While some have noted the irony
of General Petreaus being taken down due to online surveillance methods that he should have been aware of, the case is bringing growing attention to an issue many of us have been discussing for a while: how easy it is for law enforcement to snoop through your email. We raised
the question already, but as more info comes out, the whole thing is looking that much more questionable.
Julian Sanchez keeps trying to find out exactly what legal process the FBI used to go through a variety of email accounts based on an apparently non-criminal cyberstalking claim (which was apparently brought to the FBI by a non-cyber-focused agent who had seemed to have a crush on the "victim"of the cyberstalking), and notes that there are big questions
about what process was used to go through these emails and how much oversight was involved:
To Julian Sanchez, a research fellow at the Cato Institute, the real scandal over the Petraeus affair is not the extramarital sex, but the invasion of privacy.
"Law enforcement and certainly intelligence agencies have an incredible amount of ability to gather huge volumes of detailed information about people's most intimate online communications, a lot of it without requiring a full-blown warrant, a lot of it without requiring even any kind of judicial approval," Sanchez said.
Meanwhile, Chris Soghoian, working for the ACLU, highlights some of what's been revealed about the snooping. For example, FBI agents tracked down Patricia Broadwell as the email sender, even though she was using throwaway accounts, because webmail providers record the IP address from whence someone logs in -- and Broadwell didn't conceal that info. Apparently, the IP addresses were a series of hotels, and cross-checking with guest lists, it didn't take long to narrow down the only real suspect. Oh, and none of that info required judicial oversight for the FBI to get:
The guest lists from hotels, IP login records, as well as the creative request to email providers for “information about other accounts that have logged in from this IP address” are all forms of data that the government can obtain with a subpoena. There is no independent review, no check against abuse, and further, the target of the subpoena will often never learn that the government obtained data (unless charges are filed, or, as in this particular case, government officials eagerly leak details of the investigation to the press). Unfortunately, our existing surveillance laws really only protect the “what” being communicated; the government’s powers to determine “who” communicated remain largely unchecked.
He also delves into the method by which Petreaus and Broadwell communicated -- by sharing an account and communicating via "drafts" that were saved. For the head of the CIA you'd think he'd use a method that wasn't long known to be just as (if not more) insecure than regular email. Soghoian tears apart this supposedly "secret" method of communicating:
For more than a decade, a persistent myth in Washington DC, fueled by several counterterrorism experts, has been that it is possible to hide a communications trail by sharing an email inbox, and instead saving emails in a “draft” folder. This technique has been used by Khaled Sheikh Mohammed, Richard Reid (the shoe bomber), the 2004 Madrid train bombers, terrorists in Germany, as well as some domestic “eco-terrorists.” This technique has appeared in federal court documents as early as 2003, and was described in a law journal article written by a DOJ official in 2004. It is hardly a state secret.
Apparently, this method was also used by General Petraeus. According to the Associated Press, “[r]ather than transmitting emails to the other's inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder or in an electronic ‘dropbox,’ the official said. Then the other person could log onto the same account and read the draft emails there. This avoids creating an email trail that is easier to trace.”
The problem is, like so many other digital security methods employed by terrorists, it doesn’t work. Emails saved in a draft folder are stored just like emails in any other folder in a cloud service, and further, the providers can be compelled, prospectively, to save copies of everything (so that deleting the messages after reading them won’t actually stop investigators from getting a copy).
Ironically enough, by storing emails in a draft folder, rather than an inbox, individuals may be making it even easier for the government to intercept their communications. This is because the Department of Justice has argued that emails in the “draft” or “sent mail” folder are not in “electronic storage” (as defined by the Stored Communications Act), and thus not deserving of warrant protection. Instead, the government has argued it should be able to get such messages with a mere subpoena.
Got all that? It's even more info that the FBI may have been able to obtain without ever having to get approval from a judge. That's not to say they didn't
necessarily go before a judge to get a warrant or similar tool for surveillance, but it does highlight just how much info the FBI can
obtain without any real oversight, and how it's entirely possible for it to be abused -- taking a very limited situation (non-criminal online harassment) and turning it into something massive.
In fact, as the EFF's Trevor Timm notes, we should be investigating the FBI
over why it was snooping through people's emails and how frequently it does this. He notes, as others have, that nothing about the origination of this case should have resulted in FBI involvement, let alone reading people's emails. Remember, early on, no one knew this had anything to do with General Petreaus or any other high ranking official:
The spark that set events in motion was a handful of
allegedly harassing emails sent anonymously to Kelley, a friend of Petraeus's,
which she brought to a friend at the FBI. Yet it's unclear why an investigation
was ever opened, given that everything publicly known about the emails suggests
they weren't illegal.
As the Daily Beast reported, they
said things like "Who do you think you are? ... You parade around the base ... You
need to take it down a notch." The story noted, "when the FBI friend showed the emails to
the cyber squad in the Tampa field office, her fellow agents noted that the
absence of any overt threats."
It seems the deciding factor in opening the investigation
was not the emails' content, but the fact that the FBI agent was friendly with
Kelley. (Even more disturbing, the same FBI agent has now been accused of becoming "obsessed" with the Tampa socialite, sent
shirtless pictures to her, and has been removed from the case.)
Basically, it sounds like the FBI had very questionable reasons for digging all that deep into this case at all. Michael Davis, at the Daily Beast, notes that the emails were typical "cat-fight stuff,"
with no indication of illegal activity:
When the FBI friend showed the emails to the cyber squad in the Tampa field office, her fellow agents noted that the absence of any overt threats.
“No, ‘I’ll kill you’ or ‘I'll burn your house down,’” the source says. “It doesn’t seem really that bad.”
The squad was not even sure the case was worth pursuing, the source says.
“What does this mean? There’s no threat there. This is against the law?” the agents asked themselves by the source’s account.
At most the messages were harassing. The cyber squad had to consult the statute books in its effort to determine whether there was adequate legal cause to open a case.
“It was a close call,” the source says.
So while there's all sorts of talk of investigations into who should have known the details of what was going on at what time, no one seems to be questioning why a simple "cat fight" resulted in the FBI digging in and reading people's emails. Yet, that seems like something we should all be quite worried about.
Indeed, if there's any "benefit" to come out of this, perhaps it's that more and more people are hopefully realizing just how easy it is for the FBI to spy on people