The bulk of the coverage of the departure of CIA head and retired Gen. David Petraeus has focused on the more salacious elements of the story. If it were only a story of who boned whom, it would be merely gross. But it’s more than that. It’s a story of online privacy. Perhaps it’s a cautionary tale about interpersonal relationships, but it certainly is an object lesson in the issues surrounding privacy in a digital age.
Privacy advocates have recognized in this investigation examples of how poorly current privacy law covers a complex online environment. They point out how vulnerable personal email is in current criminal investigations and even draw a line from our poorly defined sense of what legally constitutes privacy to our activities in the so-called war against terror, indicating that this struggle to define what is private online has been a fact of life outside the US for a decade and more.
The Petraeus case, for those worried about privacy, is a watershed moment.
The Investigation
Jill Kelley, a woman who spent a great deal of social time around MacDill Air Force Base in Tampa, Fla., reported to the local FBI office some threatening emails that had been sent to her. FBI agents there began a cyberstalking investigation. The FBI examined Kelley’s emails, which led to Petraeus’s biographer Paula Broadwell, the woman with whom he is now said to have conducted an adulterous affair.
During the course of this investigation, FBI investigators found incriminating emails to and by both Gen. Petraeus and Gen. John Allen, leader of NATO forces in Afghanistan who served as deputy under Petraeus (and later, acting chief) at United States Central Command (CENTCOM), headquartered at MacDill. “Prosecutors and agents,” according to the Wall Street Journal, made the decision to share the possibly inappropriate information the bureau had discovered with “senior officials at the FBI and the Justice Department,” including Attorney General Eric Holder.
The investigators were able to trace anonymous emails back to Broadwell by matching the IP address of the anonymous account with other accounts logged into from that computer, then matching that information to Broadwell’s activities, movements, and location at the times of login.
This was possible because, as analyst Chris Soghoian wrote in a post on the ACLU’s blog, “U.S. law currently permits law enforcement agencies to obtain these records with a mere subpoena—no judge required.”
The Law
Current legal protection for email users is, as the Electronic Frontier Foundation (EFF) put it in its “Email Privacy Primer,” a “confusing, abuse-prone legal mess.”
“Your email privacy should be simple: it should receive the same protection the Fourth Amendment provides for your home,” the EFF suggests.
There is a law guaranteeing electronic privacy, the Electronic Communications Privacy Act, but, “ECPA provides scant protection for your identifying information, such as the IP address used to access an account.”
As Scott Shane wrote in his coverage in the New York Times, the Petraeus story “underscores a danger that civil libertarians have long warned about: that in policing the Web for crime, espionage and sabotage, government investigators will unavoidably invade the private lives of Americans.”
Soghoian, the principal technologist and senior policy analyst for the ACLU’s Speech, Privacy and Technology Project, described the Petraeus story as “an excellent lesson on the government’s surveillance powers—as well as a reminder of the need to reform those powers.”
“There is no independent review, no check against abuse, and further, the target of the subpoena will often never learn that the government obtained data (unless charges are filed, or, as in this particular case, government officials eagerly leak details of the investigation to the press). Unfortunately, our existing surveillance laws really only protect the ‘what’ being communicated; the government’s powers to determine ‘who’ communicated remain largely unchecked.”
Apparently, Petraeus kept his incriminating email in the draft folder of a shared account, in the belief that actually sending email poses a security risk, while merely storing it in a private account makes it legally immune from seizure. This method, which Soghoian’s post called a “dead drop,” has turned into a kind of fable of circumvention. Soghoian notes that a variety of terrorists, including Khalid Sheik Mohammed and the Madrid train bombers, made the same mistake.
He believes this makes the email less secure, not more, as the Department of Justice has argued that emails in that folder are not in electronic storage, as described in the Stored Communications Act, “and thus not deserving of warrant protection. Instead, the government has argued it should be able to get such messages with a mere subpoena.”
The EFF explains the legality of the seizure like this:
“[A]lthough ECPA requires a warrant for the government to obtain the contents of an email stored online for less than 180 days, the government believes the warrant requirement doesn’t apply for email that was opened and left on the server – the typical scenario for webmail systems like Gmail – even if the messages are less than 180 days old. So, under the government’s view, so long as the emails had been opened or were saved in the ‘drafts’ folder, only a subpoena was required to look at contents of Broadwell’s email account.”
This interpretation, however, has been rejected by the Ninth Circuit Court of Appeals in Theofel v. Farey-Jones. The Ninth covers much of the Western United States, including California, where Google is headquartered. Because of the Ninth Circuit’s ruling, the Department of Justice’s seizure manual warns agents to get a warrant for matters taking place in the area of the United States covered by the Ninth. It is EFF’s opinion that a warrant was likely sought and received for the seizure of the emails in question.
Military law criminalizes adultery, which Petraeus denies committing. So the argument can be made that what the investigation uncovered was not merely personal information, but in this case information about a crime having been committed. But personal information that is not actionable can easily be found during the course of a criminal investigation, including one which results in no charges, and its exposure can be life-altering and, some would say, simply unfair.
The Consequences of U.S. Policy Abroad
But if it’s metaphorically life-destroying stateside, this conflation of the criminal with the personal can, in some situations, be literally life-ending, as Esra’a Al Shafei, director of Mideast Youth and a Bahraini citizen, told the Daily Dot.
“This invasion of privacy isn’t just an inconvenience. It’s a matter of life and death.”
In Al Shafei’s view, this is just the latest “consequence of a formal U.S. policy of changing the concept of privacy and invading the lives of both its citizens and anyone of interest around the world.”
Her organization and those like it, which are involved in sensitive issues like queer rights and government censorship, come up against the results of a conflicted U.S. policy toward privacy, as when the Bahraini government, heavily backed by the U.S., uses the Internet as a tool of surveillance and control.
“General Petraeus,” Al Shafei said, “has simply fallen victim to the same policy that he helps implement as a member of the U.S. State. But the important conversation about privacy rights has been lost in the soap opera of his affair.”
Photo by hectorir/Flickr