Surveillance and Security Lessons From the Petraeus Scandal

When the CIA director cannot hide his activities online, what hope is there for the rest of us? In the unfolding sex scandal that has led to the resignation of David Petraeus, the FBI’s electronic surveillance and tracking of Petraeus and his mistress Paula Broadwell is more than a sideshow—it's a key component of the story. More importantly, there are enough interesting tidbits (some of which change by the hour, as new details are leaked) to make this story an excellent lesson on the government’s surveillance powers—as well as a reminder of the need to reform those powers.

Metadata is king

Ms. Broadwell apparently attempted to shield her identity by using anonymous email accounts. However, it appears that her efforts were thwarted by sloppy operational security and the data retention practices of the companies to whom she entrusted her private data.

The New York Times reported that “[b]ecause the sender’s account had been registered anonymously, investigators had to use forensic techniques—including a check of what other e-mail accounts had been accessed from the same computer address—to identify who was writing the e-mails.”

Webmail providers like Google, Yahoo and Microsoft retain login records (typically for more than a year) that reveal the particular IP addresses a consumer has logged in from. Although these records reveal sensitive information, including geo-location data associated with the target, US law currently permits law enforcement agencies to obtain these records with a mere subpoena—no judge required.

Although Ms. Broadwell took steps to disassociate herself from at least one particular email account, by logging into other email accounts from the same computer (and IP address), she created a data trail that agents were able to use to link the accounts.

The Wall Street Journal similarly revealed that “agents spent weeks piecing together who may have sent [the emails]. They used metadata footprints left by the emails to determine what locations they were sent from. They matched the places, including hotels, where Ms. Broadwell was during the times the emails were sent.” NBC added further details, revealing that “it took agents a while to figure out the source. They did that by finding out where the messages were sent from—which cities, which Wi-Fi locations in hotels. That gave them names, which they then checked against guest lists from other cities and hotels, looking for common names.”

Based on these reports, it seems that Ms. Broadwell did at least avoid the common mistake of sending sensitive emails from her residential Internet connection. However, she did not, it seems, take affirmative steps to shield her IP address (such as by using Tor or a privacy-preserving VPN service). Instead, she apparently logged in to her email accounts from public WiFi networks, such as those in hotels. Had she sent just one email, she might have been able to at least maintain plausible deniability. However, each new hotel (and associated IP login record) reduced the anonymity set of potential suspects. By the second or third hotel, it is likely that the list of intersecting names from the various guest lists contained just a single name: Ms. Broadwell’s.
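The account linking and guest-list intersection described above can be made concrete. This is an added illustration, not part of the original article or of any investigative tool; every account, name and address in it is constructed (the IPs come from the reserved documentation ranges), and both function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: (account, source IP) login records of the kind
# a webmail provider retains. Listed in chronological order.
LOGINS = [
    ("anon-account@example.com", "198.51.100.7"),
    ("anon-account@example.com", "203.0.113.20"),
    ("personal-account@example.com", "203.0.113.20"),
    ("anon-account@example.com", "192.0.2.44"),
    ("unrelated@example.com", "192.0.2.99"),
]

# Constructed sample data: guests registered at the hotel behind each IP
# at the time of the login.
GUESTS_BY_IP = {
    "198.51.100.7": {"A. Rivera", "B. Chen", "C. Okafor", "D. Novak"},
    "203.0.113.20": {"B. Chen", "C. Okafor", "E. Haddad"},
    "192.0.2.44": {"A. Rivera", "C. Okafor", "F. Lindqvist"},
}


def accounts_sharing_ip(logins, target):
    """Return other accounts seen from any IP the target account used."""
    by_ip = defaultdict(set)
    for account, ip in logins:
        by_ip[ip].add(account)
    linked = set()
    for account, ip in logins:
        if account == target:
            linked |= by_ip[ip]
    linked.discard(target)
    return linked


def anonymity_set_sizes(logins, target, guests_by_ip):
    """Intersect guest lists across the target's logins, one login at a time.

    Returns the remaining candidates and the candidate count after each login.
    """
    candidates, history = None, []
    for account, ip in logins:
        if account != target or ip not in guests_by_ip:
            continue
        guests = guests_by_ip[ip]
        candidates = set(guests) if candidates is None else candidates & guests
        history.append(len(candidates))
    return candidates or set(), history


if __name__ == "__main__":
    print(accounts_sharing_ip(LOGINS, "anon-account@example.com"))
    print(anonymity_set_sizes(LOGINS, "anon-account@example.com", GUESTS_BY_IP))
```

With this sample data the candidate count falls from four to two to one across three logins, and a single login to a second account from one of the same addresses ties the two accounts together.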

While the details of this investigation that have leaked thus far provide us all a fascinating glimpse into the usually sensitive methods used by FBI agents, this should also serve as a warning, by demonstrating the extent to which the government can pierce the veil of communications anonymity without ever having to obtain a search warrant or other court order from a neutral judge.

The guest lists from hotels, IP login records, as well as the creative request to email providers for “information about other accounts that have logged in from this IP address” are all forms of data that the government can obtain with a subpoena. There is no independent review, no check against abuse, and further, the target of the subpoena will often never learn that the government obtained data (unless charges are filed, or, as in this particular case, government officials eagerly leak details of the investigation to the press). Unfortunately, our existing surveillance laws really only protect the “what” being communicated; the government’s powers to determine “who” communicated remain largely unchecked.

Digital “dead drops” don’t protect you from government surveillance

For more than a decade, a persistent myth in Washington DC, fueled by several counterterrorism experts, has been that it is possible to hide a communications trail by sharing an email inbox, and instead saving emails in a “draft” folder. This technique has been used by Khaled Sheikh Mohammed, Richard Reid (the shoe bomber), the 2004 Madrid train bombers, terrorists in Germany, as well as some domestic “eco-terrorists.” This technique has appeared in federal court documents as early as 2003, and was described in a law journal article written by a DOJ official in 2004. It is hardly a state secret.

Apparently, this method was also used by General Petraeus. According to the Associated Press, “[r]ather than transmitting emails to the other's inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder or in an electronic ‘dropbox,’ the official said. Then the other person could log onto the same account and read the draft emails there. This avoids creating an email trail that is easier to trace.”

The problem is, like so many other digital security methods employed by terrorists, it doesn’t work. Emails saved in a draft folder are stored just like emails in any other folder in a cloud service, and further, the providers can be compelled, prospectively, to save copies of everything (so that deleting the messages after reading them won’t actually stop investigators from getting a copy).

Ironically enough, by storing emails in a draft folder, rather than an inbox, individuals may be making it even easier for the government to intercept their communications. This is because the Department of Justice has argued that emails in the “draft” or “sent mail” folder are not in “electronic storage” (as defined by the Stored Communications Act), and thus not deserving of warrant protection. Instead, the government has argued it should be able to get such messages with a mere subpoena.

I hope that this scandal will finally kill off this inaccurate myth about hiding emails from the government. General Petraeus should have known better—placing documents in an email “drafts” folder is not an effective way to hide things from the government. It wasn’t 10 years ago, and it certainly isn’t anymore.

More broadly, this scandal centers around email, and it’s a reminder that the legal protections for email fall far short of what they should be. We need to modernize our privacy laws—for example by passing the proposal that is now before the Senate Judiciary Committee—and we need protections that cover metadata of the kind that was apparently so central in this scandal.


Anonymous

P*R*I*V*A*C*Y

Anonymous

privacy

Marcel

If the law does not protect us, we have to protect ourselves. How?
Do:
- use encryption to send/store information (use GPG, Truecrypt)
- use Tor (preferred) or a VPN to hide your location
- set up your own mail server (use old laptop + Linux + mailserver)
- support ACLU and EFF

Don't:
- use webmail or communication services such as Google, Hotmail, Facebook, Twitter since they are easily persuaded by people flashing badges to hand over all your personal info

Jon Matonis

Chris,

Great article. True, the 'what' is protected more than the 'who' but only slightly more so and why depend on surveillance laws being adhered to in the first place? That seems like misplaced trust.

As an additional precaution, email encryption can protect the 'what' from 'preservation orders' and data retention policies provided that you aren't subsequently tricked into revealing your password (via Java applet spoofing for web-based) or giving up access to your PGP private key (via keyloggers, cameras used against point-to-point).

Secure Communic...

The FBI Headquarters building in Washington, D.C. is named after J. Edgar Hoover. His legacy is alive and sick in the bureau today.

Some people react to the sight of FBI credentials as if they were some form of Jedi mind trick. Agents are often given access to private records without any subpoena or "letter" being necessary. After all, how could a true patriot refuse the FBI?

To be fair, we must understand that in many cases improper requests are not a result of bureau policy. They result from the actions of an individual agent who is either lazy, self-important, or possessed by a "snoops" mentality that overrides regulations, procedures or common decency.

The FBI over the years has attracted individuals with bizarre notions of what is "right or wrong." Their personal political beliefs dictate their actions and they do not hesitate to ignore the law in their zealous pursuit of citizens they don't think are 100% American.

The FBI is embarrassed by the Petraeus fiasco. They are being blamed for taking down the CIA Director and ruining a brilliant career. When the FBI is attacked, they retaliate quickly. I would not want to be Ms. Broadwell right now. The FBI is going to shift the blame to somebody and she looks like she is in the cross-hairs. Hoover would have mixed emotions over the sight of agents carrying boxes of records and computers out of Ms. Broadwell's home. He would love the boxes of personal belongings but he would not love seeing agents in blue jeans and sneakers.

Ariel

Great read. When the WSJ article mentions that they were "monitoring" the accounts, it isn't clear to me how much access the government had. Specifically, did the government have access to the actual drafts saved in the shared Gmail account used by Petraeus and Broadwell? Otherwise, how did the government make the link to Petraeus if they only had the Gmail account name and a list of IP addresses used to access it? How much information does the subpoena reveal?

R Elliott

It should be clarified that this scenario has nothing to do with e-mail per se, but instead relates to any data stored on a Google (or other vendor) server and accessed via the Web. As such, Google Docs and "cloud" business data (including customer, financial, and medical records) are just as exposed and just as much a "dead drop" as an e-mail drafts folder. The ramifications of "cloud" data searched for one purpose cascading into hundreds or thousands of adjacent unrelated records is a vastly greater danger.

Anonymous

I think someone should go after the FBI for broadcasting people's private lives all over the media, using privileged information gathered during an investigation to humiliate not only those being investigated, but also their families and friends!!! Yes, investigate that there were no crimes or leaks as that is what keeps us safe, but what we are seeing today has gone beyond the most extreme lack of professionalism, it is making a mockery of our rights to privacy.
The FBI had a very clear mission- to find out if there was a breach of national security, not produce episode after episode of "entertainment tonight" using privileged information- this turned into a massive slander using people's real lives as 'entertainment'!! When was it acceptable for the FBI to broadcast every detail of an on-going investigation (as is with Gen Allen) or disclose personal private information gained using privileges given to the agency only to protect us, in a case that has been closed where it was deemed that no crime has been committed (as in the Petraeus case)?? What does this mean to the rest of us?
One of the consequences of this fiasco, in addition to stepping all over our rights as Americans, is that it is forcing anyone with a brain to not go to the FBI when being harassed, meaning, in the long run, to end the problem, they would have to take the law into their own hands.
I will also point out that the FBI has failed time and time again to identify those who are leaking highly classified information to the press in what could very well be called treason over the past 4 years (I don't belong to either party, but the FBI never identified exactly who told the Pakistanis about the doctor that helped us get Bin Ladin for instance? or the double agent who infiltrated Al-Qaida in Yemen? among other top secret classified information to the press, aiding our enemies.)
If someone does not put a stop to this ASAP, or if the FBI can't control their people, there should be very significant legal consequences for these buffoons to face, as they are beyond "out of line" and have overstepped their boundaries so far, they have gone off the edge of a cliff, as have everyone involved in this case's civil rights!
Last, how quickly do we give lip service "supporting our troops" to feel good about ourselves, but can't wait to drag them and their families through the muck, disregarding their years (that are probably factors in this mess in the first place) fighting for the horrific wars our elected officials decided to throw us in. Gen Petraeus fixed an impossible situation in Iraq that is a direct result of our broken policies, and Gen Allen is IN Afghanistan right now, trying to keep as many Americans and Afghans alive until we can get out. Will anyone have a shred of respect for their sacrifices, even if they might be human and make mistakes like the rest of us? Just some food for the thought.

Anonymous

Watch the video on Google or Bing or YouTube, "invisible military gear," the one that has the Army tank, and go from there; you will see how our world is screwed!

Anonymous

"Ironically enough, by storing emails in a draft folder, rather than an inbox, individuals may be making it even easier for the government to intercept their communications. This is because the Department of Justice has argued that emails in the “draft” or “sent mail” folder are not in “electronic storage” (as defined by the Stored Communications Act), and thus not deserving of warrant protection. Instead, the government has argued it should be able to get such messages with a mere subpoena."

When did the Department of Justice make this argument? Can you provide more information or a cite? Thank you.
