Gmail drafts and Pastebin: could they evade the email snoops?
The revelation that US intelligence agencies and GCHQ have been spying on email communications has prompted plenty of discussion within the information security community, as you might expect.
One of the more interesting debates took place between our very own Real World Computing editor Dick Pountain and an old friend of his, who happens to be a professor of criminology and is currently involved in a cybercrime study. Over a pint, the prof wondered whether internet snooping of the type highlighted by Edward Snowden might be thwarted by employing throwaway webmail accounts, in particular by using the “save as draft” facility these offer.
Here’s the theory: either Criminal A in the UK or Criminal B in the US sets up a Gmail account to which both have access via the same login. Criminal A composes a message that contains nefarious details of a proposed crime, meant for Criminal B’s eyes, but instead of hitting Send, he saves it as a draft. At some predetermined time in the future, Criminal B logs in to the same account and heads straight to the Drafts folder, where he reads the message. He then deletes the draft, removing any evidence of the message.
As such, the two criminals are able to communicate securely and confidentially in plain text, since their messages are never actually sent using normal email protocols across the open internet. Therefore, they remain invisible to surveillance agents.
Would this trick actually work in practice? It seems it’s pretty secure – until and unless you’re already being directly monitored by The Powers That Be. Take the case of former CIA director General David Petraeus and his “secret” extramarital affair.
It’s been widely reported that the FBI uncovered messages Petraeus and his girlfriend, Paula Broadwell, exchanged using Gmail drafts in order to avoid leaving a communications trail. Although both parties used disposable Gmail accounts under false names, the game was up when Broadwell used her account to “anonymously” email Jill Kelley, a socialite and family friend of Petraeus.
Kelley complained that she was being harassed, and turned her emails over to the FBI. To access the account, the FBI used US laws, similar to laws in the UK, pertaining to the investigation of communications that may be involved in the execution of a crime.
Since Broadwell didn’t employ proxy servers such as Tor to cover her tracks, merely using public Wi-Fi hotspots, she was easily identified as the anonymous account-holder by matching locations, dates and times with hotel guest names and personal movements.
I spoke to Andy Crocker, a former senior investigator at the UK National Hi-Tech Crime Unit, about the Gmail draft technique. Perhaps surprisingly, he admitted to using this kind of “dead-letter dropbox” himself. However, he warned that despite the emails never having been sent, and so apparently leaving no record, “everything is there for the authorities to see”.
“If surveillance was being carried out on the individual, they would be monitoring his account, and the data [would still be] there and [could] be seen,” he says.
Crocker pointed out that, in such cases, there’d be no need to intercept the emails in transit, since the account itself would be monitored, and so the Drafts folder would be visible to the people doing the monitoring. In short, the trick might work to avoid attracting surveillance in the first place, but it would fail once surveillance started.
Don’t press send
In the Petraeus case, Broadwell was caught because she broke the trick by actually sending an email. This resulted in the FBI monitoring the account, making the status of the messages in the Drafts folder irrelevant: Google would have a record of them on its servers, where they’d be stored for a set period of time, and it would have no qualms handing the details over to the likes of the FBI when presented with suitable warrants or court orders.
Even using a “hide my IP”-type VPN service in an effort to obscure the harassing email that started this particular investigation would have made little difference: many of these are required to keep IP logs, which would also be accessible to investigators and would reveal the origin of a connection.
The lesson to be learned from the Petraeus scandal is this: if the director of the CIA can have his “covert communications” broken wide open, don’t imagine for a second yours can’t be too.
Similar methods of avoiding surveillance are available, but how secure are these? Pastebin, the programming scrapbook-cum-notepad service that lets people share code, can also be used to avoid snoopers in much the same way as the Gmail draft technique. “You post your data on Pastebin and only allow restricted access with a password,” Crocker explains. “It does exactly the same thing as Gmail drafts, but because it isn’t email, it may be missed by the authorities if they’re just looking for email communications.”
Sam Golden, another IT security expert, went so far as to suggest an email version of the disposable “burner” phones used by drug dealers, with email accounts being used only once and then discarded.
The idea is that you could use numerous disposable email accounts to send parts of an encrypted message to the recipient via equally numerous and disposable mailboxes. The whole message could then be pieced together offline and decrypted, after which it would be shredded using an application such as Eraser, which applies the 35-pass Gutmann method for secure-as-it-gets deletion.