There are a lot of unanswered questions on exactly how FBI unraveled the communications between General Petraeus and his biographer Paula Broadwell. Were accounts breached due to “user error” in password management, as many quips about enabling 2-factor authentication assume? Or was information subpoenaed via lawful channels from the service providers? As other critics were quick to point out, the incident is sure to focus attention on the question of exactly how much privacy exists in traffic entrusted to cloud service providers.
First the red herrings. Yes, the general and Ms. Broadwell clumsily attempted to hide their communications by composing messages and saving them as unsent drafts, using the GMail drafts folder as a dropbox. As Chris Soghoian points out, this technique was tried before, by none other than terrorists linked to Al Qaeda in the past. It did not work, a point that one would assume the person running a US intelligence agency would know by heart. Similarly, news accounts imply that Broadwell used “anonymous” email accounts. That phrase is ambiguous, but in this context it presumably means she used a dedicated account, where the chosen email address and associated profile (providing the name appearing in the “From” field of outbound messages) were made-up aliases, lacking any obvious connection to the legal name of the user.
Soghoian’s account has two competing explanations of how that scheme fell apart. The first one from NYT implies that FBI used IP addresses from email threats to identify other accounts used by the same person:
“[…] investigators had to use forensic techniques — including a check of what other e-mail accounts had been accessed from the same computer address — to identify who was writing the e-mails.”
This implies that a very wide net may have been cast during the investigation. Even if the original threats were sent using an account from one email provider, it does not follow that the same person had a second account with the same provider containing her real identity. Instead law enforcement may be forced to request information from several other providers. To make this more concrete, suppose the threats were sent from an AOL account. (Hypothetically speaking, as this particular detail is not known; earlier allegations that it was GMail were retracted by Wired.) While AOL can provide information from their logs on the IP addresses used to access the sender account, they may have seen no other activity from that address. It could even go in the other direction, where a large amount of activity is observed from that address (a shared NAT address, for example), which does not permit unique identification. But the same person could have accessed their “true” Yahoo, Hotmail or GMail account from the same IPs. By collecting information from these other providers, the investigators stand a better chance of singling out the suspect. It’s difficult to imagine this happening, considering that at this stage the investigation was purely around email threats to Ms. Kelley and no link to General Petraeus had been established. But emerging information also points to an over-zealous FBI agent who may have taken a personal interest in the case.
The other alternative suggests that no such cross-linking was required, and that correlating IP addresses over time was sufficient. Specifically, hotel networks are implicated:
“They did that by finding out where the messages were sent from—which cities, which Wi-Fi locations in hotels. That gave them names, which they then checked against guest lists from other cities and hotels, looking for common names.”
Once an email is traced back to a particular hotel wireless network, a reasonable hypothesis is that the sender was a guest staying there. (Granted, this is far from being a slam-dunk conclusion: it could have been a visitor, or a friend of a guest, for example.) But once multiple data points are available from several hotels, simply taking the intersection of all travellers staying at those hotels on the relevant dates could lead to the single person that fits all the data. This would not require casting a wide net across multiple cloud providers, only the hotels implicated in the messages. If the wireless network at each location recorded the MAC address of connecting laptops, it would also be possible to verify that a particular machine indeed accessed that network, assuming no tampering of MAC addresses.
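To make the two correlation approaches above concrete, here is an added example (not code from the original post, and not based on any real logs from the case) that runs both over constructed sample data: the cross-provider check of which other accounts were accessed from the same source IPs, and the hotel guest-list intersection. All account names, IP addresses (documentation ranges), hotels, dates and guest names are made up; the functions are hypothetical and show only how fast a candidate set collapses, and when it does not.

```python
"""Illustration of the two correlation approaches discussed above,
over constructed data. Nothing here is taken from the actual investigation."""
from collections import Counter
from datetime import date

# --- Constructed sample data -------------------------------------------------
# Login log for the pseudonymous account as its email provider would hold it:
# (date of login, source IP). IPs come from RFC 5737 documentation ranges.
ANON_LOGINS = [
    (date(2012, 5, 3), "198.51.100.7"),
    (date(2012, 5, 3), "198.51.100.7"),   # second login, same hotel, same day
    (date(2012, 6, 14), "203.0.113.21"),
    (date(2012, 7, 2), "192.0.2.99"),
]

# Source IP -> hotel network that owns it (as address-allocation records would show).
IP_TO_HOTEL = {
    "198.51.100.7": "Hotel Alpha, Charlotte",
    "203.0.113.21": "Hotel Bravo, Washington",
    "192.0.2.99": "Hotel Charlie, Tampa",
}

# (hotel, date) -> registered guests that night.
GUEST_LISTS = {
    ("Hotel Alpha, Charlotte", date(2012, 5, 3)): {"Alice Adams", "Bob Brown", "Carol Chen"},
    ("Hotel Bravo, Washington", date(2012, 6, 14)): {"Carol Chen", "Dan Diaz", "Alice Adams"},
    ("Hotel Charlie, Tampa", date(2012, 7, 2)): {"Carol Chen", "Eve Evans"},
}

# Login logs held by *other* providers: account -> source IPs it was accessed from.
# Three unrelated accounts share the Hotel Bravo address: a hotel NAT looks like this.
OTHER_PROVIDER_LOGINS = {
    "carol.chen@example.net": {"203.0.113.21", "192.0.2.99", "10.0.0.5"},
    "dan.diaz@example.org": {"203.0.113.21"},
    "random.guest@example.com": {"203.0.113.21"},
}


def hotel_visits(logins, ip_to_hotel):
    """Map each login to the (hotel, date) pair implied by its source IP.
    Duplicate logins collapse to one visit; IPs that cannot be attributed to a
    hotel network are dropped. Result is ordered by date."""
    visits = set()
    for day, ip in logins:
        hotel = ip_to_hotel.get(ip)
        if hotel is not None:
            visits.add((hotel, day))
    return sorted(visits, key=lambda visit: visit[1])


def narrow_by_guest_lists(visits, guest_lists):
    """Intersect the guest lists of successive visits. Returns the candidate set
    after each data point, so the reader can see how quickly it shrinks.
    Assumes every login came from a registered guest (the caveat in the text)."""
    candidates = None
    history = []
    for visit in visits:
        guests = guest_lists.get(visit, set())
        candidates = set(guests) if candidates is None else candidates & guests
        history.append(frozenset(candidates))
    return history


def accounts_sharing_ips(anon_logins, other_logins):
    """Cross-provider correlation: for each account at another provider, count
    how many of the anonymous account's source IPs it was also accessed from.
    Several hits on distinct addresses are telling; a single hit on a shared
    hotel address is not, since every guest behind that NAT matches."""
    anon_ips = {ip for _, ip in anon_logins}
    overlap = Counter()
    for account, ips in other_logins.items():
        overlap[account] = len(anon_ips & ips)
    return overlap


if __name__ == "__main__":
    visits = hotel_visits(ANON_LOGINS, IP_TO_HOTEL)
    for visit, remaining in zip(visits, narrow_by_guest_lists(visits, GUEST_LISTS)):
        print(f"after {visit[1]} at {visit[0]}: {sorted(remaining)}")
    print("accounts sharing source IPs:", accounts_sharing_ips(ANON_LOGINS, OTHER_PROVIDER_LOGINS))
```

With this data the guest-list intersection goes from three names to two to one in three visits, while the IP overlap count separates the account that was seen at two distinct hotel addresses from the two that merely shared one NAT address. The same structure makes the limits visible: a visitor who was never on a guest list empties the intersection, and a single shared address on its own never narrows anything.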
Either way, once Ms. Broadwell’s identity and associated email accounts were revealed, the rest followed quickly. It is clear the FBI obtained access to the content of her communications, spent significant time reading through her correspondence and unmasking the identity of her email contacts, leading to the CIA director.
All of this poses one question: is there a way to use cloud services that affords better privacy protection?