San Francisco Chronicle By Caleb Garling
Posted on Wednesday, November 14, 2012
Gen. David Petraeus' bizarre fall from grace over a mistress' threatening e-mails has raised a crucial question: Under current law, does the federal government have too much access to Americans' online activities?
At present, it is unclear whether the FBI had a warrant to connect the dots that led them to the scandal that brought about Petraeus' resignation as CIA director. But the situation has brought into focus the fuzzy legalities surrounding digital privacy.
U.S. citizens are protected from unreasonable search and seizure under the Fourth Amendment to the Constitution. However, when that principle shifts into the digital world, the boundaries get blurry.
For instance, the government needs a warrant, an order approved by a judge, to read a mailed letter. But to read most e-mails, it only needs a subpoena – which can be secured from a grand jury or a district attorney, not a judge, and can be sealed so the subject never knows the government peered into their life.
The Electronic Communications Privacy Act covering online privacy was designed to protect consumers' rights in digital mediums. But it became law in 1986, years before the world was full of e-mail and smartphones.
The courts are still grappling with exactly where the boundary lies regarding search and seizure when it comes to digital fingerprints. A mailed letter is sent and received, but there's really no record in between. An e-mail or a Facebook message can be stored in a remote server for a century.
No need to break law
Jim Dempsey, vice president of public policy at the Center for Democracy and Technology in Washington, D.C., said he's confident that the FBI didn't break any laws uncovering the Petraeus scandal – but only because it didn't have to.
"There's no need for them to," he said. "With a little effort and a subpoena, you can uncover the ID of the average Internet user."
And there is nothing that confines digital forensics to only suspected criminals, notes Chris Soghoian, principal technologist for the American Civil Liberties Union's Speech, Privacy and Technology Project. "The amount of information the government can get without talking to a judge is really shocking," he said.
Government investigators can now go directly to companies like Google and Facebook or Internet service providers like Comcast and Verizon and ask for customer records. While obtaining the exact content of an e-mail is a little trickier, the FBI can access these companies' logs – to learn when, where and by whom an electronic event occurred – to build a case.
Google makes public how often the government makes requests about its users. In the first half of 2012, it reported Tuesday, governments made requests for personal information from the search giant on 34,614 Google accounts. The total number of requests was up 15 percent from the second half of 2011, the company said.
In the last year, companies including social networks Twitter and LinkedIn and file-sharing giant Dropbox have begun sharing their numbers of government requests as well.
There are grassroots online movements like the Tor Project, free software designed to help people remain completely anonymous online. But without more protections of personal online data, the same tactics used to find Petraeus' mistress, Paula Broadwell, could be used to track those critical of the government, for example.
"You have to get every detail right to hide online," Soghoian said. "You only have to screw up once."
The Petraeus scandal unfolded after Broadwell allegedly sent threatening e-mails to a woman named Jill Kelley when she thought Kelley also was having an affair with Petraeus. Broadwell tried to disguise her identity by sending the e-mails from anonymous accounts. Kelley then turned over the e-mails she'd received to the FBI. How exactly the agency determined that the sender was Broadwell has not been explained.
Finding the culprit
One possibility: If one of the threatening e-mails came from a Hotmail account, the FBI could subpoena a service provider like Comcast for the precise geolocation where that e-mail originated, such as a hotel or a coffee shop. The FBI could then subpoena credit card transactions at the site that occurred around the time the e-mail was sent.
Agents could then cross-reference that data with another threat sent from a different location. A name common to credit card transactions in both locations would suggest the likely identity of the perpetrator.
Another possibility: The FBI could examine what other e-mail accounts logged on to the computer around the time the threatening e-mail was sent, assuming that the sender might shift back and forth between the anonymous account and a real personal account.
While observers so far can only guess at what really unfolded in the FBI probe, digital privacy advocates say they hope the incident might help lead to a rethinking of current law.
Jennifer Granick, director of civil liberties at Stanford's Center for Internet and Society, is hopeful the outdated law will be rewritten soon.
"Even when there is a warrant, (Internet companies) are turning over too much information," she said. "There's a problem here, with the relationship with probable cause and resulting disclosures."