“Hell has no wrath like a woman scorned.” The saying took on a new
meaning, with wrath being the source of the “Petraeus-gate” that started
when a general’s mistress believed he was cheating on her.
The fact that Jill Kelley, a friend of the Petraeus family, received
what she felt were threatening emails was apparently enough to bring the
FBI into the case, prodded along by an agent-friend of the recipient.
The FBI started the investigation under the authority of the 1986
United States Electronic Communications Privacy Act (ECPA). The act
allows for “government entities” to acquire a warrant to access email
records less than 180 days old “if there is reasonable cause to believe a
crime has been committed.” For email older than six months, a federal
agency only needs to get a subpoena signed by a federal prosecutor, not a
judge, to obtain the messages.
Because of the wording of the law, Americans have fewer privacy
protections for their emails than they would for those same
messages if they were printed out and stuck in a drawer.
In the eyes of the law, email kept on an individual’s hard drive in
their home computer has the same protection as one’s personal papers,
which require a search warrant. Emails stored on a remote server “in the
cloud” do not have the same protection.
The writers of the law also did not envision the cloud. Email stored
in the cloud has the same legal protection as documents in a public
warehouse: the government can obtain them with a simple subpoena; no
court procedure is required.
To make things really confusing, the government’s interpretation of
the ECPA was rejected by the Ninth Circuit Court of Appeals, the federal
appellate court that covers the western United States, including
California, and the home to many online email companies and the servers
that host their messages. As a result, the DOJ advises “Agents outside
of the Ninth Circuit can therefore obtain such email (and other stored
electronic or wire communications in ‘electronic storage’ more than 180
days) using a subpoena…” but reminds agents in the Ninth Circuit to get a
warrant.
Cloud email services use the power of many different servers across
the Internet. The email does not reside in one place. Mail services such as
those offered by Google (Gmail) will store email messages (from your
inbox, draft, and deleted folders) long after you have forgotten them.
The FBI and other investigating agencies routinely gain access to electronic
inboxes and information about email accounts offered by Google and
other Internet mail providers.
The Associated Press and The Wall Street Journal report that Jill
Kelley contacted the FBI about “five to ten” anonymous emails that
started in May and reportedly warned Kelley to “stay away” from an
unnamed man. In the resulting investigation, the FBI discovered an
electronic paper trail that eventually led to an “anonymous” account that was
used by Paula Broadwell and her husband.
In examining this and other accounts, agents uncovered sexually
explicit emails that Broadwell exchanged with another party who also
used what has been reported to be a Gmail account. Eventually,
investigators were able to determine that the other party was CIA
Director David Petraeus using an assumed name.
While it hasn’t been specified exactly how the FBI was able to track
the emails back to Broadwell, anyone with knowledge of how email works
can make an intelligent assessment.
Petraeus and Broadwell used anonymous accounts with fake names that
they set up for the purpose of their illicit affair. While they knew
enough to cover some of their tracks, they weren’t sophisticated enough
to take sufficient steps to completely protect their identity.
There are some services, such as the Tor Project, that can hinder
tracing attempts. Other services such as Hotspot Shield and LogMeIn Hamachi
can create a virtual private network to help preserve privacy. But these
systems are not foolproof. Many of these services still use U.S.-based
servers that may have logs that can be read by investigating agencies or
hackers.
Any email message that is sent leaves a trail. Many email services
add hidden codes called “metadata” that contain the IP address
of the sender’s Internet connection device, called a “router.”
Other services, such as Gmail, will only include the IP address and
Internet name of the servers that pass along the email.
The FBI spent weeks tracing the route these messages took. The FBI
cross-referenced the IP addresses of the email’s origins against hotel
guest lists, looking for common names. The messages were traced back not
only to the Broadwell home, but also to the hotels where she was
staying while sending some of the messages. (The travel patterns
revealed by the emails coincided with her travel to promote her
biography of Petraeus.)
The FBI could also request email data from the email service without
the knowledge of the user. In fact, the email service is prohibited by
law from notifying the user that the records were accessed.
Google is routinely approached by investigating agencies for email information. In fact, they issue what they call a “Transparency Report”
every six months, to provide users with statistics about government
requests for data and takedowns. For the period of January to June 2012,
Google fulfilled 35,000 government requests for email information,
16,000 from the United States alone. How many of these requests were
accompanied by a warrant is never disclosed.
Armed with the metadata and information from the email service, the
FBI now had Broadwell’s name and in the course of the investigation
uncovered another disturbing element, the possibility that classified
information was being sent to Broadwell, who is also a reporter.
Federal prosecutors now had the probable cause they needed to request
a warrant to monitor Broadwell’s other email accounts. Through this
warrant they were able to determine that Broadwell and another person
had set up a private email account to exchange messages.
A little more digging uncovered the fact that the anonymous person Broadwell was communicating with was Petraeus.
(In a bizarre twist, another Army general, John Allen, the U.S.
commander in Afghanistan, was also caught up in the investigation, being
suspected of exchanging 20,000 to 30,000 pages of potentially
inappropriate communications with Jill Kelley, the woman who sparked the
investigation in the first place.)
The investigators also discovered that Broadwell and Petraeus had
used a technique that is common among terrorist organizations and
organized crime. They used the oft-neglected draft folder.
In this technique, one person will write a message and rather than
send the message, they will save it to their draft folder. The other
person will then log into the account, usually through a web browser and
read the message in the folder.
Ironically, storing emails in a draft folder, rather than an inbox,
may make it easier for the government to intercept their communications.
This is because the Department of Justice has argued that emails in the
“draft” or “sent mail” folder are not in “electronic storage” (as
defined by the Stored Communications Act), and thus not deserving of
warrant protection. Instead, the government has argued it should be able
to get such messages with just a subpoena rather than a warrant.
Some of the techniques the FBI used to track down Broadwell, Gen.
Petraeus and later, Gen. Allen can also be utilized by any computer
user.
For example, for a Gmail account, a person can see this metadata by doing the following:
- Log into the Gmail account and open a message.
- In the upper right corner of the message, next to the “reply” button, click on the “down” button.
- Then click on the “Show original” selection.
- A new window will open showing all the data that was hidden in the message.
A guide is available to download that will give instructions for looking at metadata for 19 different types of email accounts.
With this metadata, the IP address of the sender can be determined, and
an IP address locator such as WhatIsMyIPAddress can then be used
to find out the ISP where the email account is registered as well as
its geographic location. This is good information to have if a computer
user is getting attacked by multiple spam messages coming from one
sender.
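The header reading described in the steps above, as an added Python example that is not part of the original article: it parses the raw text shown by “Show original”, reads the `Received` chain from origin to destination, and reports the earliest public IP address. Both sample messages are constructed; their hostnames and documentation-range addresses are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed samples: one service records the sender's address, one only its servers.
SENDER_IP_EXPOSED = """\
Received: from mx.example.net (mx.example.net [198.51.100.7]) by inbox.example.org; Mon, 5 Nov 2012 10:00:02 -0500
Received: from [192.168.1.20] (host.example.com [203.0.113.45]) by mx.example.net; Mon, 5 Nov 2012 10:00:01 -0500
X-Originating-IP: [203.0.113.45]
"""
SERVER_IPS_ONLY = """\
Received: from mail-out.example.com (mail-out.example.com [198.51.100.25]) by inbox.example.org; Mon, 5 Nov 2012 10:00:02 -0500
Received: by 10.0.0.5 with HTTP; Mon, 5 Nov 2012 10:00:01 -0500
"""

# Non-routable ranges to skip. Documentation ranges are deliberately not listed,
# so the constructed samples above behave like public addresses.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def bracketed_ips(value):
    """Return valid IPv4 addresses written as [a.b.c.d] in a header value."""
    found = []
    for text in BRACKETED_IP.findall(value or ""):
        try:
            found.append(ipaddress.ip_address(text))
        except ValueError:
            pass  # looks like an address but is not one, e.g. [999.1.1.1]
    return found

def trace(raw):
    """Summarise the relay path recorded in a raw message."""
    msg = message_from_string(raw)
    # Each relay prepends its own Received line, so reverse to read origin first.
    hops = [bracketed_ips(h) for h in reversed(msg.get_all("Received", []))]
    declared = bracketed_ips(msg.get("X-Originating-IP"))
    public = [str(ip) for hop in hops for ip in hop
              if not any(ip in net for net in INTERNAL)]
    return {
        "hops": [[str(ip) for ip in hop] for hop in hops],
        "declared_origin": str(declared[0]) if declared else None,
        "earliest_public": public[0] if public else None,
    }

if __name__ == "__main__":
    for sample in (SENDER_IP_EXPOSED, SERVER_IPS_ONLY):
        print(trace(sample))
```

`Received` lines below the first server you trust were written by upstream systems and can be forged, so `earliest_public` is a lead to corroborate against provider records, not proof of origin.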
It is also interesting to look up your own email address to see what information is available on you.
So far, the results of the investigation are varied: the
distinguished military careers of two long-serving servicemen are
effectively ended, three marriages damaged, perhaps irreparably, and the
insecurity of our electronic communication has been exposed.
Congress is supposed to be looking into the antiquated communications
law, but don’t hold your breath. The Justice Department has warned that
updating that telephone-modem-era law would have an “adverse impact” on
investigations. The White House, for its part, does not seem to be in a
hurry to secure an individual’s rights against having their privacy
violated.
Interestingly, in congressional testimony, James A. Baker, associate
deputy attorney general for the Department of Justice, has suggested
that people’s online privacy is enhanced if the government has easier
access to private data. “By authorizing law enforcement officers to
obtain evidence from communications providers, ECPA enables the
government to investigate and prosecute hackers, identity thieves, and
other online criminals. Pursuant to ECPA, the government obtains
evidence critical to prosecuting these privacy-related crimes.”
Sen. Patrick Leahy, D-Vt., said, “With the explosion of cloud
computing, social networking sites, and other new technologies,
determining how best to bring this privacy law into the digital age will
be one of Congress’s greatest challenges.”
That email invisibility cloak many Americans think they have is full of holes.
--------------------------------
* Steve Elwart, P.E.,
Ph.D., is the executive research analyst with the Koinonia Institute and
a subject matter expert for the Department of Homeland Security.