Slashdot Mirror
Petraeus Case Illustrates FBI Authority To Read Email
An anonymous reader writes "Back in April, we discussed how the 1986 Electronic Communications Privacy Act says email that has resided on a server for more than six months can be considered abandoned. The recent investigation of General Petraeus brings this issue to light again, and perhaps to a broader audience. Under current U.S. law, federal authorities need only a subpoena approved by a federal prosecutor — not a judge — to obtain electronic messages that are six months old or older. Do you know anyone these days who doesn't have IMAP accounts with 6+-month-old mail on them?"
Do you know anyone these days who doesn't have IMAP accounts with 6+-month-old mail on them?
No, but I don't know anyone a federal prosecutor would be interested in, either.
Nobody keeps lots of mail there for longer than six months.
I don't have a useless IMAP account - I keep all my valuable messages on Hotmail
This is why I delete my old emails every 3 months.
Of course, when you're living in "The Cloud©," who's to say that the "Delete" button really deletes your email, and doesn't just shift it off to some secondary storage cache where it sits undisturbed for years until the FBI decides it wants to read it?
I keep one month's email on my IMAP server, and pop everything to my main machine.
really.
Disparage them all you want, but they do have America's heart in mind.
I don't have friends, though...
"Rather than transmitting emails to the other's inbox, they composed at least some messages and left them in a draft folder or in an electronic dropbox, AP said" http://www.usatoday.com/story/tech/2012/11/13/petraeus-broadwell-email/1702057/ Yea some of them may have been in the drafts folder. Sending email to your secret lover is old school and gone to get you caught. OOPS maybe it did.
It all starts at 0
While its probably a good idea to erase your personally incriminating emails that you wrote 6 or more months ago (or a week ago!), at some point we want our CIA personnel to not be acting like idiots.
Me ... I have zero IMAP accounts
The NSA looks ant and stores most of them with no oversight anyway. You don't protest that.
Silence is a state of mime.
Don't leave behind incriminating evidence!
News at 11.
The guy who said the election was rigged won the presidency with the second-most votes.
And they will have nothing to say about your emails.
The thing about it is that Petraeus likely won't be charged or prosecuted for anything. So basically the FBI was "just checking" to make sure no law was broken. If they can do it to the CIA director they likely can do it for anyone they damn near please. Anyone suspected of cheating on their wife is fair game apparently.
... I run my own IMAP servers. A third party can't release something that a third party doesn't have. (Nothing, of course, is keeping the upstream mail relay from keeping copies of all the messages they send on to a local IMAP machine, but I would be very surprised if it were currently common practice.)
The other reason I run my own IMAP/postfix server is to get around bullshit port blocking at hotels and the like. They might block port 25, can't very well block http: and https: ports, now can they?
Petraeus was the head of our CIA and couldn't keep his own affair secret? If he can't camp a little action off on the side without getting caught, I sure don't want him in charge of our country's Department of Spies.
...within the context of the Fourth Amendment?
Yeah, yeah, I know...they're using the Bill of Rights as toilet paper and all- that's because we keep foolishly allowing them that and foolishly thinking that these rights are automatic. They're not automatic.
You only have rights if you're beligerent and EXPLICITLY demand them. Quit presuming that the government has any obligations to give you your rights. They do their level best only because of the consequences of them not doing so and somoene calling them out on it. What we're being presented here is explictly UNCONSTITUTIONAL. Yeah, yeah, it costs all sorts of money and effort to stand up for your rights. Freedom's NEVER free.
It's come time to decide, people... Are you slaves? Are you free men? If you're free men, that comes at a price- and you've got to be willing to PAY it.
and yet at&t can spy on all of us and get a free pass with retroactive immunity...
come on guys... grow the fuck up. they only follow the law when its in their favor and already agrees with what they are doing.
Every other time they'll still do it. and just declare what they did to be "secret" or for "national security" and you can't do shit about it.
What about at work? Can the same rule be used to subpoena emails on corp servers?
So if the FBI is reading the CIA's and DOD's emails does that mean that essentially the Chinese and Indians also have access to such info. Nice JOB NSA, I wonder if they have every strategic location, secure channels, and even personnel listings. I feel so safe in this police state.
I thought I was just behind the times with my POP3 email. Apparently, it was foresight.
Not that it matters, really. I think we have to assume they can get anything they want without a warrant anyway and whether or not I think I removed it from a provider's server. Just say the magic words: "national security," aka "sudo," aka "Simon says."
I am not a crackpot.
For anything interesting - enough said.
make me never reveal anything in emails, blog posts, IM's. Also, I never use social networking sites, as they are just an information gathering tool for the government.
all this does is every 10 minutes sends a giant image of a penis to yourself all day long
read that now you can stagger time so they dont know and vary the penis size of course...
Did he have the lifestyle poly that everyone else working for CIA or NSA gets?
For those that say it was a private adult matter, a normal worker would have their clearance in jeopardy. The boss who demands a standard of everyone else must fall on the sword when he fails that standard.
Now for congress demanding why they were not told, the details of an investigation that might effect a clearance are none of your business. If you are not involved in the investigation nor the adjudication, then all you get is pass fail. That is part of the bargain to have people bare all to the feds for a clearance.
As for reading email / cloud storage should need a warrant for anything that is not genuine CI/national security. The bargain there is that anything that is found that is not national security is let alone under the self enforcing mantra of not revealing sources nor methods.
So, who can point me to an e-mail vendor that keeps all messages encrypted?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Dang. Someone must have accidentally changed the time on those servers in the cloud and that's why we thought those messages were 6 months older than they really were.
Keep in mind that if you read your email using your work computer, then your employer can read it too - don't trust SSL to keep it private, your employer can transparently decrypt the SSL stream and re-encrypt using their own cert which your (well, your employer's) computer will trust.
If you want to keep your private email private, only read it on your own device, don't trust anyone else's device.
Some of us have web-based non-IMAP accounts, you insensitive clod!
j/k about the insensitive clod part. I hope either a court or Congress recognizes that personal "in the cloud" storage is for search-and-seizurepurposes "personal effects."
Doesn't Google keep your emails forever. They use them for advertising crap to you, but I expect they would provide them to the authorities.
Do you know anyone these days who doesn't have IMAP accounts with 6+-month-old mail on them?"
Hell yes. Me. POP. Nothing stays on my ISP's server for more than a few days.
A decade or so ago, we finally admitted that the encryption cat was out of the bag, US rules loosened, and web browsers stopped coming in "128-bit encryption that you can't export" versus "56-bit encryption that the FBI or the teenager down the street can crack" varieties.
At the time, many people were cynical enough to speculate that this new "we won't worry about bad people using encryption" policy meant that NSA mathematicians had discovered algorithms for cracking our strongest ciphers.
Yet I don't recall anyone being so cynical as to realize the truth: we don't worry about bad people using encryption because (most) ecommerce vendors are the only ones not too lazy to use encryption. You'd think that a four-star general trying to hide an affair would at least try out PGP...
I don't understand why GPG is not baked into everyone's mail client by now. All my geek friends have my public key.
You should be using 4096 bit encryption and a public key server.
For someone in his position, he should know better than that.
Even an idiot can install Thunderbird and then put the Enigmail plugin on top of it.
Are there any plugins, scripts, extensions etc that one could install that automatically encrypts stuff that is over 5 months old? Occasionally I need stuff from back then when I would need to search for it -- which I guess would be problematic? Is there a solution to protecting this stuff w/o deleting it from the server?
And this is why, you should simply own your own IMAP server. Since it costs next to nothing. If you own it, the storage is yours, and you haven't abandoned anything.
Or, you know, you could let someone else hold onto your stuff forever, which for this law, and logic, means you've abandoned it.
Makes sense. Why weren't you paying the few pennies to own your stuff?
I'm thinking that the these emails are long strings of replies back and forth, with each email repeating the stuff already sent previously. What with all the blank spaces, headers, wrapping of text, I can see how that the page count gets inflated by quite a bit.
Ibid.
I let thunderbird copy all mails from the IMAP server on each machine, and let them delete after 2 weeks.
Btw, does anyone know how to make this fully automatic? I am using the filters in thunderbird. But they only work on unread messages, so I have to run them manually to get mails that I have read on a different computer.
Why do you think companies (and households such as my own) operate their own internal mail servers?
They do not have authority that is approved by the guidelines the Founders of this country created.
What it means is they are violating the founders intents and any supposed law in violation are not real laws but fabrications of distortions backed by nothing more than brute force using abstract words to make themselves feel better about it.
There are many violations of the founders intents. The Declaration of Independence even acknowledges the probability of corrupt government and the founders in doing so gave us recognition of our rights and duty to put off bad government and replace it with what the founders intended. They even provided us with real life example.
So No they do not have the Authority to try and take advantage of the short comings of technology that they perceive. Especially when the Email account is still actively being used. Being used does mean clearly that it is not an abandon mail.
Why would I save an email for 6 months, that's insane. If an email was so important that it needed to be kept for that long I would print it off and tack it somewhere around me so I could see it. If the email wasn't important and I was still mean to keep it I would tell the person who sent it to re-send it later closer to the date and if neither case is true then I delete it or handle it right away and make the idiot who sent it deal with me 6 months early. Email is meant for quick communication, if you don't need the quick part then print it out or just phone the person.
> Do you know anyone these days who doesn't have IMAP accounts with 6+-month-old mail on them?
I don't. I've used POP3 for years and years and pull all my mail to local and delete it from servers. Not that privacy was ever really a concern, I've just never thought leaving mail on some other server after I fetch it was a good idea. Now I see why!
In fact, Google Mail irritates me that it doesn't obey POP3 standard to remove mail after it's been fetched. I have to constantly go onto their web site to erase it myself.
I always pad my emails with a couple of hundred K of (already) compressed data - eventually, storage will be the issue.
My recipients know to prune that junk, but a BOT wouldn't. It doesn't really slow anything down, either, with networks
being what they are.
They have systems just for sifting through email and such. I'm pretty sure the main one used by the feds is EINSTEIN 3. It's also available to big businesses, but voluntarily. Email monitoring wasn't in the earlier versions, but EINSTEIN 3 can read the content of email.
When I worked at AT&T it automatically deleted ANY email older than 30 days. Deleted for you. plus they scanned for and deleted any PST files found on any computer.
Do not look at laser with remaining good eye.
No it does not. Government emails are archived and legally required to be open to investigation. You can file a FOA request and get the emails of public employees yourself.
He was a high level government official in a Nation security sensitive position. The rules and laws are quite different and this is not a good comparison.
Why? Because you're a high level military general and politician that someone cares about? Wait, what? No one would give a shit about your mail regardless? Thought so.
And as for gmail ... theres a checkbox for that... the web is hard eh?
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
"In a parallel process, the investigators gained access, probably using a search warrant, to Ms. Broadwell’s Gmail account. There they found messages that turned out to be from Mr. Petraeus." Source: http://www.nytimes.com/2012/11/14/us/david-petraeus-case-raises-concerns-about-americans-privacy.htm
The only reason that the FBI was able to gain access to her e-mails was because Google complied with FBI's request. So it seems that the real question is not about how vulnerable your email is to "hackers", but whether your email provider keeps your communications private.
"Do you know anyone these days who doesn't have IMAP accounts ..."
Huh? Use POP. Download and delete the server copy and encrypt on your client box, which you ssh into for all remote-access needs. Who *doesn't* do that?!
Seriously, its not impressive. Hasn't been for at least 15 years.
Second ... NO ONE GIVES A SHIT ABOUT YOUR MAIL. You are not a former high level military officer or high level politician. You are in fact nobody, just like me. How do I know you are nobody? Cause you have the spare time to dick around on slashdot and ... run your own mail server for no reason other than to wave it around like an epenis. Hell, most of you would be bragging up a shit storm if you had an affair.
All you do by bragging about running your own personal mail server is prove that you have more time than money ... and probably brains since you can get any of several places to host your mail for free and without ads if you don't use their web interface, so the end result is pretty much 0 cost hosting.
What do you do that someone cares about? Why is the government going to want your mail? Because you act like a bad ass on slashdot? I think not.
No one cares about your mail any more than they care about mine. Okay, so maybe a handful of people here have a reason to be concerned, I'm sure there are a few, but they aren't the ones bragging about running their own mail servers either. They are the ones that keep their head down and mouth shut ... hence why they haven't already been handled.
The more you go on and on about how you stick it to the government, the more you make it clear that the government doesn't give a shit about you and that you really don't actually know what you're doing ... or at the very least, why you are doing it.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
An interesting aspect to the drop box they used, is that it seems like the investigators were able to get drafts that had been removed or altered.
Given the degree to which criminal elements already use that technique I would bet all large email providers store every update to a draft.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Nobody keeps lots of mail there for longer than six months.
In fact, people do. However, corporate email accounts at Google auto-delete email after 180 days because of the 1986 act. There was much grumbling when this came about, and there are exceptions for people with an email "litigation hold", but for everyone else, it's part of normal operation that it's deleted.
I believe that this is a settable option for corporate managed accounts (i.e. hosted domain email for commercial companies which pay Google to manage their companies mail).
I know that most other public corporations, such as Penton Media, have similar 6 month deletion policies. IBM's policy when I worked there (circa 2001) was 1 year, and switched to 6 months while I was employed by them.
Apple had a two year policy because it was difficult to establish separate policy for the US vs. Europe for compliance with Directive 2006/24/EC http://en.wikipedia.org/wiki/Data_Retention_Directive and Apple conservatively classed itself as an ISP. I don't know what their current policy is, given that the U.S. equivalent H.R.1076/S.436 http://en.wikipedia.org/wiki/SAFETY never made it into law.
I don't.
I do. But like any slashdotter worth his slashdot id, it's on my own email server.
this signature has been removed due to a DMCA takedown notice
scha-den-freu-de
[shahd-n-froi-duh] noun
see "General David Petraeus"
I have heard multiple "serious media commentators" refer to this unfolding of events as resembling something like "a Greek tragedy".
I am put more in mind of an Italian sex-farce. Like they used to make when Loren and Lollobrigida were at peak.
Now we will have to be merely content, whilst awaiting the Flynt Production: "This is Not Centcom!"
"Flyin' in just a sweet place,
Never been known to fail..."
That is but one of the reasons why I still use POP3 and keep all my email on my own system in Outlook...
Holy fuck, what is the matter with these people?
Nothing.
All Petraeus did was have a girlfriend. So at worst he was a dick to his wife, which is not a crime.
Allen might be in real trouble if he was sharing classified info. 20,000-30,000 is a LOT. That's over 60 a day for a year.
paintball
i'm a systems researcher, you insensitive clod!
Does this mean if I download all messages from my IMAP account from the server, delete them from the server, and then reupload them to the server every four months that they can never view my messages?
I run my own mail server to back up the mail going to my main domain. Everything is automatically forwarded to my server and I can log into it from anywhere and look for that old message from forever ago. Its easier than doing so with my hosting provider, and I control the up-time and reliability on it. But the main reason I run the server at all is for CalDav and CardDav. Sure no one cares about my mail, but Gmail does read through my messages, contacts and calendar info to serve ads. I don't particularly care to give out all my contact and calendar info to Google, Microsoft, Yahoo, or anyone else. It runs on a very low power (~8W box) that I have running all the time anyway, so why not feel like I have some semblance of privacy?
The moral angle is just a way to leave gracefully, nobody in Washington would really give a shit that he had a mistress.
The big news is that his mistress was a journalist and he seems to have been leaking state secrets to her, very poor behaviour when Bradley Manning (for example) was locked up for using his position to leak far more trivial state secrets than Petraeus has access to.
This whole scandal is caused by three things: His name has too many syllables; he's insufficiently suave; and he's with the CIA.
Give him a punchy name, gobs of suave, and put him in MI6, and you've got a 50+ year movie franchise.
Obama team no doubt holds several more in reserve to use as needed.
Well to me it's like having a photocopier instead of having to make copies elsewhere. It's a trivial bit of office equipment that barely needs attention and normally just works for years at a time. Unless of course it's Microsoft Exchange, but even the name tells you what to do with it :)
That's of course for a small office where people typically email each other enormous attachments that would choke an outgoing pipe, but since I run the server that's where I get my personal email sent. Email is inherently insecure and prone to get misaddressed, forwarded to third parties etc so if you've got anything in your emails that you want kept a secret from the state then you are doing it wrong.
More interesting to me is why was the head of the CIA (a guy with all the secrets about our country's operations) not using encrypted communications for something like this? Is the director of the CIA this stupid? Is he careless? Does he not know how to use crypto? Being the D/CIA, surely he knows about NSA and what those guys do all day long. Did he really think his in-the-clear e-mail would not be discovered by them or some other agency/organization/hacktivist group?
"Do you know anyone these days who doesn't have IMAP accounts with 6+-month-old mail on them?"
Um... yes? Myself? Who the HELL keeps old e-mail around to violate your own and others' privacy when/if your account becomes compromised? It should be illegal.
I vote we extend this ruling to everything. If you haven't at least looked at everything you own within the last 6 months then I consider it abandoned and I'm entitled to simply take it. If you haven't opened up your PC and looked at everything inside it within 6 months I can open 'er up and take all the components (but leave the case since you can see that). Those 7 years of tax returns you're keeping in your closet? Yeah, I'll just take the last 6 1/2 years of them, thanks, they look abandoned to me. Oh yeah, and your software company hasn't read every line of code and done a full audit in 6 months...so, I'll take all your source code then, it looks abandoned there. Oh yeah, there's my old bar near here that shut down and they still haven't leased out the property. Well, I guess that's abandoned then - hand over the deeds. That shoebox of old memorabilia you keep in your closet? Oh...it's an old coin collection! Too bad you abandoned it, but thanks!
We could make this even more amusing by reducing the term to 15 seconds. Yeah, totally demolish working civilization overnight!
Abandonment is a totally subjective concept.
Fix: Petraeus Case Illustrates FBI power To Read Email
Because they don't have any authority to do it absent probable cause, oath or affirmation, and a warrant. What we're talking about here is a fishing expedition into two people's pending outgoing mailboxes.
Authorization goes: Constitution: Court: FBI. And they're completely missing the "constitution" step.
It's not all of us. Really, it's not. The system is, admittedly, very broken. But there are many, many citizens who are not.
I've fallen off your lawn, and I can't get up.
it's on my own email server.
And if your email server is in the US, it doesn't make a fucking difference. The US govt can and will look at all the data that is on that server, if they so wish.
Best example: megaupload.com
theres a checkbox for that... the web is hard eh?
You can tell gmail to "delete gmail's copy" when doing pop.
But gmail does not actually delete it. It goes into trash. Where it's still available for interested parties to look at.
So, like the parent poster wrote, if you want your emails really be gone, you have to go into the gmail's web interface and empty trash explicitly.
This reminds me of the Monica-Clinton situation. I doubt that any effect upon job performance was involved and frankly when you hire a general to screw entire nations it is rather hard to get bothered about him screwing around. I'll bet that most of the congress and senate as well as most presidents have dipped in forbidden pools and their wives may also fool around a bit. Big deal. It's almost a national sport these days. Probably most of America is worrying about how to get a fancier car then their neighbors as well as wishing they could get to the neighbors wife, daughters or in soem cases sons or even children. That stuff appears to be the actual operating morality of America. Even our ministers and priests seem to get caught these days.
Occasionally they come in handy when trying to figure out why we did certain things the way we did.
"Do you know anyone these days who doesn't have IMAP accounts with 6+-month-old mail on them?"
Myself. The highest backlog I've ever had was about 40 days, some 5,000 messages across a dozen accounts. I have no problem maintaining coherent backups across multiple devices and locations for the few hundred actually important emails (accounts, software activations, and the like), so there is no value in having them accessible by anyone other than myself. Seriously, I don't even have to think about it when it comes time to set up a blank machine, it's that automagical by now.
While there is absolutely nothing of interest to the government or other players in anything that I keep, I can't see any reward, indeed much risk, with trusting others to maintain my privacy especially in the face of what I know to be unconstitutional (courts differ on that) means. [Some time ago I swore to "protect and defend the Constitution" so I took my duty seriously and studied it along with the Law around it. Not much left anymore for with to do either.]
In any case, none of this is particularly relevant to the General's situation. Along with his security clearance, he entirely waived more than a few rights (as did I back then), so the email would be accessible no matter what, even if it only existed on backup tapes instead of online storage.
"[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
... I post cyphertext to Pastebin.
In the UK the FBI agent would seem to be guilty of
Misue of Public Office Misusing his authority.
Computer Misuse Act - Unauthorised access to a computer.
Data Protection Act - Disclosure of private data
The Harassment Act - Continuing Harassment after being warned to stop.
Download your emails to your computer. Make sure the email file is password protected and stored on an encrypted volume. let them try and get it.
Nice way to rehash your old articles but it's got nothing to do with Petraeus, or any other member of the armed forces. Anyone subject to the Uniform Code of Military Justice gave up their right to privacy when they took the oath.
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy." Hamlet (I, v, 166-167)
You mis understand "corporate" in this context.
In this context, it means "for people working at Google". As I said, it's a settable option for corporate managed accounts, which I guess from your posting you have. The setting is for the account administrator, not for the account users. Policy gets set by the owner of the domain, not by the users within the domain.