
Surveillance and Security Lessons From the Petraeus Scandal

Chris Soghoian,
Principal Technologist and Senior Policy Analyst,
ACLU Speech, Privacy, and Technology Project
November 13, 2012

When the CIA director cannot hide his activities online, what hope is there for the rest of us? In the unfolding sex scandal that has led to the resignation of David Petraeus, the FBI’s electronic surveillance and tracking of Petraeus and his mistress Paula Broadwell is more than a side show—it's a key component of the story. More importantly, there are enough interesting tidbits (some of which change by the hour, as new details are leaked), to make this story an excellent lesson on the government’s surveillance powers—as well as a reminder of the need to those powers.

Metadata is king

Ms. Broadwell apparently attempted to shield her identity by using anonymous email accounts. However, it appears that her efforts were thwarted by sloppy operational security and the data retention practices of the companies to whom she entrusted her private data.

The New York Times “[b]ecause the sender’s account had been registered anonymously, investigators had to use forensic techniques—including a check of what other e-mail accounts had been accessed from the same computer address—to identify who was writing the e-mails.”

Webmail providers like Google, Yahoo and Microsoft retain login records (typically for more than a year) that reveal the particular IP addresses a consumer has logged in from. Although these records reveal sensitive information, including geo-location data associated with the target, US law currently permits law enforcement agencies to obtain these records with a mere subpoena—no judge required.

Although Ms. Broadwell took steps to disassociate herself from at least one particular email account, by logging into other email accounts from the same computer (and IP address), she created a data trail that agents were able to use to link the accounts.

The Wall Street Journal similarly “agents spent weeks piecing together who may have sent [the emails]. They used metadata footprints left by the emails to determine what locations they were sent from. They matched the places, including hotels, where Ms. Broadwell was during the times the emails were sent.” NBC , revealing that “it took agents a while to figure out the source. They did that by finding out where the messages were sent from—which cities, which Wi-Fi locations in hotels. That gave them names, which they then checked against guest lists from other cities and hotels, looking for common names.”

Based on these reports, it seems that Ms. Broadwell did at least avoid the common mistake of sending sensitive emails from her residential Internet connection. However, she did not, it seems, take affirmative steps to shield her IP address (such as by using Tor or a privacy-preserving VPN service). Instead, she apparently logged in to her email accounts from public WiFi networks, such as those in hotels. Had she sent just one email, she might have been able to at least maintain plausible deniability. However, each new hotel (and associated IP login record) reduced the anonymity set of potential suspects. By the second or third hotel, it is likely that the list of intersecting names from the various guest lists contained just a single name: Ms. Broadwell’s.
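The shrinking anonymity set described above, as an added illustration that is not part of the original article: each login from a hotel network is intersected with that hotel's guest register for the same date. All guest labels, hotels, dates and function names are constructed for this example.

```python
from datetime import date
from math import log2

# Constructed guest registers: venue -> [(guest, check-in, check-out)].
STAYS = {
    "hotel-a": [("guest-01", date(2012, 5, 1), date(2012, 5, 4)),
                ("guest-02", date(2012, 5, 2), date(2012, 5, 3)),
                ("guest-03", date(2012, 5, 1), date(2012, 5, 3)),
                ("guest-04", date(2012, 5, 2), date(2012, 5, 5)),
                ("guest-05", date(2012, 4, 30), date(2012, 5, 2)),
                ("guest-06", date(2012, 5, 10), date(2012, 5, 12))],
    "hotel-b": [("guest-01", date(2012, 6, 1), date(2012, 6, 3)),
                ("guest-03", date(2012, 6, 14), date(2012, 6, 16)),
                ("guest-05", date(2012, 6, 14), date(2012, 6, 17)),
                ("guest-07", date(2012, 6, 15), date(2012, 6, 16)),
                ("guest-08", date(2012, 6, 13), date(2012, 6, 15))],
    "hotel-c": [("guest-03", date(2012, 7, 19), date(2012, 7, 21)),
                ("guest-09", date(2012, 7, 20), date(2012, 7, 22))],
}

# Constructed login records for one webmail account:
# (login date, venue whose network owns the source IP).
LOGINS = [(date(2012, 5, 2), "hotel-a"),
          (date(2012, 6, 15), "hotel-b"),
          (date(2012, 7, 20), "hotel-c")]


def guests_present(venue, day):
    """Guests registered at the venue on the day of the login."""
    return {g for g, cin, cout in STAYS[venue] if cin <= day <= cout}


def anonymity_history(logins):
    """Return [(venue, remaining candidates, bits of anonymity)] per login."""
    candidates, history = None, []
    for day, venue in logins:
        present = guests_present(venue, day)
        # The first login defines the set; each later one intersects it.
        candidates = present if candidates is None else candidates & present
        bits = log2(len(candidates)) if candidates else 0.0
        history.append((venue, sorted(candidates), bits))
    return history


if __name__ == "__main__":
    for venue, names, bits in anonymity_history(LOGINS):
        print(f"{venue}: {len(names)} candidate(s), {bits:.2f} bits -> {names}")
```

With this sample data the set drops from five candidates to two to one, which is why a single login leaves deniability and a third does not.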

While the details of this investigation that have leaked thus far provide us all a fascinating glimpse into the usually sensitive methods used by FBI agents, this should also serve as a warning, by demonstrating the extent to which the government can pierce the veil of communications anonymity without ever having to obtain a search warrant or other court order from a neutral judge.

The guest lists from hotels, IP login records, as well as the creative request to email providers for “information about other accounts that have logged in from this IP address” are all forms of data that the government can obtain with a subpoena. There is no independent review, no check against abuse, and further, the target of the subpoena will often never learn that the government obtained data (unless charges are filed, or, as in this particular case, government officials eagerly leak details of the investigation to the press). Unfortunately, our existing surveillance laws really only protect the “what” being communicated; the government’s powers to determine “who” communicated remain largely unchecked.

Digital “dead drops” don’t protect you from government surveillance

For more than a decade, a persistent myth in Washington DC, fueled by several counterterrorism experts, has been that it is possible to hide a communications trail by sharing an email inbox, and instead saving emails in a “draft” folder. This technique has been used by , (the shoe bomber), the 2004 , terrorists , as well as some domestic “.” This technique has appeared in as early as 2003, and was described in a written by a DOJ official in 2004. It is hardly a state secret.

Apparently, this method was also used by General Petraeus. the Associated Press, “[r]ather than transmitting emails to the other's inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder or in an electronic ‘dropbox,’ the official said. Then the other person could log onto the same account and read the draft emails there. This avoids creating an email trail that is easier to trace.”

The problem is, like so many other employed by terrorists, it doesn’t work. Emails saved in a draft folder are stored just like emails in any other folder in a cloud service, and further, the providers can be , prospectively, to save copies of everything (so that deleting the messages after reading them won’t actually stop investigators from getting a copy).

Ironically enough, by storing emails in a draft folder, rather than an inbox, individuals may be making it even easier for the government to intercept their communications. This is because the Department of Justice that emails in the “draft” or “sent mail” folder are not in “electronic storage” (as defined by the Stored Communications Act), and thus not deserving of warrant protection. Instead, the government has argued it should be able to get such messages with a mere subpoena.

I hope that this scandal will finally kill off this inaccurate myth about hiding emails from the government. General Petraeus should have known better—placing documents in an email “drafts” folder is not an effective way to hide things from the government. It wasn’t 10 years ago, and it certainly isn’t anymore.

More broadly, this scandal centers around email, and it’s a reminder that the legal protections for email fall far short of what they should be. We need to modernize our privacy laws—for example by that is now before the Senate Judiciary Committee—and we need protections that cover metadata of the kind that was apparently so central in this scandal.
