Washington has been embroiled in an ever-escalating sex scandal involving Gen. David Petraeus, his biographer Paula Broadwell and a third woman named Jill Kelley, and now, tangentially it seems, Gen. John Allen. The affair between Petraeus and Broadwell was discovered by the FBI and revealed when Petraeus resigned as director of the CIA. But while the salacious details have kept Washington’s press corps busy, the details about how the bureau ever got this information should concern us far more.
Every turn in the investigation that led to Petraeus’ resignation perfectly illustrates the incredible and dangerous reach of the massive United States surveillance apparatus, which, through hundreds of billions of dollars in post-9/11 programs – coupled with weakened privacy laws and lack of oversight – has affected the civil liberties of every American for years. The only difference here is the victim of the surveillance state’s reach was not a faceless American, but the head one of the agencies tasked to carry it out.
The spark that set events in motion was a handful of allegedly harassing emails sent anonymously to Kelley, a friend of Petraeus’, which she brought to a friend at the FBI. Yet it’s unclear why an investigation was ever opened, given that everything publicly known about the emails suggests they weren’t illegal.
As the Daily Beast reported, they said things like “Who do you think you are? . . . You parade around the base . . . You need to take it down a notch.” The story noted, “when the FBI friend showed the emails to the cyber squad in the Tampa field office ... fellow agents noted the absence of any overt threats.” It seems the deciding factor in opening the investigation was not the emails’ content, but the fact that the FBI agent was friendly with Kelley.
But these initial emails reportedly did not identify Broadwell as the sender and only made passing reference to Petraeus. So how did the FBI end up uncovering the affair?
It obtained the IP addresses attached to the emails, which can give a fairly accurate location of the email sender. This “metadata,” as it’s called, can be obtained by law enforcement without a warrant or any court oversight. All that is needed is a subpoena signed by a prosecutor indicating the information is relevant to an ongoing investigation.
Metadata can include not only your IP address, but to whom and when you’re sending emails, and in other cases, the exact location of your cell phone for weeks or months at a time. And police get this type of data in everyday investigations without a warrant at a staggering and alarming rate.
But finding the location of the sender was just the beginning. From there, “armed with information about where the messages originated, the FBI is believed to have drawn up a list, as far as was possible, of who was at those locations when messages were sent,” the BBC reported. Because the IP addresses were hotel WiFi hotspots, the FBI obtained the hotel records at the various locations.
But how, exactly? Again, we don’t know the precise procedure used, but hotel records – which are private – can also be obtained with just a subpoena and do not require a judge to sign off on anything.
In other cases, the FBI has been known to use additional tools in its national security belt. The bureau once infamously used the relaxed “National Security Letter” requirements in the Patriot Act to get the hotel records on an estimated 1 million Las Vegas tourists – all of whom turned out to be completely innocent.
From here, the FBI figured out that Broadwell was the likely sender, and only then went to get a warrant to read her emails – or so it seems. One would assume, and hope, police have to get probable cause for all emails, just like they would for a physical letter or a phone call. But the law governing email – the Electronic Communications Privacy Act (ECPA) – doesn’t have such requirements for emails more than 180 days old. Because ECPA was written in 1986, before the World Wide Web even existed, archived emails were an afterthought given the incredibly small storage space on email servers.
Complicating matters further, Petraeus and Broadwell were communicating not by sending each other emails, but using an old (and apparently ineffective) trick of saving drafts in the draft folder of Gmail, thinking this was more private than if they sent them to each other. But as the ACLU’s Chris Soghoian explained, this was not so:
“Ironically enough, by storing emails in a draft folder, rather than an inbox, individuals may be making it even easier for the government to intercept their communications. This is because the Department of Justice has argued that emails in the ‘draft’ or ‘sent mail’ folder are not in ‘electronic storage’ (as defined by the Stored Communications Act), and thus not deserving of warrant protection. Instead, the government has argued it should be able to get such messages with a mere subpoena.”
Regardless of what method the FBI used to read their allegedly explicit communications, the Daily Beast reported, “the FBI agents found no indication that it constituted a crime or a threat to national security. They confirmed this when they interviewed Broadwell and then Petraeus.”
Incredibly, this didn’t stop the investigation. And if privacy were any kind of priority, this should have been the end. The FBI has to comply with legally mandated “minimization” standards under law which, in theory, should prevent the bureau from snooping on personal conversations that do not reveal criminal conduct, even if its agents have permission to read all relevant communications to an investigation.
Instead, as the investigation deepened, top FBI officials were alerted, and they in turn told the director of national intelligence. Petraeus eventually resigned.
While these details may shock the average reader, these privacy-invasive tactics are used regularly by both federal and local law enforcement around the United States. In fact, as The New York Times reported, referring to Petraeus, “Law enforcement officials have said they used only ordinary methods in the case.” The only difference here is the target was the director of the CIA and one of the most decorated soldiers in modern military history.
The Petraeus scandal – or perhaps we should call it the FBI snooping scandal – dovetailed with Google releasing its semi-annual transparency report, which again showed that government requests for ordinary user data continue to skyrocket. The last six months showed the U.S. government requesting data from Google alone on more than 12,000 users, a marked increase over the six months prior. And this number doesn’t even include some Patriot Act demands, National Security Letters with gag orders, or secret FISA court orders for intelligence operations.
As Google said in conjunction with the release of its report, “This is the sixth time we’ve released this data, and one trend has become clear: Government surveillance is on the rise.”
Congress is now demanding to know why it wasn’t informed by the Justice Department about the details of the Petraeus affair earlier. Lawmakers should instead be worried about why the public was informed of these details at all, given that no crime was committed. And instead of investigating one man’s personal life, they should investigate how to strengthen our privacy laws so this does not happen to anyone else.
The U.S. government has so far been unable to keep its colossal surveillance state in check. Now that it is so bloated it is eating itself, one hopes more people will finally pay attention.
Trevor Timm is a policy analyst at the Electronic Frontier Foundation. The views expressed here are his own.