Risk
11/13/2012
06:43 PM
Thomas Claburn
Thomas Claburn
Commentary
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

The Petraeus Affair: Surveillance State Stopper?

Lawmakers, now reminded of their own vulnerability, need to strengthen email privacy protections. Companies need to do more to help customers protect content.

When the Director of the Central Intelligence Agency can't maintain his privacy, nobody else has a chance.

The only way to win the self-surveillance game -- played by everyone who uses a network-connected computer -- is not to play. That's why U.S. Homeland Security Secretary Janet Napolitano doesn't use email.

David H. Petraeus resigned as head of the CIA, according to reports, because of an FBI inquiry into confrontational emails sent by his biographer and mistress, Paula Broadwell, to Jill Kelly, a friend of Petraeus and a rival in Broadwell's eyes.

[ Do you know how to protect yourself when using free email services? Read Petraeus Fallout: 5 Gmail Security Facts. ]

The FBI's investigation appears to be more the result of Kelly's friendship with an agent than the content of the messages. According to The Daily Beast, the FBI could barely muster a legal justification for opening an investigation. The agency would have to hire a lot more agents if it routinely investigated every email message deemed to be mildly harassing.

Nevertheless, in this course of its investigation, the agency discovered that Petraeus and Broadwell had been communicating covertly, by saving messages as unsent drafts in a single Gmail account, so they could login to the account and read what the other had written.

Petraeus evidently failed to consider the privacy implications of a change Google made to Gmail in 2008. That was when the company began providing Gmail users with the ability to track the IP address used to access accounts as a way to improve online security. As I noted at the time, "The information listed includes the Gmail user's type of access (browser, mobile, POP3), IP address, date and time. Not only will this new feature improve Gmail security, but it's also likely to please law enforcement authorities. In cases where a suspect's Gmail use is an issue, investigators who might otherwise have to request or subpoena log data from Google may only need access to the Gmail account itself."

What's more, now we're learning that the same inquiry -- which is unlikely to result in any criminal charges -- has claimed another victim. On Monday, the Department of Defense said it had been informed that the FBI's investigation had identified issues that affect Gen. John R. Allen, the commander of U.S. and NATO troops in Afghanistan. The Washington Post reports that the FBI found some 20,000 to 30,000 pages of "potentially inappropriate" email messages between Allen and Kelly, the woman who sought the FBI inquiry in the first place.

There are conflicting accounts about whether or not the FBI obtained a warrant for its inquiry.

"This is a surveillance state run amok," writes Glenn Greenwald in The Guardian. "It also highlights how any remnants of Internet anonymity have been all but obliterated by the union between the state and technology companies."

The careers of two of the nation's top military men have unraveled because the FBI started pulling threads from an inbox without any real evidence of a crime. Maybe that's just the wakeup call the government needs to recognize the value of privacy.

If that happens, it won't be the first time. In 1987, Supreme Court nominee Robert Bork's video rental history was revealed by reporter Michael Dolan, who obtained the information from Bork's local Washington, D.C. video store. Dolan justified his actions in part by noting, "[T]he judge indicated during his confirmation hearings that he's not necessarily a rabid fan of the notion of a constitutional guarantee of privacy."

Washington legislators were so shocked that their indiscreet viewing choices might be revealed that they promptly passed the 1988 Video Privacy Protection Act, which would have to wait until the Facebook era to be rendered obsolete by the marketing-surveillance complex's promotion of sharing as a social good.

Now that it's clear government officials stand as naked before online investigators as lowly citizens, maybe we'll see privacy exhumed from its grave, embalmed, and propped up as if it were alive and well again.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
11/16/2012 | 1:13:38 AM
re: The Petraeus Affair: Surveillance State Stopper?
I too question this, and wonder whether or how much of FBI's procedures for launching an investigation (and whether they properly were followed here) will be discussed as part of any Congressional investigation into the matter.
macker490
50%
50%
macker490,
User Rank: Ninja
11/14/2012 | 4:08:47 PM
re: The Petraeus Affair: Surveillance State Stopper?
once could of course use PGP or ENIGMAIL, or just use zip with an pre-agreed symetrical password

but there is still traffic analysis: why is Bob texting to Alice ?

best to keep msg in plain text and innocuous
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
11/14/2012 | 3:08:41 PM
re: The Petraeus Affair: Surveillance State Stopper?
That FBI agents are conducting or initiating investigations on little more than a complaint based on a personal relationship should be disconcerting to anyone. That the investigation has revealed little which can be placed in the "illegal" realm beyond movements of senior military officials or harassment only further questions the basis of a continued investigation. The issue seems to have been completely blown out of proportion and I believe that as much as the generals actions, the actions of the FBI or agents involved need to be analyzed.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: You are infected!  @malwareunicorn to the rescue...  
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.