What the Petraeus scandal says about digital spying and your e-mail
Here’s a thought that might make even the most conscientious e-mail user nervous: “When the CIA director cannot hide his activities online, what hope is there for the rest of us?”
The American Civil Liberties Union posed this question in a recent blog post. The group, of course, was referring to the scandal involving David Petraeus, who resigned as head of the spy agency after the FBI uncovered e-mails indicating he was having an affair with his biographer, Paula Broadwell.
The story has gotten lots of media attention, in part for its soap-operatic qualities. Less discussed, however, at least outside the technology press, is what this e-mail-based investigation says about privacy and surveillance in the digital age. Here’s a quick look at some of the more surprising issues:
E-mail — even anonymous e-mail — is not as secure as you think: E-mails don’t just carry a subject line and whatever you type into them. These digital missives also tote along with them packets of information called “metadata” or “headers,” which may contain information about where the message was sent from. That can help investigators corroborate who sent an e-mail, even if it comes from an anonymous account.
“In the case of Yahoo Mail and Outlook that includes the IP address of the connection used to send an email, so investigators don’t need to subpoena a mail provider to trace its origin,” Tom Simonite writes for the MIT Technology Review.
Forbes writer Parmy Olson summarizes the situation this way: “In these days of constant communication by mobile and desktop, it’s almost impossible to leave zero trace of a digital footprint, even if you do send e-mails through an anonymous account.”
Communicating by saving e-mail drafts on a joint account is old hat: Some reports indicate Petraeus tried to communicate with his mistress by setting up a joint e-mail account with her and then saving messages in the account’s draft folder. So, essentially, they may have been e-mailing each other without actually sending an e-mail. That sounds smart, right? Very James Bond. (Or very al Qaeda.)
But the technique has become so dated that it’s no longer much of a cover. “If we know that kind of subterfuge is being used by terrorists,” writes Patrick Radden Keefe for The New Yorker, “then it’s almost axiomatically an inadequate counter-surveillance option.”
The ACLU’s Chris Soghoian writes that saving e-mails in draft form instead of sending them may, paradoxically, make it easier for investigators to access the messages.
U.S. digital privacy law was written before e-mail was popular: Here’s a doozy. The privacy law that governs digital communications was last updated in 1986, or, as the ACLU puts it, when “there was no World Wide Web, nobody carried a cell phone, and the only ‘social networking’ two-year-old Mark Zuckerberg (now the CEO of Facebook) was doing was at pre-school or on play dates.”
The law, called the Electronic Communications Privacy Act, has some seemingly odd provisions, including one that, according to Wired, allows authorities to access e-mail that’s more than 6 months old without a warrant from a judge. All that’s needed is a subpoena, which is easier to obtain.
“It’s not yet clear on precisely what legal authority the FBI obtained access to Broadwell’s e-mail,” The New Yorker says, “but under the relevant federal statute, the Electronic Communications Privacy Act, the government need do little more than ask.”
Tech companies want to make it harder for law enforcement to read your e-mail: As Heather Kelly reports for CNN, the tech companies that control most of the digital info stored by Americans these days actually want that law to change. “Google is an active member of the Digital Due Process Coalition, which has been pushing for reform of the ECPA,” she writes. “The group’s members include Apple, Amazon, the ACLU, Facebook, Google and Twitter along with a slew of other big-name tech companies and civil liberties groups.”
The U.S. Justice Department opposes reform on the grounds it would make it more difficult for investigators to obtain e-mail communications.
Still, search engines may pose the biggest privacy threat: It’s worth noting that when you send an e-mail or post something on Facebook, you usually expect someone else to see it, although maybe not everyone, and probably not the FBI. As John Herrman writes for BuzzFeed, however, search engines such as Google are the ones that know your “real secrets” since it doesn’t feel like anyone else would see what you’re searching for.
But, because of search, Google “knows the things you wouldn’t ask your friends. It knows things you can’t ask your spouse. It knows the things you haven’t asked your doctor yet. It knows things that you can’t ask anyone else and that might not have been asked at all before Google existed,” he writes. “Google’s servers are a repository of the developed world’s darkest and most heartbreaking secrets, a vast closet lined with millions of digital skeletons that, should they escape, would spare nobody.”
The search engine does anonymize data over time. “We strike a reasonable balance between the competing pressures we face, such as the privacy of our users, the security of our systems and the need for innovation.
We believe anonymizing IP addresses after 9 months and cookies in our search engine logs after 18 months strikes the right balance,” Google says on an FAQ page about privacy.
So maybe all online communications — every last Internet-connected keystroke — should be thought of as public, until proven otherwise? Let us know what you think in the (newly improved) comments section below.