When security is in question

The Petraeus Affair shows that anonymity over the internet is a difficult proposition

November 26, 2012 12:11 pm | Updated 12:11 pm IST

Gen. David Petraeus. File Photo


There is little doubt that email would not have become as pervasive as it is today if it did not ride on the cloud. But the recent stepping down of Central Intelligence Agency (CIA) Director David Petraeus, following an investigation by the Federal Bureau of Investigation (FBI) of the email trail leading to him and his biographer, Paula Broadwell, has revealed that the mailbox on the cloud may be convenient, but not necessarily as safe as we lull ourselves into imagining.

The supreme irony of l’affaire Petraeus was, of course, that the top spy forgot to cover his tracks, using the most basic of techniques in the toolkit of not only spies and terrorists, but truant kids who are keen to keep their secrets away from their parents.

The preliminary (and sketchy) details of the FBI’s investigations show that Ms. Broadwell and Mr. Petraeus had used a technique that is commonly used by terrorist organisations, spies, organised crime syndicates and, not surprisingly, by smart teenagers who guard their privacy with zeal. The duo used the ‘Drafts’ folder of a common Gmail account into which they would put their message, which could be read by either person (obviously, both had free access to the account).

Ironically, the ‘Drafts’ folder is, according to the U.S. Department of Justice’s interpretation of the relevant legal provisions, not part of “electronic storage”, as defined by the U.S. Stored Communications Act and, hence, not afforded the privacy protection that would otherwise be available. Indeed, observers have pointed out that the investigators would get access to such messages with a mere subpoena instead of a warrant.

In this technique, one person will write a message and rather than send the message, they will save it to their draft folder. The other person will then log in to the account, usually through a Web browser, and read the message in the folder. The duo probably resorted to this ruse believing that the “exchange” of messages would not leave a digital footprint. But electronic communication is not so simple. Even to access the ‘Drafts’ folder of the Gmail service, one has to communicate with its servers, which reveals the users’ IP addresses. Identifying the user physically is now just a short step away.

Ironically, storing emails in a draft folder, rather than an inbox, may make it easier for the government to intercept the communication. This is because the Department of Justice has argued that emails in the ‘Drafts’ or ‘Sent Mail’ folder are not in “electronic storage” (as defined by the Stored Communications Act), and thus not deserving of warrant protection. Instead, the government has argued it should be able to get such messages with just a subpoena rather than a warrant.

For instance, in the case of a Gmail account, it is easy to access the metadata in a message by merely following the sequence of steps mentioned below:

1. Log in to the Gmail account and open a message.

2. In the upper right corner of the message, click the down button that is located next to the ‘Reply’ icon.

3. Choose ‘Show Original’ in the drop-down menu that scrolls down.

4. You can see the data that was part of the original message.

The last line on every Gmail account reads ‘Last activity from’ and it gives the time and IP address of the last activity. A click on ‘View details’ would reveal the last 10 IP addresses the user has accessed the account from, while Google keeps a record of at least 18 months of these logs. Hundreds of ‘kits’ that can be used to access the metadata embedded in emails are available on the Net. For instance, Mediatemple.net offers techniques to access 19 different types of email accounts, covering email clients such as Thunderbird and Outlook and email services such as Gmail and Yahoo. The metadata, which to most ordinary users would appear gibberish, are critical for determining the physical location of the email accounts that are being tracked.
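To make the "gibberish" concrete, the following added example (not part of the original article) reads the `Received` chain that a ‘Show Original’ view exposes and reports the client address and submission time recorded by the first mail server. The sample headers are constructed with reserved documentation addresses, and the function names are illustrative.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (reserved example addresses, not a real message).
RAW_MESSAGE = """\
Received: by 10.0.0.5 with SMTP id abc123; Mon, 26 Nov 2012 06:41:12 -0800 (PST)
Received: from mail.example.net (mail.example.net [198.51.100.25])
        by mx.example.org with ESMTP id xyz789; Mon, 26 Nov 2012 06:41:10 -0800 (PST)
Received: from [192.168.1.20] (unknown [203.0.113.77])
        by mail.example.net with ESMTPSA id q1w2e3; Mon, 26 Nov 2012 14:41:08 +0000
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL = [ipaddress.ip_network(n) for n in  # RFC 1918 + loopback: no location
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_ips(text):
    """Return the valid IPv4 addresses in text, in order of appearance."""
    found = []
    for candidate in IP_RE.findall(text):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is invalid
            continue
    return found

def received_hops(raw):
    """Return the Received chain oldest-first as (utc_time, [ips]) tuples."""
    hops = []
    for header in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = header.rpartition(";")  # timestamp follows last ';'
        stamp = re.sub(r"\([^)]*\)", "", stamp).strip()  # drop "(PST)"
        when = parsedate_to_datetime(stamp).astimezone(timezone.utc)
        hops.append((when, parse_ips(info)))
    return hops

def client_exposure(raw):
    """Summarise what the oldest hop discloses about the sending client."""
    hops = received_hops(raw)
    if not hops:
        return None  # no Received chain to read
    first_time, first_ips = hops[0]
    public = [str(ip) for ip in first_ips if not any(ip in n for n in INTERNAL)]
    return {"client_ip": public[0] if public else None,
            "submitted_utc": first_time.isoformat()}
```

Servers prepend `Received` headers, so the chain is reversed to read the oldest hop first; private-range addresses are skipped because they identify a machine on a local network rather than a point on the Internet.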

Again, these techniques are available fairly easily on the Internet. For instance, there is whatismyipaddress.com, an IP address locator, which can give information about where the email account is registered or tell you where it is physically located.

People do have secrets, and every person has a right to communicate with some assurance of privacy protection. While staying anonymous over the Internet is next to impossible, projects like the Electronic Frontier Foundation (https://www.eff.org/) specialise in popularising simple techniques that help users remain anonymous on the Web.

The Onion Router (TOR) project popularises a browsing technique, which employs a relay of inter-connected peer computers to send requests to Web servers. For instance, if a user from India tries logging into a website without TOR, the user’s IP address is logged, which can be traced back to his/her geographic location.

Using TOR, the request is sent via hundreds of relay computers, and the IP that is logged is that of the last link in the relay of computers in the network.

Another method is to encrypt mail content using PGP (Pretty Good Privacy)-like techniques to send communication via commercial links. An encrypted email cannot be deciphered unless the passphrase of the encrypting algorithm is known.

An encrypted email sent to a friend via Gmail about a vacation in Andaman islands will not intelligently show you ads of hotels in Andaman, as is the case with ‘targeted ads’ delivered by Gmail. Even Google cannot decipher the content in the mail!
