9:40PM EST November 13. 2012 -
Paula Broadwell, ex-mistress of former CIA chief David Petraeus, could
have used several methods to hide her identity if she sent anonymous,
threatening e-mails to Tampa socialite Jill Kelley, experts say.
But
the FBI has many techniques available to trace such communications,
said Shawn Henry, who retired in March as the FBI's executive assistant
director in charge of all civil and criminal cyber investigation.
"Somewhere
along the way, her IP address was captured," Henry said. An IP address,
or internet protocol address, is a string of numbers unique to a
particular computer or device on the internet. With it, authorities can
usually track the identity of the person who sent an e-mail or visited a
website.
Someone trying to remain anonymous can hide e-mails by
routing them through different servers and using public computers that
don't keep activity logs, he said. Broadwell may have thought she had
done everything to hide her tracks, but often people make mistakes,
leaving their e-mails traceable by investigators, he said.
The
Associated Press, citing a law enforcement source who declined to be
identified, reported that Petraeus and Broadwell apparently used a
"dropbox" to conceal their e-mail traffic.
Rather than
transmitting e-mails to the other's inbox, they composed at least some
messages and left them in a draft folder or in an electronic "drop box,"
the AP reported. Then the other person could log onto the same account
and read the draft e-mails, avoiding the creation of an e-mail trail
that might be easier to trace.
The scandal has widened, with the
top U.S. commander in Afghanistan under investigation for alleged
"inappropriate communications" with Kelley.
Defense Secretary
Leon Panetta revealed that the Pentagon had begun an internal
investigation into thousands of pages of e-mails from Gen. John Allen to
Kelley. A senior Defense official described the e-mails as
"flirtatious."
It's not clear whether there was an effort to hide that e-mail trail, and Allen has denied wrongdoing.
Covering
up your online tracks can be time-consuming — even for high-powered men
who manage secret operations, said Janet Sternberg, a communication and
media studies professor at Fordham University.
"Being anonymous
would take so much trouble, you wouldn't have time to do the behavior
you were trying to hide," said Sternberg, who argues that almost all
forms of electronic communication leave traces. "What's surprising is
how much there is to discover. Look at his (Petraeus') cellphone and
text messages. If he left this evidence around there is probably more
evidence to discover."
With cloud services, long e-mail chains,
and more storage capabilities, e-mail inboxes and drop boxes can contain
thousands of pages of e-mails that users may think are gone but may
simply be stored out of sight but within reach of searching authorities, experts said.
"Every circumstance is going to be a little
different," Henry said. "It may have been relatively easy or difficult
for FBI investigators. It depends on how hard someone tried to hide
their transactions. And they can try really hard and then make a [ONE] mistake."
The FBI would deploy its resources to uncover the
sender of an anonymous e-mail depending on the credibility of the
suspicious e-mail, the severity of the threat and the target, said
Henry, who worked at the FBI for 24 years and is now president of
CrowdStrike Services, a cybersecurity firm.
"You absolutely would
have to look at the totality of the situation," he said. "There are a
whole host of things you factor in."
Before pursuing any
investigation, FBI agents would seek an opinion from a prosecutor to
determine whether it's possible that laws had been broken, he said.
"We
would rarely pursue an investigation without going to an independent
prosecutor," he said. "These types of cases are not atypical. They
happen relatively frequently."
Usually, the cases are worked with local law enforcement, Henry said.
"If
the bureau decided to work it, it would indicate to me that there was
more to it," Henry said. "If the target is named and it's a high-level
official, that would raise people's attention. It indicates to me that
there was more to this, not just a random e-mail."
How long such
an investigation takes would vary with the number of leads that need to
be run down and the complexity of the cybertrail, he said.
"In
these types of cases, there are many complexities," Henry said. "If they
discovered the director of CIA is involved you want to make sure you
get all the facts because it's going to impact a lot of other people.
The bureau would want to collect all of the evidence and really fully
flesh this out before it went public."
In Petraeus' case,
Sternberg and others believe e-mail hosts worked with authorities to
access the drop box he and Broadwell used. "You can tell that Google
must have given the government information about the IP address of every
computer that ever accessed that inbox," Sternberg said.
Google
acknowledges that it does receive requests from government agencies
around the world to "provide information about users of our services and
products," according to a Google policy statement posted online.
The company scrutinizes such request to make sure it complies with
local laws, and "may refuse to produce information or try to narrow the
request."
Of all the free webmail services, Google collects and
correlates the most data from users of its free Gmail service, including
IP addresses, key words in e-mail text and information from search
queries and web page visits, said Caitlin Johanson, security strategist
at CORE Security.
The data is primarily used to profile users of
Google's online services for advertising purposes. It is technically feasible for the company to map out the successful login activities of a
Gmail account holder who is using several aliases and logging in from
the same network, Johanson said.
"The information is there for
Google to get, but you just can't ask Google for it," Johanson said. "I
believe you'd have to get a subpoena or supply enough information as to
why they should give you that documentation."
Orlando
Scott-Cowley, an e-mail expert who works for Mimecast, a London-based
cloud e-mail management vendor, said he stresses to clients that e-mail —
business and personal — comes with limited privacy.
"When we
talk to businesses about how they use e-mail, we teach users that e-mail
isn't secure and that you shouldn't use it to receive or send
confidential information," he said.
It's the reason why credit card numbers and hospital patient information aren't sent via e-mail, he added.
People
have been trying to find a way to communicate secretly for years but
have not really achieved that goal, said Paul Hill, a senior consultant
with SystemExperts, a security consulting firm.
He said drop boxes have been used for years by people trying to hide information with varying success.
His advice: "Don't cheat on your spouse, and don't leave around all the
evidence because sooner or later someone is going to find it."
Of course, life isn't that simple.
For high-powered
men juggling careers, frequent travelling and family responsibilities,
having an affair or sending inappropriate e-mails comes down to emotions
and attraction, says Sheri Meyers, who has a doctorate in psychology
and works as a marriage and family therapist.
Sending secure communications and coding e-mails to make them indiscoverable took a back seat to passion.
"I
blame it on humanity," she said. "There is a need for connection. Their
arousal and how good contact felt overruled all reason or worry that
they were going to get caught."
Contributing: Byron Acohido