
Every move we make online leaves a trace. This is a lesson former CIA director David Petraeus and his lover, Paula Broadwell, learned in dramatic fashion a few weeks ago after an FBI investigation – begun in response to an unrelated complaint – found email records of their illicit affair.

Such troubles may seem far from the day-to-day concerns of the average internet user. But federal government searches of user data have been growing rapidly. Last week, Google released its biannual transparency report, which shows that the US government made nearly 8,000 requests for data on its users’ accounts over the past six months – one third more than the previous reporting period. Of those requests, 90 per cent were fully or partially complied with.

The search giant is far from alone. Facebook, Amazon, Yahoo and a host of similar sites all store huge amounts of our personal data. In the US, where many of the biggest internet firms are based, such data are protected under the Stored Communications Act. Law enforcement agencies require a search warrant to gain access to personal online content, just as they would if they wanted to search your home.


In the Petraeus saga, though, the country’s top intelligence officer was betrayed by metadata: the seemingly anonymous records that internet companies make of when and where someone logged into an email account, a Facebook profile or the like. While the FBI was monitoring an email account that was reportedly the source of some harassing emails, it found a series of IP addresses recorded when a user logged in from hotel WiFi networks. By cross-referencing those logins with hotel guest lists, the agency ascertained that Broadwell was the only one who could have logged in.

A second account, in which Broadwell and Petraeus corresponded about their affair by saving messages in the “drafts” folder, was also linked to Broadwell in this way. Ian Goldberg, a computer scientist at the University of Waterloo in Ontario, says the important thing to learn from the Petraeus affair is that metadata is at least as important as, if not more important than, the content of the emails themselves.

“Who’s talking to whom, where they are logged in from, what device are they using. That information is way less legally protected,” he says.

The problem with trying to use any internet service anonymously, says Chris Soghoian, a privacy technologist at the American Civil Liberties Union, is that once an email address can be tied to where it was accessed – whether a coffee shop, hotel or an internet café – investigators can then hunt for, say, credit card transactions or signals from a cellphone tower to place you there at that time and reveal your identity.

Goldberg is also a director of the non-profit Tor Project, which runs privacy software that is popular with internet activists and dissidents. It could have saved Petraeus and Broadwell from discovery because it bounces the route to webmail servers through a series of other computers, erasing its footprints on the way. Both Goldberg and Soghoian agree that, in the end, the advice for those seeking privacy online is simple: use Tor and turn off your cellphone.

“Look how much surveillance power the FBI has,” Goldberg says. “If they can track down the director of the CIA, what hope is there for normal people?”