Petraeus Snoop: 7 Privacy Facts

Investigation of former CIA director Petraeus introduces some tough privacy questions. The good news: it could lead to tighter protections for everyone.

What email privacy protections do U.S. residents currently enjoy?

That question is on the minds of everyone from Gmail accountholders and hard-core PGP fanatics to legislators and privacy advocates in the wake of the scandal involving David H. Petraeus. Petraeus resigned as director of the CIA after an FBI inquiry found -- in part via a shared Gmail account -- that Petraeus was having an extramarital affair.

The FBI's cyber-squad investigation was kicked off after Petraeus' mistress and biographer Paula Broadwell anonymously sent supposedly threatening emails to Jill Kelley, a friend of Petraeus. Kelley, who also happened to be friends with an FBI agent, was a rival in Broadwell's eyes.

But that's where the privacy picture goes murky. A source with knowledge of the investigation told The New York Times that "the squad was not even sure the case was worth pursuing." Furthermore, the FBI has yet to release any emails of a threatening nature, which has led some commentators to think that the outing of Petraeus' affair was personal, and that whatever flimsy pretexts emerge, the investigation likely violated Petraeus' privacy.


"This is a surveillance state run amok," said journalist Glenn Greenwald in The Guardian. "But as unwarranted and invasive as this all is, there is some sweet justice in having the stars of America's national security state destroyed by the very surveillance system which they implemented and over which they preside."

In other words, the upside of the Petraeus scandal may be better privacy protections for the rest of us, by finally forcing Congress to update Americans' email privacy protections.

Here are seven related facts about where things stand:

1. Petraeus Case Particulars Remain Unclear

Legally speaking, it's still not clear which measures the FBI used to trace back the emails sent by Broadwell, or how they discovered that both she and Petraeus had logged into the same anonymous email account. Some sources have said that a probable-cause warrant for the couple's emails was obtained by the bureau; others say not. If a probable-cause warrant was issued, however, to date no evidence has emerged that a crime was probably being committed, which means the warrant could have been illegally obtained.

2. Email Location Information Isn't Protected

While emails enjoy some privacy protections, the same isn't true for location information, even if it's embedded in an email. ECPA provides scant protection for your identifying information, such as the IP address used to access an account, according to an email privacy primer published by the Electronic Frontier Foundation (EFF). While Paula Broadwell reportedly created a new, pseudonymous account for the allegedly harassing emails to Jill Kelley, she apparently did not take steps to disguise the IP number her messages were coming from. The FBI could have obtained this information with just a subpoena to the service provider.

From there, the FBI would likely have searched for any email accounts that were also associated with that same collection of IP addresses. "Webmail providers like Google, Yahoo and Microsoft retain login records -- typically for more than a year -- that reveal the particular IP addresses a consumer has logged in from," said Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, in a blog post.

Finally, after having identified the IP addresses from which the emails had been sent -- which included hotel Wi-Fi hotspots -- the FBI likely compared guest lists at the hotels for the days that the emails were sent to find which names they had in common.

3. Surveillance State Thriving

The Justice Department continues to argue that it needs even greater access to electronic communications or else it risks "going dark." Accordingly, it has argued that the Electronic Communications Privacy Act (ECPA), a 1986 law designed to protect the privacy of people's electronic communications, should remain unchanged. It has also been pushing Congress to expand the Communications Assistance for Law Enforcement Act (CALEA) to require that more online services be made easier to wiretap.

But is U.S. law enforcement surveillance now out of control? According to a Google report released this week, government surveillance has been growing, with the United States making more requests to Google for user data than any other country.

Dean S,
User Rank: Apprentice
11/19/2012 | 12:56:23 PM
re: Petraeus Snoop: 7 Privacy Facts
The head of the CIA does not have email privacy issues. As a member of the CIA, they are contractually and lawfully spied upon as part of their job. The CIA must and will investigate any and all infractions of policy, to include reviewing all personal communication. The FBI conducts these investigations and only need notify the court dealing with intelligence that it will do so, as the CIA employee has already signed away privacy rights by contract. This is not a privacy issue. It is a national security issue.

Mrs. Broadwell had classified information on a personal computer and the whereabouts of information on that computer is now the real question unmentioned in the press. Yes, she had clearance. So what? She has been briefed annually to handle classified material properly and she deliberately failed to do so.

There has been discussion in the press that the General had passed on some of this information to her. The question is why. Later, the press reported the General did not pass on information to her. I do not believe this investigation is over. And, it smells really fishy from a national security perspective. Why throw parties with top brass all the time? Why the classified material on a PC? Where was that information going? Who was receiving it? Why was the head of the CIA repeatedly invited to her home? Think of all of these questions in terms of national security and the conversation changes course very quickly. The General is not a target of the investigation primarily. It is Mrs. Broadwell. The General properly resigned. He put himself at risk.
Michael Endler,
User Rank: Apprentice
11/18/2012 | 8:42:50 AM
re: Petraeus Snoop: 7 Privacy Facts
I hope this story generates enough public interest to pressure lawmakers into fixing this mess. I'm pessimistic, though. The "series of tubes" heritage remains strong in Congress. I'm still dispirited by all the representatives who admitted IT ignorance while also condescendingly characterizing computer experts as "nerds." That would be obnoxious on its own, but it's ridiculous when one considers that many of the lawmakers who made these comments also tried to justify SOPA in the same breath. Whatever the solution, the laws are outdated and/or flawed -- like the 180-day limit Mathew notes in the article. It's also troubling that the Department of Justice has argued messages stored as drafts don't qualify for "electronic storage" privacy protections. Yes, draft folders have been used to hide messages and avoid detection. The tactic was used by not only the Petraeus players but also terrorists. It's of course important that the government be empowered to collect intelligence and thwart threats. But I suspect sinister spam folder uses represent a minority of all uses. And I also know that tools designed for one purpose often bleed into other purposes. As a culture, are we okay making billions of people subject to privacy policies that are intended for a few dangerous individuals? Are we concerned that these policies' restraints are too nebulously defined? Congress talks about the need for parallels between the virtual and physical worlds' respective laws. No argument here. But data mining tools being what they are, warrant-less access to draft folders goes way beyond what can be surveilled in the physical realm. If we're gonna go there, we need to talk about it. A lot of active legislation was either written too long ago to apply or passed without sufficient thought. This is the latest point in case.

Michael Endler
InformationWeek Associate Editor