It was a shock when David Petraeus—a respected and highly-decorated Army general—abruptly stepped down from his post as the director of the CIA earlier this week. It was even more of a jolt to learn that his resignation was due to an extramarital affair. But, the real story might be the fact that the affair came to light more or less accidentally as a result of poor email and privacy practices.
First, a little background on how things went down. The affair between David Petraeus and his biographer Paula Broadwell seems like something from the Showtime series “Homeland,” or perhaps a James Bond plot line, but the events that led to the FBI investigation that uncovered the affair are a bit more “Fatal Attraction.”
Broadwell sent anonymous threatening emails to another woman she considered to be competition for Petraeus’ affection, and that woman—Jill Kelley—initiated the investigation that eventually unraveled the affair and led to the downfall of one of this generation's greatest American heroes.
I don’t want to teach anyone how to cover their illicit tracks better, or how to have a more clandestine affair, but let’s take a look at where Petraeus and Broadwell went wrong so you can understand how to cover your tracks better in general, and how to secure your email and protect your privacy online.
Hide your IP address
Broadwell thought she was being clever by sending emails from an anonymous Gmail account originating from different locations as she travelled about. What she failed to do, though, is hide her IP address.
Your IP address is the online equivalent of your fingerprints. In Petraeus's case, the email account he and Broadwell used was anonymous, but the FBI was able to trace the emails back to the source IP addresses—which turned out to be assigned to hotels. FBI agents simply compared the guest lists of the various source hotels to narrow down the potential suspects and determine that Paula Broadwell was coincidentally the only person it could be.
All of the major Web browsers include some sort of private mode, but private mode browsing does not obscure your IP address—it just prevents the browser from saving cached data or your browsing history. To hide your IP address, you need to connect using a VPN of some sort—like Anonymizer Universal. Keep in mind, though, that the VPN provider will still have a record of the true source IP that could be subpoenaed or surrendered upon a government request.
Use different email services
The investigation into the anonymous threatening emails might not have led to General Petraeus or uncovered the affair, but the FBI discovered that someone at the same suspect IP address was also accessing another Gmail account—an account that belonged to the director of the CIA.
General Petraeus and Paula Broadwell didn’t actually send emails to each other: They used a trick from the terrorist playbook and simply wrote messages that were saved as drafts in a Gmail account that belonged to Petraeus, and they would each log into the same account to read the drafts and respond.
If you wish to remain anonymous, and avoid having someone connect the dots that lead back to you, you should use different service providers. While it would still be possible with enough digging to determine all of the activity for a given IP address, it would not immediately jump out as a red flag as it did in this case.
Don’t leave your messages online
Petareus and Broadwell had their reasons for using secret drafts rather than sending emails to each other. Perhaps the two reasoned that the email messages couldn’t possibly be intercepted or traced if they were never sent. That is true to an extent, but it means that the messages are stored online—more or less permanently—allowing them to be stumbled upon at a later date.
While it’s true that messages might be intercepted in transit, it would be more secure to download the emails to a local email client and remove them from the server. At least then you only need to worry about securing and protecting your own PC, and you don’t need to be as concerned about a possible breach or violation of privacy on the email server or webmail provider end.
You may not be a decorated military officer or high-profile government official, and you probably aren’t even the biographer of one. But, this sordid affair is a stark illustration of just how easy it can be to trace someone’s tracks online, and uncover information that was meant to be secret. Make sure you follow the tips here to avoid falling victim yourself.