The Petraeus Scandal: Q&A with Author Frederick S. Lane ’88
Frederick Lane, BC Law '88
author of the book “Cybertraps for the Young” and "American Privacy"
CIA chief David Petraeus’s affair with his biographer Paula Broadwell raises a host of ethical, privacy, communications, and cyber security issues, all of which impact the legal community. We asked Frederick S. Lane ‘88, a computer forensics expert and author of a number of books on privacy and decency in the cyber age, to provide some perspective.
What is the foremost lesson to be learned from this debacle?
The core lesson of l’affaire Petraeus (or Weiner or Favre or Hudgens or ...) should be scratched onto every monitor, laptop, keyboard, and cell phone: If it’s electronic, it’s not private. Despite the fact that personal computers have been in widespread use for nearly 40 years, and the World Wide Web for almost 20, we still have not fully absorbed the lesson that digital content is inherently slippery and difficult to control. As Stewart Brand presciently noted in 1984, “information wants to be free.” The very design of computers, networks, and the internet incorporates redundancy and recoverability; you cannot send an email from one computer to another without routinely creating multiple copies, all of which can be cached, stored, retrieved, and re-copied in an instant. The durability of digital data is profound.
The fact that the scandal involves top personnel in the nation’s spy agency and military—people who should be particularly sophisticated in matters of security—exposes vulnerability at the highest level of government. What does this tell us about the nature and power of cyber communications?
Based on the information available to me right now, I don’t think this is a case that actually does reveal significant technological vulnerability within the CIA. There is no evidence that General Petraeus’s agency email was compromised or shared with Paula Broadwell, or that she was given inappropriate access to the agency’s network. It does appear that General Petraeus provided her with classified documents but that type of thing happened long before computers existed. The more fundamental lesson here is that even someone as powerful and highly ranked as General Petraeus may not fully understand how easily digital information can be retrieved. It’s tempting to say this is a generational problem, but we have plenty of examples of younger public figures who have forgotten how easily electronic photos and tweets can be viewed by unfriendly eyes. Ultimately, it will take time for new norms to develop and for society to fully absorb the lesson that digital documents are simply different. Once upon a time, you could throw a diary or embarrassing photo in the fire, and watch the evidence of your malfeasance go up in smoke. It’s a lot harder to torch all the corners of the internet where unwanted copies may be lurking.
What does the FBI’s investigation, which began as a look into threatening emails received by a socialite, then unexpectedly led to David Petraeus, reveal about the intersection of the FBI and CIA and overlapping jurisdictions governing things like the code of military conduct and security clearance?
The Petraeus/Broadwell investigation illustrates a fundamental lesson that every programmer is forced to learn at some point: Even the most elegant program is subject to the vagaries of human behavior. I would argue that discovery was probably inevitable, since it is virtually impossible to eliminate all electronic evidence of misconduct, but obviously, the uncovering of the affair was accelerated by Broadwell’s fit of jealousy over a perceived rival. The other valuable lesson is to appreciate both how rapidly the FBI was able to identify Broadwell as the sender of the threatening emails, and how far the trail of emails led the bureau. All of our devices—cell phones, laptops, computers, gaming consoles, etc. —have an Internet Protocol (IP) address (or share one), and those addresses are routinely logged whenever we go online. It takes law enforcement a matter of minutes to match a particular IP address to a subscriber and to a physical address, which then typically leads to the issuance of a search warrant and seizure of whatever electronic devices may be present at the address in question. With an appropriate search warrant, law enforcement can conduct sophisticated forensic analysis of devices and frequently can retrieve information long thought deleted.
The Petraeus case is interesting in no small part because of the competing and overlapping jurisdictions of the various agencies involved. The FBI has primary responsibility for investigating interstate crimes (for instance, using interstate communications such as email to threaten someone) and threats to national security. The CIA is not (ahem!) a law enforcement agency, but it does have the authority to investigate and penalize violations of its internal security procedures. While General Petraeus is no longer an active member of the military (he retired from the Army prior to heading the CIA), he receives an annual pension and is therefore still governed by the provisions of the Uniform Code of Military Justice, which prohibits “conduct unbecoming an officer and a gentleman,” and under a general punitive clause, various offenses, including adultery.
What is the role of Attorney General’s Office in this, if any?
As head of the US Department of Justice, Attorney General Eric Holder is ultimately responsible for the work of the FBI, which is a key part of the DOJ. It is his responsibility to oversee the investigative work of the bureau and to make the final policy decisions regarding the handling of the case. Holder is obviously in a tricky spot; the Attorney General is a political appointment, and policy decisions made at that level inevitably have political ramifications, particularly when they are being made during a heated national election. At the same time, however, Holder is obligated to enforce the law and investigate possible violations without regard to the identity or position of the person being investigated. That is particularly true when the alleged offenses raise concerns about a possible threat to national security. Based on what I’ve seen so far, there’s no credible claim that national security was in fact threatened; left unanswered right now is whether the misconduct, which was uncovered in mid-summer, was serious enough that the President should have been informed prior to election night.
How would this situation have been different if Petraeus had been the CEO of a private corporation rather than the head of the CIA?
The most immediate difference, of course, is that there almost certainly would not have been concerns regarding national security (although it’s easy enough to construct a scenario in which the head of a military defense contractor has an affair, gives his mistress access to secure information, etc.). But for the average corporate CEO, the primary outcome would be the embarrassment of disclosure (assuming no potential charges of sexual harassment stemming from an affair with a subordinate).
From an investigative point of view, much would be similar: If an acquaintance received threatening emails from the CEO’s mistress, she likely would turn to the FBI. Assuming the FBI agreed that interstate communications had been used to make a threat, the bureau would use message information and IP addresses to trace the messages to their origin. Once that information was obtained, the FBI would request search warrants for the sender’s residence and/or offices, conduct forensic analysis on the seized electronic devices, and look for additional evidence of the alleged crime. If in the course of doing that investigation, they discovered that the sender was engaged in an affair with the CEO of a random company, it is unlikely that the FBI would take any action with respect to that information, unless the CEO was somehow conspiring with his mistress to make the threats. Adultery, after all, is not a federal offense. For Petraeus, the peril lay in falling victim to a human failing in an inhumanly political and public environment.
Frederick Lane is an author, attorney, educational consultant, expert witness, and lecturer who has appeared on “The Daily Show with Jon Stewart,” CNN, NBC, ABC, CBS, the BBC, and MSNBC. He has written seven books, including most recently “Cybertraps for the Young” (NTI Upstream, 2011). All of his books are available on Amazon.com or through his Web site.