Risk
11/16/2012
02:44 PM
Petraeus Snoop: 7 Privacy Facts

Investigation of former CIA director Petraeus introduces some tough privacy questions. The good news: it could lead to tighter protections for everyone.

4. ECPA Amendments Proposed, Again

Improved privacy protections, however, may be on the way. On Thursday, the Senate Judiciary Committee announced that on November 29 it plans to vote on amendments to ECPA proposed in September by the committee's chairman, Sen. Patrick Leahy (D-Vt.), who was also the lead Senate author of the original bill, enacted in 1986. As with a search of a car or house, Leahy's ECPA amendments would require the government to obtain a probable cause warrant before it could access any email stored in the cloud.

"The legislation will make commonsense changes to existing law to improve privacy protections for consumers' electronic communications, and clarifies the legal standards for the government to obtain this information," read a statement released by Leahy.

Right now, ECPA doesn't always require a probable cause warrant to force service providers to turn over the contents of users' private emails, instant messages, and social networking messages, according to EFF's analysis of Leahy's proposals, which it has endorsed. "Nor does the government need a warrant if an email message is older than 180 days. This low threshold to electronic messages is in stark contrast to the Fourth Amendment protections for physical letters."

5. Email Privacy Protections Expire After 180 Days

Remember the innovative Gmail archive feature, through which no email need ever be deleted? Turns out it's a smorgasbord for any law enforcement agencies that are conducting surveillance. That's because the Justice Department currently maintains that any emails that have been read by the receiver and left in a mailbox -- for example, on Gmail or Hotmail -- as well as saved drafts or copies of sent messages, and emails that are more than 180 days old, aren't covered by the Stored Communications Act.

But wait, there's more: "The government's view of the law was rejected by the Ninth Circuit Court of Appeals, the federal appellate court that covers the western United States, including California, and the home to many online email companies and the servers that host their messages." As a result, the Department of Justice has instructed any investigators accessing emails that are older than 180 days, without a subpoena, to make sure they do so outside of the jurisdiction of the Ninth Circuit Court of Appeals.

6. Email "Minimization" Requirements Vague

Another privacy issue is that once investigators access an email account, they can review any of the messages they find. "The government is required to 'minimize' its collection of some electronic information," said EFF -- for example, when conducting wiretaps. "But when it comes to email, such minimization requirements aren't as strong. The DOJ Manual suggests that agents 'exercise great caution' and 'avoid unwarranted intrusions into private areas,' when searching email on ISPs but is short on specifics."

7. Incident Could Happen All Over Again

Did the Petraeus investigation break any laws? Apparently not, and that fact -- as well as the prospect that the FBI could similarly investigate anyone on what seems to be the flimsiest of pretexts -- has privacy advocates demanding that Congress finally extend the nation's privacy laws to cover people's personal electronic communications. As noted in the EFF email privacy primer, "If we learn nothing else from the Petraeus scandal, it should be that our private digital lives can become all too public when over-eager federal agents aren't held to rigorous legal standards."


Comments
Dean S,
User Rank: Apprentice
11/19/2012 | 12:56:23 PM
re: Petraeus Snoop: 7 Privacy Facts
The head of the CIA does not have email privacy issues. As a member of the CIA, they are contractually and lawfully spied upon as part of their job. The CIA must and will investigate any and all infractions of policy, to include reviewing all personal communication. The FBI conducts these investigations and only need notify the court dealing with intelligence that it will do so, as the CIA employee has already signed away privacy rights by contract. This is not a privacy issue. It is a national security issue.

Mrs. Broadwell had classified information on a personal computer and the whereabouts of information on that computer is now the real question unmentioned in the press. Yes, she had clearance. So what? She has been briefed annually to handle classified material properly and she deliberately failed to do so.

There has been discussion in the press that the General had passed on some of this information to her. The question is why. Later, the press reported the General did not pass on information to her. I do not believe this investigation is over. And, it smells really fishy from a national security perspective. Why throw parties with top brass all the time? Why the classified material on a PC? Where was that information going? Who was receiving it? Why was the head of the CIA repeatedly invited to her home? Think of all of these questions in terms of national security and the conversation changes course very quickly. The General is not a target of the investigation primarily. It is Mrs. Broadwell. The General properly resigned. He put himself at risk.
Michael Endler,
User Rank: Apprentice
11/18/2012 | 8:42:50 AM
re: Petraeus Snoop: 7 Privacy Facts
I hope this story generates enough public interest to pressure lawmakers into fixing this mess. I'm pessimistic, though. The "series of tubes" heritage remains strong in Congress. I'm still dispirited by all the representatives who admitted IT ignorance while also condescendingly characterizing computer experts as "nerds." That would be obnoxious on its own, but it's ridiculous when one considers that many of the lawmakers who made these comments also tried to justify SOPA in the same breath. Whatever the solution, the laws are outdated and/or flawed -- like the 180-day limit Mathew notes in the article. It's also troubling that the Department of Justice has argued messages stored as drafts don't qualify for "electronic storage" privacy protections. Yes, draft folders have been used to hide messages and avoid detection. The tactic was used by not only the Petraeus players but also terrorists. It's of course important that the government be empowered to collect intelligence and thwart threats. But I suspect sinister spam folder uses represent a minority of all uses. And I also know that tools designed for one purpose often bleed into other purposes. As a culture, are we okay making billions of people subject to privacy policies that are intended for a few dangerous individuals? Are we concerned that these policies' restraints are too nebulously defined? Congress talks about the need for parallels between the virtual and physical worlds' respective laws. No argument here. But data mining tools being what they are, warrant-less access to draft folders goes way beyond what can be surveilled in the physical realm. If we're gonna go there, we need to talk about it. A lot of active legislation was either written too long ago to apply or passed without sufficient thought. This is the latest point in case.

Michael Endler
InformationWeek Associate Editor