Whether you use email for business affairs or illicit affairs, there are many lessons to learn from David Petraeus and his paramour.  This is not a morality site, so we will skip over the obvious issues there.  But if you have been hunting terrorists for a while and are the chief spook at the CIA, you should know how to keep a secret.  So what does the news about Petraeus teach us about email and other discreet communication?

  • Data Mining: If the government wants to track you, they have more than enough means to take a single email, track it back to another person, unlock all that person’s email accounts, search through those emails, then track back to you.
  • Content: Even if you leave out names in an email, by tracking the header metadata, it’s possible to infer meaning.  Best not to talk about sex or other details that stoke media hype.
  • Encryption: It’s hard to know for sure, but no one seemed to be using encryption.  This suggests Petraeus knows it is better to use disposable accounts than to try to encrypt a message.  This may tell us a lot about sources and methods.  Or perhaps General Petraeus is simply not IT savvy.
  • Gmail: Apparently Petraeus and Broadwell used a technique terrorists use to communicate.  They had a shared Gmail account.  They edited a joint “Draft” email, communicating through the draft without ever sending it.  So there was no email to track, just the source IP address from logins.
  • Feds Can Track Drafts: With stories of “1000s of messages” between Petraeus and Broadwell, given they communicated through Drafts in Gmail, it suggests the feds can trace old versions of a draft document.

Petraeus could probably have used better technology.  It is, however, safe to assume that if you write something in a digital realm, the Federal Government can find it if they want to find it.  If you need to be discreet, feel you deserve your privacy, or otherwise want the Government and others to stay away, there are some good practices to follow:

  1. Content: Don’t communicate anything online, in a document, or digitally that looks bad when observed by a 3rd party after the fact amidst a media frenzy. Delete all documents, emails, texts, etc. after transmission.  Run CCleaner on a regular basis.  Better yet, put it on a schedule.
  2. Metadata: Assume the government has means to look across metadata and see links in nodes.  This means if you log in from an IP address to look at a bank statement, and then log in to Gmail through a browser to use an anonymous email address, it’s easy to link your ID from the banking event to your anonymous email account.  Assume the feds have this technology and it’s turnkey.  Key identifiers include: IP address, SIM card, MAC address, phone number, geo-location.  Reduce your metadata footprint:
  3. Encrypt Emails: Encryption may signal you are up to something wrong.  Given Petraeus did not seem to use encryption, it may suggest he knows all encryption is crap.  It’s safe to assume that, if needed, with enough resources encryption can be compromised.  However, it takes a lot of resources.  So as long as you are not doing something truly evil, encryption gives you some protection.  Good browser-based email tools include Voltage, Hushmail, and 10Minute.  Hushmail’s servers are in Canada, which limits the reach of non-specific subpoenas (i.e. FBI could not have accessed Petraeus while researching the paramour cat fight).
  4. Dropbox: Dropbox, Google Drive, etc. are essentially insecure and easily accessed by blanket warrants.  They offer very limited ability to control access or view access.  If you are going to put data into these shared locations, use encryption tools like SecureZip.
  5. Texting: It’s a bit unsure, but with the volume of texting, it’s unclear whether text messages are easy to track.  BlackBerry Messenger is giving the Saudis fits because they have a hard time penetrating its peer-to-peer nature.  Some use of texting may be helpful for quick but low profile communication.
  6. Virtual Machines: As you wander through the internet in your browser, you leave various traces behind on your computer.  For your more sensitive work, consider creating a virtual machine or loading Linux onto a USB stick.  If you encrypt the disk with the VM image, it’s very difficult for someone to get to the core data within the virtual machine.  If, within your virtual machine, you configure your session to always use Tor, private browsing, etc., you can maintain a very low profile.
  7. USB Boot: There are various tools to create a bootable Linux OS from a USB stick.  This bypasses many tracking/data access issues.  Someone would typically need to get to the actual USB stick to get access to your data history.  This is much like a Virtual Machine, just more secure.
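
The identifier linking described in item 2, as an added example that is not part of the original post: accounts that touch the same IP or MAC address are merged into one cluster, including transitively. All account names, addresses and records below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real data): (account, identifier type, value).
EVENTS = [
    ("bank:jane.doe",     "ip",  "192.0.2.10"),
    ("gmail:anon.drafts", "ip",  "192.0.2.10"),
    ("gmail:anon.drafts", "mac", "02:00:00:aa:bb:01"),
    ("forum:throwaway77", "mac", "02:00:00:aa:bb:01"),
    ("gmail:unrelated",   "ip",  "198.51.100.7"),
]


def link_accounts(events):
    """Group accounts that share any identifier, directly or transitively."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for account, kind, value in events:
        # Each identifier is a node too, so every account touching it merges.
        union(("acct", account), ("id", kind, value))

    clusters = defaultdict(set)
    for node in list(parent):
        if node[0] == "acct":
            clusters[find(node)].add(node[1])
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


def linked_to(events, account):
    """Return every other account that lands in the same cluster."""
    for cluster in link_accounts(events):
        if account in cluster:
            return [a for a in cluster if a != account]
    return []


if __name__ == "__main__":
    for cluster in link_accounts(EVENTS):
        print(cluster)
```

The forum account never shares an IP address with the bank login; it is linked only through the MAC address it shares with the anonymous Gmail account, which is why a single reused identifier is enough to tie a chain of accounts together.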

It’s important to note that in the end, the NSA can get whatever it wants from your online and computer activity.  If you are doing something criminal, the recommendations above will not protect you.  We do not advocate criminal activity.  If you want to protect your privacy, which is still legal in the United States, these recommendations can help protect you from others’ probing eyes.
