« Ind. Decisions - "Appeals court OKs Lebo trial in LaPorte HS volleyball sex case" [Updated] | Main | Ind. Courts - Should a highly respected Indiana trial judge, who was a star athlete for Ball State in the late 1970s, preside over a case involving the school? »

Saturday, November 17, 2012

A teaching moment - A look at techniques for keeping emails secrets, and their use [Updated]

Nov. 13, 2012 - "David Petraeus, Paula Broadwell’s email secret" from Kevin Robillard of Politico briefly describes their use of "an email technique favored by Al Qaeda."

Nov. 13, 2012 - "Instead of 'Dead Dropping,' Petraeus and Broadwell Should Have Used These Email Security Tricks," is the headline to this article by Ryan Gallagher of Slate, states that:

... if Petraeus and Broadwell had been savvy enough to use encryption and anonymity tools, their affair would probably never have been exposed. If they had taken advantage of PGP encryption, the FBI would have been able to decipher their randy interactions only after deploying Trojan-style spyware onto Broadwell’s computer. Further still, if the lovers had only ever logged into their pseudonymous Gmail accounts using anonymity tools like Tor, their real IP addresses would have been masked and their identities extremely difficult to uncover.

But then it is unlikely that they ever expected to come under FBI surveillance. Their crime was a moral one, not a felony, so there was no real reason to take extra precautions. In any other adulterous relationship a pseudonym and a dead drop would be more than enough to keep it clandestine, as my Slate colleague Farhad Manjoo noted in an email.

Broadwell slipped up when she sent the harassing emails—as that, as far as we know, is what ended up exposing her and Petraeus to surveillance. Whether the harassment was serious enough to merit email monitoring is still to be established, as Emily Bazelon writes on “XX Factor.” It goes without saying, however, that the real error here was ultimately made by Petraeus. If he had stayed faithful to his wife of 38 years in the first place, he’d still be in charge at the CIA—and I wouldn’t be writing about how he could have kept his adultery secret more effectively by using encryption.

Today, Nov. 16, in a long NY Times story titled "Trying to Keep Your E-Mails Secret When the C.I.A. Chief Couldn’t", Nicole Perlroth makes many of the same points and discusses the same techniques/software. For example:
Technically speaking, the undoing of Mr. Petraeus was not the extramarital affair, per se, it was that he misunderstood the threat. He and his mistress/biographer, Paula Broadwell, may have thought the threat was their spouses snooping through their e-mails, not the F.B.I. looking through Google’s e-mail servers.

“Understanding the threat is always the most difficult part of security technology,” said Matthew Blaze, an associate professor of computer and information science at the University of Pennsylvania and a security and cryptography specialist. “If they believed the threat to be a government with the ability to get their login records from a service provider, not just their spouse, they might have acted differently.”

To hide their affair from their spouses, the two reportedly limited their digital communications to a shared Gmail account. They did not send e-mails, but saved messages to the draft folder instead, ostensibly to avoid a digital trail. It is unlikely either of their spouses would have seen it.

But neither took necessary steps to hide their computers’ I.P. addresses. According to published accounts of the affair, Ms. Broadwell exposed the subterfuge when she used the same computer to send harassing e-mails to a woman in Florida, Jill Kelley, who sent them to a friend at the F.B.I.

Authorities matched the digital trail from Ms. Kelley’s e-mails — some had been sent via hotel Wi-Fi networks — to hotel guest lists. In cross-checking lists of hotel guests, they arrived at Ms. Broadwell and her computer, which led them to more e-mail accounts, including the one she shared with Mr. Petraeus.

The long story concludes:
It is hard to pull off one of these steps, let alone all of them all the time. It takes just one mistake — forgetting to use Tor, leaving your encryption keys where someone can find them, connecting to an airport Wi-Fi just once — to ruin you.

“Robust tools for privacy and anonymity exist, but they are not integrated in a way that makes them easy to use,” Mr. Blaze warned. “We’ve all made the mistake of accidentally hitting ‘Reply All.’ Well, if you’re trying to hide your e-mails or account or I.P. address, there are a thousand other mistakes you can make.”

In the end, Mr. Kaminsky noted, if the F.B.I. is after your e-mails, it will find a way to read them. In that case, any attempt to stand in its way may just lull you into a false sense of security.

Some people think that if something is difficult to do, “it has security benefits, but that’s all fake — everything is logged,” said Mr. Kaminsky. “The reality is if you don’t want something to show up on the front page of The New York Times, then don’t say it.”

[More] An ACLU blog has a good Nov. 13th article by Chris Soghoian, headed "Surveillance and Security Lessons From the Petraeus Scandal."

The article is quoted in this Nov. 14th story by Peter Maass in The New Yorker News Desk. A quote:

[T]he Petraeus scandal appears to show just how much surveillance the F.B.I. and other law-enforcement agencies can conduct without a judge or a company telling them, “No, you can’t have that.”

For instance, in its semiannual transparency report, Google announced this week that it receives more requests for user data from the U.S. government than any other government in the world, and that those requests rose twenty-six per cent in the latest six-month reporting period, to nearly eight thousand; the company said that it complied with ninety per cent of the requests, either fully or partially. * * *

It’s not just e-mail. In July, Representative Edward Markey, a Democrat from Massachusetts, cajoled major cell-phone carriers into disclosing the number of requests for data that they receive from federal, state, and local law-enforcement agencies: in 2011, there were more than 1.3 million requests. As ProPublica reported at the time, “Police obtain court orders for basic subscriber information so frequently that some mobile phone companies have established websites—here’s one—with forms that police can fill out in minutes. The Obama Administration’s Department of Justice has said mobile phone users have ‘no reasonable expectation of privacy.’”

There’s a particularly cruel irony in all of this: if you contact your cell-phone carrier or Internet service provider or a data broker and ask to be given the information on you that they provide to the government and other companies, most of them will refuse or make you jump through Defcon levels of hops, skips, and clicks. Uncle Sam or Experian can easily access information that shows where you have been, whom you have called, what you have written, and what you have bought—but you do not have the same privileges.

[Updated] Ashby Jones and Joe Palazzolo have this Nov. 16th post in the WSJ Law Blog, headed "Affair Highlights Uncertainty of Email-Privacy Laws."

Posted by Marcia Oddi on November 17, 2012 02:28 PM
Posted to A teaching moment | General Law Related