Regarding the current scandal involving former CIA director, General David
Petraeus, did we learn anything new about email security or the lack thereof?
Were you surprised at what the FBI was able to find out about the parties to
this scandal before the FBI even obtained a court order or a warrant or
In this excerpt from
Answercast #74, I look at how email can be accessed easily by the
authorities if it is available in an online service.
Hiding emails online
Was I surprised? Absolutely not.
Did we learn anything? Well, I think a lot of people learned something. But
it’s not something that wasn’t already out there to be learned.
The fact is when you store email on a service provider like Gmail or Hotmail
or whatever, the email in many cases is legally accessible to law enforcement
if they have a good reason.
Online email can be accessed
Now, I don’t want to get into the legalities and picking apart the law. For
one thing I’m not a lawyer. For another thing the law keeps changing. But as I
kind of sort of understand it, if you leave email on your email server for long
enough, the email is (currently under the law, I think) deemed as being
abandoned, or available, or whatever. What that means is that if you are
honestly, truly concerned about the government accessing your email, don’t
leave it on a common server like Gmail – or your ISP, or wherever.
That’s an important lesson to be learned.
Hiding messages in drafts
The other lesson to be learned, by the way, is about this technique they
were using: where they didn’t actually send mail. They were sharing
access to a single account and leaving each other messages in the Drafts
In other words – they would type up a message, but leave it in “Drafts” and
never hit send.
That didn’t help them. The fact is that the email account is available.
These folders are available to law enforcement.
Apparently this is a technique that’s been used by others before. I think
you can see that it is not something that is particularly secure, and is not
something that adds a real layer of security to what you’re doing.
Email servers are vulnerable
The important things to take away from this are:
- Mail on a server is vulnerable to inspection by the authorities.
If that’s a problem then you want to take steps to make sure that’s not your
- Your email then needs to be on your PC where it’s in your control;
or it needs to be encrypted in some way that cannot be decrypted, just by
nature of its storage on the service.
(Transcript lightly edited for readability.)