Petraeus Affair Teaches Us About Online Surveillance

Tom Simonite

The FBI methods used to reveal the CIA director's affair are relevant to all Web users.

When the FBI started investigating harassing emails sent to a resident of Tampa Bay that organized parties for a local Air Force base, it soon became a much broader investigation that led to the uncovering of an affair between CIA director David Petraeus and his biographer Paula Broadwell. Now reports of how the FBI uncovered a series of online email accounts and figured out who was using them have revealed things about digital surveillance that will surprise many Web users, and even tidbits that have impressed experts. Here are five things we’ve learned so far:

• No judge-issued warrant is needed for authorities to ask a company for your emails or other electronic communication records that are six months old or more. That’s thanks to the 1986 Electronic Communications Privacy Act, which says that a federal prosecutor’s subpoena is enough. Privacy activists have long campaigned for this to change. Leading civil liberties lawyer Kevin Bankston today suggested the Petraeus affair could help those efforts by raising awareness of the current law.
• Communicating by saving draft emails in an online account for someone else to log in and see – as Petraeus and Broadwell did – doesn’t help escape surveillance. This tactic long-used by activists and terrorists, including “shoe bomber” Richard Reid in 2001, prevents emails lodging in personal accounts and other places. But the FBI or law enforcement can easily ask a provider to reveal the IP addresses people used to log into an account. Those IP addresses can be matched to physical locations, and to people's known addresses and movements.
• IP addresses can be used to pinpoint people very precisely, providing a crucial match between online and offline life. The WSJ reports that the FBI figured out it was Broadwell operating pseudonymous email accounts by matching IP addresses from emails they sent to particular hotels. Those matched with particular hotels and the dates she stayed in them on a book tour.
• Yahoo Mail and Microsoft’s Outlook make it extra easy for investigators to find out the IP address an email originated from – and hence where an email was sent from. When emails are sent extra data goes along with them known as “headers” containing technical data. In the case of Yahoo Mail and Outlook that includes the IP address of the connection used to send an email, so investigators don't need to subpoena a mail provider to trace its origin. It’s not known if Broadwell used Yahoo accounts in the events surrounding the Petraeus affair, but she’s known to have used the service before thanks to leaks by nebulous activist group Anonymous of account information from defense contractor Stratfor.

• Email and other services hosted online make life relatively easy for investigators. Google and other online providers have legitimate reasons to log which IP addresses log into accounts and when, for example to detect hacking attempts and keep their software running smoothly. But that data hangs around, and investigators aren't shy about asking for it. Google today published new figures on government requests for its data that show U.S. authorities tapped the company 26 percent more in the first half of 2012 than they did in the second half of 2011, a total of 7969 requests of which 90 percent were complied with.