The big story right now is about how the head of the Central Intelligence Agency (CIA) was busted by FBI investigators after they found that he was having an affair with writer Paula Broadwell, principal author of his biography, perhaps ironically called All In: The Education of General David Petraeus. It happens, I suppose, and whether that’s the real reason, and the only reason, for his resignation or whether there were other issues that haven’t come to light yet, well, we might never know the full story.
What we do know is that the details of the FBI investigation into General Petraeus’ communications with Paula Broadwell have spurred much discussion about privacy, security and the wisdom of having a mail service like Google’s Gmail — which they used — archive your email forever.
So how much does Gmail archive? For how long? And once you delete something, is it really deleted? For that matter, what does “sharing drafts” mean when the investigators explained how David and Paula communicated without actually sending messages to each other?
This is a bit of a tricky subject to write about because I want to honor the 37 years of service that General Petraeus gave to our country while in the U.S. Army, and his 18 months or so as head of the CIA. A life of service is a respectable thing indeed. But an affair? Stupid.
Let’s start with how they used Gmail to communicate. Once they realized that sending email back and forth was going to be a potential disaster (because it’s so easy to track and analyze) they came up with the pretty smart idea of communicating via draft email messages in a shared Gmail account.
The idea is that if you share login credentials with someone else, you can write a message to them and leave it unsent in the “drafts” folder. They then log in later, see a message in Drafts, read it, delete the content of the message and write their own message back.
In fact, you could both be writing messages simultaneously, though at that point it’s probably easier to just use Gtalk to chat with each other. But… that again leaves a digital trail that the draft messages, deleted after being read, do not.
How would this look? When one of them logged in to Gmail, they’d have seen this on the left side:
A click on “Drafts” and it might have looked like this:
Probably they deleted messages as they went along, but it’s entirely possible that they kept them, even though that would rather defeat the purpose of their stealth communications channel. People in love can do daft things, after all.
In terms of how long Gmail saves messages? That’s forever, as far as I can tell, as long as you don’t push a message into the trash. I signed up for Gmail back in 2004 and can still find messages from August of that year in my “All Mail” folder.
Spam messages are automatically trashed after 30 days. And drafts? As far as I can tell, they’ll stick around until you shut down the account, send them or delete them.
Testing reveals that if you “discard” a draft message, however, it doesn’t move into the trash folder, it just vanishes. Can you recover it? It doesn’t appear so, but it could be in the computer or Web browser’s cache so if an investigator has access to either person’s computer system, they can circumvent a lot of the privacy measures that Broadwell and Petraeus put in place.
It also turns out that email that’s sitting on a server for more than six months, according to the Electronic Communications Privacy Act, can be considered abandoned and examined by law enforcement personnel. The Petraeus investigation brings this issue to light again: Under current U.S. law, federal authorities only need a subpoena approved by a federal prosecutor — not a judge — to obtain electronic messages that are six months old or older.
Do you have email that’s more than six months old, sitting on an IMAP server or on Gmail? If you think about it, a system like Gmail, Yahoo Mail, Windows Live, and even Facebook can be considered a “server” according to the ECPA. Something to think about, indeed.
So that’s the scoop, that’s how the two of them communicated via computer without actually sending email messages or using a chat service — or text messages — that could be easily monitored. And yet, somehow, they were busted. Curious indeed.