Anyone can access parts of a web portal used by law enforcement agencies to request customer information from Amazon, although the portal is said to require a verified email address and password.
Through Amazon's Law Enforcement Inquiry Portal, police and federal agents can submit formal requests for customer information along with a jurisdiction such as a subpoena, search warrant, or court order. The portal is publicly accessible on the Internet. However, law enforcement agencies must register an account on the website so Amazon can "authenticate" the inquiring officer 's credentials before making inquiries.
Only time-critical emergency inquiries can be submitted without an account. However, this requires the user to "declare and confirm" that they are an authorized law enforcement officer before submitting a request.
The portal does not display any customer data and does not allow access to existing law enforcement requests. However, parts of the website will continue to load without you having to log in, including the dashboard and the "standard" request form used by law enforcement agencies to request customer information.
The portal offers a rare glimpse into how Amazon processes law enforcement inquiries.
This form allows law enforcement agencies to request customer information through a variety of data points, including Amazon order numbers, serial numbers from Amazon Echo and Fire devices, credit card details and bank account numbers, gift cards, delivery and shipping numbers, and even the social security number of delivery drivers.
Law enforcement agencies can also access Amazon Web Services records Accounts by submitting domain names or IP addresses in connection with the request.
Assuming this was a bug, we sent Amazon several emails before posting but received no response.
Amazon isn't the only tech company with a law enforcement inquiry portal. Many of the larger technology companies with millions or even billions of users around the world, such as Google and Twitter, have set up portals to allow law enforcement agencies to request customer and user data.
Motherboard reported a similar issue earlier this month where anyone with an email address could access law enforcement portals set up by Facebook and WhatsApp.