Data security lessons from the Petraeus scandal


By Andrew Collins
Wednesday, 09 January, 2013



The Petraeus scandal - the story of the resignation of the Director of the CIA following an investigation into harassing emails sent by his mistress - provides not just an insight into the lives of top spies, but also serves as a reminder that no one is exempt from digital privacy breaches.

The details of the scandal have been widely reported by now, with more coming to light on a daily basis. But before we get into the broader meaning of the story, here's a brief refresher of the broad strokes.

In late 2011, David Petraeus, a one-time four-star general in the US Army and newly crowned Director of the CIA, began an affair with Paula Broadwell, a writer who co-authored Petraeus’s biography. The two had reportedly become close while she chronicled his life. Both had spouses of their own.

Petraeus and Broadwell used webmail accounts under fake names to exchange unencrypted messages. One would log in, write an email and save it in drafts, after which the other would log in, read the draft and delete it. The trick avoids ever sending a message, so there is nothing in transit to intercept and no sender or recipient address to trace, but it does nothing about what the provider holds: the draft itself sits on the provider's servers in plain text until it is deleted, and every login to the shared account leaves a source IP address and timestamp behind.

In May 2012, a friend of the Petraeus family, Jill Kelley, filed a report with the FBI after receiving disturbing emails from a user calling themselves ‘kelleypatrol’. Some reports say the emails contained warnings to Kelley to stay away from Petraeus, while others suggest they contained more vague criticisms of her behaviour.

The FBI used various information - including IP addresses associated with the emails - to identify Broadwell as kelleypatrol. Further investigation of Broadwell’s email accounts revealed the affair with Petraeus.
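The failure mode described above, as an added example that is not part of the original article: the draft-folder scheme hides the content of sent messages, yet the login records of the shared account can still be matched against logins to an account held under a real name. The log lines, account names and IP addresses below are constructed for illustration, and the correlation rule (the same source IP used by both accounts within a short window, across at least two distinct IPs) is an assumption made for this example, not a description of how the actual investigation was conducted.

```python
"""
Linking a pseudonymous webmail account to a real-name account through
login metadata alone. Illustrative example added to the article; it is
not code from the article or from any investigating agency, and every
record below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed webmail access log, one login per line:
#   <ISO timestamp> <account> <source IP>
# 'traveller_x' and 'book_notes_42' are hypothetical pseudonymous accounts;
# 'jane.author' and 'ops.desk' are hypothetical accounts registered under
# real names. Note that no message content is needed anywhere.
ACCESS_LOG = """
2012-05-01T08:02:11 jane.author 203.0.113.10
2012-05-01T08:05:40 traveller_x 203.0.113.10
2012-05-03T19:14:02 jane.author 198.51.100.77
2012-05-03T19:20:55 traveller_x 198.51.100.77
2012-05-06T07:41:13 jane.author 192.0.2.45
2012-05-06T07:44:09 traveller_x 192.0.2.45
2012-05-06T22:10:30 book_notes_42 192.0.2.200
2012-05-07T10:00:00 ops.desk 203.0.113.10
""".strip().splitlines()


def parse_log(lines):
    """Turn raw log lines into (timestamp, account, source_ip) tuples."""
    events = []
    for line in lines:
        ts, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), account, ip))
    return events


def link_accounts(events, pseudonyms, min_shared_ips=2, window=timedelta(hours=1)):
    """
    For each pseudonymous account, find other accounts that logged in from
    the same source IP within `window` of one of its logins.

    Returns {pseudonym: {other_account: count_of_distinct_shared_ips}},
    keeping only candidates that share at least `min_shared_ips` distinct
    addresses. Requiring more than one shared IP guards against a single
    coincidental hit from a busy shared network (hotel, office, NAT).
    """
    by_ip = defaultdict(list)
    for ts, account, ip in events:
        by_ip[ip].append((ts, account))

    shared = defaultdict(lambda: defaultdict(set))
    for ip, logins in by_ip.items():
        for ts1, a1 in logins:
            if a1 not in pseudonyms:
                continue
            for ts2, a2 in logins:
                if a2 == a1:
                    continue
                if abs(ts1 - ts2) <= window:
                    shared[a1][a2].add(ip)

    result = {}
    for pseud, candidates in shared.items():
        hits = {acct: len(ips) for acct, ips in candidates.items()
                if len(ips) >= min_shared_ips}
        if hits:
            result[pseud] = hits
    return result


if __name__ == "__main__":
    links = link_accounts(parse_log(ACCESS_LOG), {"traveller_x", "book_notes_42"})
    for pseud, hits in links.items():
        for acct, n in hits.items():
            print(f"{pseud} shares {n} source IPs (within the window) with {acct}")
```

In the constructed log, 'traveller_x' is linked to 'jane.author' through three distinct addresses, 'ops.desk' is discarded because its one shared address was used six days apart, and 'book_notes_42' is never linked because nobody else logged in from its network. The point for the defender (or the would-be secret keeper) is that nothing in this analysis looks at message bodies: the provider's access records are enough, and they are exactly the kind of data an investigator can compel.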

In early November 2012, authorities confronted Broadwell about the affair. Senior intelligence officials were informed and eventually passed the matter on to the White House. On the 9th of November, Petraeus formally resigned as Director of the CIA.

There are all sorts of conspiracy theories going around about why an affair would demand the resignation of the CIA Director. Conspiracies aside, it's pretty simple. Knowledge of a clandestine affair would give anyone with malicious intent pretty hefty leverage against anyone involved - Petraeus or Broadwell could have been blackmailed into doing something nefarious.

The official and media investigations that followed the initial revelations from the FBI have brought other sordid stories to light. The scandal will likely have wide-ranging and long-lasting effects on the entirety of the US government. But it’s also interesting in terms of what it reveals about our online privacy - or lack thereof.

What's truly remarkable about the story is that Petraeus was the head of one of the world's most powerful intelligence organisations, but was undone by his own sloppy digital footprints. Even he, with his experience in international espionage, found his personal digital privacy breached - and by his own government, no less.

The scandal highlights how easy it is for authorities, at least in the US (where many webmail and cloud storage services are hosted), to gain access to information stored online, potentially without users’ knowledge.

US authorities' access to private emails stored on remote servers is governed by the Stored Communications Act, part of the US Electronic Communications Privacy Act of 1986. Under the Act, federal authorities need only a subpoena from a prosecutor to compel a provider to hand over messages that have sat on the server for more than 180 days (roughly six months).

Authorities need a warrant - significantly harder to get, because a judge must find probable cause - only if the messages in question are less than 180 days old.

If this time-based distinction seems ridiculous, it’s because the Act was designed for the digital world that existed in 1986, not the one that might exist in 2012 (or beyond). Back in those days, electronic messages were not stored on remote servers for long periods of time like they are today. 10 GB email accounts that could store tens or hundreds of thousands of emails until the end of time (or at least until the end of Google, which may end up being the same thing) were unfathomable.

In 1986, US lawmakers figured that if messages were still on a remote server after six months, no one really wanted them anyway, so authorities could look at them without having to ask a judge first.

As is often the case, the law lags behind the technology.

Lobby groups are petitioning the US government to update the laws, but you can bet that authorities will resist any change that makes it harder for them to make an arrest or bring charges against a suspect.

Of course, any case that crosses international boundaries is inherently more complex than one that is purely domestic. But the point remains that it’s pretty damn easy for investigators to get into the private data of a person - even if that person is the head of one of the largest spy organisations in the world.

There are a lot of insights to be gleaned from the Petraeus scandal, including the unintended consequences of illicit affairs, the strange ways that the many arms of a monolithic bureaucracy like the US government interact and that even top spies can make pretty ridiculous blunders.

But from a data security perspective, the lesson is very simple, and very similar to the advice given to teenagers who post naughty pictures of themselves on Facebook: never store anything online, unencrypted, that you wouldn't want the world to see. And even when the content is encrypted, remember that the metadata - which account logged in, from which address, and when - is still held by the provider and was enough on its own to unravel this case.
