Petraeus tripped up by trust in supposedly anonymous email account


It turns out that a surprisingly naïve trust in the supposed anonymity of pseudonymous email accounts has triggered the downfall of the US's top spy chief.

FBI agents who were investigating what they initially thought was a cyber breach stumbled onto intimate messages on Gmail passed between David Petraeus, who on Friday abruptly resigned from his job as head of the Central Intelligence Agency, and his biographer, Paula Broadwell.

According to the New York Times, the scandal began when a Florida woman, Jill Kelley, received threatening, harassing email from an anonymous person who accused her of flirting with an unidentified man.

Kelley is a volunteer social planner for events at MacDill Air Force Base in Tampa, Florida, also home to the military's Central Command, where Petraeus served as commander from 2008 to 2010 before stepping into his role as head of the CIA.

Wired reports that the anonymous harassment was contained in between five and 10 emails that began to arrive last May and that reportedly warned Kelley to "back off" and to "stay away" from an unnamed man.

Kelley contacted a friend at the FBI, unsure of whether the threats constituted cybercrime.

Investigators took it up, eventually tracing the anonymous account that sent the threatening emails (it's not clear whether this was a Gmail or some other type of account) to a home in North Carolina that belongs to Broadwell and her husband.


As Wired points out, it's unclear exactly how investigators tracked Broadwell down, but given our knowledge of email headers, we can make some guesses.

If the threatening mail came from a Gmail account, the FBI would have had to get the IP address from Google, given that Gmail headers only include the IP address and domains of the servers that pass along the email.

But other webmail providers, such as Yahoo, include the sender's IP address in their email header metadata.

However they did it, FBI agents spent weeks piecing together the identity of the person behind the harassing emails, the Wall Street Journal reports.

To do so, they determined the locations from which the emails were sent, including not only the Broadwell home but also hotels where Ms. Broadwell was staying when some of the emails were sent.

FBI agents and federal prosecutors then used the information as probable cause to seek a warrant to monitor what other email accounts Ms. Broadwell might have used.

They learned that Broadwell and Petraeus had set up a private Gmail account to communicate, exchanging heaps of sexually explicit messages.

Eventually, in late summer, investigators determined the real identity behind Petraeus's pseudonym.

As it turns out, Petraeus didn't pass on classified documents during his relations with Broadwell. That had been a national security worry when the story first emerged.


The saga continues as details emerge, but from a security standpoint, there's a takeaway for all of us who believe that an anonymous email account shields our identities.

If you'd like to see what your own Gmail, Yahoo or other email header is telling the world about you, I found this handy guide for looking at the information of 19 different webmail clients, third-party email applications and third-party webmail clients.

The X-Originating-IP header, which you can find in headers such as Yahoo's, will tell you the IP address of the computer that sent a given email.

You can then use an IP address locator such as WhatIsMyIPAddress to find out the ISP or webhost to which an email account belongs, plus its geolocation.

That's handy when tracking spam email, if you want to track down the owner of the originating IP address of spam in order to lodge a complaint.

It's also handy to do it to yourself, to see how easily people can find information on you, even when you're tucked away behind a supposedly anonymous email account.
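To check your own mail this way, the sketch below (an added example, not part of the original article) reads a raw message and reports which IP addresses its headers disclose. The two sample messages are constructed with documentation and private address ranges; the names `header_exposure` and `valid_ips` are hypothetical.

```python
import email
import ipaddress
import re
from email import policy

# Constructed samples using documentation/private ranges; not real mail.
YAHOO_STYLE = (
    "Received: from [198.51.100.23] by web1.mail.example.com via HTTP;"
    " Mon, 12 Nov 2012 09:00:00 -0800\n"
    "X-Originating-IP: [198.51.100.23]\n"
    "From: anon@example.com\nSubject: test\n\nbody\n"
)
GMAIL_STYLE = (
    "Received: by 10.0.0.5 with SMTP id abc123; Mon, 12 Nov 2012 09:00:00 -0800\n"
    "Received: by 10.0.0.9 with HTTP; Mon, 12 Nov 2012 08:59:58 -0800\n"
    "From: anon@example.com\nSubject: test\n\nbody\n"
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def valid_ips(text):
    """Return syntactically valid IPv4 addresses found in a header value."""
    found = []
    for candidate in IPV4.findall(text or ""):
        try:
            found.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass  # e.g. 999.1.1.1 or a version string that looks like an IP
    return found

def header_exposure(raw_message):
    """Summarise which IP addresses a message's headers disclose."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    origin = valid_ips(msg.get("X-Originating-IP"))
    # Received headers are prepended, so reverse to read sender-side first.
    hops = [ip for h in reversed(msg.get_all("Received", []))
            for ip in valid_ips(str(h))]
    public = [ip for ip in dict.fromkeys(origin + hops)
              if not any(ipaddress.ip_address(ip) in net for net in INTERNAL)]
    return {"x_originating_ip": origin[0] if origin else None,
            "received_ips": hops, "non_internal_ips": public}

if __name__ == "__main__":
    for name, raw in (("yahoo-style", YAHOO_STYLE), ("gmail-style", GMAIL_STYLE)):
        print(name, header_exposure(raw))
```

Paste the full headers of a message you sent yourself in place of the samples; anything listed under `non_internal_ips` is visible to every recipient.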

Remember, that invisibility cloak has plenty of holes.


IP address image from Shutterstock.


10 Responses to Petraeus tripped up by trust in supposedly anonymous email account

  1. Dagwood Bumstead · 522 days ago

    Naivete from a spy who didn't follow basic tradecraft.

  2. I have to agree with Dagwood Bumstead in this. Mail accounts are not the best place for privacy and if in doubt don't use them unless you are encrypting your messages in some manner. So think before you supply information to mail accounts that you don't want anyone else to see. It seems to me that the law is also inadequate in protecting our e-g- and other accounts; however, my opinion is that the law should protect any data, be it online or not. Something has to change.

  3. Geir · 522 days ago

    If he had used VPN, he would not have been caught :)

  4. deonast · 521 days ago

    I suspect his only intention was to not have the email on company servers from a privacy perspective. I doubt he would have figured there would be any kind of investigation into his personal email accounts, particularly if there is no sensitive "business information involved". I don't use my work email accounts for personal email either.

    Though from the article it sounds like they shared the one account (unless I'm mis-reading) which is a bit odd then for Broadwell to email threats from that same account to someone is plain stupid. Maybe I'm missing something and Broadwell used a different account which the FBI used the contents of to work back to who she was corresponding with and found Petraeus.

    • Lisa Vaas · 516 days ago

      Broadwell did, in fact, use a separate account from which to email the accounts.

  5. Jak Rhandier · 517 days ago

    I find it amazing that the director of the CIA would not use freely available and public means to secure his communications like Enigmail email encryption and offshore VPN and email like Unspyable. Where do we find these guys and put them in such positions? Of course being so dumb as to get involved in such a thing in the first place speaks volumes in itself.

  6. David Warner · 268 days ago

    Sometimes you do not need to install or buy any software for making fake email id. You can make fake email id using free site and after making fake email you can still receive all emails on your real email ID anonymous email address

  7. What about traceability if the emails are sent from an anonymous email account from a public wifi using a cell phone, tablet or laptop?


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.