NNSquad - Network Neutrality Squad

NNSquad Home Page

NNSquad Mailing List Information


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] Petraeus -- And the Bottom Line on Email Privacy

               Petraeus -- And the Bottom Line on Email Privacy


In some respects, the saga of now former CIA director David Petraeus
and Paula Broadwell does not make for the best possible example for
analysis of email privacy issues.

In their case, a citizen complaint about harassing emails reportedly
triggered an FBI investigation, not some sort of internally generated
FBI action.  And once the director of CIA's emails were found to be in
the mix, the triggering of security concerns (whether ultimately
proved out or not) does not seem particularly surprising.  That's one
of the most sensitive intelligence positions on the planet.

It probably didn't help matters that Petraeus and Broadwell were
apparently using Gmail message drafts in a shared access account, as a
form of the classic intelligence operative "dead drop" -- likely in an
effort to avoid sending messages between accounts.  Such behavior in
this case was bound to trigger even more security concerns, including
of possible account hacking and other issues.

Also, it appears likely that most or all of the emails involved in
this case were relatively recent, which is an important point -- as
we'll revisit in a moment.

But none of us are director of CIA, and it's reasonable to wonder how
well our own email is protected from unreasonable and inappropriate
government snooping.

First, a fact.  If the government, really, seriously, wants access to
your email, no matter where it is stored, they are likely to find a
way to do this in most cases.  Even advanced encryption systems can
often be subverted through keyloggers, screen grabbers, and other
mechanisms that "work around" encryption, rather than break it per se.

That said, in the U.S., the primary driver of these issues today is a
nearly three decade old federal law, 1986's Electronic Communications
Privacy Act (ECPA).  By modern standards, this law has actually become
a dangerous anachronism.

For example, it assumes that email left on service provider's system
has been "abandoned" and permits law enforcement access without a
judge issuing a warrant showing probable cause to suspect a crime had
been committed.

This was a nonsensical approach even in 1986.  It is ridiculous to
assert that there should be less privacy protection for email more
than six months old that happens not to be on a system under your
immediate personal control.

And it simply isn't practical for everyone to deal with email locally
anymore.  The ability to keep systems up to date, properly backed up,
and flexibly accessible to the email's owner, has given rise to
cloud-based systems that can reliably provide these functions far more
effectively than is possible on most persons' home systems, and in
many cases office systems as well.

The problem isn't with remotely hosted email systems per se, the issue
is the failure of the ECPA to keep up with technological change, as
cloud systems and various hybrid email access environments like POP
and IMAP became commonplace.

The intolerable dichotomy created by the obsolete ECPA must be
eliminated.  All of an entity's email, whether hosted and/or accessed
locally or remotely, no matter its age, should have the same
requirement that it can only be accessed by authorities (without the
permission of the email's owner) upon issuing of a valid probable
cause warrant by a judge.

A very long list of firms and other organizations, including Google,
Twitter, Microsoft, Facebook, Apple, AT&T, the ACLU, and many others,
have joined forces to push for changes in the law along these lines,
as the "Digital Due Process" coalition.  I urge you to visit their
site and support their effort ( http://j.mp/QgIvWT [Digital Due Process] ).

Also, nascent Congressional legislative attempts to implement such
changes have been appearing -- so far without gaining much traction.
These should also be supported as appropriate.

Google and other firms have reported that government demands for user
emails and other data have been rising rapidly.  The failure of the
ECPA to keep pace with our modern Internet environment sets the stage
for abuses in this sphere that should be deemed absolutely

This should hold true for all of us -- even if our email is as pure as
the driven snow.

Even for directors of CIA.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren 
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
 - Network Neutrality Squad: http://www.nnsquad.org 
 - PRIVACY Forum: http://www.vortex.com/privacy-info
 - Data Wisdom Explorers League: http://www.dwel.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren / Twitter: http://vortex.com/t-lauren 
Tel: +1 (818) 225-2800 / Skype: vortex.com
nnsquad mailing list