What Petraeus affair reveals about your emails

WND/ Steve Elwart*

gawker.com

“Hell has no wrath like a woman scorned.” The saying took on a new meaning, with wrath being source of the “Petraeus-gate” that started when a general’s mistress believed he was cheating her.

The fact that Jill Kelley, a friend of the Petraeus family, received what she felt were threatening emails was apparently enough to bring the FBI into the case, prodded along by an agent-friend of the recipient.

The FBI started the investigation under the authority of the 1986 United States Electronic Communications Privacy Act (ECPA). The act allows for “government entities” to acquire a warrant to access email records less than 180 days old “if there is reasonable cause to believe a crime has been committed.” For email older than six months, a federal agency only needs to get a subpoena signed by a federal prosecutor, not a judge, to obtain the messages.

Because of the wording of the law, Americans have fewer privacy protections for their electronic emails than would for those same messages than if they were printed out and stuck in a drawer.

In the eyes of the law, email kept on an individual’s hard drive in their home computer has the same protection as one’s personal papers, which require a search warrant. Emails stored on a remote server “in the cloud” do not have the same protection.

The writers of the law also did not envision the cloud. Email stored in the cloud has the same legal protection as documents in a public warehouse: the government can obtain them with a simple subpoena; no court procedure is required.

To make things really confusing, the government’s interpretation of the ECPA was rejected by the Ninth Circuit Court of Appeals, the federal appellate court that covers the western United States, including California, and the home to many online email companies and the servers that host their messages. As a result, the DOJ advises “Agents outside of the Ninth Circuit can therefore obtain such email (and other stored electronic or wire communications in ‘electronic storage’ more than 180 days) using a subpoena…” but reminds agents in the Ninth Circuit to get a warrant.

Cloud email servers use the power of many different servers across the Internet. It does not reside in one place. Mail services such as those offered by Google (gmail) will store email messages (from your inbox, draft, and deleted folders) long after you have forgotten them. FBI and other investigating agencies routinely gain access to electronic inboxes and information about email accounts offered by Google, and other Internet mail providers.

The Associated Press and The Wall Street Journal report that Jill Kelley contacted the FBI about “five to ten” anonymous emails that started in May and reportedly warned Kelley to “stay away” from an unnamed man. In the resulting investigation, the FBI discovered electronic paper trail eventually led to an “anonymous” account that was used by Paula Broadwell and her husband.

In examining this and other accounts, agents uncovered sexually explicit emails that Broadwell exchanged with another party who also used what has been reported to be a Gmail account. Eventually, investigators were able to determine that the other party was CIA Director David Petraeus using an assumed name.

While it hasn’t been specified exactly how the FBI were able to track the emails back to Broadwell, anyone with knowledge of how email works can make an intelligent assessment.

Petraeus and Broadwell used anonymous accounts with fake names that they set up for the purpose of their illicit affair. While they knew enough to cover some of their tracks, they weren’t sophisticated enough to take sufficient steps to completely protect their identity.

There are some services, such as Tor Project that can hinder tracing attempts. Other services such as Hotspot Shield and LogMeIn Hamachi can create a virtual private network to help preserve privacy. But this system is not fool-proof. Many of these services still use U.S. based servers that may have logs that can be read by investigating agencies or hackers.

Any email messages that are sent leave a trail. Many email services contain hidden codes called “metadata” that will contain the IP address of the sender’s computer’s internet connection device called a “router.” Other services, such as Gmail, will only include the IP address and Internet name of the servers that pass along the email.

The FBI spent weeks tracing the route these messages took. The FBI cross-referenced the IP addresses of the email’s origins against hotel guest lists, looking for common names. The messages were traced back not only to the Broadwell home, but also to the hotels where she was staying while sending some of the messages. (The travel patterns revealed by the emails coincided with her travel to promote her biography of Petraeus.)

The FBI could also request email data from the email service without the knowledge of the user. In fact, the email service is prohibited by law in notifying the user that the records were accessed.

Google is routinely approached by investigating agencies for email information. In fact, they issue what they call a “Transparency Report” every six months, to provide users with statistics about government requests for data and takedowns. For the period of January to June 2012, Google fulfilled 35,000 government requests for email information, 16,000 from the United States alone. How many of these requests were accompanied by a warrant is never disclosed.

Armed with the metadata and information from the email service, the FBI now had Broadwell’s name and in the course of the investigation uncovered another disturbing element, the possibility that classified information was being sent to Broadwell, who is also a reporter.

Federal prosecutors now had the probable cause they needed to request a warrant to monitor Broadwell’s other email accounts. Through this warrant they were able to determine that Broadwell and another person had set up a private email account to exchange messages.

A little more digging uncovered that fact that anonymous person Broadwell was communicating with was Petraeus.

(In a bizarre twist, another Army general, John Allen, the U.S. commander in Afghanistan, was also caught up in the investigation, being suspected of exchanging 20,000 to 30,000 pages of potentially inappropriate communications with Jill Kelley, the woman who sparked the investigation in the first place.)

The investigators also discovered that Broadwell and Petraeus had used a technique that is common among terrorist organizations and organized crime. They used the oft-neglected draft folder.

In this technique, one person will write a message and rather than send the message, they will save it to their draft folder. The other person will then log into the account, usually through a web browser and read the message in the folder.

Ironically, storing emails in a draft folder, rather than an inbox, may make it easier for the government to intercept their communications. This is because the Department of Justice has argued that emails in the “draft” or “sent mail” folder are not in “electronic storage” (as defined by the Stored Communications Act), and thus not deserving of warrant protection. Instead, the government has argued it should be able to get such messages with just subpoena rather than a warrant.

Some of the techniques the FBI user to track down Broadwell, Gen. Petraeus and later, Gen. Allen can also be utilized by any computer user.

For example, for a Gmail account, a person can see this metadata by doing the following:

1. Log into the Gmail account and open a message.
2. In the upper right corner of the message, next to the “reply” button, click on the “down” button.
3. Then click on the “Show original” selection.
4. A new window will open showing all the data that was hidden in the message.

A guide is available to download that will give instructions for looking at metadata for 19 different type of email accounts.

With this metadata, the IP address of the sender can be determined and then use an IP address locator such as WhatIsMyIPAddress to find out the ISP where the email account is registered as well as its geographic location. This is good information to have if a computer user is getting attacked by multiple spam messages coming from one sender.

It is also interesting to look up your own email address to see what information is available on you.

So far, the results of the investigation are varied: the distinguished military careers of two long-serving servicemen are effectively ended, three marriages damaged, perhaps irreparably, and the insecurity of our electronic communication has been exposed.

Congress is supposed to be looking into the antiquated communications law, but don’t hold your breath. The Justice Department has warned that updating that telephone-modem-era law would have an “adverse impact” on investigations. The White House, for its part, does not seem to be in a hurry to secure an individual’s rights against having their privacy violated.

Interestingly, in congressional testimony, James A. Baker, associate deputy attorney general for the Department of Justice, has suggested that people’s online privacy is enhanced if the government has easier access to private data. “By authorizing law enforcement officers to obtain evidence from communications providers, ECPA enables the government to investigate and prosecute hackers, identity thieves, and other online criminals. Pursuant to ECPA, the government obtains evidence critical to prosecuting these privacy-related crimes.”

Sen. Patrick Leahy, D-Vt., said, “With the explosion of cloud computing, social networking sites, and other new technologies, determining how best to bring this privacy law into the digital age will be one of Congress’s greatest challenges.”

That email invisibility cloak many Americans think they have is full of holes.

--------------------------------

* Steve Elwart, P.E., Ph.D., is the executive research analyst with the Koinonia Institute and a subject matter expert for the Department of Homeland Security.