E-Mail Security in the Wake of Petraeus
I've been reading lots of articles discussing how little e-mail and Internet privacy we actually have in the U.S. This is a good one to start with:
The FBI obliged -- apparently obtaining subpoenas for Internet Protocol logs, which allowed them to connect the sender’s anonymous Google Mail account to others accessed from the same computers, accounts that belonged to Petraeus biographer Paula Broadwell. The bureau could then subpoena guest records from hotels, tracking the WiFi networks, and confirm that they matched Broadwell’s travel history. None of this would have required judicial approval -- let alone a Fourth Amendment search warrant based on probable cause.
While we don't know the investigators’ other methods, the FBI has an impressive arsenal of tools to track Broadwell’s digital footprints -- all without a warrant. On a mere showing of "relevance," they can obtain a court order for cell phone location records, providing a detailed history of her movements, as well as all people she called. Little wonder that law enforcement requests to cell providers have exploded -- with a staggering 1.3 million demands for user data just last year, according to major carriers.
An order under this same weak standard could reveal all her e-mail correspondents and Web surfing activity. With the rapid decline of data storage costs, an ever larger treasure trove is routinely retained for ever longer time periods by phone and Internet companies.
Had the FBI chosen to pursue this investigation as a counterintelligence inquiry rather than a cyberstalking case, much of that data could have been obtained without even a subpoena. National Security Letters, secret tools for obtaining sensitive financial and telecommunications records, require only the say-so of an FBI field office chief.
While the details of this investigation that have leaked thus far provide us all a fascinating glimpse into the usually sensitive methods used by FBI agents, this should also serve as a warning, by demonstrating the extent to which the government can pierce the veil of communications anonymity without ever having to obtain a search warrant or other court order from a neutral judge.
The guest lists from hotels, IP login records, as well as the creative request to email providers for "information about other accounts that have logged in from this IP address" are all forms of data that the government can obtain with a subpoena. There is no independent review, no check against abuse, and further, the target of the subpoena will often never learn that the government obtained data (unless charges are filed, or, as in this particular case, government officials eagerly leak details of the investigation to the press). Unfortunately, our existing surveillance laws really only protect the "what" being communicated; the government's powers to determine "who" communicated remain largely unchecked.
This is good, too.
The EFF tries to explain the relevant laws. Summary: they're confusing, and they don't protect us very much.
My favorite quote is from the New York Times:
Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, said the chain of unexpected disclosures was not unusual in computer-centric cases.
"It's a particular problem with cyberinvestigations -- they rapidly become open-ended because there’s such a huge quantity of information available and it’s so easily searchable," he said, adding, "If the C.I.A. director can get caught, it’s pretty much open season on everyone else."
And a day later:
"If the director of central intelligence isn't able to successfully keep his emails private, what chance do I have?" said Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation, a digital-liberties advocacy group.
In more words:
But there's another, more important lesson to be gleaned from this tale of a biographer run amok. Broadwell's debacle confirms something that some privacy experts have been warning about for years: Government surveillance of ordinary citizens is now cheaper and easier than ever before. Without needing to go before a judge, the government can gather vast amounts of information about us with minimal expenditure of manpower. We used to be able to count on a certain amount of privacy protection simply because invading our privacy was hard work. That is no longer the case. Our always-on, Internet-connected, cellphone-enabled lives are an open door to Big Brother.
Remember that this problem is bigger than Petraeus. The FBI goes after electronic records all the time:
In Google’s semi-annual transparency report released Tuesday, the company stated that it received 20,938 requests from governments around the world for its users’ private data in the first six months of 2012. Nearly 8,000 of those requests came from the U.S. government, and 7,172 of them were fulfilled to some degree, an increase of 26% from the prior six months, according to Google’s stats.
So what's the answer? Would they have been safe if they'd used Tor or a regular old VPN? Silent Circle? Something else? This article attempts to give advice; this is the article's most important caveat:
DON'T MESS UP: It is hard to pull off one of these steps, let alone all of them all the time. It takes just one mistake -- forgetting to use Tor, leaving your encryption keys where someone can find them, connecting to an airport Wi-Fi just once -- to ruin you.
"Robust tools for privacy and anonymity exist, but they are not integrated in a way that makes them easy to use," Mr. Blaze warned. "We've all made the mistake of accidentally hitting 'Reply All.' Well, if you're trying to hide your e-mails or account or I.P. address, there are a thousand other mistakes you can make."
In the end, Mr. Kaminsky noted, if the F.B.I. is after your e-mails, it will find a way to read them. In that case, any attempt to stand in its way may just lull you into a false sense of security.
Some people think that if something is difficult to do, "it has security benefits, but that’s all fake -- everything is logged," said Mr. Kaminsky. "The reality is if you don't want something to show up on the front page of The New York Times, then don't say it."
The real answer is to rein in the FBI, of course:
If we don't take steps to rein in the burgeoning surveillance state now, there’s no guarantee we'll even be aware of the ways in which control is exercised through this information architecture. We will all remain exposed but the extent of our exposure, and the potential damage done to democracy, is likely to remain invisible.
"Hopefully this [case] will be a wake-up call for Congress that the Stored Communications Act is old and busted," Mr Fakhoury says.
I don't see any chance of that happening anytime soon.
EDITED TO ADD (12/12): E-mail security might not have mattered.
Posted on November 19, 2012 at 12:40 PM