5 tips for email more private than Petraeus’

If there’s one thing we learn from the Petraeus scandal, it’s that IP addresses can identify you.

Petraeus’s emails weren’t private, and neither are yours. That should be the biggest takeaway from the Petraeus affair scandal, uncovered through a trail that circled back to a Gmail account that Petraeus and his mistress, Paula Broadwell, shared. People are saying Petraeus wasn’t a good CIA director because he couldn’t keep his emails secret, but the reality is that almost no one can under current laws.

We’ll start out with our 5 tech tips for more private email, then explain underneath how the whole salacious story unfolded and how the law made it possible. 

5 Tips for more private email

Free email services may be easy, but they aren’t private. If you want more private email, it’ll take a little effort.

1. Hide your IP address by using a VPN whenever you log into your email account

VPN stands for “virtual private network.” It creates a secure tunnel between your computer and the site you’re visiting, allowing you to use public wifi networks at places like cafes and airports without worrying about others accessing your connection.

Make sure that the VPN you select anonymizes your IP address (that’s what identified Petraeus!) and doesn’t just secure your wifi connection. It’s also important that the VPN company uses strong privacy protections, like not storing unnecessary user data that could be tied back to you. Some good, easy-to-use VPNs to try are Hotspot Shield and Private WiFi.

2. Use masked email software

A masked email is a fully functioning email address that forwards to your real email inbox. Masked email software lets you create an unlimited number of these emails. For example, you could generate a masked email (like “anon...@privacy.com”) when you’re signing up for an account on a shopping site, which will forward your confirmation and shipping messages to your real account (like “y...@gmail.com”) so you still get them. Then if you later start getting spam, you can simply delete the masked email. Because most email providers require a backup email address in case you lose access, you can use a masked email that won’t give away your identity.

3. Consider paying for a truly private email service

Stay away from email services that make their money by collecting user data: it’s a business model that’s bad for privacy. You may have to pay a few dollars a month to a private email service that encrypts and securely stores your data. Some examples are Unspyable, Countermail, Silent Circle, Shazzle, or Lavabit.

4. Don’t put any sensitive data in subject lines

This might seem obvious, but if your email is hacked or accessed, emails with eye-catching subject lines will be the first ones opened. Save the details for the body of the email, and even then, avoid sending sensitive info like bank account numbers or credit card numbers through email.

5. Don’t associate any of your personal info with your email account

When you sign up for any email account, don’t provide your real name, phone number, or other identifying information. Don’t link it up to your social networks, either. All these things tie the account back to you.

The timeline behind the Petraeus affair

Jill Kelley: the woman who started it all.

An event planner in Tampa named Jill Kelley got a few anonymous, allegedly threatening emails from someone who’d later turn out to be Paula Broadwell, accusing her of sleeping with Petraeus. Kelley knew both Petraeus and General Allen personally. Kelley took the emails to an agent she knew at the FBI, who’s still anonymous at this point. Investigators at the FBI’s Tampa office opened a cyberstalking inquiry that’s still pending and examined Kelley’s computer. They found thousands of “inappropriate” emails with General Allen, which they passed on to the Defense Department.

Paula Broadwell, Petraeus’s biographer and mistress.

They also gained access, probably using a search warrant, to Paula Broadwell’s Gmail account, where they found that the account sending the emails also had access to a Gmail account that Petraeus used. The FBI matched up the locations from where emails had been sent with Broadwell’s known locations, including hotel rooms where she’d stayed, to get a warrant to actively monitor her email accounts. They found that Broadwell and Petraeus had a shared Gmail account and were communicating using email drafts: one person would log in, write a draft, and log out; the other person would then log in and respond.

IP is the key

Although Petraeus was using a pseudonym, which made him harder to identify, the FBI eventually linked the shared email back to both of them through their IP addresses. An IP address is a unique number associated with the device you use to connect to the Internet. It also broadcasts the geographic area where you’re logging in, usually the city, state, and country. Your Internet service provider and almost every website you visit keep logs of IP addresses for years, if not forever. Despite these companies’ claims that IP addresses aren’t personally identifiable info, the Petraeus incident makes clear that IP addresses can easily lead to identification of individuals.
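
The narrowing described above, as an added illustration that is not part of the original article: each logged login from a network tied to a place is intersected with the people known to be at that place that day, and the candidate list shrinks until a pseudonym no longer helps. All records, guest names, networks and the VPN exit address are constructed for the example.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# All data below is constructed: documentation IP ranges, invented guests.
# Login records a provider might keep for one pseudonymous account.
ACCOUNT_LOGINS = [
    (date(2012, 5, 3), "192.0.2.17"),
    (date(2012, 5, 19), "198.51.100.44"),
    (date(2012, 6, 2), "203.0.113.9"),
]
# The same three sessions made through a VPN exit node instead.
VPN_LOGINS = [(day, "203.0.113.200") for day, _ in ACCOUNT_LOGINS]

# Networks that map to a physical place, such as hotel Wi-Fi.
NETWORKS = {
    "hotel_a": ip_network("192.0.2.0/24"),
    "hotel_b": ip_network("198.51.100.0/24"),
    "hotel_c": ip_network("203.0.113.0/25"),
}
# Who was at each place on each date.
PRESENCE = {
    ("hotel_a", date(2012, 5, 3)): {"guest_1", "guest_2", "guest_3", "guest_4"},
    ("hotel_b", date(2012, 5, 19)): {"guest_2", "guest_4", "guest_5"},
    ("hotel_c", date(2012, 6, 2)): {"guest_4", "guest_6"},
}


def place_for(ip):
    """Return the known place whose network contains ip, or None."""
    addr = ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def narrow_candidates(logins):
    """Intersect presence records login by login.

    Returns one entry per login: the sorted candidate list so far, or
    None while no login has matched a known place.
    """
    candidates = None
    history = []
    for day, ip in logins:
        present = PRESENCE.get((place_for(ip), day))
        if present is not None:
            candidates = present if candidates is None else candidates & present
        history.append(None if candidates is None else sorted(candidates))
    return history


if __name__ == "__main__":
    for label, logins in (("direct", ACCOUNT_LOGINS), ("via VPN", VPN_LOGINS)):
        print(label, narrow_candidates(logins))
```

In the VPN run nothing narrows because the email provider only ever logs the exit address; the VPN operator still sees the real one, which is why the provider's own logging practices matter.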

How does the FBI have access to so many months of Petraeus’s email?

Under the Electronic Communications Privacy Act (specifically the Stored Communications Act part), law enforcement can access any stored emails older than 180 days without a warrant. All they have to do is ask in the form of a subpoena, which doesn’t require a neutral judge’s approval, or a Sec. 2703(d) order, which is just an administrative request with an easy-to-meet burden of proof: just show that there are grounds to believe the emails are relevant to the investigation. They can also get “non-content” information, the metadata associated with an email but not the body content, through various orders or a National Security Letter. The law offers far fewer protections for emails than it does for hard copy letters you send in the mail, so although the FBI would always need a warrant to open a letter, they rarely need one for an email.

Most people simply archive their emails so they can find them later, so they’re never deleted. And even if you do click “delete,” Google stores your emails in full for 30 days and in redacted forms for far longer than that, archiving backups of backups so nothing’s truly gone. They also store your login records for more than a year, if not longer.

When law enforcement agents ask service providers, like Gmail and Comcast, for their users’ emails, the companies have to turn them over. Google releases a transparency report every 6 months showing how many government requests it receives for its users’ data: it got 16,281 requests in the first half of 2012 and complied with 90% of them. The number of requests has increased by 25% since 2011. The user information they provide is used in court cases (a famous example is the Casey Anthony record of her Googling “chloroform”) and investigations, like Petraeus’s. Email records make their way into more mundane cases too, like using a person’s search history to argue they’re a bad parent in a child custody hearing, or using text records to show who’s at fault for a divorce.

If the FBI can access your email, who else can?

Almost any state or federal law enforcement agency could get it. Your email provider, like Google or Microsoft, obviously has it. So do your email provider’s partners and affiliates in many cases, especially for advertising. Some email services scan and analyze the content of your email, both what you send and receive, in order to target you with ads, which can appear both in your email window itself and on other sites you visit online. Your ISP has it. Sometimes your employer does, too, if they’re monitoring at-work communications. Anyone you’ve given your login info can access your email, and if you have a weak or reused password, so might hackers. Bottom line: it’s hardly private.

More and more, law enforcement uses social networks and other private companies to gather evidence

Despite the FBI having an entire wing of the Bureau dedicated to cyber crime, it’s very common for law enforcement to use information from private companies in its surveillance and investigations. For example, Facebook actively scans the photos you upload and what you write in private messages and wall posts to look for “risk words” and pass them on to law enforcement. The “free but pay with your data” model that email providers like Gmail and Yahoo Mail use is fundamentally at odds with user privacy: these companies collect as much data as they can to monetize it later, but if they collect it, they have to give it to law enforcement. They don’t just store what’s in your emails and who’s sending and receiving them, but information like IP address, which email providers don’t have to log (but most do).

Even though the FBI can easily access emails through the subpoenas and other administrative requests we mentioned above, they’re pushing to make it even easier by asking service providers like Google and Facebook to build in back doors where they could come in and monitor user activity. These currently exist for phone companies, but not all web companies. Additionally, the FBI, the Department of Homeland Security, and various other government agencies collaborate with private companies like ISPs for fusion centers, surveillance offices that monitor everything from private security cameras to online comments to try to prevent crime before it happens. There are 70 of them across the country, and a Senate report found they haven’t detected a single threat.


So there you have it: how to use email more privately, how the Petraeus scandal unfolded, and the messy state of email privacy law. Privacy advocates and companies like Google have been pushing for updates to the Electronic Communications Privacy Act to bring it in line with modern technology, and the Petraeus investigation may be the catalyst that pushes reform.




25 comments shared on this article:

  • Jeff says:

    Thanks for the info! Very Much!!

  • Paul says:

    Would you consider writing a piece that addresses security concerns with e-mail accounts through hosting companies?

  • Vanne Foster says:

    I use Thunderbird through my ISP. How can I secure my emails?
    I realize this isn’t a comment. *snickers*

  • Jason says:

    I am researching private and secure email (even though I realize such a thing is next to impossible), but I want to understand the technology behind safer email. In step number 3 above, you suggest paying for a truly private email service. It would really help me if there was a checklist of things to look for from a service provider, and how to confirm that they provide those safer services.

    • Sarah Downey says:

      Sure! Here are a few things you’ll want to consider when looking at a private email service:
      - Start simple: do they even have a privacy policy? If not, look elsewhere.
      - Is their service built around privacy, or was privacy an afterthought? You can usually get a sense of this through their written materials on their website and their blog, if they have one.
      - What’s their data retention policy? Do they store your data at all, and if so, for how long? The best services don’t store anything on their servers.
      - If they store data, what exactly is it? Is any of it anonymized (stripped of identifying information)?
      - In which country are their servers located? Different countries have weaker or stronger laws when it comes to law enforcement accessing stored data. The US is generally weak; countries like The Netherlands, Singapore, Australia, and Panama are generally strong.
      - What’s their business model? If it’s “free” but they make their money from monetizing their data, like Gmail or Yahoo, be wary. A better option is either paid (you pay directly for the email service) or freemium (the email service is free, but they make money through selling other premium products).

      Hopefully this is helpful!

  • hope carey says:

    wow! i knew we were being watched. it wasn’t until a few mos. ago that i even signed into facebook. the reason i did was to let a friend use my computer to fill out job applications that HAD to be done on facebook. i have been in senior management for years, so i know what questions can be asked of an applicant. these companies are using facebook, etc to ask questions of applicants that are against the law, from how many children do you have to what type of birth control she was on. i am from the old school where you went to an interview and put your best or worst foot forward. i thought for sure the computer applications were jijo. now i see through your eyes how much they can find out about a person, especially one that needs a job.

    it reminds me of being back in china where everyone was careful of what they said in public places. there they didn’t need computers, they had billions of eyes and ears who would rat someone out for a pittance.

    america better wake up because now those billions of eyes and ears of the poor all over the world now have computers as well.
    now who i am
    i worked in law enforcement, “search” and rescue so i know about camera locations, bugged public phones, cell phones, etc. it is very scary,

    i was in a bad accident that broke my neck forwards and backward, and the whole left side of my body & right leg. i have had to fill out soooo many gov, docs and medical releases, it scares me. i stayed off the grid, no cell, no web, credit cards, etc for years, but when you are injured like this and your insurance runs out, i can walk into any hospital and they know who i am.

    are you or anybody developing software that can protect our privacy there? HIPAA is a joke. i am now disabled on social security disability and will be for the next couple of years they say I have left.

    also, i am afraid of microsoft as well. i sent you an email through outlook which they made me move to and they read it all before it goes out. they did not want me conversing with your company. I have 2 of your products allowed by them on IE9 & 10. but, every time i go check those settings, yours has been disabled.

    i no longer feel in control of my own computer. they make threats, they move you from program to program without asking. somehow all of my digital cert’s and certs went away, and only 2 of mine were hooked to adobe.

    i don’t have much money as you would guess, what i have is a hope of some type of privacy,

    i have tried to download all of your programs through Firefox – but I can’t get the ones I really need. so if i can get some assistance there that would be wonderful.

    lastly, can i use your programs in MS if they ever get my system working again – i don’t know who is worse, ms or hp.

    i can’t offer you much more than a huge thank you, and i can spread the word about your programs. people think i’m some kind of wiz – sooo not true they are just older than me and need your protection as well.

    sorry for the long “comment”/epistle. but as you said as i say all the time information is power. they say i watch too much of a tv show person of interest.

    thank you in advance for whomever is the guardian & real wiz that can help me and those I know.

    Run The Race That Has Been Set Before You.

    With Gratitude,
    hope carey

    • Sarah Downey says:

      Hi Hope, and thanks for your comment and compliments. Are you saying that your employer is blocking the use of our add-ons? If so, that can happen in the workplace, depending on if you’re using their equipment and network. If you’re saying that Microsoft is blocking our products, that’s pretty unlikely: we’ve actually made privacy tools for Microsoft, like our IE Tracking Protection List. As for HIPAA and medical privacy, it’s definitely a key area that we’re watching, but we don’t have plans right now for moving into it. We’re starting with the consumer web and expanding from there, so it’s possible.

  • Jonathan says:

    Are you (Abine) willing to bring this to the Public Eye with petitions on Change.org and Care2 Petition Site?

    This glaring omission in the law is very disturbing, just like the “Use it or lose it” mentality. It is not the FBI, CIA, or other Government entities that I worry about – it is the unethical [individuals] that degrade the public service they provide. Specifically, to inform.

  • Tim says:

    Great post Sarah, I think more people need to know the dangers of free email providers. I have also recently switched my email from gmail to thexyz.com which offers an ad free and highly secure email service. I was recommended here by a friend who works for MI6 and said that Thexyz is a fully compliant and secure email service provider. Thanks for getting the word out!

  • Hi Sarah

    Just found this blog. Thanks for sharing the info. I’d like to add to the list of options – my company ShazzleMail has a private and secure email application (iOS, Android and a version for desktop/laptops). We have patented technology that sends email directly from sender to recipient, bypassing servers. You can check out our website or I’d be happy to give you a call / demo. And our app is free for consumers.

    Thanks

    Doug

    • Jax says:

      I considered your Shazzlemail as it seemed to be a good alternative to the useless ‘Outlook’ that is now. The only problem is that my choice is NOT to have a smartphone and it is not available to download onto my computer. Is there an alternative?

  • Eric says:

    USE THIS! https://www.encryptfree.com

    The recent revelations of the extent to which our privacy is being violated by governments and companies have inspired me to create a gratis encryption service that everyone can use. It is free of charge, it’s extremely easy to use, and it is completely anonymous (no need to register).
    https://www.encryptfree.com

    Essentially, you use the service to encrypt text you want to protect, paste the encrypted text into a tweet, email, Facebook post, Google+ post, etc., and give the decryption password to the intended recipient. The recipient uses the site to decrypt the content using the password you chose (only someone who knows the password can decrypt it).

    It is very easy to use. Nothing to install and nothing to configure. And as the name suggests, is free and always will be.

    If you know someone who can benefit from the site, please tell them about it.
    https://www.encryptfree.com

  • Vina says:

    Just found this blog.
    Thank you for sharing the knowledge.
    Unfortunately, Silent Circle and Lavabit are no longer around. :(

  • Bill says:

    For what it’s worth, Runbox has its company and servers located in Norway and will not (because they don’t have to) comply with U.S. court orders.

  • joe says:

    i like this article. i always suspected yahoo and facebook spy on me and read my mails, now i have a question: how could we protect our chatting in their messengers?

  • John says:

    Hi, I once saw an American film whereby someone at some stage mentioned that from the point of view of the CIA a coin has four sides…
    Well, without disrespect for all the honest hard working people who try to make our lives better, I wish to forward a question here.

    Who is to say that all these advices and site suggestions are not leading us into a trap of yet another personal data spying system, for all I care, straight into the hands of those who these articles are trying to portray as perpetrators of acts of spying? Can we really trust everyone for that matter?

    Interesting is that at this moment, every time I wish to get something out of Google, I get a CAPTCHA request. Was not happening before. But since I started to visit ABINE pages and read your articles, this is taking place. Curiously true.

    • If you’re using GoogleSharing, that’s why you’re getting a CAPTCHA request. That’s because your searches are run through a group of anonymous Google IDs before they’re returned to you, so that Google doesn’t know *you’re* the one doing a search. When Google gets a lot of searches from a particular ID, they enable the CAPTCHA. Just disable GoogleSharing and you’ll stop getting that CAPTCHA.

  • My advice would be to use a secure and private email service like https://www.mailfence.com
