Risk
11/13/2012
06:43 PM
Thomas Claburn
Thomas Claburn
Commentary
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

The Petraeus Affair: Surveillance State Stopper?

Lawmakers, now reminded of their own vulnerability, need to strengthen email privacy protections. Companies need to do more to help customers protect content.

When the Director of the Central Intelligence Agency can't maintain his privacy, nobody else has a chance.

The only way to win the self-surveillance game -- played by everyone who uses a network-connected computer -- is not to play. That's why U.S. Homeland Security Secretary Janet Napolitano doesn't use email.

David H. Petraeus resigned as head of the CIA, according to reports, because of an FBI inquiry into confrontational emails sent by his biographer and mistress, Paula Broadwell, to Jill Kelly, a friend of Petraeus and a rival in Broadwell's eyes.

[ Do you know how to protect yourself when using free email services? Read Petraeus Fallout: 5 Gmail Security Facts. ]

The FBI's investigation appears to be more the result of Kelly's friendship with an agent than the content of the messages. According to The Daily Beast, the FBI could barely muster a legal justification for opening an investigation. The agency would have to hire a lot more agents if it routinely investigated every email message deemed to be mildly harassing.

Nevertheless, in this course of its investigation, the agency discovered that Petraeus and Broadwell had been communicating covertly, by saving messages as unsent drafts in a single Gmail account, so they could login to the account and read what the other had written.

Petraeus evidently failed to consider the privacy implications of a change Google made to Gmail in 2008. That was when the company began providing Gmail users with the ability to track the IP address used to access accounts as a way to improve online security. As I noted at the time, "The information listed includes the Gmail user's type of access (browser, mobile, POP3), IP address, date and time. Not only will this new feature improve Gmail security, but it's also likely to please law enforcement authorities. In cases where a suspect's Gmail use is an issue, investigators who might otherwise have to request or subpoena log data from Google may only need access to the Gmail account itself."

What's more, now we're learning that the same inquiry -- which is unlikely to result in any criminal charges -- has claimed another victim. On Monday, the Department of Defense said it had been informed that the FBI's investigation had identified issues that affect Gen. John R. Allen, the commander of U.S. and NATO troops in Afghanistan. The Washington Post reports that the FBI found some 20,000 to 30,000 pages of "potentially inappropriate" email messages between Allen and Kelly, the woman who sought the FBI inquiry in the first place.

There are conflicting accounts about whether or not the FBI obtained a warrant for its inquiry.

"This is a surveillance state run amok," writes Glenn Greenwald in The Guardian. "It also highlights how any remnants of Internet anonymity have been all but obliterated by the union between the state and technology companies."

The careers of two of the nation's top military men have unraveled because the FBI started pulling threads from an inbox without any real evidence of a crime. Maybe that's just the wakeup call the government needs to recognize the value of privacy.

If that happens, it won't be the first time. In 1987, Supreme Court nominee Robert Bork's video rental history was revealed by reporter Michael Dolan, who obtained the information from Bork's local Washington, D.C. video store. Dolan justified his actions in part by noting, "[T]he judge indicated during his confirmation hearings that he's not necessarily a rabid fan of the notion of a constitutional guarantee of privacy."

Washington legislators were so shocked that their indiscreet viewing choices might be revealed that they promptly passed the 1988 Video Privacy Protection Act, which would have to wait until the Facebook era to be rendered obsolete by the marketing-surveillance complex's promotion of sharing as a social good.

Now that it's clear government officials stand as naked before online investigators as lowly citizens, maybe we'll see privacy exhumed from its grave, embalmed, and propped up as if it were alive and well again.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
11/16/2012 | 1:13:38 AM
re: The Petraeus Affair: Surveillance State Stopper?
I too question this, and wonder whether or how much of FBI's procedures for launching an investigation (and whether they properly were followed here) will be discussed as part of any Congressional investigation into the matter.
macker490
50%
50%
macker490,
User Rank: Ninja
11/14/2012 | 4:08:47 PM
re: The Petraeus Affair: Surveillance State Stopper?
once could of course use PGP or ENIGMAIL, or just use zip with an pre-agreed symetrical password

but there is still traffic analysis: why is Bob texting to Alice ?

best to keep msg in plain text and innocuous
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
11/14/2012 | 3:08:41 PM
re: The Petraeus Affair: Surveillance State Stopper?
That FBI agents are conducting or initiating investigations on little more than a complaint based on a personal relationship should be disconcerting to anyone. That the investigation has revealed little which can be placed in the "illegal" realm beyond movements of senior military officials or harassment only further questions the basis of a continued investigation. The issue seems to have been completely blown out of proportion and I believe that as much as the generals actions, the actions of the FBI or agents involved need to be analyzed.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio