FBI, NSA and CIA can read your email. Here’s how
The U.S. government — and likely your own government, for that matter — is either watching your online activity every minute of the day through automated methods and non-human eavesdropping techniques, or has the ability to dip in as and when it deems necessary — sometimes with a warrant, sometimes without.
That tin-foil hat really isn’t going to help. Take it off, you look silly.
Gen. David Petraeus, the former head of the U.S. Central Intelligence Agency, resigned over the weekend after he was found to have engaged in an extra-marital affair. What caught Petraeus out was, of all things, his usage of Google’s online email service, Gmail.
This has not only landed the former CIA chief in hot water but has ignited the debate over how, when, and why governments and law enforcement agencies are able to access ordinary citizens’ email accounts, even if they are the head of the most powerful intelligence agency in the world.
If it makes you feel any better, the chances are small that your own or a foreign government will snoop on you. The odds are much greater — at least for the ordinary person (terrorists, hijackers et al: take note) — that your email account will be broken into by a stranger exploiting your weak password, or an ex-lover with a grudge (see “Fatal Attraction“).
Forget ECHELON, or signals intelligence, or the interception of communications by black boxes installed covertly in data centers. Intelligence agencies and law enforcement bodies can access — thanks to the shift towards Web-based email services in the cloud — but it’s not as exciting or as Jack Bauer-esque as one may think or hope for.
The easiest way to access almost anybody’s email nowadays is still through the courts. (Sorry to burst your bubble, but it’s true.)
The ‘save as draft’ trick
Petraeus set up a private account under a pseudonym and composed email messages but never sent them. Instead, they were saved in draft. His lover, Paula Broadwell, would log in under the same account, read the email and reply, all without sending anything. The traffic would not be sent across the networks through Google’s data centers, making it nigh on impossible for the National Security Agency or any other electronic signals eavesdropping agency (such as Britain’s elusive GCHQ) to ‘read’ the traffic while it is in transit.
Saving an email as a draft almost entirely eliminates network traffic, making it nigh on impossible for intelligence agencies to ‘traffic sniff.’
And yes, terrorists and pedophiles have been known to use this ‘trick’, but also sophisticated criminals also use this technique. It eliminates a network trail to a greater or lesser extent, and makes it more difficult to trace.
But surely IP addresses are logged and noted? When emails are sent and received, yes. But the emails were saved in draft and therefore were not sent. However, Google may still have a record of the IP addresses of those who logged into the account.
However, most Internet or broadband providers offer dynamic IP addresses that change over time, and an IP address does not always point to the same computer, let alone the same region or state every time it is assigned to a user. Even then, recent U.S. court cases have found that IP addresses do not specifically point to a computer, meaning even if the authorities were sure that it was Petraeus, for instance — though IP addresses very rarely give the exact house number and street address — it would not stick in court.
As is often the case, human error can land someone in the legal spotlight. 37-year-old Florida resident Jill Kelley, a family friend to the Petraeus’, allegedly received emails from an anonymous account warning Kelley to stay away from the CIA chief.
But when Broadwell sent these messages, it left behind little fragments of data attached to the email — every email you send has this data attached — which first led the FBI on a path that led up to the very door of Petraeus’ office door in Langley, Virginia.
Get a warrant, serve it to Google?
There’s no such thing as a truly ‘anonymous’ email account, and no matter how much you try to encrypt the contents of the email you are sending, little fragments of data are attached by email servers and messaging companies. It’s how email works and it’s entirely unavoidable.
Every email sent and received comes with ‘communications data,’ otherwise known as “metadata” — little fragments of information that carries the recipient and the sender’s address, and routing data such as the IP addresses of the sender and the servers or data center that it’s passed through. Extracting this metadata is not a mystery or difficult, in fact anyone can do it, but if you have the legal tools and law enforcement power to determine where the email was passed through — such as an IP address of one of Google’s data center in the United States.
Email is surprisingly similar to the postal system, especially when it comes to the communication “metadata.”
The system is remarkably similar to the postal system. You can seal the envelope and hide what’s inside, but it contains a postmark of where it came from and where it’s going. It may even have your fingerprints on it. All of this information outside the contents is “metadata.”
That said, even if you use a disposable Gmail account — such as firstname.lastname@example.org, for instance — it’s clearly a Gmail account, and Gmail is operated by Google. Sometimes it just takes a smidgen of common knowledge.
Ultimately, only Google had access to the emails. Because it’s a private company, it does not fall under the scope of the Fourth Amendment. If the U.S. government or one of its law enforcement agencies wanted to access the private Petraeus email account, it would have to serve up a warrant.
In this case, however, the Foreign Intelligence Services Act (FISA) would not apply. Even the Patriot Act would not necessarily apply in this case, even though it does allow the FBI and other authorized agencies to search email. However, in this case, above all else, the Stored Communications Act does apply — part of the Electronic Communications Privacy Act.
The act allows for any electronic data to be read if it has been stored for less than 180 days. In this case, the law was specifically designed — albeit quite some time before email became a mainstream communications medium — to allow server- or computer-stored data to be accessed by law enforcement.
However, a court order must be issued after the 180 days, and in this case it was. Reporting from London, the BBC News’ Mark Ward summed it up in a single sentence:
Once it knew Ms. Broadwell was the sender of the threatening messages, the FBI got a warrant that gave it covert access to the anonymous email account.
And that’s how they do it. No matter which way you look at it, no matter how much the government or its law enforcement agencies want the data or the proof of wrongdoing, they must almost always get a court order.
And Petraeus is no different from any other U.S. citizen, U.K. citizen, or European citizen — and further afield for that matter. What it always boils down to is a court order, and it’s as simple as that. It’s not ECHELON or an episode of “24” using hacking or cracking techniques; it’s an afternoon in a fusty courtroom with a semi-switched on (and preferably sober) judge.
That said, it doesn’t grant unfettered or unrestricted access to a user’s inbox or email account, but when an alleged crime has been committed or law enforcement starts digging around, it allows a fairly wide berth of powers to request access to electronically stored data.
Former assistant secretary to the U.S. Department of Homeland Security Stewart Baker told the Associated Press:
The government can’t just wander through your emails just because they’d like to know what you’re thinking or doing. But if the government is investigating a crime, it has a lot of authority to review people’s emails.
So there it is. A court order is all you need to access a person’s inbox, but sufficient evidence is often required in order to do this — particularly through the Stored Communications Act, or the Electronic Communications Privacy Act.
It sounds obvious, of course, that’s because it is.
That said, if there is reasonable suspicion albeit lacking evidence, or a U.S. law enforcement agency is dealing with a foreign national outside of the United States, that normally requires a secret FISA court order to be granted in order to proceed with the interception of data or warranted access to an email account, for example.
Outside the U.S.: Is it still ‘just’ a court order?
A simple court order is all it takes and it can apply to anyone in public office or the man on the street holding a sign warning that “the end is nigh.”
But it’s OK; you’re in Europe, or Australia, or Asia. The U.S. can’t use their laws against you in a foreign country because, well, you’re outside of its jurisdiction. Again, sorry to burst your privacy bubble but that excuse didn’t wash with the European Parliament, it shouldn’t with you either.
If you’re a European citizen with a Microsoft, Google, Yahoo or Apple account — or any email offered in the cloud by a U.S. company — which is most consumer email services nowadays — it is accessible to the U.S. courts and other nations through various acts of law, such as the Foreign Intelligence Surveillance Act (FISA) or the PATRIOT Act, in which the latter amended much of what the former had implemented in the first place.
(“Oh great, he’s talking about the Patriot Act again,” says everybody.)
It’s worth noting a common few misconceptions. Since first reporting this some years ago (and subsequently sparking a trans-Atlantic diplomatic row, whoops) analysts and experts alike, some who are under the thumb of the cloud companies themselves, claim that the Patriot Act — to use the umbrella, common term — does not allow the U.S. government or its law enforcement agencies the powers that others (*cough* including me) claim.
Let’s just run through a few examples of false claims on top of false claims:
|The Patriot Act is the magic wand that allows the U.S. government unrestricted access to any data, anywhere, anytime.||Untrue.|
|The Patriot Act gives the U.S. government unprecedented access to data hosted by U.S. companies anywhere in the world.||Untrue.|
|All countries have similar legislation that gives the authorities a means to requisition data on cloud services, to investigate and prevent acts of terrorism.||Unt… actually, quite true.|
It doesn’t give “unrestricted” or “unprecedented” access to date outside the U.S., because for the most part these warrants must go through a special FISA court. The trouble is even though there is some level of accountability via the FISA courts, these sessions are held in secret and there are no public minutes or record to go from, so swings and roundabouts.
Only in exceptional cases where warrants are not issued is when there is an immediate threat to life. But because these courts are secret, there’s no definitive and ultimate way to know for an absolute fact that the U.S. authorities don’t just bypass the FISA courts and skip ahead with their investigations anyway. (You only really have my word — and my sources in the U.S. government, such as legal counsels and spokespeople, to go on.)
Pretty much every country around the world has ‘Patriot Act’-like legislation. It’s just where to look for it.
On the third point, other countries do have similar laws and this should be noted. (I personally thought it was relatively common knowledge, forgive my naivety.) The U.K., for instance, has the Regulation of Investigatory Powers Act that can be used to acquire data from a third-country via a U.K.-based firm, just as the Patriot Act can be used on a U.S. firm to access data in a third-country via a local subsidiary.
But in terms of where the major email and cloud providers are based — the United States, notably on the West Coast — it means that U.S. law must apply, in spite of foreign laws that attempt to or successfully counteract the provisions offered in U.S. law. Not many major cloud providers operate solely in the U.K., whereas Microsoft, Google, Apple and Amazon are all U.S. headquartered with a subsidiary in the U.K. and other countries.
The lesson here? We’re all as bad as each other and no legally or financially reasonable place is safe to store data if you’re a massive criminal or looking to stash a bunch of secret or uncouth documents away from the authorities.
As for Petraeus, he may have been careful but in spite of his counter-terrorism knowledge and clever tricks in going under the radar, ultimately there was a weak link in the security chain — and no matter how far you go to try and cover your tracks, often it always falls down to two things: human error, or sex.