
This was in the news recently. Here's what they were said to have been doing:

"Petraeus and Broadwell apparently used a trick, known to terrorists and teenagers alike, to conceal their email traffic, one of the law enforcement officials said.

Rather than transmitting emails to the other's inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder or in an electronic "dropbox," the official said. Then the other person could log onto the same account and read the draft emails there. This avoids creating an email trail that is easier to trace."

What are the benefits of this? Does it work? Is communicating solely through drafts in a temporary GMail (or similar) account considered a secure method of communication, and if so how secure is it?

Jeff Atwood

5 Answers


The question "does it work" really depends on what threat you are trying to mitigate. For example, in the United Kingdom we are about to introduce legislation to mandate that ISPs keep logs of various types of internet activity.

How and where you might perform this interception is up for debate. For example, if an ISP attempts to intercept mail server communication, many email connections use TLS or the like, so this is (without an SSL proxy and the associated certificate issues) moderately difficult without CA complicity. However, they certainly can log anything sent by their mail server to satisfy the compliance needs. I suspect that the ISP's remit does not extend to logging mail sent by other providers, but might reasonably extend to IP addresses communicated with.

So, in sending an email via your GMail SMTP server, Whitehall would know that you accessed that IP address and they would then know who your email provider was. Depending on the implementation of the snooping, Whitehall can either ask Google, who would legally be required to comply, or they can ask the ISP that passed the packets, as they would have the technical means to provide it. I make this ambiguous because I'm not privy to how it would be done, and do not wish to speculate on an already hot enough topic.

If you do not actually send anything, that record is never created.

Now, that does not mean the message cannot be read. Mail servers store drafts in some format (Maildir, mbox, whatever Exchange uses, SQL?). Assuming the government believe that information may or may not be valuable, they can via their legal mechanisms now gain access to the access records of that email inbox and, one assumes, deduce which IP addresses accessed that information.

This is where the problems arise for the government, and the reason for using this technique comes in. The assumption being made, I believe, is that each individual corresponds to an individual email address. As such, when you see that Jeff has sent Joel an email, you can add that to your picture of information about their social interactions. Formally, this field is known as Social Network Analysis. Facebook have been playing in this area with the social graph and there is much research done on the topic.

At a more fundamental level, the existence of evidence records linking A to B can (or at least an attempt can be made; I am not a lawyer) be used as proof for any criminal act should it arise from the communication.

Anyway, back to the caveat. Logging in as the same user essentially breaks the email account to identity mapping, making it hard to work out who has communicated. This is essentially the same reasoning behind using a dead drop in traditional espionage, with the added difficulty that if both parties are changing their IP addresses regularly, your chances of working out who is communicating with whom become very narrow. Depending on VPN providers used, you may be able to track down individuals; however, I suspect if your VPN provider is based abroad with no incentive to log any information, they would not help. Similarly, assuming no exploitable flaws in Tor, this system would also work nicely.

Interestingly, we had a similar debate on civil liberties and monitoring with the Digital Economy Act, or what was then just a Bill (proposed Act). At the time, the Security Service worried that being too strict on file sharers would essentially accelerate the adoption of encryption, making content snooping impossible. Specifically, effective traffic analysis requires non-encrypted tunnels.

This remains relevant here. I've mentioned VPN providers and using them to mask your IP address. Using a VPN provider from a nation with no interest in law enforcement co-operation, while turning on encryption means your ISP can deduce two things:

  1. That you are using VPN;
  2. Who your VPN provider is.

Unless the VPN provider co-operates in identifying you and the websites you access via their service, this gives the ISP very little of use to report to the government. Moreover, VPN configurations such as OpenSSL or SSTP can be configured to use explicit keys, rather than the CA certificate chain, and as such provided proper key verification occurs (i.e. you know the certificate of the remote end and reject any other certificate), you cannot be fooled into accepting a proxy key. You do have to get this right, and getting it wrong will leave you vulnerable to MITM, but it is possible.

All in all, this is an excellent communication mechanism should you wish to avoid any analysis that relies on your identity being tied to your email address and you use an appropriate technique properly to mask other properties that might uniquely identify you, e.g. IP address. In the interests of brevity, I have not discussed browser fingerprinting either, but that's relevant too.

You do not, of course, mitigate the threat that somebody could actually read that message, or the threat of it not arriving. And of course, if you give away who you are in such a message, the game is up again!

  • governments might legislate, but most services are not ready, and will not comply, with the *version-control approach to mail editing* this scenario requires. (though I bet gmail/hotmail will, or `*cough*` already are) – ZJR Nov 16 '12 at 03:06

The idea is that by not sending your mail, you're not triggering whatever monitoring events might be in place to track your communication.

It's not a new technique. It was famously used by the 9/11 terrorists. In fact, it's so commonly used that the FBI's eavesdropping tools are designed to grab draft email specifically because this technique is well known to them.

The fact that the head of the NSA would use a technique known to his own organization and all others to be both insecure and explicitly checked for says more about the (lack of) security knowledge required to be the head of the NSA than it does about anything else.

tylerl

One major benefit of using this strategy is that it does not leave an email trail between servers, and it also makes it a lot harder for someone snooping around to obtain the full email correspondence between the parties.

This method does work and is considered more secure than normal email correspondence; however, it is not completely secure, as was the case with Petraeus. The messages can still be read in plain text and are not encrypted.

A more secure method of transmitting messages between parties would be to use encrypted messages which can only be decrypted using a private key or passphrase. Hushmail is one example of a provider which offers this service.

Hammo

The idea behind the trick is to reduce the number of places in which email can be logged. When a person sends an ordinary email through Gmail, the sender first sends the mail to the Gmail server, where it waits for the addressees; any of the addressees then connects to Gmail and gets the new mail. During this, the packets can pass through different ISPs, each of which can log them. Even though most of the time the packets are encrypted, it is still possible to at least see how often the person is sending emails by checking for SMTP packets, and on the receiver's side, the POP packets. An attacker can also get the IP address of the server you are sending emails to.

After getting the address, if the attacker is powerful and has legal rights, he can force a service provider to give up the logs of the sender's communication and find the IP addresses used by the receiver. This makes it possible to estimate the number and locations of receivers. Even in the case of encryption, which Gmail certainly uses, an attacker with enough power has a chance to decrypt the packets, or, knowing the location, has the possibility to force one of the group to reveal a password (as happened during the investigation of the Madrid bombing in March 2011).

The difference in case of using drop-dead email method:

In the previous answer of Hammo, he stated that

that it does not leave an email trail between servers

which is wrong. There is still communication: when the sender saves an email in the drafts, he connects to the server to save it, but here there is a possibility (I can be wrong) that during this phase you are not using SMTP, and the person who will be getting the email is not using POP. So it obscures the communication, but does not make it much more secure. Another thing is that here it is not possible to know how many people are involved and, most importantly, who has written what. So even when the email is decrypted you do not know how much person A was involved and how many years of prison he has to receive. Neither do you know whether there was a person D in the communication process, or only A, B and C.

So in my opinion the reasons why drop-dead email might be helpful are:

  • obscurity (harder to monitor the traffic)
  • hiding social graph (harder to estimate the number of people, who might be involved and their role in the communication)
Salvador Dali

Does it work? It depends what your threat model is. It doesn't protect you from government surveillance, as the Petraeus case documents.

Chris Soghoian has a blog post that explains well why not. The government was able to deanonymize the communications, using solely its subpoena powers. No warrant was needed: and that means no approval of any judge, no requirement to show probable cause, only "[...] reasonable grounds to believe ... the records ... are relevant and material to an ongoing criminal investigation" (as I understand the legal standard).

How did the government deanonymize the anonymous communicants? Read the blog post for the details. Apparently, Paula Broadwell logged onto the account from multiple locations. The government subpoenaed records from Gmail, obtained the IP addresses in each case, mapped out the location and network of each IP address, then subpoenaed records from hotels and others in the area to obtain guest lists for those who could have used that IP address on that day, and took the intersection. Also, apparently Paula Broadwell occasionally logged into the anonymous Gmail account from the same IP address she used to log into her own account, and the government was able to use a subpoena to identify this as well.

In short, if your threat model involves the government, then this "dead-drop" email strategy does not provide good security. Read Chris's blog post for more.

D.W.
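Two of the answers above describe the same analysis from opposite ends: the first answer explains that a sent email gives a social network analyst a sender-to-recipient edge while a shared draft account gives none, and D.W. explains how the shared account's login records were still correlated back to a person (overlap with the IPs of a personal account, and the intersection of hotel guest lists for the IPs and dates of the logins). The script below is an added example written for this page, not code from any answer or from the blog post D.W. cites. Every log line, account name, IP address (RFC 5737 documentation ranges) and guest name is constructed for the demonstration; the functions `social_graph`, `shared_ip_accounts`, `guest_intersection` and `deanonymize` are the example's own.

```python
"""Added example (not from the original thread): what each data source
reveals about a shared "draft folder" account. All data is constructed."""

# --- 1. Provider-side mail events: (date, event, account, counterpart) ---
# A "sent" event names both parties; a "draft" save never leaves the account.
MAIL_EVENTS = [
    ("2012-10-01", "sent",  "jeff@example.com",    "joel@example.net"),
    ("2012-10-02", "sent",  "joel@example.net",    "jeff@example.com"),
    ("2012-10-03", "draft", "dropbox@example.com", None),
    ("2012-10-04", "draft", "dropbox@example.com", None),
]


def social_graph(events):
    """Undirected edges between accounts, built only from 'sent' events.

    Draft saves contribute no edge: the analyst sees one account that
    never talks to anybody, which is the account-to-identity gap the
    first answer describes.
    """
    edges = set()
    for _date, event, account, counterpart in events:
        if event == "sent" and counterpart:
            edges.add(frozenset((account, counterpart)))
    return edges


# --- 2. Provider-side login records: (account, date, source IP) ---
LOGIN_LOG = [
    ("dropbox@example.com",     "2012-10-01", "203.0.113.10"),   # hotel A NAT
    ("dropbox@example.com",     "2012-10-02", "198.51.100.7"),   # hotel B NAT
    ("dropbox@example.com",     "2012-10-04", "192.0.2.55"),     # a home line
    ("personal.rw@example.com", "2012-10-04", "192.0.2.55"),     # same line
    ("personal.js@example.com", "2012-10-03", "192.0.2.99"),
    ("other@example.com",       "2012-10-05", "203.0.113.200"),
]

# Constructed guest lists obtained from the hotels, keyed by the hotel's
# public IP and then by date.
GUEST_LISTS = {
    "203.0.113.10": {"2012-10-01": {"R. Wells", "J. Smith", "A. Jones"}},
    "198.51.100.7": {"2012-10-02": {"R. Wells", "K. Lee"}},
}


def shared_ip_accounts(login_log, target):
    """Other accounts that logged in from an IP the target account also used.

    This is the slip D.W. describes: one login to the shared account from
    the same address as a personal account. Matching on IP alone is
    deliberately loose; with dynamic addresses you would also bound the
    time window.
    """
    target_ips = {ip for account, _d, ip in login_log if account == target}
    return {account for account, _d, ip in login_log
            if account != target and ip in target_ips}


def guest_intersection(login_log, target, guest_lists):
    """Names present on every guest list matching an (IP, date) login of target.

    Logins from addresses with no guest record are skipped rather than
    treated as an empty list, so a missing record cannot wrongly clear
    everyone.
    """
    candidates = None
    for account, date, ip in login_log:
        if account != target:
            continue
        guests = guest_lists.get(ip, {}).get(date)
        if not guests:
            continue
        candidates = set(guests) if candidates is None else candidates & guests
    return candidates or set()


def deanonymize(target, events=MAIL_EVENTS, logins=LOGIN_LOG,
                guests=GUEST_LISTS):
    """Collect what each data source reveals about one account."""
    return {
        "mail_edges": {e for e in social_graph(events) if target in e},
        "linked_accounts": shared_ip_accounts(logins, target),
        "guest_candidates": guest_intersection(logins, target, guests),
    }


if __name__ == "__main__":
    for key, value in deanonymize("dropbox@example.com").items():
        print(key, value)
```

Run stand-alone, the report for the shared account shows no mail edges at all (the draft trick does defeat plain metadata analysis), but the login records alone link it to `personal.rw@example.com` and narrow the hotel guest lists to a single name, which is the point of D.W.'s answer: the protection holds only against an observer who cannot obtain the account's access records.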