
Hiding emails online in the Drafts folder does not add a layer of security. They can still be accessed by the authorities.

Regarding the current scandal involving former CIA director, General David Petraeus, did we learn anything new about email security or the lack thereof? Were you surprised at what the FBI was able to find out about the parties to this scandal before the FBI even obtained a court order or a warrant or subpoena?

In this excerpt from Answercast #74, I look at how email can be accessed easily by the authorities if it is available in an online service.

Hiding emails online

Was I surprised? Absolutely not.

Did we learn anything? Well, I think a lot of people learned something. But it's not something that wasn't already out there to be learned.

The fact is, when you store email with a service provider like Gmail or Hotmail or whatever, the email in many cases is legally accessible to law enforcement if they have a good reason.

Online email can be accessed

Now, I don't want to get into the legalities and picking apart the law. For one thing I'm not a lawyer. For another thing the law keeps changing. But as I kind of sort of understand it, if you leave email on your email server for long enough, the email is (currently under the law, I think) deemed as being abandoned, or available, or whatever. What that means is that if you are honestly, truly concerned about the government accessing your email, don't leave it on a common server like Gmail - or your ISP, or wherever.

That's an important lesson to be learned.

Hiding messages in drafts

The other lesson to be learned, by the way, is about this technique they were using: where they didn't actually send mail. They were sharing access to a single account and leaving each other messages in the Drafts folder.

In other words - they would type up a message, but leave it in "Drafts" and never hit send.

That didn't help them. The fact is that the email account is available. These folders are available to law enforcement.

Apparently this is a technique that's been used by others before. I think you can see that it is not something that is particularly secure, and is not something that adds a real layer of security to what you're doing.

Email servers are vulnerable

The important things to take away from this are:

  • Mail on a server is vulnerable to inspection by the authorities.

If that's a problem then you want to take steps to make sure that's not your situation.

  • Your email then needs to be on your PC where it's in your control; or it needs to be encrypted in some way that cannot be decrypted just by nature of its storage on the service.

(Transcript lightly edited for readability.)

Article C6085 - November 29, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


8 Comments
Rahul
November 30, 2012 12:13 PM

So instead of sharing an email account, if I give remote access, through let us say logmein, to my partner and we leave messages there on the pc, would you say our communication is secure enough from prying eyes?

Depends on the prying eyes. And how secure your computer is. I can envision a few ways that it might still be discoverable.
Leo
01-Dec-2012

johnpro2
November 30, 2012 12:27 PM

The true message is, don't come back for second helpings...
Jp

snert
November 30, 2012 4:56 PM

Anybody who expects unencrypted email to be private is seriously fooling themselves. If you don't do it, it can't come back and bite you.

Mark J
December 1, 2012 7:56 AM

What I found shocking and had me ROTFL, is the fact that the CIA director would use such an ineffective way of hiding his tracks as that. I mean, if he's that sloppy, how could he have been trusted to oversee the whole country's security???

Ron M
December 2, 2012 3:15 AM

This sort of touches on a previous question in this newsletter re: how much more capable are men at technology than 'older' women. Yep, no question about it. We rock!

A Richter
December 2, 2012 8:53 AM

It is all not as clear cut as some might think.
Informative discussion: http://www.schneier.com/blog/archives/2012/11/webmail_as_dead.html

Robert R
December 3, 2012 11:26 AM

Even encryption may not save you. Either "they" can decrypt it or you can be compelled in a legal case to decrypt it.

Bottom line, the only secure communication is to talk to yourself... and don't do it out loud. :-)

GREG JACKSON
December 5, 2012 5:59 PM

Good News......
It's called Wickr
Its app works like this: You create a text — picture, voice or video — and you set a time for how long you want that message to live. Then you send it to the other person. The timer starts the second they open the message.

When the timer hits zero the message self-destructs. All digital traces of that communication are gone. The app is free. Wickr plans eventually to make money by charging for a version with a few more features, but the basic security will always be the same.
Dec. 4th release -NPR
http://www.npr.org/2012/12/04/166464858/online-privacy-fix

Cell phone app only for now, but they're working to expand....but I believe this addresses the primary phone email concern.
