Cybersecurity

Subj: E-Mailed Secrets Will Be Found Out


David Petraeus poses for a photo with Paula Broadwell

Photograph by Rex Features via AP Photo

David Petraeus ran the largest, best-funded, most capable intelligence service in the history of the world, but even he failed to learn the lesson learned long ago by small-time mobsters and corner drug dealers: If you want something to remain a secret, stay off the phones and—more important—stay off e-mail.

You have to presume that anything sent electronically can be discovered, duplicated, decoded, and un-deleted—because it can. Digital files can be infinitely reproduced, and they leave a trail of data wherever they go.

General Petraeus was not entirely unaware of this. He did make some attempts to conceal his communication with his paramour, Paula Broadwell. But it’s not as if he used NSA-level encryption and bounced his e-mails off 17 satellites to make them hard to trace. (I’m not sure even this would work, but it always seems to do the trick in the movies.)

No, the director of the Central Intelligence Agency set up a Gmail account under a pseudonym, to which both he and Broadwell had the password. They would write messages to each other; instead of sending them, they would leave their hot-and-heavy missives in the drafts folder. Because the messages were never transmitted, there was no way to trace them back to a specific PC.

Except, of course, when Broadwell sent messages to that account. (Whoops.) That established a connection the FBI could follow, leading to the “secret” e-mails the two were sharing.

Petraeus and Broadwell could have taken things a step further by using an e-mail service that encrypts messages. With e-mail encrypted, only sender and recipient would be able to read the contents; anyone else would see gibberish. Sites like Hushmail automatically encrypt messages, and downloadable software tools such as GPG and Enigmail can encrypt messages on Gmail and other Web-mail sites. Sites like 10minutemail create e-mail addresses that can be used for only 10 minutes before the address expires.

But even these measures have loopholes. While encrypted messages have encoded content, address and subject information is not encoded. Even though the main text may be garbled, an investigator could, for example, see that 39 messages were sent to the same person in one day, including one at 1:37 a.m. with the subject line “You just left—still cleaning the maple syrup off my chest.” At that point, does it even matter what was written in the e-mail?
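The exposure described above, as an added example that is not part of the original article: a short Python sketch that reads only what stays in the clear on an encrypted message (sender, recipient, time, subject) and counts messages per correspondent per day. The addresses, dates, subjects and the placeholder body are all constructed for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed stand-in for an encrypted body; not real ciphertext.
ARMORED = ("-----BEGIN PGP MESSAGE-----\n\n"
           "(constructed placeholder, not real ciphertext)\n"
           "-----END PGP MESSAGE-----\n")

def make_message(sender, rcpt, date, subject):
    """Build a raw message: plaintext headers, opaque body."""
    return (f"From: {sender}\nTo: {rcpt}\nDate: {date}\n"
            f"Subject: {subject}\n\n{ARMORED}")

# Constructed sample mailbox.
SAMPLE = [
    make_message("a@example.org", "b@example.org",
                 "Mon, 05 Nov 2012 01:37:00 -0500", "re: tonight"),
    make_message("a@example.org", "b@example.org",
                 "Mon, 05 Nov 2012 09:12:00 -0500", "re: tonight"),
    make_message("a@example.org", "b@example.org",
                 "Mon, 05 Nov 2012 23:50:00 -0500", "call me"),
    make_message("a@example.org", "c@example.org",
                 "Tue, 06 Nov 2012 10:00:00 -0500", "agenda"),
]

def visible_metadata(raw):
    """Return what a third party holding the stored message can read."""
    msg = message_from_string(raw)
    return {
        "from": parseaddr(msg["From"])[1],
        "to": parseaddr(msg["To"])[1],
        "when": parsedate_to_datetime(msg["Date"]),
        "subject": msg["Subject"],
        # The body is only an armored blob; nothing in it is legible.
        "body_readable": "BEGIN PGP MESSAGE" not in msg.get_payload(),
    }

def daily_pairs(raws):
    """Count messages per (sender, recipient, calendar day)."""
    counts = Counter()
    for raw in raws:
        m = visible_metadata(raw)
        counts[(m["from"], m["to"], m["when"].date().isoformat())] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(daily_pairs(SAMPLE).items()):
        print(n, *key)
```

Encrypting the body changes none of these fields, which is why the pattern of who wrote to whom, how often and at what hour survives even when the text itself does not.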

A distinction is made regarding who is trying to retrieve old electronic messages. The government—local, state, or federal—is bound by the Stored Communications Act, part of the Electronic Communications Privacy Act of 1986. (That’s not a typo.) This means that electronic communications less than 180 days old require a search warrant before they can be viewed by law enforcement. Messages older than 180 days, however, can be viewed by the government with a subpoena. (Except at the U.S. Court of Appeals for the Sixth Circuit, which includes parts of Michigan, Ohio, Kentucky, and Tennessee; the court ruled that the SCA is in violation of the Fourth Amendment and that, therefore, even messages that are more than 180 days old require a search warrant.)

For private investigations such as those of divorce attorneys, the bar is much, much higher. “Private parties have a much harder time accessing e-mail than the government,” says Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, a legal nonprofit. Private investigators may be able to access the header information on an e-mail (addressee and subject fields), but the content of the e-mails will remain off limits.

Even deleted messages are not always truly deleted. For starters, anything “deleted” from a local hard drive may still be recoverable by savvy law-enforcement technicians. (Most data are not really deleted on a hard drive, just overwritten.) On many Web-mail services, you have the option to archive or delete messages, but even deleting them doesn’t banish them to oblivion. Here’s what Google’s (GOOG) Gmail help page says about deleted messages:

“Please be aware, residual copies of deleted messages and accounts may take up to 60 days to be deleted from our active servers and may remain in our backup systems for an additional period of time.”

The same can be true of instant messages and texts. In the case of the former, most IM programs let you choose whether you want to archive your conversations or not—retired (and not retired, in what appears to be the case of General John Allen) four-star generals may want to uncheck that box.

Grobart is a senior writer for Bloomberg Businessweek and the managing editor of Bloomberg Digital Video. Follow him on Twitter @samgrobart.
