Petraeus Snoop: 7 Privacy Facts

Investigation of former CIA director Petraeus introduces some tough privacy questions. The good news: it could lead to tighter protections for everyone.

Mathew J. Schwartz, Contributor

November 16, 2012


What email privacy protections do U.S. residents currently enjoy?

That question is on the minds of everyone from Gmail accountholders and hard-core PGP fanatics to legislators and privacy advocates in the wake of the scandal involving David H. Petraeus. Petraeus resigned as director of the CIA after an FBI inquiry found -- in part via a shared Gmail account -- that Petraeus was having an extramarital affair.

The FBI's cyber-squad investigation was kicked off after Petraeus' mistress and biographer Paula Broadwell anonymously sent supposedly threatening emails to Jill Kelley, a friend of Petraeus. Kelley, who also happened to be friends with an FBI agent, was a rival in Broadwell's eyes.

But that's where the privacy picture goes murky. A source with knowledge of the investigation told The New York Times that "the squad was not even sure the case was worth pursuing." Furthermore, the FBI has yet to release any emails of a threatening nature, which has led some commentators to think that the outing of Petraeus' affair was personal, and that whatever flimsy pretexts emerge, the investigation likely violated Petraeus' privacy.


"This is a surveillance state run amok," said journalist Glenn Greenwald in The Guardian. "But as unwarranted and invasive as this all is, there is some sweet justice in having the stars of America's national security state destroyed by the very surveillance system which they implemented and over which they preside."

In other words, the upside of the Petraeus scandal may be better privacy protections for the rest of us, by finally forcing Congress to update Americans' email privacy protections.

Here are seven related facts about where things stand:

1. Petraeus Case Particulars Remain Unclear

Legally speaking, it's still not clear which measures the FBI used to trace back the emails sent by Broadwell, or how they discovered that both she and Petraeus had logged into the same anonymous email account. Some sources have said that a probable cause warrant for the couple's emails was obtained by the bureau; others say not. If a probable-cause warrant was issued, however, to date no evidence has emerged that a crime was probably being committed, which means the warrant could have been illegally obtained.

2. Email Location Information Isn't Protected

While emails enjoy some privacy protections, the same isn't true for location information, even if it's embedded in an email. ECPA provides scant protection for your identifying information, such as the IP address used to access an account, according to an email privacy primer published by the Electronic Frontier Foundation (EFF). While Paula Broadwell reportedly created a new, pseudonymous account for the allegedly harassing emails to Jill Kelley, she apparently did not take steps to disguise the IP number her messages were coming from. The FBI could have obtained this information with just a subpoena to the service provider.

From there, the FBI would likely have searched for any email accounts that were also associated with that same collection of IP addresses. "Webmail providers like Google, Yahoo and Microsoft retain login records -- typically for more than a year -- that reveal the particular IP addresses a consumer has logged in from," said Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, in a blog post.

Finally, after having identified the IP addresses from which the emails had been sent -- which included hotel Wi-Fi hotspots -- the FBI likely compared guest lists at the hotels for the days that the emails were sent to find which names they had in common.

3. Surveillance State Thriving

The Justice Department continues to argue that it needs even greater access to electronic communications or else it risks "going dark." Accordingly, it has argued that the Electronic Communications Privacy Act (ECPA), a 1986 law designed to protect the privacy of people's electronic communications, should remain unchanged. It has also been pushing Congress to expand the Communications Assistance for Law Enforcement Act (CALEA) to require that more online services be made easier to wiretap.

But is U.S. law enforcement surveillance now out of control? According to a Google report released this week, government surveillance has been growing, with the United States making more requests to Google for user data than any other country.

4. ECPA Amendments Proposed, Again

Improved privacy protections, however, may be on the way. On Thursday, the Senate Judiciary Committee announced that on November 29, it plans to vote on amendments proposed to ECPA in September by the chairman of the committee, Sen. Patrick Leahy (D-Vt.), who was also the lead Senate author of the bill itself, which was enacted in 1986. As with a search of a car or house, Leahy's ECPA amendments would require the government to obtain a probable cause warrant before being able to access any email stored in the cloud.

"The legislation will make commonsense changes to existing law to improve privacy protections for consumers' electronic communications, and clarifies the legal standards for the government to obtain this information," read a statement released by Leahy.

Right now, ECPA doesn't always require a probable cause warrant to force service providers to turn over the contents of users' private emails, instant messages, and social networking messages, according to EFF's analysis of Leahy's proposals, which it has endorsed. "Nor does the government need a warrant if an email message is older than 180 days. This low threshold to electronic messages is in stark contrast to the Fourth Amendment protections for physical letters."

5. Email Privacy Protections Expire After 180 Days

Remember the innovative Gmail archive feature, through which no email need ever be deleted? Turns out it's a smorgasbord for any law enforcement agencies that are conducting surveillance. That's because the Justice Department currently maintains that any emails that have been read by the receiver and left in a mailbox -- for example, on Gmail or Hotmail -- as well as saved drafts or copies of sent messages, and emails that are more than 180 days old, aren't covered by the Stored Communications Act.

But wait, there's more: "The government's view of the law was rejected by the Ninth Circuit Court of Appeals, the federal appellate court that covers the western United States, including California, and the home to many online email companies and the servers that host their messages." As a result, the Department of Justice has instructed any investigators accessing emails that are older than 180 days, without a subpoena, to make sure they do so outside of the jurisdiction of the Ninth Circuit Court of Appeals.

6. Email "Minimization" Requirements Vague

Another privacy issue is that once investigators access an email account, they can review any of the messages they find. "The government is required to 'minimize' its collection of some electronic information," said EFF -- for example, when conducting wiretaps. "But when it comes to email, such minimization requirements aren't as strong. The DOJ Manual suggests that agents 'exercise great caution' and 'avoid unwarranted intrusions into private areas,' when searching email on ISPs but is short on specifics."

7. Incident Could Happen All Over Again

Did the Petraeus investigation break any laws? Apparently not, and that fact -- as well as the prospect that the FBI could similarly investigate anyone on what seems to be the flimsiest of pretexts -- has privacy advocates demanding that Congress finally extend the nation's privacy laws to cover people's personal electronic communications. As noted in the EFF email privacy primer, "If we learn nothing else from the Petraeus scandal, it should be that our private digital lives can become all too public when over-eager federal agents aren't held to rigorous legal standards."



About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
