Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/13/2012
06:43 PM
Thomas Claburn
Thomas Claburn
Commentary
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

The Petraeus Affair: Surveillance State Stopper?

Lawmakers, now reminded of their own vulnerability, need to strengthen email privacy protections. Companies need to do more to help customers protect content.

When the Director of the Central Intelligence Agency can't maintain his privacy, nobody else has a chance.

The only way to win the self-surveillance game -- played by everyone who uses a network-connected computer -- is not to play. That's why U.S. Homeland Security Secretary Janet Napolitano doesn't use email.

David H. Petraeus resigned as head of the CIA, according to reports, because of an FBI inquiry into confrontational emails sent by his biographer and mistress, Paula Broadwell, to Jill Kelly, a friend of Petraeus and a rival in Broadwell's eyes.

[ Do you know how to protect yourself when using free email services? Read Petraeus Fallout: 5 Gmail Security Facts. ]

The FBI's investigation appears to be more the result of Kelly's friendship with an agent than the content of the messages. According to The Daily Beast, the FBI could barely muster a legal justification for opening an investigation. The agency would have to hire a lot more agents if it routinely investigated every email message deemed to be mildly harassing.

Nevertheless, in this course of its investigation, the agency discovered that Petraeus and Broadwell had been communicating covertly, by saving messages as unsent drafts in a single Gmail account, so they could login to the account and read what the other had written.

Petraeus evidently failed to consider the privacy implications of a change Google made to Gmail in 2008. That was when the company began providing Gmail users with the ability to track the IP address used to access accounts as a way to improve online security. As I noted at the time, "The information listed includes the Gmail user's type of access (browser, mobile, POP3), IP address, date and time. Not only will this new feature improve Gmail security, but it's also likely to please law enforcement authorities. In cases where a suspect's Gmail use is an issue, investigators who might otherwise have to request or subpoena log data from Google may only need access to the Gmail account itself."

What's more, now we're learning that the same inquiry -- which is unlikely to result in any criminal charges -- has claimed another victim. On Monday, the Department of Defense said it had been informed that the FBI's investigation had identified issues that affect Gen. John R. Allen, the commander of U.S. and NATO troops in Afghanistan. The Washington Post reports that the FBI found some 20,000 to 30,000 pages of "potentially inappropriate" email messages between Allen and Kelly, the woman who sought the FBI inquiry in the first place.

There are conflicting accounts about whether or not the FBI obtained a warrant for its inquiry.

"This is a surveillance state run amok," writes Glenn Greenwald in The Guardian. "It also highlights how any remnants of Internet anonymity have been all but obliterated by the union between the state and technology companies."

The careers of two of the nation's top military men have unraveled because the FBI started pulling threads from an inbox without any real evidence of a crime. Maybe that's just the wakeup call the government needs to recognize the value of privacy.

If that happens, it won't be the first time. In 1987, Supreme Court nominee Robert Bork's video rental history was revealed by reporter Michael Dolan, who obtained the information from Bork's local Washington, D.C. video store. Dolan justified his actions in part by noting, "[T]he judge indicated during his confirmation hearings that he's not necessarily a rabid fan of the notion of a constitutional guarantee of privacy."

Washington legislators were so shocked that their indiscreet viewing choices might be revealed that they promptly passed the 1988 Video Privacy Protection Act, which would have to wait until the Facebook era to be rendered obsolete by the marketing-surveillance complex's promotion of sharing as a social good.

Now that it's clear government officials stand as naked before online investigators as lowly citizens, maybe we'll see privacy exhumed from its grave, embalmed, and propped up as if it were alive and well again.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
11/16/2012 | 1:13:38 AM
re: The Petraeus Affair: Surveillance State Stopper?
I too question this, and wonder whether or how much of FBI's procedures for launching an investigation (and whether they properly were followed here) will be discussed as part of any Congressional investigation into the matter.
macker490
50%
50%
macker490,
User Rank: Ninja
11/14/2012 | 4:08:47 PM
re: The Petraeus Affair: Surveillance State Stopper?
once could of course use PGP or ENIGMAIL, or just use zip with an pre-agreed symetrical password

but there is still traffic analysis: why is Bob texting to Alice ?

best to keep msg in plain text and innocuous
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
11/14/2012 | 3:08:41 PM
re: The Petraeus Affair: Surveillance State Stopper?
That FBI agents are conducting or initiating investigations on little more than a complaint based on a personal relationship should be disconcerting to anyone. That the investigation has revealed little which can be placed in the "illegal" realm beyond movements of senior military officials or harassment only further questions the basis of a continued investigation. The issue seems to have been completely blown out of proportion and I believe that as much as the generals actions, the actions of the FBI or agents involved need to be analyzed.
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.