The funny thing is, Paula Broadwell and David Petraeus thought they knew what they were doing. They were careful, more careful than the average American fooling around outside the bounds of marriage tends to be. When Broadwell wanted to warn off the other woman she suspected of messing with her man, she set up an anonymous email account and only used it away from home, usually on the Wi-Fi networks of hotels she was staying in. Broadwell and Petraeus also thought they could avoid having their emails intercepted in transit by technically avoiding "sending" them at all. Instead, they saved their messages to each other as "drafts" in a Gmail account to which they both enjoyed access.
But if they thought they were being smart, they were wrong. Broadwell and Petraeus were undone, says ACLU privacy and technology expert Christopher Soghoian, by their "lack of knowledge of operational security" and "poor tradecraft." "Draft" messages are stored in Gmail's server cloud just like all other sent and received messages. And the FBI turned out to be more than capable of correlating the Internet Protocol addresses that identified the origin of Broadwell's supposedly "anonymous" emails with hotel records that showed Broadwell as a guest at the same time the messages were sent.
If Broadwell had taken greater precautions, she might never have been caught. She could have covered her tracks with any one of myriad commercially available Virtual Private Network programs or, if she was looking for some heavy-duty protection, she could have downloaded the Tor Project's anonymizing browser. We should all take notes from her misfortune. For those of us who have been able to look beyond the shirtless-pic-sending FBI agents and Tampa socialite "honorary consuls" and overly flirtatious four-star generals, the obvious lesson to take away from this mess is that if we're going to play hanky-panky with the director of the CIA, we'd better make sure we're using the best privacy protection tools available.
But there's another, more important lesson to be gleaned from this tale of a biographer run amok. Broadwell's debacle confirms something that some privacy experts have been warning about for years: Government surveillance of ordinary citizens is now cheaper and easier than ever before. Without needing to go before a judge, the government can gather vast amounts of information about us with minimal expenditure of manpower. We used to be able to count on a certain amount of privacy protection simply because invading our privacy was hard work. That is no longer the case. Our always-on, Internet-connected, cellphone-enabled lives are an open door to Big Brother. Just ask Paula Broadwell.
* * * *
The title of Chris Soghoian's dissertation is "The Spies We Trust: Third Party Service Providers and Law Enforcement Surveillance." The changing economics of surveillance is a topic close to his heart. As recently as a decade ago, he says, surveillance's "high transaction costs protected people's privacy without the need for the law to do it."
But then came the Internet, and GPS-enabled cellphones, and social networks. The cost of both crunching and storing data plummeted. We've seen this story play out in a host of domains -- the Internet is really, really great at removing the "frictions" that would otherwise raise the cost of providing goods and services. Facebook's Mark Zuckerberg loves to talk about how his social network facilitates "frictionless sharing." But there's a dark side to all the consumer benefits we gain from the digital, networked era. Call it "frictionless surveillance."
When the last major law on electronic communications and privacy was passed in 1986, notes Soghoian, cellphones barely existed and most companies considered it far too expensive to store years of data about their customers, if they even collected it at all. Today, says Soghoian, the phone companies store years of location data, and law enforcement agents can gain access to it through custom-made Web-based interfaces. Companies like Facebook and Google have hundreds of employees whose sole job is to deal with government information requests. Remember those episodes of "The Wire" in which key plot points hinged upon whether investigators could get the funding and authorization necessary for expensive surveillance operations? Today's intelligence agents "never have to leave their room," says Soghoian.
Nor do they, in many cases, need to go before a judge. In the case of Paula Broadwell, as Julian Sanchez devastatingly documented for Reuters, the FBI was able to obtain subpoenas for Internet Protocol logs, guest records from hotels, and Wi-Fi activity at those hotels without seeking judicial approval or a warrant.
"We have unwittingly constructed a legal and technological architecture that brings point-and-click simplicity to the politics of personal destruction," writes Sanchez. "The Petraeus affair has, for a moment, exposed that invisible scaffolding - and provided a rare opportunity to revisit outdated laws and reconsider the expanded surveillance powers doled out over the past panicked decade."
"I think it is problematic and a concern for me that the government can pierce the veil of anonymity that Broadwell and General Petraeus worked so hard to erect," says Soghoian, "and they can determine the identity of these people who have taken affirmative steps to protect their privacy, without having to appear before a judge. The history books are filled with examples of governments abusing surveillance powers -- it's just too easy not to -- and one of the ways that we protect our society against that is by placing a judge in the middle."
Our laws haven't kept up with the changes wrought by technological progress, says Soghoian. He cites the work of law professor Harry Surden, who presciently saw all this coming in a law review article published in 2007. Surden explained that many of the safeguards that have traditionally protected our privacy never had to be written down in the legal code, because they weren't needed: It was too hard or too expensive to gather all that detailed, granular information about our lives.
Surden warned that technological change would eventually result in the withering away of these "structural constraints" protecting our privacy. In the introduction to his law review essay, Surden wrote, "I emphasize the way in which latent structural constraints -- which are premised upon cost inhibiting actions -- are vulnerable to erosion by particular emerging technologies that lower those inhibiting costs. To the extent that society depends upon the presence of these costs to reliably inhibit a potential privacy-violating activity, their dissipation results in a sudden regulatory shift, leaving these interests unprotected."
In that context, Broadwell's misadventures are a wake-up call. Our interests are no longer being protected, and most of us haven't even noticed, distracted by the last viral video posted on Facebook. We may not feel impelled to strike up an affair with one of the most powerful men in America, or send harassing emails to potential rivals, but we do have the right to draw the line at what our own government can find out about us without either our permission or that of a judge. If the old constraints are gone, it's high time for some new ones.