Yes, the call back mechanism is a pretty good one but it has limitations too. It requires the switchboard operator at the police station to be trustable. Indeed, that human needs to actually pick up the phone. In many cases, the 911 line is the only one that's routinely answered.
I'm thinking that the number of "Gun to victim's head; we need secrets from $Corporation_Name now!!!" situations which a typical small police dept. would actually experience, even over a decade, is ~ZERO. And the chance that a small police dept. would have the skill set, familiarity with the procedure, etc., so that they could correctly request the right data, from the right part of the right corporation, is about the same.
SO - move the power to make such requests up to (say) State Police departments, or even somewhere in the DHS. Those guys have (or should have) sufficient resources to secure their e-mail, staff call-back phone lines 24/7, etc. And in the other direction, they should be far better able to vet alleged local police officers who contact them with emergency requests.
Require police stations to register their callback number for EDRs. Require a response before releasing information.
You still have the issue of vetting each police station, but you can do that once before the EDR comes in. Then when the EDR comes in, you call that number, confirm the details.
It can still be hacked, but not nearly as easily as a random officer's email account.
