Petraeus scandal highlights how email isn't secure

Former CIA boss David Petraeus and his biographer Paula Broadwell tried to cover their tracks in their now-very-public extramarital affair.

They used anonymous email accounts with a shared password, composing draft messages to each other that were never actually sent over the Internet -- a so-called "dead-drop" technique also used by Osama bin Laden's couriers to keep correspondence secret.

But the once-clever technique is now well known and widespread -- and more importantly, traceable, says U.S. cyber-law expert Parry Aftab.

Petraeus stepped down from his position as CIA director Friday after news of the affair with 40-year-old Broadwell came to light. The scandal has proven quite the blow to the revered four-star general, who led the U.S. through the Iraq and Afghanistan wars. The affair began in 2011 and ended a few months ago.

"They drafted an email and left it in the draft box and the other one would log in and read it. It's sort of like leaving a note in a tree and someone can come in and see what it is and leave their own note," Aftab told CTV's Canada AM. "But they didn't delete."

"This wasn't done very intelligently," Aftab added. "And the problem is most of us don't use digital technology in very intelligent ways; we use it because it's fast. It's a very impulsive technology and we do things that, later on, we regret."

When U.S. investigators started probing a complaint by another woman, Jill Kelley, about harassing emails she was receiving, they eventually traced the account to Broadwell and the affair was soon uncovered. Broadwell had allegedly perceived Kelley as a rival for the retired general’s affections.

Further complicating the case is the fact that when investigators searched Kelley's email, they turned up hundreds of messages between her and U.S. Gen. John Allen which have been described as "flirtatious."

And adding yet another layer, Kelley originally reported the harassment to an FBI agent she knew from a previous interaction -- someone who had subsequently pursued a friendship with her, sending her shirtless pictures of himself.

Since all the FBI needed to search and monitor the email account connected to Petraeus and Broadwell was a subpoena or a warrant, they were given full access to the account, rendering the unsophisticated "draft" technique redundant. Similar to a wiretap on a phone, investigators were able to track all correspondence occurring through the account.

According to Stewart Baker, a former assistant secretary at the Department of Homeland Security now in private-law practice, federal agents routinely access email inboxes provided by Google, Yahoo and other providers if they believe a crime was committed.

"The government can't just wander through your emails just because they'd like to know what you're thinking or doing," Baker told The Associated Press. "But if the government is investigating a crime, it has a lot of authority to review people's emails."

Under the 1986 Electronic Communications Privacy Act -- which lobbyists want to update to reflect the changing times -- federal authorities need only a subpoena approved by a federal prosecutor (not a judge) to obtain messages that are six months old or older. If they want more recent communications, a warrant from a judge is needed and agents must prove with probable cause that a crime is being committed.

"We have to remember it's not just the government who can get these, there's always a third party to our communication," Aftab said. "Whoever is providing our email, they always have it. It's stored and, in many cases, it’s kept for a very long time."

While Petraeus and Broadwell undertook efforts to hide their identity by creating accounts under false names, they didn't mask their IP addresses, which provide a specific signature for every computer. Those IP addresses allowed investigators to draw a link between the anonymous accounts and Petraeus and Broadwell's computers.

Often, secrets meant to stay between two people are discovered because one of the parties fails to create a secure password -- the most common form of digital hacking.

Aftab suggests nicknames, birthdays and addresses are simply not sufficient to protect personal correspondence.

What’s more, Aftab said many people simply don't realize the extent of the digital footprint they leave when surfing the Internet, sending emails, instant messaging friends or using Facebook.

"When I was young, I used to write things in a diary with a cute little lock and my brother used to break into it all the time," Aftab said. "Email is even less secure than that … so remember those little locks don't work.

"If you don't want someone to see it, you don't put it in writing -- online or offline."