Skip to navigationSkip to content

How email weakness let the FBI spy on the CIA chief and his paramour

AP Photo / ISAF
Characters on the next season of “Homeland”
United StatesPublished Last updated This article is more than 2 years old.

The drip-drip-drip of leaks surrounding David Petraeus’s resignation as director of the US Central Intelligence Agency accelerated over the weekend, revealing new details of how authorities managed to spy on the nation’s spy chief and his paramour, Paula Broadwell. Here is how it appears to have gone down:

Earlier this year, Jill Kelley, a volunteer at an Air Force base in Tampa, Florida, complained to the Federal Bureau of Investigation about harassing emails she had received from an anonymous email account. It’s not clear why that would prompt a federal investigation—except that the FBI agent was a friend of Kelley’s, and the emails alluded to a relationship with Petraeus, according to the New York Times.

IP addresses reveal location

Emails leave behind footprints, known as header fields, that reveal standard information, like the sender and recipient, along with less obvious data, like the sender’s IP address. Email providers—and Facebook—have been criticized for this because an IP address can be used to determine someone’s location, often with a good deal of precision. That appears to be how the emails were ultimately traced back to Broadwell.

Google considers IP addresses to be “sensitive information” and doesn’t include them in the headers of most outgoing Gmail messages, but Microsoft Hotmail and Yahoo Email do whenever possible. We know that Broadwell uses Yahoo for her personal email account, at least in the past, because it was exposed in last year’s unrelated leak of account details for clients of Stratfor, a private intelligence service. (We even know the password Broadwell used for her Stratfor account.)

If Broadwell also used Yahoo for the “anonymous” account she allegedly used to harass Kelley, those emails would have likely contained location-revealing IP addresses. Note to self: when harassing the other-other woman in a love quadrangle with the CIA chief, use Gmail.

Email surveillance the easy way

The FBI apparently matched the IP addresses on those emails to hotels, among other places. How did investigators then match the hotels to Broadwell? That’s not yet clear, but section 215 of the USA PATRIOT Act permits the government to demand hotel records with the permission of a secret court. Since the FBI was at some point in the investigation concerned about the leak of classified material, it’s possible the PATRIOT Act was invoked.

However the emails were linked to Broadwell, that discovery was enough “to seek a warrant to monitor Ms. Broadwell’s email accounts,” according to the Journal. That included a Gmail account she set up specifically to communicate with Petraeus. Google received 12,271 requests for user data from the US government last year and complied with 93% of them, so that’s the most likely way FBI agents got into Broadwell’s email.

It’s also easy to monitor web browsing on computers accessing the internet over public WiFi connections like you might find at a hotel. One company that supplies surveillance equipment to governments, Gamma International’s FinFisher, discusses in marketing materials how public networks can be exploited to install its tracking software and indefinitely monitor computer usage.

Petraeus was also using a Gmail account to send racy emails to Broadwell, but he was using a pseudonym—this scandal’s juiciest, as-yet-uncovered detail—so the FBI didn’t make the connection until late summer, according to reports in the Journal and the Times. The Journal says the FBI never monitored Petraeus’s email accounts, just the missives that ended up in Broadwell’s inboxes.

Update (5:41 p.m. ET): The Associated Press has just published a piece that mostly treads over the same ground but then ends with a staggering new detail:

Petraeus and Broadwell apparently used a trick, known to terrorists and teen-agers alike, to conceal their email traffic.
One of the law enforcement officials said they did not transmit all of their communications as emails from one’s inbox to the other’s inbox. Rather, they composed some emails in a Gmail account and instead of transmitting them, left them in a draft folder or in an electronic “dropbox.” Then the other person could log onto the same account and read the draft emails there. This avoids creating an email trail which is easier to trace. It’s a technique that al-Qaida terrorists began using several years ago and teen-agers in many countries have since adopted.

I’m neither a terrorist nor a teenager, which may be why this “dropbox” email trick is new to me. In any event, it certainly casts doubt on previous assertions that the FBI was not monitoring Petraeus’s email. For instance, the Journal reported, “The investigators never monitored Mr. Petraeus’s email accounts, the officials say.” But the AP’s report suggests that the investigators were, in fact, monitoring an email account used by the CIA chief along with his paramour. The court-issued warrant to monitor the account wouldn’t necessarily have had to include Petraeus if the account was registered by Broadwell or could otherwise be considered hers.

📬 Kick off each morning with coffee and the Daily Brief (BYO coffee).

By providing your email, you agree to the Quartz Privacy Policy.