena
> subsequently delivered

It sounds like if you give them a telephone number used by Google Voice then
they will give you Google's contact info, rather than end user info. That
seems benign and logical to me.

~~~
yuubi
Sounds like if Acme Telecom resells Google's service, and a cop has the number
of an Acme subscriber, Google will put the cop in touch with Acme.

------
rdegges
This looks pretty bad at first glance. Unless I'm misunderstanding something,
what Bandwidth is saying is this: we don't care about receiving subpoenas for
information: we'll happily give it to you anytime upon request for us or any
of our customers.

~~~
mattzito
Well, it's really hard to say since it's clearly addressing a target audience
(LEAs/LEOs) with a specific set of needs, and we are not those people.

However, as I read it, they're saying that if you just need confirmation that
someone owns a particular number, they'll do that via email - usually for
things like wiretaps or warrants, iirc, the LEO has to attest that they
validated that so-and-so that made a harassing phone call to whoever owns
number XXX-XXX-XXXX that the call originated from, ergo, this is probable
cause to search them, etc.

So in this case, instead of generating a subpoena for records that a lawyer
will have to review for $$$, the LEO sends an email from their work address
that says, "I'm investigating Y, does So-and-so own XXX-XXX-XXXX?", Bandwidth
emails back with a "Yes" or "No" (obviously I assume there's a slightly more
formal response for documentation purposes).

Saves legal time, doesn't expose meaningful info, there's got to be some sort
of validation step (if I emailed from a gmail account I'm sure I won't get
very far, but hey, why doesn't someone try?). I don't see a huge issue here,
assuming this is how it works.

~~~
woodman
Email is an incredibly weak form of validation. Mix a lack of DMARC policy
with some social engineering and you have a dox.

~~~
toast0
Ok, so you spoof mail from totallyanofficer@yourlocalpoliceforce.gov, and they
respond with 'yeah, that number is totally a google number, you should serve
them any requests at legal at google dot com (or whatever it is)' and
totallyanofficer is confused and you didn't get your information.

~~~
woodman
An email has at least three fields that can both influence the address to
which a reply goes and aren't necessarily visible to the recipient's MUA. Even
if the recipient were to look into the headers, there are plenty of games to
play with deceptively constructed international domain names. There is also
the social engineering aspect I mentioned.
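
Added example, not part of the thread: a check a provider's intake desk could run on an emailed request before replying, covering the points raised above (DMARC result, reply-steering headers, internationalized domain names). The three header names, the allow-list, the `police.example` domain and both sample messages are assumptions constructed for this illustration.

```python
import email
import re
from email.utils import getaddresses

# Headers that can redirect a reply away from the visible From address.
# Choosing these three is this example's assumption, not a list from the thread.
REPLY_HEADERS = ("Reply-To", "Mail-Reply-To", "Mail-Followup-To")

def domains(msg, header):
    """Lowercased domains of every address found in one header."""
    values = [str(v) for v in msg.get_all(header, [])]
    return {a.rpartition("@")[2].lower() for _, a in getaddresses(values) if "@" in a}

def lookalike_risk(domain):
    """Punycode (xn--) or raw non-ASCII labels can render like a trusted name."""
    return any(p.startswith("xn--") or not p.isascii() for p in domain.split("."))

def review(raw, trusted):
    """Return a list of reasons not to answer this request by plain reply."""
    msg = email.message_from_string(raw)
    findings = []
    sender = domains(msg, "From")
    if not sender or not sender <= trusted:
        findings.append("From domain not on allow-list")
    # Assumes Authentication-Results was written by our own receiving MTA.
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    if not re.search(r"\bdmarc=pass\b", auth):
        findings.append("no DMARC pass recorded")
    for header in REPLY_HEADERS:
        for d in sorted(domains(msg, header) - sender):
            findings.append(f"{header} points to {d}, not the From domain")
            if lookalike_risk(d):
                findings.append(f"{header} domain {d} is an IDN/punycode name")
    return findings

# Constructed sample messages (not real traffic).
CLEAN = ("From: Officer Doe <doe@police.example>\n"
         "Authentication-Results: mx.carrier.example; dmarc=pass header.from=police.example\n"
         "Subject: Number lookup\n\nWho is the carrier of record for this number?\n")
SPOOFED = ("From: Officer Doe <doe@police.example>\n"
           "Reply-To: doe@xn--plice-constructed.example\n"
           "Authentication-Results: mx.carrier.example; dmarc=none header.from=police.example\n"
           "Subject: Number lookup\n\nWho is the carrier of record for this number?\n")

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("spoofed", SPOOFED)):
        print(name, review(raw, {"police.example"}))
```

Any finding means the request should be answered through a contact address already on file for the agency rather than by replying to the message.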

