Metadata and the fall of Petraeus
The resignation of former CIA director David Petraeus following the disclosure of an extramarital affair with his biographer shines a spotlight on the current state of data security and surveillance in our country, warns Chris Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union. Under existing laws, investigators were able to track emails regarding the retired four-star general without so much as a search warrant.
The first lesson we can learn from the scandal is that metadata is king, Soghoian says. The woman Petraeus left his job over, Paula Broadwell, apparently set up anonymous email accounts so that she could remain unknown when sending allegedly threatening emails to another woman. It might have worked if not for the "sloppy operational security and the data retention practices of the companies to whom she entrusted her private data," he says.
Investigators reportedly used forensic techniques to figure out who was writing the emails because the accounts were set up anonymously. Law enforcement agencies are permitted to get log-in records from webmail providers, including Google (NASDAQ: GOOG), with only a subpoena, Soghoian notes. It reportedly took them weeks to identify Broadwell as the sender, by determining where the emails were sent from, such as hotels, and then comparing the locations to hotel guest lists.
From Soghoian's perspective, this example of FBI surveillance shows how far the government can go to unmask anonymous communications without even getting a search warrant. "There is no independent review, no check against abuse, and further, the target of the subpoena will often never learn that the government obtained data (unless charges are filed, or, as in this particular case, government officials eagerly leak details of the investigation to the press)," he warns.
- see Chris Soghoian's post at the ACLU