The Petraeus principle: There is (almost) no email anonymity

Maintaining anonymity online is difficult, but there are steps government users can take — and missteps they can avoid.

It’s now common knowledge that email records helped bring down former Gen. David H. Petraeus, forcing him to resign as the director of the CIA when it was revealed that he was having an affair with his biographer, which is something that could potentially compromise agency security.

Ironically, the FBI wasn’t even looking for evidence of an affair, or even investigating Petraeus directly. But anyone trying to maintain anonymity online these days is facing an uphill battle.

Government employees may want to maintain an anonymous identity away from their work persona for legitimate reasons. Just commenting on a news article they feel strongly about, or supporting a political candidate, or sending a letter to the editor can spell trouble in certain jobs.  By examining how digital forensics was used in this case, users can learn how to protect themselves online.

The two people in the current scandal did a lot of things “right,” at least in terms of protecting their privacy. For one, they didn’t actually send very many emails. Instead they used a technique favored by terrorists planning attacks and teen lovers trying not to get caught. They shared an email account where each person knew the password and login information. Instead of actually sending an email, they would write it and then save it in a draft folder. Then the other person would log on, read the email in the draft folder and either delete it or add to it. The TV show Frontline reported how terrorists were using this technique as early as 2005.  In the terrorists’ case, they set up as many as 30 email accounts and then changed accounts on a regular basis, never going back to an old one.

The “save as draft” option of communicating works fairly well for secrecy, because emails are never actually sent. When emails are sent, location-based information is added to the header to help route it through the Internet. Some services such as Google’s Gmail also include the IP address of the sending computer, while others, such as Yahoo Mail, only include the IP address of the routers it went through to get to a target. But in every case, the email headers provide a wealth of information for potential investigations.
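To see what a sent message exposes, the following added example (not part of the original article) reads the routing headers of two constructed messages: one where the webmail service records the sender's IP address, and one where only relay addresses appear. The host names and documentation-range addresses are made up, and `X-Originating-IP` is a common non-standard header that this sketch assumes the service adds.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed samples: hypothetical hosts, documentation-range IPv4 addresses.
WITH_CLIENT_IP = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.25])
\tby inbox.recipient.example with ESMTP; Mon, 5 Nov 2012 10:00:05 -0500
Received: from webmail.provider.example ([198.51.100.7])
\tby mx.recipient.example with ESMTPS; Mon, 5 Nov 2012 10:00:03 -0500
Received: from [192.0.2.44] by webmail.provider.example via HTTP;
\tMon, 5 Nov 2012 10:00:01 -0500
X-Originating-IP: [192.0.2.44]
From: sender@provider.example
Subject: constructed sample

body
"""
# Same message as a service that records only its own relays would send it.
RELAYS_ONLY = "\n".join(
    line for line in WITH_CLIENT_IP.split("\n")
    if "192.0.2.44" not in line and "10:00:01" not in line)

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 only

def _ips(value):
    """Return the valid bracketed IPv4 literals in one header value."""
    found = []
    for candidate in BRACKETED_IPV4.findall(value or ""):
        try:
            found.append(str(ip_address(candidate)))
        except ValueError:
            pass  # looks like an address but is not one, e.g. [999.1.1.1]
    return found

def header_exposure(raw):
    """Summarise the addresses a recipient or investigator can read."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its Received line, so reverse for oldest-first order.
    for received in reversed(msg.get_all("Received", [])):
        hops.extend(_ips(received))
    client = _ips(msg.get("X-Originating-IP"))
    return {"hops_oldest_first": hops,
            "client_ip": client[0] if client else None}

if __name__ == "__main__":
    print(header_exposure(WITH_CLIENT_IP))
    print(header_exposure(RELAYS_ONLY))
```

Running the same function over the full headers of a message you sent to yourself shows which of the two cases your own mail service falls into.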

The secret communication became public when Paula Broadwell, the other person involved in the affair, allegedly sent threatening emails to a woman she apparently believed was getting too close to the general. That woman talked to a friend in the FBI and got an investigation started.

Broadwell obviously couldn’t use the “save as draft” option to send out those emails because the recipient wasn’t going to log into the account. Instead she allegedly created a new Gmail account using fake credentials, a really easy thing to accomplish, and sent the emails that way.

But Google and Yahoo both happily provide info about their users to investigators when asked, even without a court order. Google’s transparency report says that there were 7,969 requests from the U.S. government for information about users over a six month period in 2011, and that 90 percent of those requests were honored. Interestingly, Google gives up info about its users to governments of other countries as well, according to the report.

Once the FBI had the information about the fake account, it just took a little old-fashioned police work to find their suspect. Remember that location data put into emails? Agents found that a lot of emails had been sent from different hotels. So the FBI got a list of all the guests staying at various hotels when the messages were sent. And Broadwell’s name came up at all of them, probably the only person to do so, making her the primary suspect.

Once the FBI started monitoring Broadwell’s email communications, she allegedly made other mistakes, including logging into her personal Gmail account during the same Internet session as the fake one, plus the one she was sharing with the general. Not only did that further tie her to the emails the FBI was investigating, but it led them to the “save as draft” folder that was so cleverly hidden.

The precautions Petraeus and Broadwell took to keep their communications private obviously weren’t enough -- on the Internet, there is probably no sure-fire way to stay secret once investigators start looking. But people with legitimate reasons to protect their identity can take a few steps toward protecting their privacy.

Besides the obvious advice of not sending harassing emails to anyone, ever, a remailer could have been employed. There are two kinds. The first takes email and strips all the header information out of it before sending it to its destination. The second allows users to type a message that is sent out without any extra info, such as the W3 Anonymous remailer. No IP information is kept, so governments can’t subpoena it. There is nothing there.

The only other tips would be to never log into a fake email account at the same time as using an account that is tied directly to you. And don’t log into a fake account from a hotel room or your house. Try a library or a public kiosk instead -- anywhere that doesn’t require identifying info, even indirectly, as with a credit card. Wireless hotspots work fine if users remember to scrub temporary files from their mobile devices once finished. And it’s probably a good idea to avoid using the same place more than once.

Again, the best advice is not to do anything nefarious in the first place. But people who need to maintain some level of anonymity online must always be vigilant. You have to do things right every single time to protect your privacy. The people investigating you only have to be right once.
