When Will Our Email Betray Us? An Email Privacy Primer In Light Of The Petraeus Saga

Hanni Fakhoury, Kurt Opsahl, and Rainey Reitman | Electronic Frontier Foundation | November 14, 2012

The unfolding scandal that led to the resignation of Gen. David Petraeus, the Director of the Central Intelligence Agency, started with some purportedly harassing emails sent from pseudonymous email accounts to Jill Kelley. After the FBI kicked its investigation into high gear, it identified the sender as Paula Broadwell and, ultimately, read massive amounts of private email messages that uncovered an affair between Broadwell and Petraeus (and now, the investigation has expanded to include Gen. John Allen's emails with Kelley). We've received a lot of questions about how this works—what legal process the FBI needs to conduct its email investigation. The short answer? It's complicated.

The Electronic Communications Privacy Act (ECPA) is a 1986 law that Congress enacted to protect your privacy in electronic communications, like email and instant messages. ECPA provides scant protection for your identifying information, such as the IP address used to access an account. While Paula Broadwell reportedly created a new, pseudonymous account for the allegedly harassing emails to Jill Kelley, she apparently did not take steps to disguise the IP number her messages were coming from. The FBI could have obtained this information with just a subpoena to the service provider. But obtaining the account's IP address alone does not establish the identity of the emails' sender.

Broadwell apparently accessed the emails from hotels and other locations, not her home.  So the FBI cross-referenced the IP addresses of these Wi-Fi hotspots “against guest lists from other cities and hotels, looking for common names.” If Broadwell wanted to stay anonymous, a new email account combined with open Wi-Fi was not enough. The ACLU has an in-depth write-up of the surveillance and security lessons to be learned from this...