Some musings on email privacy (yours and mine)

In the fallout from the Petraeus incident there has been much discussion about the privacy of email, and for good reason.

I will assume that everyone knows that CIA Director David Petraeus resigned recently because he was found to be having an affair with his biographer Paula Broadwell. This became ‘known’ in a complex way. A second woman (or third, if you count Petraeus’ wife), Jill Kelley, received some rude anonymous email messages and asked an FBI agent friend (we can presume ‘friend’–he had sent her shirtless pictures of himself) to investigate. Despite the fact that sending weird emails is not a federal crime, the FBI obtained subpoenas for IP logs (i.e. logs identifying which computer address(es) had sent the messages). These turned out to be the same computers that Paula Broadwell had used at various times (and they could then subpoena hotel IP records, WiFi network records and so on).

Note that the FBI obtained all these records without a warrant (and therefore without showing ‘probable cause’ that a crime had been committed). Having shown that Broadwell’s email account contents were ‘relevant’ to their investigation they then subpoenaed, and received access to her Gmail accounts. And within those accounts they found tons of correspondence between her and Petraeus. Interestingly, Broadwell and Petraeus used an old spy’s trick to correspond–they shared an account, and stored the messages as ‘drafts’, thus never sending the actual messages from one account to another. Unfortunately for their romance, you don’t need to send an email message to leave a trail–all you have to do is connect to an email system.

As Julian Sanchez has pointed out, ‘the demand for access to Broadwell’s emails was just one of 6,321 requests for user data—covering 16,281 user accounts—fielded by Google alone in the past six months’.
Aside from the titillating details, why should we care about this? It’s very simple–at least potentially, nothing you put in an email is private. The Feds can look at it whenever they want, and they don’t need a search warrant. Of course, there’s no specific reason to be worried that they will look at your email, especially if you have done nothing to attract their attention.

And, of course, attracting the FBI (or TSA’s) attention is quite unrelated to whether you have done anything wrong (witness screaming toddlers being groped by TSA agents and the FBI’s legendary attempts to blackmail Martin Luther King Jr.)  And, all jokes aside, I myself spent about six months on the TSA’s ‘selectee’ list in 2004-5, which meant that I couldn’t fly without an extensive interview at the gate every time I flew. To the best of my knowledge I have not consorted with bad guys, nor is my name similar to that of someone who is. So I don’t accept the ‘if you have nothing to hide, you have nothing to worry about’ as an answer.

Most of us believe our ‘persons, houses, papers and effects’ are protected against ‘unreasonable search and seizure’ (it’s called the 4th Amendment). However, in a bizarre reinterpretation of that statement, the Electronic Communications Privacy Act (passed in 1986, right at the beginning of widespread use of email) states that email messages stored on servers for more than 180 days are considered to be ‘abandoned’, and hence no judicial review is required for law enforcement to request it’ [1]. This was because in the eighties email was always downloaded to your computer, unlike the current cloud-based email systems (such as Gmail, Wayne Connect and Microsoft’s Live Mail), where many of us keep years of correspondence online. Clearly the ECPA is grossly out of date, and there have been movements in congress to update it. However, law enforcement, never an interest group to give itself more obstacles, has been lobbying heavily to make retrieval of stored email even easier for an alphabet soup of government agencies. As this is written there are conflicting reports[2] on whether Sen. Patrick Leahy is trying to prevent this or to encourage it in a new bill being discussed in the lame-duck congress.

Notes:

[1] http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act

[2] http://news.cnet.com/8301-13578_3-57552687-38/leahy-scuttles-his-warrantless-e-mail-surveillance-bill/ (Declan McCullagh)

Additional references:

http://www.nytimes.com/2012/11/14/us/david-petraeus-case-raises-concerns-about-americans-privacy.html (New York Times coverage)
http://www.sfgate.com/news/article/Privacy-law-can-t-keep-up-with-digital-age-4047236.php
http://www.thenewamerican.com/usnews/politics/item/13710-sen-leahy-drops-controversial-warrantless-e-mail-surveillance-bill

National Cybersecurity Month is over, and we have winners! And a few losers!


Cat caught phishing

 

I’m sure you all eagerly read my announcement of National Cybersecurity Month, October:

October is National Work and Family Month and…

Well, October has been, and gone, and we’re assessing our results. As you may remember, we focused on phishing, with a quiz that we invited all of Wayne State to take. And the results were quite encouraging: 1744 people took the quiz. 1323 of them got ten out of eleven questions right (that’s 76%) and 637 got all eleven questions right (an excellent 37%). 

In case you’re wondering, the one question that turned out to be the hardest was one that really looked like Wayne Connect’s log-in page, but if you look carefully at the URL (web address) in the address bar of the browser, you see that it doesn’t end in ‘wayne.edu’, but rather an address in Tokelau, a small Pacific atoll that bases its economy in part on supplying cheap web addresses.

Hard quiz question

Two people won a copy of Adobe Photoshop compliments of the Software Clearinghouse.

Unfortunately, we apparently didn’t do enough training. Last week (November 7, specifically) people at Wayne received a tempting-looking email with a link to what looked like a legitimate Wayne log-in page, and 4 or 5 people logged in, with the result that the next evening some of their accounts were compromised and used to launch attacks. So our work here, alas, is not yet done.

Remember: never ‘reply’ to any email with your password. And, if you click on a link to something asking for your password, look at the web address and make sure it’s ‘wayne.edu’ (or ‘amazon.com’, or whatever you are trying to reach). If it look suspicious, it probably is.

Don’t walk while texting (or emailing or browsing…)

On Thursday October 25 I was walking across campus, around 1:30, heading towards a meeting and trying to deal with an issue with a recent travel request. While attempting to look up a phone number on my smartphone I tripped over the edge of a small platform and landed on my knees while my head hid a planter with a pebbly surface:

Planter under Prentis BuildingAs you might imagine, this did considerable damage to my face, and attracted a crowd. Some wonderful people from the Rec Center came with a first-aid kit and cleaned up most of the blood, but decided to call an ambulance, as this was potentially a closed-head brain injury. Never got a chance to get their names, but within five minutes an ambulance came and transported me to the Emergency Room in Receiving Hospital. I spent about four hours there, and, after a CAT scan it was decided that nothing was broken, but I was told to have someone watch me overnight and wake me every two hours to make sure I wasn’t experiencing post-traumatic brain swelling.

In the end, I was very lucky, and got off with a bad scrape on my forehead:

Abraded face

 

I took this picture with the offending instrument immediately after I was discharged from the hospital, and was waiting to be driven back to my car. I look much better here than I did the next morning, when my right eye was completely swollen shut and I was developing a ‘sympathetic’ black eye on the left side as well.

Almost all the ‘blackening’ is now gone, and there are only scabs and scars left, as of today. But the ‘take-home’ is very simply–don’t text and walk. It’s dangerous. I could have been badly hurt, not just ‘defaced’.

End of lesson for today.