When Will our Email Betray Us? An Email Privacy Primer in Light of the Petraeus Saga

The following guest repost is from the EFF (Electronic Frontier Foundation (https://www.eff.org/deeplinks/2012/11/when-will-our-email-betray-us-email-privacy-primer-light-petraeus-saga)). Usually, with few exceptions, Tech Geek and More has chosen to stay out of political issues. However, I do believe that the following post from the EFF is important. I hear from many people every day who believe that their email is private. Unfortunately, due to the scandal that is currently happening in Washington with the former head of the CIA, we have another example of how our laws (in the USA) are NOT keeping up with technology itself.

by HANNI FAKHOURY (https://www.eff.org/about/staff/hanni-fakhoury) AND KURT OPSAHL (https://www.eff.org/about/staff/kurt-opsahl) AND RAINEY REITMAN (https://www.eff.org/about/staff/rainey-reitman)

The unfolding scandal (http://en.wikipedia.org/wiki/David_Petraeus#Extramarital_affair_and_resignation) that led to the resignation of Gen. David Petraeus, the Director of the Central Intelligence Agency, started with some purportedly harassing emails sent from pseudonymous email accounts to Jill Kelley. After the FBI kicked its investigation into high gear, it identified the sender as Paula Broadwell and, ultimately, read massive amounts of private email messages that uncovered an affair between Broadwell and Petraeus (and now, the investigation has expanded to include Gen. John Allen (http://nation.time.com/2012/11/13/general-investigated-for-emails-to-petraeus-friend/)’s emails with Kelley). We’ve received a lot of questions about how this works—what legal process the FBI needs to conduct its email investigation. The short answer? It’s complicated.

The Electronic Communications Privacy Act (https://ilt.eff.org/index.php/Privacy:_Statutory_Protections#Electronic_Communications_Privacy_Act_of_1986) (ECPA) is a 1986 law that Congress enacted to protect your privacy in electronic communications, like email and instant messages. ECPA provides scant protection for your identifying information, such as the IP address used to access an account. While Paula Broadwell reportedly created a new, pseudonymous account for the allegedly harassing emails to Jill Kelley, she apparently did not take steps (https://ssd.eff.org/) to disguise the IP number her messages were coming from. The FBI could have obtained this information with just a subpoena to the service provider. But obtaining the account’s IP address alone does not establish the identity of the emails’ sender.

Broadwell apparently (http://online.wsj.com/article/SB10001424127887324073504578113460852395852.html) accessed the emails from hotels and other locations, not her home. So the FBI cross-referenced (http://openchannel.nbcnews.com/_news/2012/11/12/15119872-emails-on-coming-and-goings-of-petraeus-other-military-officials-escalated-fbi-concerns) the IP addresses of these Wi-Fi hotspots “against guest lists from other cities and hotels, looking for common names.” If Broadwell wanted to stay anonymous, a new email account combined with open Wi-Fi was not enough. The ACLU has an in-depth write-up (http://www.aclu.org/blog/technology-and-liberty-national-security/surveillance-and-security-lessons-petraeus-scandal) of the surveillance and security lessons to be learned from this.

After the FBI identified Broadwell, they searched her email. According to news reports (http://www.politico.com/news/stories/1112/83762.html), the affair between Petraeus and Broadwell lasted from November 2011 to July 2012. The harassing emails sent by Broadwell to Jill Kelley started in May 2012, and Kelley notified the FBI shortly thereafter. Thus, in the summer of 2012, when the FBI was investigating, the bulk of the emails would be less than 180 days old. This 180-day-old dividing line is important for determining how ECPA applies to email.

Compared to identifying information, ECPA provides more legal protection for the contents of your email, but with gaping exceptions. While a small but increasing number (https://www.eff.org/deeplinks/2010/12/breaking-news-eff-victory-appeals-court-holds) of federal courts have found that the Fourth Amendment requires a warrant for all email, the government claims ECPA (http://www.law.cornell.edu/uscode/text/18/2703) only requires a warrant for email that is stored for 180 days or less.

But as the Department of Justice Manual (http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf) for searching and seizing email makes clear, the government believes this only applies to unopened email. Other email is fair game with only a subpoena, even if the messages are less than 180 days old. According to reports, Petraeus and Broadwell adopted a technique of drafting emails, and reading them in the draft folder (http://www.washingtonpost.com/blogs/worldviews/wp/2012/11/12/heres-the-e-mail-trick-petraeus-and-broadwell-used-to-communicate/) rather than sending them. The DOJ would likely consider draft messages as “opened” email, and therefore not entitled to the protection of a search warrant.

In a nutshell, although ECPA requires a warrant for the government to obtain the contents of an email stored online for less than 180 days, the government believes the warrant requirement doesn’t apply for email that was opened and left on the server – the typical scenario for webmail systems like Gmail – even if the messages are less than 180 days old. So, under the government’s view, so long as the emails had been opened or were saved in the “drafts” folder, only a subpoena was required to look at contents of Broadwell’s email account.

Confused? Well, here’s where things get really complicated.  The government’s view of the law was rejected by the Ninth Circuit Court of Appeals, the federal appellate court that covers the western United States, including California, and the home to many online email companies and the servers that host their messages. As a result, the DOJ Manual notes that “Agents outside of the Ninth Circuit can therefore obtain such email (and other stored electronic or wire communications in “electronic storage” more than 180 days) using a subpoena…” but reminds agents in the Ninth Circuit to get a warrant.

News reports show that the FBI agents involved in the Petraeus scandal were in Tampa, Florida.  Thus, according to the DOJ Manual, they did not need to get a warrant even if the email provider was in California (like, for example, Gmail): “law enforcement elsewhere may continue to apply the traditional narrow interpretation of ‘electronic storage,’ even when the data sought is within the Ninth Circuit.”

A subpoena for email content would generally require notice to the subscriber, though another section of ECPA (http://www.law.cornell.edu/uscode/text/18/2705) allows for delayed notice, for up to 90 days. The FBI interviewed Broadwell for the first time in September, about 90 days after the investigation began in June.

However, many providers nevertheless protect their users by following the Ninth Circuit rule, and insist upon a warrant for the contents of all email. In EFF’s experience, the government will seek a warrant rather than litigate the issue. Thus, assuming the service provider stepped up, it is likely that the government used a warrant to obtain access to the emails at issue.

If a warrant was used, note that a warrant is often quite broad, and the government may well have obtained emails from other accounts under the same warrant. And as a result, there’s no telling how much email the FBI actually read.

The government is required to “minimize” its collection of some electronic information. For example, under the Wiretap Act (http://www.law.cornell.edu/uscode/text/18/2518), the government is supposed to conduct its wiretapping in a way that “minimize[s] the interception of communications not otherwise subject to interception.” This ensures the government isn’t listening to conversations unrelated to their criminal investigation.

But when it comes to email, such minimization requirements aren’t as strong. The DOJ Manual suggests that agents “exercise great caution” and “avoid unwarranted intrusions into private areas,” when searching email on ISPs but is short on specifics. The New York Times reported (http://www.nytimes.com/2012/11/12/us/us-officials-say-petraeuss-affair-known-in-summer.html?pagewanted=2) that FBI agents obtained access to Broadwell’s “regular e-mail account.” They could have read every email that came through as they investigated the affair. Possibly, the FBI could have read an enormous amount of email from innocent individuals not suspected of any wrongdoing.

And while the Fourth Amendment requires search warrants to be specific and particular, as noted earlier, it’s not entirely clear whether the FBI got a search warrant to search Broadwell’s email. Even if it did get a warrant, the government has argued that broad warrants are needed (https://www.eff.org/press/archives/2011/06/17) in electronic searches because evidence could be stored anywhere. While some courts have pushed back (http://www.cybercrimereview.com/2012/10/kansas-magistrate-adopts-warshak.html) on this broad search authority when it comes to email, many courts still give the government wide access to email and other forms of electronic content.

Sound confusing? It is. ECPA is hopelessly out of date, and fails to provide the protections we need in a modern era.  Your email privacy should be simple: it should receive the same protection the Fourth Amendment provides for your home.

So why hasn’t Congress done anything to update the law? They’ve tried a few times but the bills haven’t gone anywhere. That’s why EFF members across the country are joining with other advocacy groups in calling for reform. This week, we’re proud to launch a new campaign page (http://www.vanishingrights.com/) to advocate for ECPA reform. And we’re asking individuals to sign EFF’s petition (https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=8225) calling on Congress to update ECPA for the digital era so that there can be no question that the government is required to go to a judge and get a warrant before it can rummage through our email, online documents, and phone location histories.

We know that major privacy scandals can prompt Congress to get serious about updating privacy law. The Video Privacy Protection Act (https://epic.org/privacy/vppa/) was inspired by the ill-fated Supreme Court nomination of Judge Robert Bork, after a local Washington reporter obtained Bork’s video rental records. And the Foreign Intelligence Surveillance Act was inspired by the findings of the Church Committee (http://www.pbs.org/wgbh/pages/frontline/homefront/preemption/churchfisa.html), which showed that the FBI had warrantlessly surveilled Dr. Martin Luther King, Jr. and many other activists. If we learn nothing else from the Petraeus scandal, it should be that our private digital lives can become all too public when over-eager federal agents aren’t held to rigorous legal standards.

Congress has dragged its feet on updating ECPA for too long, resulting in the confusing, abuse-prone legal mess we’re in today. Join EFF (https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=8225) in calling on Congress to fix the law.


Source: Electronic Frontier Foundation (https://www.eff.org/deeplinks/2012/11/when-will-our-email-betray-us-email-privacy-primer-light-petraeus-saga)