Emergency Disclosure Requests (EDRs), Explained: For Law Enforcement
Emergency Disclosure Requests (EDRs) explained for law enforcement: the 18 U.S.C. 2702 good-faith standard, how to submit one, platform channels and forgery risk.
When a life is on the line — a credible suicide note, an active abduction, a hostage situation, a missing child whose phone is still pinging a tower — an investigator rarely has the days or weeks a warrant takes. An Emergency Disclosure Request (EDR) is the lawful shortcut built for exactly that moment: a mechanism that lets an online provider hand over user data voluntarily, without a warrant or court order, when there is a good-faith belief that someone faces an imminent risk of death or serious physical injury. This guide explains what an EDR is, the legal standard that governs it, how to submit one cleanly, how platforms now verify requests, and the abuse problem that has made every provider far more sceptical of the requests it receives. It is written for law-enforcement officers as general information, not legal advice. The Ministry of Cyber Affairs is an independent cyber-safety publisher, not a government body; follow your own agency's policy and your jurisdiction's law.
- An EDR asks a provider to disclose data voluntarily because of an emergency. It does not compel anything and is never guaranteed.
- The trigger is an imminent danger of death or serious physical injury, not the general usefulness of the data to a case.
- In the US it rests on 18 U.S.C. § 2702(b)(8) for content and § 2702(c)(4) for non-content records.
- Forged EDRs sent from compromised police email are a known, ongoing problem. Expect callbacks and verification, and welcome them.
- Use the official portal, articulate the specific imminent harm, ask only for what the emergency justifies, and document everything.
What an Emergency Disclosure Request actually is
An EDR is a request from a government or law-enforcement agency asking a service provider to disclose user information because of an emergency, rather than under compulsion of legal process. Two features define it.
- It is voluntary. The law permits the provider to disclose; it does not force it to. The decision rests entirely with the company.
- The trigger is imminence. Danger of death or serious physical injury that requires disclosure without delay, not data that would merely help an investigation.
An EDR is not a substitute for a subpoena, a court order or a warrant. It is the narrow exception for the cases where waiting for one of those could get someone killed. Once the emergency passes, you are back to ordinary legal process.
The US legal basis: the Stored Communications Act
In the United States, EDRs sit inside the Stored Communications Act. Two provisions matter, and they cover different kinds of data.
- 18 U.S.C. § 2702(b)(8) — content. A provider may divulge the contents of a communication to a governmental entity if it, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.
- 18 U.S.C. § 2702(c)(4) — non-content records. The parallel provision for subscriber and customer records — name, address, IP logs, billing and login data — applies the same emergency standard to "a record or other information pertaining to a subscriber or customer."
Both are permissive, both hinge on the provider's good-faith belief, and both are reported: the Attorney General submits an annual count of these voluntary disclosures to Congress. Knowing which subsection covers what you are asking for helps you scope a request the provider can actually action.
The good-faith standard and provider discretion
The hinge of the whole mechanism is the provider's good-faith belief that an emergency exists. The statute shields the provider that discloses in good faith from liability. It does not require any provider to disclose at all. That has two consequences for investigators.
- Compliance is never guaranteed. A company can decline, ask for more detail, or insist you obtain legal process if it is not satisfied the emergency is genuine.
- Your articulation is what unlocks it. Because the company relies on the good-faith standard, a specific, fact-rich emergency basis is not box-ticking. It is what lets the provider justify acting without a court order.
Many providers also set internal thresholds stricter than the statutory floor, and they retain discretion to disclose proactively when they identify an emergency.
How to submit one
The disciplined sequence is the same whatever the platform. Confirm the emergency is real and imminent, use the official emergency lane, articulate the basis with specific facts, expect to be verified, and document.
- Assess that it is a genuine, imminent emergency. Confirm there is a real danger of death or serious physical injury and that you cannot wait for legal process. If the threat is not imminent, an EDR is the wrong tool — use a preservation request plus a subpoena, order or warrant instead.
- Use your official agency email and the platform's official portal. Providers require the request to originate from a verifiable government or law-enforcement domain, and most now require you to be registered on their portal before you can file. Personal email is rejected.
- Articulate the imminent-harm basis, not just the ask. Identify the specific person at risk, the nature and immediacy of the threat, why the data you want relates to that emergency, and why waiting for process is not viable. Scope it tightly: ask for location, recent logins or contact details relating to the emergency, not a full historical account dump. Vague "urgent" framing without facts is exactly what providers are trained to push back on.
- Expect verification and document everything. The provider may call you back on a published agency number or route the request through an identity-verification service before disclosing. Cooperate. Then record who authorised the request, the factual basis, the time sent, and what was disclosed — because an EDR bypasses the usual judicial paper trail, your internal documentation is what later demonstrates good faith.
Platform law-enforcement channels
Every major platform runs a dedicated law-enforcement channel, usually the same system used for routine legal process but with the emergency lane flagged separately for fast triage. The table summarises where to go. Always reach the live portal from the platform's official safety or legal-process page rather than a saved link, because these URLs change.
| Platform | Law-enforcement channel | Emergency route |
|---|---|---|
| Meta (Facebook, Instagram, WhatsApp) | Law Enforcement Online Request System | Emergency request option within the portal |
| Google and YouTube | Law Enforcement Request System (LERS) | Emergency disclosure request form in LERS |
| Apple | Law-enforcement team per Apple's Legal Process Guidelines | Emergency request to Apple's law-enforcement team |
| Microsoft | Law Enforcement Request portal | Emergency request lane within the portal |
| X (formerly Twitter) | Legal Request portal | Emergency disclosure request form |
| Snap (Snapchat) | Law Enforcement Service Site | EDR from a sworn officer on an official domain |
| Discord | Government and Law Enforcement Request portal (via Kodex) | Emergency request flagged in the portal |
How platforms verify EDRs now
After the forgeries described below, providers hardened verification rather than abandon the mechanism. For a legitimate officer this means an occasional extra check is now normal, and the cleaner your request, the faster it clears. Common safeguards include:
- Agency-domain and portal registration. Requests must come from a verified government email, and many platforms only accept filings from officers pre-registered and vetted on their portal.
- Callback verification. The provider calls you back on a published agency number, not one supplied in the request, to confirm you sent it.
- Third-party request-management platforms. Several major companies route law-enforcement requests through services such as Kodex, founded by a former FBI agent, which verifies officers against a network of thousands of agencies and offers a real-time check on whether a requesting email is legitimate. The model treats impersonation as a shared threat across all the platforms on the network.
The forged-EDR problem
The features that make EDRs fast — no court in the loop, trust placed in a law-enforcement email, pressure to act within hours — also make them a target.
In 2022, reporting revealed that companies including Apple, Meta and Discord had handed over user data in response to forged emergency data requests sent during 2021. The attackers, linked to groups such as Lapsus$ and the "Recursion Team" and including minors, frequently sent the requests from genuine but compromised law-enforcement email accounts, which made them very hard to distinguish from the real thing. The data — names, addresses, phone numbers, IP addresses — was used for harassment, doxxing and financial fraud.
The problem did not go away. In November 2024 the FBI's Internet Crime Complaint Center (IC3) issued a public advisory warning that cybercriminals were still submitting fraudulent EDRs using compromised US and foreign government email accounts, noting forum posts in which criminals advertised access to police inboxes and government email credentials. The FBI urged providers to apply critical thinking to every emergency request and to verify authenticity before complying.
India and other jurisdictions
Voluntary emergency disclosure is not unique to the US. Many providers run a single global emergency channel and apply a comparable imminent-risk-to-life standard wherever the requesting agency sits, which is why overseas police still use a US-platform's emergency lane for genuine emergencies.
In India, the framework leans on intermediary obligations rather than a bespoke voluntary-emergency clause. Under Rule 3(1)(j) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, an intermediary must provide information in its control to a lawfully authorised government agency within 72 hours of a written order, for purposes including the prevention, detection and investigation of offences and for cybersecurity. Broader production of stored data is sought under criminal procedure law (historically Section 91 CrPC, now under the Bharatiya Nagarik Suraksha Sanhita).
Note on the 2025 amendment: the IT Amendment Rules gazetted on 22 October 2025 (in force from 15 November 2025) restructured Rule 3(1)(d), the content-takedown procedure, and did not change the Rule 3(1)(j) 72-hour data-provision timeline. Treat the specific mechanics in any non-US jurisdiction as something to confirm against current local law and the platform's own guidelines, as these provisions are amended frequently.
Frequently asked questions
Does an EDR replace a warrant? No. It is a narrow exception for imminent threats to life or limb. The provider may disclose voluntarily, but once the emergency passes — or if the provider declines — you are back to subpoena, court order or warrant. Do not use an EDR for routine data because it is faster.
Can a provider refuse my emergency request? Yes. Disclosure is voluntary and rests on the provider's good-faith belief that a genuine emergency exists. A company can decline, ask for more facts, or require legal process. A specific, well-documented imminent-harm basis is what makes it possible for them to say yes.
Why is the platform calling me back before releasing data? Because forged EDRs, often sent from compromised police email, are a known and ongoing problem the FBI has formally warned about. Callback and identity verification are the safeguards that protect real victims. Expect them and cooperate.
What is the difference between § 2702(b)(8) and § 2702(c)(4)? Both are US emergency provisions with the same danger-of-death standard. The (b)(8) route covers the contents of communications; the (c)(4) route covers non-content subscriber and customer records such as identity, IP logs and billing data.
This guide is part of our Guides for Investigators & Police reference series, covering Foundations, Mobile, Web & Social, Crypto, Cloud and AI.