Risk
11/13/2012
06:43 PM
Thomas Claburn
Thomas Claburn
Commentary
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

The Petraeus Affair: Surveillance State Stopper?

Lawmakers, now reminded of their own vulnerability, need to strengthen email privacy protections. Companies need to do more to help customers protect content.

When the Director of the Central Intelligence Agency can't maintain his privacy, nobody else has a chance.

The only way to win the self-surveillance game -- played by everyone who uses a network-connected computer -- is not to play. That's why U.S. Homeland Security Secretary Janet Napolitano doesn't use email.

David H. Petraeus resigned as head of the CIA, according to reports, because of an FBI inquiry into confrontational emails sent by his biographer and mistress, Paula Broadwell, to Jill Kelly, a friend of Petraeus and a rival in Broadwell's eyes.

[ Do you know how to protect yourself when using free email services? Read Petraeus Fallout: 5 Gmail Security Facts. ]

The FBI's investigation appears to be more the result of Kelly's friendship with an agent than the content of the messages. According to The Daily Beast, the FBI could barely muster a legal justification for opening an investigation. The agency would have to hire a lot more agents if it routinely investigated every email message deemed to be mildly harassing.

Nevertheless, in this course of its investigation, the agency discovered that Petraeus and Broadwell had been communicating covertly, by saving messages as unsent drafts in a single Gmail account, so they could login to the account and read what the other had written.

Petraeus evidently failed to consider the privacy implications of a change Google made to Gmail in 2008. That was when the company began providing Gmail users with the ability to track the IP address used to access accounts as a way to improve online security. As I noted at the time, "The information listed includes the Gmail user's type of access (browser, mobile, POP3), IP address, date and time. Not only will this new feature improve Gmail security, but it's also likely to please law enforcement authorities. In cases where a suspect's Gmail use is an issue, investigators who might otherwise have to request or subpoena log data from Google may only need access to the Gmail account itself."

What's more, now we're learning that the same inquiry -- which is unlikely to result in any criminal charges -- has claimed another victim. On Monday, the Department of Defense said it had been informed that the FBI's investigation had identified issues that affect Gen. John R. Allen, the commander of U.S. and NATO troops in Afghanistan. The Washington Post reports that the FBI found some 20,000 to 30,000 pages of "potentially inappropriate" email messages between Allen and Kelly, the woman who sought the FBI inquiry in the first place.

There are conflicting accounts about whether or not the FBI obtained a warrant for its inquiry.

"This is a surveillance state run amok," writes Glenn Greenwald in The Guardian. "It also highlights how any remnants of Internet anonymity have been all but obliterated by the union between the state and technology companies."

The careers of two of the nation's top military men have unraveled because the FBI started pulling threads from an inbox without any real evidence of a crime. Maybe that's just the wakeup call the government needs to recognize the value of privacy.

If that happens, it won't be the first time. In 1987, Supreme Court nominee Robert Bork's video rental history was revealed by reporter Michael Dolan, who obtained the information from Bork's local Washington, D.C. video store. Dolan justified his actions in part by noting, "[T]he judge indicated during his confirmation hearings that he's not necessarily a rabid fan of the notion of a constitutional guarantee of privacy."

Washington legislators were so shocked that their indiscreet viewing choices might be revealed that they promptly passed the 1988 Video Privacy Protection Act, which would have to wait until the Facebook era to be rendered obsolete by the marketing-surveillance complex's promotion of sharing as a social good.

Now that it's clear government officials stand as naked before online investigators as lowly citizens, maybe we'll see privacy exhumed from its grave, embalmed, and propped up as if it were alive and well again.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
11/14/2012 | 3:08:41 PM
re: The Petraeus Affair: Surveillance State Stopper?
That FBI agents are conducting or initiating investigations on little more than a complaint based on a personal relationship should be disconcerting to anyone. That the investigation has revealed little which can be placed in the "illegal" realm beyond movements of senior military officials or harassment only further questions the basis of a continued investigation. The issue seems to have been completely blown out of proportion and I believe that as much as the generals actions, the actions of the FBI or agents involved need to be analyzed.
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
11/16/2012 | 1:13:38 AM
re: The Petraeus Affair: Surveillance State Stopper?
I too question this, and wonder whether or how much of FBI's procedures for launching an investigation (and whether they properly were followed here) will be discussed as part of any Congressional investigation into the matter.
macker490
50%
50%
macker490,
User Rank: Ninja
11/14/2012 | 4:08:47 PM
re: The Petraeus Affair: Surveillance State Stopper?
once could of course use PGP or ENIGMAIL, or just use zip with an pre-agreed symetrical password

but there is still traffic analysis: why is Bob texting to Alice ?

best to keep msg in plain text and innocuous
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.