Sex, security and surveillance | World | Times Crest
Popular on Times Crest
  • In This Section
  • Entire Website
  • Hiding, but still a hero
    July 6, 2013
    Edward Snowden's revelations about government surveillance transformed him into a champion of the people world over, but left him on the run.
  • Taking a stand
    July 6, 2013
    The Standing Man of Taksim Square helped revive the spirit of Turkey protests.
  • Restless in Rio
    June 29, 2013
    A protest in the Confederations Cup has become the catalyst for a nationwide movement.
More in this Section
Profiles
Leaving tiger watching to raise rice Ecologist Debal Deb, who did his post-doctoral research from IISc in…
The crorepati writer He's the man who gives Big B his lines. RD Tailang, the writer of KBC.
Chennai-Toronto express Review Raja is a Canadian enthusiast whose quirky video reviews of Tamil…
Don't parrot, perform Maestro Buddhadev Dasgupta will hold a masterclass on ragas.
A man's man Shivananda Khan spent his life speaking up for men who have sex with men.
Bhowmick and the first family of Indian football At first glance, it would be the craziest set-up in professional football.
From Times Blogs
The end of Detroit
Jobs in Detroit's car factories are moving to India.
Chidanand Rajghatta
How I love the word ‘dobaara’...
Can ‘bindaas’ or ‘jhakaas’ survive transliteration?
Shobhaa De
Anand marte nahin...
India's first superstar died almost a lonely life.
Robin Roy
Cheat Sheet

Sex, security and surveillance

|


MAIL TRAIL: Broadwell ended plausible deniability by repeatedly logging on to hotel wi-fi networks.

A key lesson from the Petraeus scandal: There is no such thing as online privacy.

When the CIA director cannot hide his activities online, what hope is there for the rest of us? In the unfolding sex scandal that has led to the resignation of David Petraeus, the FBI's electronic surveillance and tracking of Petraeus and his mistress Paula Broadwell is more than a side show - it's a key component of the story.

METADATA IS KING


Broadwell apparently attempted to shield her identity by using anonymous email accounts. However, it appears that her efforts were thwarted by sloppy operational security and the data retention practices of the companies to whom she entrusted her private data.

The New York Times reported that "[ b]ecause the sender's account had been registered anonymously, investigators had to use forensic techniques - including a check of what other e-mail accounts had been accessed from the same computer address-to identify who was writing the e-mails. "

Webmail providers like Google, Yahoo and Microsoft retain login records (typically for more than a year) that reveal the particular IP addresses a consumer has logged in from. Although these records reveal sensitive information, including geo-location data associated with the target, US law currently permits law enforcement agencies to obtain these records with a mere subpoena - no judge required.

Although Broadwell took steps to disassociate herself from at least one particular email account, by logging into other email accounts from the same computer (and IP address), she created a data trail that agents were able to use to link the accounts.

The Wall Street Journal similarly revealed that "agents spent weeks piecing together who may have sent [the emails]. They used metadata footprints left by the emails to determine what locations they were sent from. They matched the places, including hotels, where Broadwell was during the times the emails were sent". NBC added further details, revealing that "it took agents a while to figure out the source. They did that by finding out where the messages were sent from-which cities, which Wi-Fi locations in hotels. That gave them names, which they then checked against guest lists from other cities and hotels, looking for common names".

Based on these reports, it seems that Broadwell did at least avoid the common mistake of sending sensitive emails from her residential Internet connection. However, she did not, it seems, take affirmative steps to shield her IP address (such as by using Tor or a privacy-preserving VPN service). Instead, she apparently logged in to her email accounts from public Wi-Fi networks, such as those in hotels. Had she sent just one email, she might have been able to at least maintain plausible deniability. However, each new hotel (and associated IP login record) reduced the anonymity set of potential suspects. By the second or third hotel, it is likely that the list of intersecting names from the various guest lists contained just a single name: Broadwell's.

While the details of this investigation that have leaked thus far provide us all a fascinating glimpse into the methods used by FBI agents, this should also serve as a warning, by demonstrating the extent to which the government can pierce the veil of communications anonymity without ever having to obtain a search warrant or other court order from a neutral judge.

The guest lists from hotels, IP login records, as well as the creative request to email providers for "information about other accounts that have logged in from this IP address" are all forms of data that the government can obtain with a subpoena.

DIGITAL "DEAD DROPS" DON'T PROTECT YOU


For more than a decade, a persistent myth has been that it is possible to hide a communications trail by sharing an email inbox, and instead saving emails in a "draft" folder. This technique has been used by Khaled Sheikh Mohammed, Richard Reid (the shoe bomber), the 2004 Madrid train bombers, terrorists in Germany, as well as some domestic "eco-terrorists".

Apparently, this method was also used by General Petraeus. According to the Associated Press, "[ r]ather than transmitting emails to the other's inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder or in an electronic 'dropbox', the official said. Then the other person could log onto the same account and read the draft emails there. This avoids creating an email trail that is easier to trace".

The problem is, like so many other digital security methods employed by terrorists, it doesn't work. Emails saved in a draft folder are stored just like emails in any other folder in a cloud service, and further, the providers can be compelled, prospectively, to save copies of everything (so that deleting the messages after reading them won't actually stop investigators from getting a copy). I hope that this scandal will finally kill off this inaccurate myth.
General Petraeus should have known better - placing documents in an email "drafts" folder is not an effective way to hide things from the government. It wasn't 10 years ago, and it certainly isn't anymore. More broadly, this scandal centers around email, and it's a reminder that the legal protections for email fall far short of what they should be. We need to modernise privacy laws and we need protections that cover metadata of the kind that was apparently so central in this scandal.

The writer is principal technologist and senior policy analyst, ACLU Speech, privacy and technology project. The article first appeared on http:// www. aclu. org

Other Times Group news sites
The Times of India | The Economic Times
इकनॉमिक टाइम्स | ઈકોનોમિક ટાઈમ્સ
Mumbai Mirror | Times Now
Indiatimes | नवभारत टाइम्स
महाराष्ट्र टाइम्स
Living and entertainment
Timescity | iDiva | Bollywood | Zoom
| Technoholik | MensXP.com

Networking

itimes | Dating & Chat | Email
Hot on the Web
Hotklix
Services
Book print ads | Online shopping | Business solutions | Book domains | Web hosting
Business email | Free SMS | Free email | Website design | CRM | Tenders | Remit
Cheap air tickets | Matrimonial | Ringtones | Astrology | Jobs | Property | Buy car
Online Deals
About us | Advertise with us | Terms of Use and Grievance Redressal Policy | Privacy policy | Feedback
Copyright© 2010 Bennett, Coleman & Co. Ltd. All rights reserved. For reprint rights: Times Syndication Service