The digital demise of former CIA Director David Petraeus underscores a key warning for an age in which computer servers retain nearly every residue of human interaction: Law enforcement authorities can easily trace who sent an email, even if users attempt to shield their identities. In many cases they don't even need to obtain a judge's permission, privacy experts note.
"You can take steps to protect your privacy but you have to get everything right," said Christopher Soghoian, principal technologist at the American Civil Liberties Union. "If you get one thing wrong, the government can figure out who you are."
Petraeus resigned Friday as CIA director after an FBI investigation revealed that he had an affair with his biographer, Paula Broadwell. The federal probe began when a Tampa woman, Jill Kelley, told an FBI acquaintance that she had received threatening emails from an anonymous address. Law enforcement eventually connected those emails to an account belonging to Broadwell, which also included details of her affair with Petraeus.
Many details of the case are still unclear. But experts say the FBI's investigation into Broadwell's emails highlights their concerns about a federal privacy law that is outdated.
The law meant to protect online privacy, the Electronic Communications Privacy Act, was passed in 1986. Back then, email providers only kept emails for a few months because Web storage was expensive. Today, emails are cheaply stored in the cloud, and Web companies can keep those messages indefinitely. But the privacy law hasn't kept up. Law enforcement officials need a warrant from a judge to obtain emails within the past six months. But they only need to ask Web companies to get older emails. The Senate Judiciary Committee is considering legislation to modernize the law.
"The way that emails are protected is completely outdated when compared to how people communicate today," said Gregory Nojeim, a senior counsel at the Center for Democracy & Technology.
Law enforcement officials are increasingly asking Web companies to hand over customers' data by issuing subpoenas, which don't require a judge's approval, and companies rarely fight them. In a recent report, Google said it complied with 90 percent of nearly 8,000 requests for user data from U.S. government agencies and courts in the first half of this year. That was up from less than 6,000 requests during the same period a year before. It's unclear how many of those requests were for private emails or other sensitive information, like location data or online search histories.
The alleged threatening emails between Broadwell and Kelley began in May, according to the Wall Street Journal, meaning the FBI would likely have needed a warrant to obtain them. But when Broadwell logged into her Gmail account, Google retained the location of that computer, known as the IP address, which the government could later obtain without needing a court order.
FBI agents were able to link Broadwell to the threatening emails by matching IP addresses from her messages to hotels and other locations where she stayed, according to the Journal.
Petraeus and Broadwell reportedly took great measures to hide their affair. They used anonymous accounts and saved their correspondences in the "drafts" folder in order to use the account as a sort of online dropbox -- a technique often used by al-Qaeda terrorists to make it harder to trace their correspondence, according to the Associated Press. But this trick would not have protected them from government surveillance because law enforcement can still force email providers to turn over messages saved in "drafts" folders, according to Soghoian.
The fact that Petraeus's affair with Broadwell came to light, despite their efforts to cover it up, highlights the challenges of privacy in the digital age.
"Online privacy is hard, perhaps too hard," Soghoian said. "If the director of the CIA and Ms. Broadwell had backgrounds in intelligence and they couldn’t keep their information private, what hope is there for the average citizen?"