Some musings on email privacy (yours and mine)

In the fallout from the Petraeus incident there has been much discussion about the privacy of email, and for good reason.

I will assume that everyone knows that CIA Director David Petraeus resigned recently because he was found to be having an affair with his biographer Paula Broadwell. This became ‘known’ in a complex way. A second woman (or third, if you count Petraeus’ wife), Jill Kelley, received some rude anonymous email messages and asked an FBI agent friend (we can presume ‘friend’–he had sent her shirtless pictures of himself) to investigate. Despite the fact that sending weird emails is not a federal crime, the FBI obtained subpoenas for IP logs (i.e. logs identifying which computer address(es) had sent the messages). These turned out to be the same computers that Paula Broadwell had used at various times (and they could then subpoena hotel IP records, WiFi network records and so on).

Note that the FBI obtained all these records without a warrant (and therefore without showing ‘probable cause’ that a crime had been committed). Having shown that Broadwell’s email account contents were ‘relevant’ to their investigation they then subpoenaed, and received access to her Gmail accounts. And within those accounts they found tons of correspondence between her and Petraeus. Interestingly, Broadwell and Petraeus used an old spy’s trick to correspond–they shared an account, and stored the messages as ‘drafts’, thus never sending the actual messages from one account to another. Unfortunately for their romance, you don’t need to send an email message to leave a trail–all you have to do is connect to an email system.

As Julian Sanchez has pointed out, ‘the demand for access to Broadwell’s emails was just one of 6,321 requests for user data—covering 16,281 user accounts—fielded by Google alone in the past six months’.
Aside from the titillating details, why should we care about this? It’s very simple–at least potentially, nothing you put in an email is private. The Feds can look at it whenever they want, and they don’t need a search warrant. Of course, there’s no specific reason to be worried that they will look at your email, especially if you have done nothing to attract their attention.

And, of course, attracting the FBI (or TSA’s) attention is quite unrelated to whether you have done anything wrong (witness screaming toddlers being groped by TSA agents and the FBI’s legendary attempts to blackmail Martin Luther King Jr.)  And, all jokes aside, I myself spent about six months on the TSA’s ‘selectee’ list in 2004-5, which meant that I couldn’t fly without an extensive interview at the gate every time I flew. To the best of my knowledge I have not consorted with bad guys, nor is my name similar to that of someone who is. So I don’t accept the ‘if you have nothing to hide, you have nothing to worry about’ as an answer.

Most of us believe our ‘persons, houses, papers and effects’ are protected against ‘unreasonable search and seizure’ (it’s called the 4th Amendment). However, in a bizarre reinterpretation of that statement, the Electronic Communications Privacy Act (passed in 1986, right at the beginning of widespread use of email) states that email messages stored on servers for more than 180 days are considered to be ‘abandoned’, and hence no judicial review is required for law enforcement to request it’ [1]. This was because in the eighties email was always downloaded to your computer, unlike the current cloud-based email systems (such as Gmail, Wayne Connect and Microsoft’s Live Mail), where many of us keep years of correspondence online. Clearly the ECPA is grossly out of date, and there have been movements in congress to update it. However, law enforcement, never an interest group to give itself more obstacles, has been lobbying heavily to make retrieval of stored email even easier for an alphabet soup of government agencies. As this is written there are conflicting reports[2] on whether Sen. Patrick Leahy is trying to prevent this or to encourage it in a new bill being discussed in the lame-duck congress.



[2] (Declan McCullagh)

Additional references: (New York Times coverage)

2 Replies to “Some musings on email privacy (yours and mine)”

  1. I have always felt that there was no privacy with anything typed into a computer. Your comments certainly confirm that suspicion. Sadly, it is hard to prove that we “aren’t the bad guy” once you get on one of those lists.

Comments are closed.