CSM Marvin L. Hill
Paula Broadwell with Gen. David Petraeus
Paula Broadwell is a trained intelligence officer who'd spent years working with some of the most secretive agencies in the world, according to her biography from her book publisher, Penguin. How were FBI agents able to hunt her through cyberspace with just a handful of anonymous emails to begin?
Anonymity online is a lot harder than it appears, experts say.
The downfall of CIA Director David Petraeus demonstrates how easy it is for federal law enforcement agents to examine emails and computer records if they believe a crime was committed. With subpoenas and warrants, the FBI and other investigating agencies routinely gain access to electronic inboxes and information about email accounts offered by Google, Yahoo and other service providers.
Meanwhile, it’s possible investigators didn’t even need a court order to connect the dots between the alleged anonymous threatening emails sent by Broadwell to Gen. David Petraeus friend Jill Kelley.
"The government can't just wander through your emails just because they'd like to know what you're thinking or doing," said Stewart Baker, a former assistant secretary at the Department of Homeland Security who's now in private law practice. "But if the government is investigating a crime, it has a lot of authority to review people's emails."
Unless an email sender goes to great pains to cover his or her tracks — using anonymous remailers, for example — it’s fairly trivial for a law enforcement official to obtain a court order and track down the computer used to commit a crime with the help of an Internet service provider. But how could federal investigators link an anonymous email to a suspect without even going to court?
There are several possibilities, experts say.
Some Web mail services, including Yahoo and Microsoft's Outlook.com, send user IP addresses across the Web with every email, according to privacy researcher Chris Soghoian, a senior policy analyst at the American Civil Liberties Union. IP addresses can be used to track the physical location of a computer user connected to the Internet, sometimes without the help of an Internet service provider.
Broadwell had used a Yahoo account publicly in the past. If she used a new Yahoo account for any of the threatening emails — federal officials told NBC’s Michael Isikoff that she used several accounts to send the emails — agents would have had an easy time gathering a list of IP addresses from the threatening emails Kelley provided to them. But even if Broadwell used another service that doesn't "leak" IP addresses, an FBI agent can obtain such information by subpoenaing those providers.
It’s important to note that most ISPs have hotlines which respond to subpoena requests with high efficiency, and that subpoenas do not require government authorities to prove probable cause before a judge. For example, Google, which operates the widely used Gmail service, complied with more than 90 percent of the nearly 12,300 requests it received in 2011 from the U.S. government for data about its users, according to figures from the company.
As one former federal prosecutor describes the process, many investigators have "a desk drawer full of blank subpoenas, and they just fill one out and fax it to the company. Often, the ISP has the data waiting before the fax even arrives." The former prosecutor spoke to NBC News on condition of anonymity because of the sensitive nature of investigations.
An IP address by itself would have told investigators little, but agents could have used one of two techniques to identify the person behind the keyboard. The former prosecutor said that agents could have linked some of the IP addresses on the emails to hotels where Broadwell stayed, then called the hotels and retrieved guest lists, which hotels often volunteer to investigators. Anyone who logged on from hotels at the time when the menacing emails were sent would be a suspect, he said. If agents found someone had checked into multiple hotels which matched the list of IP addresses, that would narrow the suspect list considerably.
Federal officials told NBC News' Pete Williams that the FBI used this method to link the menacing emails to Broadwell.
But agents may not have had to work that hard, Soghoian said. They could have taken an IP address from Kelley’s email, called an email provider like Yahoo or Google, and asked for details on any accounts that logged in from that same IP address at the same time. If Broadwell slipped up just once, and logged into her personal account during the same "session" that she logged into her anonymous account, agents would have been able to link her to the menacing emails.
Some reports suggest Broadwell and Petraeus did take steps to evade cyber-investigators. They apparently used a trick, known to terrorists and teenagers alike, to conceal their email traffic. The Associated Press reported Broadwell and Petraeus composed some emails and instead of transmitting them, left them in a draft folder for each other to read. That avoids creating an email transmission trail, which is easier to trace. It's a technique that al-Qaida terrorists began using several years ago and teenagers in many countries have since adopted.
"The lesson for the rest of us here is you have to go through a lot of steps to maintain anonymity, and you only have to screw up once," said Soghoian. "The FBI was able to pierce the veil of anonymity even for someone who's been trained. The government only has to get one clue. You have to be successful 100 percent of the time."
To actually read the content of Broadwell’s emails — as opposed to viewing the IP address and other header information about the emails — investigators would have had to obtain a fresh court order, but that’s not much of a legal challenge, either. Under the 1986 Electronic Communications Privacy Act, federal authorities need only a subpoena approved by a federal prosecutor — not a judge — to obtain electronic messages that are six months old or older. To get more recent communications, a warrant from a judge is required. This is a higher standard that requires federal authorities to convince a judge that there’s probable cause that a crime is being committed. And if they wanted to intercept emails in real time, a federal wiretap order would have been required. But those 180-day-old emails probably told the story.
Public interest groups are pressing Congress to update the privacy law because it was written a quarter-century ago, when most emails were deleted after a few months because the cost of storing them indefinitely was prohibitive. Now, "cloud computing" services provide huge amounts of inexpensive storage capacity. Other technological advances, such as mobile phones, have dramatically increased the amount of communications that are kept in electronic warehouses and can be reviewed by law enforcement authorities carrying a subpoena.
"Technology has evolved in a way that makes the content of more communications available to law enforcement without judicial authorization, and at a very low level of suspicion," said Greg Nojeim, a senior counsel at the Center for Democracy & Technology.
Reporting by the Associated Press is included in this report.
* Follow Bob Sullivan on Facebook.
* Follow Bob Sullivan on Twitter.
Some members of Congress are saying that they or, at the least President Obama, should have been told about the investigation into the director of the CIA while it was going on. NBC's Pete Williams reports.