You might not have to wonder just what data police can request from Amazon — some of those details just became public. TechCrunch has discovered that parts of Amazon’s law enforcement request portal are visible to anyone on the web without requiring a login. They show what officers need to make requests, and how relatively easy it is to make some demands.
Police can ask for a host of sensitive details, including order ID numbers, device serial numbers, payment details, and even Social Security numbers for delivery drivers. Officers can also supply domain names and IP addresses if they’re looking for Amazon Web Services data. Members of the public can’t access customer data or existing requests from the portal.
Investigators need logins for non-urgent requests. However, they only need to “declare and acknowledge” that they’re officers if there’s an emergency. We wouldn’t expect this to be widely abused (you could easily face legal trouble), but it’s theoretically possible to misuse the system.
We’ve asked Amazon for comment, although it hadn’t responded to TechCrunch inquiries as we wrote this.
This isn’t the first time a major tech firm’s police portal has been visible online. Motherboard found that anyone with an email address could reach Facebook’s portals. This does provide insight into how Amazon’s system works, though, and raises questions about security if the public can stumble across the request system.