Lesson from Petraeus: Your emails, and Gmail, aren't that private
Wired | Associated Press | Opinio Juris
FBI investigators stumbled across Gen. David Petraeus' affair with Paula Broadwell by tracking harassing emails she allegedly sent to another woman, Jill Kelley. It's not clear whether those emails were sent from a Gmail account, Kim Zetter writes in Wired, but they led the investigators to a Gmail account via which Broadwell and Petraeus communicated.
Associated Press reporter Richard Lardner writes, "Petraeus and Broadwell apparently used a trick, known to terrorists and teen-agers alike, to conceal their email traffic."
One of the law enforcement officials said they did not transmit all of their communications as emails from one's inbox to the other's inbox. Rather, they composed some emails in a Gmail account and instead of transmitting them, left them in a draft folder or in an electronic "dropbox." Then the other person could log onto the same account and read the draft emails there. This avoids creating an email trail which is easier to trace. It's a technique that al-Qaida terrorists began using several years ago and teen-agers in many countries have since adopted.
Investigators need only a subpoena to go through emails that go back more than six months, Lardner writes. They need a warrant, and "proof of probable cause that a crime is being committed," to get access to newer communications. The Electronic Communications Privacy Act, Lardner writes, "was written a quarter-century ago when most emails were deleted after a few months because the cost of storing them indefinitely was prohibitive." Now that cloud storage means emails don't need to be deleted, investigators can theoretically get access to a wealth of communication.
Authorities used location data in email headers to track them back to Broadwell. Gmail headers don't usually contain location data, Zetter writes.
Authorities would have had to contact Google to obtain information about the IP address that was used to log into the anonymous account and any other accounts that were accessed from the same address. But other e-mail providers, such as Yahoo, do include the sender IP address in the metadata.
Once they had the location data, Zetter writes, FBI investigators were able to get a warrant "to monitor other e-mail accounts Broadwell used, including a Gmail account."
Google's transparency report for July to December 2011 says it received 6,321 requests for user data from the U.S. government during that time. It "fully or partially complied" with 93 percent of the requests, Google says.
Other parties can gain access to your email, too. In late September, blogger and law professor Kevin Jon Heller wrote he'd gotten Chevron to drop its request for nine years' worth of his Gmail records, part of the complicated legal events surrounding Chevron's attempts to void an $18.2 billion judgment against the company in a case involving pollution in Ecuador.
"I have sources who provide me with confidential information on a wide variety of issues; those sources could lose their jobs if their identities were ever revealed," Heller wrote.
In an email sent to Poynter at the beginning of last month, Chevron spokesperson Justin Higgs said the company hadn't received any of the information it's seeking via the various email providers. "Also, to be clear, we are not seeking to obtain information from journalists or bloggers," Higgs writes.
We are working to obtain more information pertaining to the plaintiffs’ lawyers creation of e-mail addresses intended to be aliases to disguise the ultimate user, and their use of dozens of email accounts to conceal the transfer fraudulent documents. Among other things, these subpoenas serve to flush out which e-mail addresses are legitimate and have been used for benign purposes. The subpoenas will also help to demonstrate which e-mail accounts have been used in furtherance of a fraud.
In regard to the same matter, a Google spokesperson told Poynter last month:
When we receive a request for user information, we review it carefully and only provide information within the scope and authority of the request. We may refuse to produce information or try to narrow the request in some cases. Like all law-abiding companies, we comply with valid legal process. We take user privacy very seriously, and whenever we receive a request we make sure it meets both the letter and spirit of the law before complying. When possible and legal to do so, we notify affected users about requests for user data that may affect them. And if we believe a request is overly broad, we will seek to narrow it.