Petraeus Case Illustrates FBI Authority To Read Email
An anonymous reader writes "Back in April, we discussed how the 1986 Electronic Communications Privacy Act says email that has resided on a server for more than six months can be considered abandoned. The recent investigation of General Petraeus brings this issue to light again, and perhaps to a broader audience. Under current U.S. law, federal authorities need only a subpoena approved by a federal prosecutor — not a judge — to obtain electronic messages that are six months old or older. Do you know anyone these days who doesn't have IMAP accounts with 6+-month-old mail on them?"
Nobody keeps lots of mail there for longer than six months.
I don't have a useless IMAP account - I keep all my valuable messages on Hotmail
This is why I delete my old emails every 3 months.
Of course, when you're living in "The Cloud©," who's to say that the "Delete" button really deletes your email, and doesn't just shift it off to some secondary storage cache where it sits undisturbed for years until the FBI decides it wants to read it?
I keep one month's email on my IMAP server, and pop everything to my main machine.
I don't have friends, though...
"Rather than transmitting emails to the other's inbox, they composed at least some messages and left them in a draft folder or in an electronic dropbox, AP said" http://www.usatoday.com/story/tech/2012/11/13/petraeus-broadwell-email/1702057/ Yeah, some of them may have been in the drafts folder. Sending email to your secret lover is old school and going to get you caught. OOPS maybe it did.
It all starts at 0
While it's probably a good idea to erase your personally incriminating emails that you wrote 6 or more months ago (or a week ago!), at some point we want our CIA personnel to not be acting like idiots.
The NSA looks at and stores most of them with no oversight anyway. You don't protest that.
Silence is a state of mime.
Don't leave behind incriminating evidence!
News at 11.
The guy who said the election was rigged won the presidency with the second-most votes.
The thing about it is that Petraeus likely won't be charged or prosecuted for anything. So basically the FBI was "just checking" to make sure no law was broken. If they can do it to the CIA director they likely can do it for anyone they damn near please. Anyone suspected of cheating on their wife is fair game apparently.
... I run my own IMAP servers. A third party can't release something that a third party doesn't have. (Nothing, of course, is keeping the upstream mail relay from keeping copies of all the messages they send on to a local IMAP machine, but I would be very surprised if it were currently common practice.)
The other reason I run my own IMAP/postfix server is to get around bullshit port blocking at hotels and the like. They might block port 25, can't very well block http: and https: ports, now can they?
Petraeus was the head of our CIA and couldn't keep his own affair secret? If he can't camp a little action off on the side without getting caught, I sure don't want him in charge of our country's Department of Spies.
...within the context of the Fourth Amendment?
Yeah, yeah, I know...they're using the Bill of Rights as toilet paper and all- that's because we keep foolishly allowing them that and foolishly thinking that these rights are automatic. They're not automatic.
You only have rights if you're belligerent and EXPLICITLY demand them. Quit presuming that the government has any obligations to give you your rights. They do their level best only because of the consequences of them not doing so and someone calling them out on it. What we're being presented here is explicitly UNCONSTITUTIONAL. Yeah, yeah, it costs all sorts of money and effort to stand up for your rights. Freedom's NEVER free.
It's come time to decide, people... Are you slaves? Are you free men? If you're free men, that comes at a price- and you've got to be willing to PAY it.
I don't think I'm an interesting party (what a setup), but I'm glad to hear POP3 is safe ;)
I thought I was just behind the times with my POP3 email. Apparently, it was foresight.
Not that it matters, really. I think we have to assume they can get anything they want without a warrant anyway and whether or not I think I removed it from a provider's server. Just say the magic words: "national security," aka "sudo," aka "Simon says."
I am not a crackpot.
For anything interesting - enough said.
Did he have the lifestyle poly that everyone else working for CIA or NSA gets?
For those that say it was a private adult matter, a normal worker would have their clearance in jeopardy. The boss who demands a standard of everyone else must fall on the sword when he fails that standard.
Now for congress demanding why they were not told, the details of an investigation that might affect a clearance are none of your business. If you are not involved in the investigation nor the adjudication, then all you get is pass fail. That is part of the bargain to have people bare all to the feds for a clearance.
As for reading email / cloud storage should need a warrant for anything that is not genuine CI/national security. The bargain there is that anything that is found that is not national security is let alone under the self enforcing mantra of not revealing sources nor methods.
So, who can point me to an e-mail vendor that keeps all messages encrypted?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Dang. Someone must have accidentally changed the time on those servers in the cloud and that's why we thought those messages were 6 months older than they really were.
Keep in mind that if you read your email using your work computer, then your employer can read it too - don't trust SSL to keep it private, your employer can transparently decrypt the SSL stream and re-encrypt using their own cert which your (well, your employer's) computer will trust.
If you want to keep your private email private, only read it on your own device, don't trust anyone else's device.
Do you know anyone these days who doesn't have IMAP accounts with 6+-month-old mail on them?"
Hell yes. Me. POP. Nothing stays on my ISP's server for more than a few days.
A decade or so ago, we finally admitted that the encryption cat was out of the bag, US rules loosened, and web browsers stopped coming in "128-bit encryption that you can't export" versus "56-bit encryption that the FBI or the teenager down the street can crack" varieties.
At the time, many people were cynical enough to speculate that this new "we won't worry about bad people using encryption" policy meant that NSA mathematicians had discovered algorithms for cracking our strongest ciphers.
Yet I don't recall anyone being so cynical as to realize the truth: we don't worry about bad people using encryption because (most) ecommerce vendors are the only ones not too lazy to use encryption. You'd think that a four-star general trying to hide an affair would at least try out PGP...
I don't understand why GPG is not baked into everyone's mail client by now. All my geek friends have my public key.
You should be using 4096 bit encryption and a public key server.
For someone in his position, he should know better than that.
Even an idiot can install Thunderbird and then put the Enigmail plugin on top of it.
Are there any plugins, scripts, extensions etc that one could install that automatically encrypt stuff that is over 5 months old? Occasionally I need stuff from back then when I would need to search for it -- which I guess would be problematic? Is there a solution to protecting this stuff w/o deleting it from the server?
And this is why, you should simply own your own IMAP server. Since it costs next to nothing. If you own it, the storage is yours, and you haven't abandoned anything.
Or, you know, you could let someone else hold onto your stuff forever, which for this law, and logic, means you've abandoned it.
Makes sense. Why weren't you paying the few pennies to own your stuff?
I'm thinking that these emails are long strings of replies back and forth, with each email repeating the stuff already sent previously. What with all the blank spaces, headers, wrapping of text, I can see how the page count gets inflated by quite a bit.
Ibid.
They do not have authority that is approved by the guidelines the Founders of this country created.
What it means is they are violating the founders' intents and any supposed law in violation are not real laws but fabrications of distortions backed by nothing more than brute force using abstract words to make themselves feel better about it.
There are many violations of the founders' intents. The Declaration of Independence even acknowledges the probability of corrupt government and the founders in doing so gave us recognition of our rights and duty to put off bad government and replace it with what the founders intended. They even provided us with real life example.
So No they do not have the Authority to try and take advantage of the shortcomings of technology that they perceive. Especially when the Email account is still actively being used. Being used does mean clearly that it is not an abandoned mail.
Why would I save an email for 6 months, that's insane. If an email was so important that it needed to be kept for that long I would print it off and tack it somewhere around me so I could see it. If the email wasn't important and I was still meant to keep it I would tell the person who sent it to re-send it later closer to the date and if neither case is true then I delete it or handle it right away and make the idiot who sent it deal with me 6 months early. Email is meant for quick communication, if you don't need the quick part then print it out or just phone the person.
They have systems just for sifting through email and such. I'm pretty sure the main one used by the feds is EINSTEIN 3. It's also available to big businesses, but voluntarily. Email monitoring wasn't in the earlier versions, but EINSTEIN 3 can read the content of email.
I'm archived, back to 1999 on some mails - personal account. :-)
"Flyin' in just a sweet place,
Never been known to fail..."
When I worked at AT&T it automatically deleted ANY email older than 30 days. Deleted for you. Plus they scanned for and deleted any PST files found on any computer.
Do not look at laser with remaining good eye.
He was a high level government official in a national security sensitive position. The rules and laws are quite different and this is not a good comparison.
Because you have more time than money or brains and a retarded idea that someone gives a shit about your email?
What do you do that anyone gives a fuck about? Nothing. No one is going to steal your precious email anyway.
Why do you run your own mail server? Because you still think that makes you leet. I stopped giving a shit about my own mail server about the same time I got out of school and got a job. I have better things to do with my life than dick around with mail server upgrades every 6 months or more, and what's best ... I never have to give 2 shits about a hard drive failing, RAID or otherwise, because someone else does that for me ... FOR FREE.
Seriously, get over yourself, you might think you're bad ass because you can install a package, you're just too silly to realize that the instant you could install Linux as a mail server ... it was no longer impressive. Running apt-get doesn't make you an admin, hell it doesn't even make you a freaking script kiddie anymore.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Why? Because you're a high level military general and politician that someone cares about? Wait, what? No one would give a shit about your mail regardless? Thought so.
And as for gmail ... there's a checkbox for that... the web is hard eh?
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
"In a parallel process, the investigators gained access, probably using a search warrant, to Ms. Broadwell’s Gmail account. There they found messages that turned out to be from Mr. Petraeus." Source: http://www.nytimes.com/2012/11/14/us/david-petraeus-case-raises-concerns-about-americans-privacy.htm
The only reason that the FBI was able to gain access to her e-mails was because Google complied with FBI's request. So it seems that the real question is not about how vulnerable your email is to "hackers", but whether your email provider keeps your communications private.
Seriously, it's not impressive. Hasn't been for at least 15 years.
Second ... NO ONE GIVES A SHIT ABOUT YOUR MAIL. You are not a former high level military officer or high level politician. You are in fact nobody, just like me. How do I know you are nobody? Cause you have the spare time to dick around on slashdot and ... run your own mail server for no reason other than to wave it around like an epenis. Hell, most of you would be bragging up a shit storm if you had an affair.
All you do by bragging about running your own personal mail server is prove that you have more time than money ... and probably brains since you can get any of several places to host your mail for free and without ads if you don't use their web interface, so the end result is pretty much 0 cost hosting.
What do you do that someone cares about? Why is the government going to want your mail? Because you act like a bad ass on slashdot? I think not.
No one cares about your mail any more than they care about mine. Okay, so maybe a handful of people here have a reason to be concerned, I'm sure there are a few, but they aren't the ones bragging about running their own mail servers either. They are the ones that keep their head down and mouth shut ... hence why they haven't already been handled.
The more you go on and on about how you stick it to the government, the more you make it clear that the government doesn't give a shit about you and that you really don't actually know what you're doing ... or at the very least, why you are doing it.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
An interesting aspect to the drop box they used, is that it seems like the investigators were able to get drafts that had been removed or altered.
Given the degree to which criminal elements already use that technique I would bet all large email providers store every update to a draft.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Nobody keeps lots of mail there for longer than six months.
In fact, people do. However, corporate email accounts at Google auto-delete email after 180 days because of the 1986 act. There was much grumbling when this came about, and there are exceptions for people with an email "litigation hold", but for everyone else, it's part of normal operation that it's deleted.
I believe that this is a settable option for corporate managed accounts (i.e. hosted domain email for commercial companies which pay Google to manage their companies mail).
I know that most other public corporations, such as Penton Media, have similar 6 month deletion policies. IBM's policy when I worked there (circa 2001) was 1 year, and switched to 6 months while I was employed by them.
Apple had a two year policy because it was difficult to establish separate policy for the US vs. Europe for compliance with Directive 2006/24/EC http://en.wikipedia.org/wiki/Data_Retention_Directive and Apple conservatively classed itself as an ISP. I don't know what their current policy is, given that the U.S. equivalent H.R.1076/S.436 http://en.wikipedia.org/wiki/SAFETY never made it into law.
I don't.
I do. But like any slashdotter worth his slashdot id, it's on my own email server.
this signature has been removed due to a DMCA takedown notice
scha-den-freu-de
[shahd-n-froi-duh] noun
see "General David Petraeus"
I have heard multiple "serious media commentators" refer to this unfolding of events as resembling something like "a Greek tragedy".
I am put more in mind of an Italian sex-farce. Like they used to make when Loren and Lollobrigida were at peak.
Now we will have to be merely content, whilst awaiting the Flynt Production: "This is Not Centcom!"
"Flyin' in just a sweet place,
Never been known to fail..."
Holy fuck, what is the matter with these people?
Nothing.
All Petraeus did was have a girlfriend. So at worst he was a dick to his wife, which is not a crime.
Allen might be in real trouble if he was sharing classified info. 20,000-30,000 is a LOT. That's over 60 a day for a year.
paintball
Does this mean if I download all messages from my IMAP account from the server, delete them from the server, and then reupload them to the server every four months that they can never view my messages?
I run my own mail server to back up the mail going to my main domain. Everything is automatically forwarded to my server and I can log into it from anywhere and look for that old message from forever ago. It's easier than doing so with my hosting provider, and I control the up-time and reliability on it. But the main reason I run the server at all is for CalDav and CardDav. Sure no one cares about my mail, but Gmail does read through my messages, contacts and calendar info to serve ads. I don't particularly care to give out all my contact and calendar info to Google, Microsoft, Yahoo, or anyone else. It runs on a very low power (~8W box) that I have running all the time anyway, so why not feel like I have some semblance of privacy?
The moral angle is just a way to leave gracefully, nobody in Washington would really give a shit that he had a mistress.
The big news is that his mistress was a journalist and he seems to have been leaking state secrets to her, very poor behaviour when Bradley Manning (for example) was locked up for using his position to leak far more trivial state secrets than Petraeus has access to.
Well to me it's like having a photocopier instead of having to make copies elsewhere. It's a trivial bit of office equipment that barely needs attention and normally just works for years at a time. Unless of course it's Microsoft Exchange, but even the name tells you what to do with it :)
That's of course for a small office where people typically email each other enormous attachments that would choke an outgoing pipe, but since I run the server that's where I get my personal email sent. Email is inherently insecure and prone to get misaddressed, forwarded to third parties etc so if you've got anything in your emails that you want kept a secret from the state then you are doing it wrong.
It's not all of us. Really, it's not. The system is, admittedly, very broken. But there are many, many citizens who are not.
I've fallen off your lawn, and I can't get up.
But what a sequel for "Who's Naylin' Paylin"!
"Flyin' in just a sweet place,
Never been known to fail..."
Occasionally they come in handy when trying to figure out why we did certain things the way we did.
"Do you know anyone these days who doesn't have IMAP accounts with 6+-month-old mail on them?"
Myself. The highest backlog I've ever had was about 40 days, some 5,000 messages across a dozen accounts. I have no problem maintaining coherent backups across multiple devices and locations for the few hundred actually important emails (accounts, software activations, and the like), so there is no value in having them accessible by anyone other than myself. Seriously, I don't even have to think about it when it comes time to set up a blank machine, it's that automagical by now.
While there is absolutely nothing of interest to the government or other players in anything that I keep, I can't see any reward, indeed much risk, with trusting others to maintain my privacy especially in the face of what I know to be unconstitutional (courts differ on that) means. [Some time ago I swore to "protect and defend the Constitution" so I took my duty seriously and studied it along with the Law around it. Not much left anymore for with to do either.]
In any case, none of this is particularly relevant to the General's situation. Along with his security clearance, he entirely waived more than a few rights (as did I back then), so the email would be accessible no matter what, even if it only existed on backup tapes instead of online storage.
"[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
It's not just "tech-challenged" friends. I have friends that are quite technically knowledgeable and competent but still won't do it.
Quite a bit of it is simply not-caring.
In the last few years, a new problem has arisen: people are using tech-challenged software. Both iOS and Android come with shockingly bad email clients that probably aren't as good as whatever you were using a decade or two ago. Presumably you can get pgp-interoperative mailreaders for these platforms but I think the users of these platforms have a weird everything-must-be-out-of-the-box expectation. And out-of-the-box, the platforms are simply hopeless for reading encrypted mail. It's weird; in some ways these platforms are super-slick, and in other ways they are glaringly impoverished anachronistic wastelands.
Before this, another one of the problems was webmail; it's very awkward to do webmail right. (And I'm being rather charitable!)
On the bright side, I think mobiles are making people care less about webmail (not completely, but less); now that everyone has a personal terminal in their pocket, they don't need "read from anyone's machine with no installs or complicated configuration" which is what webmail's big attraction was. So if decent mailreaders somehow get more common on mobiles, then email security could get back up to mid-1990s tech some day.
Then it'll be time to sigh and fight the people-not-caring battle all over again. :-/
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
In the UK the FBI agent would seem to be guilty of:
Misuse of Public Office - Misusing his authority.
Computer Misuse Act - Unauthorised access to a computer.
Data Protection Act - Disclosure of private data
The Harassment Act - Continuing Harassment after being warned to stop.
Nice way to rehash your old articles but it's got nothing to do with Petraeus, or any other member of the armed forces. Anyone subject to the Uniform Code of Military Justice gave up their right to privacy when they took the oath.
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy." Hamlet (I, v, 166-167)
You misunderstand "corporate" in this context.
In this context, it means "for people working at Google". As I said, it's a settable option for corporate managed accounts, which I guess from your posting you have. The setting is for the account administrator, not for the account users. Policy gets set by the owner of the domain, not by the users within the domain.