Skip to main content

What the Petraeus scandal says about digital spying and your e-mail

John D. Sutter, CNN
Former CIA Director David Petraeus is at the center of a Washington scandal that's raising questions about online privacy.
Former CIA Director David Petraeus is at the center of a Washington scandal that's raising questions about online privacy.
  • The David Petraeus scandal raises interesting questions about privacy in the digital era
  • The U.S. law governing digital privacy was last updated in 1986
  • Tech companies and the ACLU want to see protections in the law tightened

(CNN) -- Here's a thought that might make even the most conscientious e-mail user nervous: "When the CIA director cannot hide his activities online, what hope is there for the rest of us?"

The American Civil Liberties Union posed this question in a recent blog post. The group, of course, was referring to the scandal involving David Petraeus, who resigned as head of the spy agency after the FBI uncovered e-mails indicating he was having an affair with his biographer, Paula Broadwell.

The story has gotten lots of media attention, in part for its soap-operatic qualities. Less discussed, however, at least outside the technology press, is what this e-mail-based investigation says about privacy and surveillance in the digital age. Here's a quick look at some of the more surprising issues:

E-mail -- even anonymous e-mail -- is not as secure as you think: E-mails don't just carry a subject line and whatever you type into them. These digital missives also tote along with them packets of information called "metadata" or "headers," which may contain information about where the message was sent from. That can help investigators corroborate who sent an e-mail, even if it comes from an anonymous account.

"In the case of Yahoo Mail and Outlook that includes the IP address of the connection used to send an email, so investigators don't need to subpoena a mail provider to trace its origin," Tom Simonite writes for the MIT Technology Review.

Forbes writer Parmy Olson summarizes the situation this way: "In these days of constant communication by mobile and desktop, it's almost impossible to leave zero trace of a digital footprint, even if you do send e-mails through an anonymous account."

Communicating by saving e-mail drafts on a joint account is old hat: Some reports indicate Petraeus tried to communicate with his mistress by setting up a joint e-mail account with her and then saving messages in the account's draft folder. So, essentially, they may have been e-mailing each other without actually sending an e-mail. That sounds smart, right? Very James Bond. (Or very al Qaeda.)

But the technique has become so dated that it's no longer much of a cover. "If we know that kind of subterfuge is being used by terrorists," writes Patrick Radden Keefe for The New Yorker, "then it's almost axiomatically an inadequate counter-surveillance option."

The ACLU's Chris Soghoian writes that saving e-mails in draft form instead of sending them may, paradoxically, make it easier for investigators to access the messages.

U.S. digital privacy law was written before e-mail was popular: Here's a doozy. The privacy law that governs digital communications was last updated in 1986, or, as the ACLU puts it, when "there was no World Wide Web, nobody carried a cell phone, and the only 'social networking' two-year-old Mark Zuckerberg (now the CEO of Facebook) was doing was at pre-school or on play dates."

The law, called the Electronic Communications Privacy Act, has some seemingly odd provisions, including one that, according to Wired, allows authorities to access e-mail that's more than 6 months old without a warrant from a judge. All that's needed is a subpoena, which is easier to obtain.

"It's not yet clear on precisely what legal authority the FBI obtained access to Broadwell's e-mail," The New Yorker says, "but under the relevant federal statute, the Electronic Communications Privacy Act, the government need do little more than ask."

Tech companies want to make it harder for law enforcement to read your e-mail: As Heather Kelly reports for CNN, the tech companies that control most of the digital info stored by Americans these days actually want that law to change. "Google is an active member of the Digital Due Process Coalition, which has been pushing for reform of the ECPA," she writes. "The group's members include Apple, Amazon, the ACLU, Facebook, Google and Twitter along with a slew of other big-name tech companies and civil liberties groups."

The U.S. Justice Department opposes reform on the grounds it would make it more difficult for investigators to obtain e-mail communications.

Still, search engines may pose the biggest privacy threat: It's worth noting that when you send an e-mail or post something on Facebook, you usually expect someone else to see it, although maybe not everyone, and probably not the FBI. As John Herrman writes for BuzzFeed, however, search engines such as Google are the ones that know your "real secrets" since it doesn't feel like anyone else would see what you're searching for.

But, because of search, Google "knows the things you wouldn't ask your friends. It knows things you can't ask your spouse. It knows the things you haven't asked your doctor yet. It knows things that you can't ask anyone else and that might not have been asked at all before Google existed," he writes. "Google's servers are a repository of the developed world's darkest and most heartbreaking secrets, a vast closet lined with millions of digital skeletons that, should they escape, would spare nobody."

The search engine does anonymize data over time. "We strike a reasonable balance between the competing pressures we face, such as the privacy of our users, the security of our systems and the need for innovation. We believe anonymizing IP addresses after 9 months and cookies in our search engine logs after 18 months strikes the right balance," Google says on an FAQ page about privacy.

So maybe all online communications -- every last Internet-connected keystroke -- should be thought of as public, until proven otherwise? Let us know what you think in the (newly improved) comments section below.

Part of complete coverage on
CIA boss resigns
updated 7:58 PM EST, Wed November 14, 2012
The convoluted scandal has become an endless source of speculation. There is much we don't know, but a few important facts have emerged.
updated 12:01 PM EST, Thu November 15, 2012
The affair that led to the resignation of CIA Director had its roots in a multi-year friendship, a flattering book and a young writer.
updated 1:40 PM EST, Tue November 13, 2012
Learn about the key players in the unfolding Petraeus scandal through our photo gallery.
updated 4:04 PM EST, Thu November 15, 2012
Since the infidelity scandal that took down the CIA chief David Petraeus broke last Friday, a scattered timeline of bizarre events have captivated, if not confused, the public.
updated 2:17 PM EST, Thu November 15, 2012
It seems like everybody loves a good scandal except the people involved in it. How must it feel to be Jill Kelley, hearing stories everywhere?
updated 8:02 PM EST, Mon November 12, 2012
About four years ago, Paula Broadwell began her Ph.D. dissertation on Gen. David Petraeus' innovative leadership skills.
updated 9:25 AM EST, Wed November 14, 2012
A story told about Marine Gen. John Allen while commanding troops in Iraq describes his ability to inspire the loyalty.
updated 9:34 AM EST, Wed November 14, 2012
Unlike many stories about powerful Washington figures having secret affairs, the downfall of spy chief David Petraeus goes beyond sex.
As a commissioned officer in the military reserves, Paula Broadwell's security clearance would be "secret" or "top secret," allowing her access to classified documents.
Former CIA Director David Petraeus' wife has built impressive reputation of her own.
updated 12:08 PM EST, Sun November 11, 2012
Historians will likely judge David Petraeus to be the most effective American military commander since Eisenhower.