November 13, 2012

Petraeus -- And the Bottom Line on Email Privacy

In some respects, the saga of now former CIA director David Petraeus and Paula Broadwell does not make for the best possible example for analysis of email privacy issues.

In their case, a citizen complaint about harassing emails reportedly triggered an FBI investigation, not some sort of internally generated FBI action. And once the director of CIA's emails were found to be in the mix, the triggering of security concerns (whether ultimately proved out or not) does not seem particularly surprising. That's one of the most sensitive intelligence positions on the planet.

It probably didn't help matters that Petraeus and Broadwell were apparently using Gmail message drafts in a shared access account, as a form of the classic intelligence operative "dead drop" -- likely in an effort to avoid sending messages between accounts. Such behavior in this case was bound to trigger even more security concerns, including of possible account hacking and other issues.

Also, it appears likely that most or all of the emails involved in this case were relatively recent, which is an important point -- as we'll revisit in a moment.

But none of us are director of CIA, and it's reasonable to wonder how well our own email is protected from unreasonable and inappropriate government snooping.

First, a fact. If the government, really, seriously, wants access to your email, no matter where it is stored, they are likely to find a way to do this in most cases. Even advanced encryption systems can often be subverted through keyloggers, screen grabbers, and other mechanisms that "work around" encryption, rather than break it per se.

That said, in the U.S., the primary driver of these issues today is a nearly three-decade-old federal law, 1986's Electronic Communications Privacy Act (ECPA). By modern standards, this law has actually become a dangerous anachronism.

For example, it assumes that email left on a service provider's system has been "abandoned" and permits law enforcement access without a judge issuing a warrant showing probable cause to suspect a crime had been committed.

This was a nonsensical approach even in 1986. It is ridiculous to assert that there should be less privacy protection for email more than six months old that happens not to be on a system under your immediate personal control.

And it simply isn't practical for everyone to deal with email locally anymore. The ability to keep systems up to date, properly backed up, and flexibly accessible to the email's owner, has given rise to cloud-based systems that can reliably provide these functions far more effectively than is possible on most persons' home systems, and in many cases office systems as well.

The problem isn't with remotely hosted email systems per se; the issue is the failure of the ECPA to keep up with technological change, as cloud systems and various hybrid email access environments like POP and IMAP became commonplace.

The intolerable dichotomy created by the obsolete ECPA must be eliminated. All of an entity's email, whether hosted and/or accessed locally or remotely, no matter its age, should have the same requirement that it can only be accessed by authorities (without the permission of the email's owner) upon issuing of a valid probable cause warrant by a judge.

A very long list of firms and other organizations, including Google, Twitter, Microsoft, Facebook, Apple, AT&T, the ACLU, and many others, have joined forces to push for changes in the law along these lines, as the Digital Due Process coalition. I urge you to visit their site and support their effort.

Also, nascent Congressional legislative attempts to implement such changes have been appearing -- so far without gaining much traction. These should also be supported as appropriate.

Google and other firms have reported that government demands for user emails and other data have been rising rapidly. The failure of the ECPA to keep pace with our modern Internet environment sets the stage for abuses in this sphere that should be deemed absolutely unacceptable.

This should hold true for all of us -- even if our email is as pure as the driven snow.

Even for directors of CIA.


Posted by Lauren at November 13, 2012 01:54 PM
Twitter: @laurenweinstein
Google+: Lauren Weinstein