Email privacy: What Petraeus needed to know

Updated 4:54 p.m. ET

In the wake of the sex scandal that led to David Petraeus' resignation from his position as the director of the Central Intelligence Agency, the topic of email privacy has surfaced in the minds of many.

Petraeus submitted his resignation to President Obama last week, citing an extramarital affair. Law enforcement raised concern over emails the former CIA director exchanged with journalist Paula Broadwell, who authored his biography "All In: The Education of General David Petraeus."

The affair between Petraeus and Broadwell was uncovered during a related investigation into allegedly threatening emails received by Jill Kelley -- a Petraeus family friend.

Emails carry unique identifying information called metadata. According to the Wall Street Journal, agents used metadata footprints to trace the origin of the emails back to Broadwell.

• Sources: Paula Broadwell warned Gen. Allen against "seductress" Jill Kelley
• Timeline: The Petraeus affair
• CIA Director David Petraeus resigns

So how did supposed private emails lead to the downfall of the former CIA director? First thing to note is that emails are never 100 percent private. That's not to say that anyone can access your electronic messages, but the possibility is always looming. It is important to understand where privacy ends and public domain begins.

"The system is remarkably similar to the postal system. You can seal the envelope and hide what's inside, but it contains a postmark of where it came from and where it's going," ZDNET's Zack Whittaker explains. "It may even have your fingerprints on it. All of this information outside the contents is 'metadata.'"

Who owns what?

"The government can't just wander through your emails just because they'd like to know what you're thinking or doing," Stewart Baker, a former assistant secretary at the Homeland Security Department who's now in private law practice, told the Associated Press. "But if the government is investigating a crime, it has a lot of authority to review people's emails."

Petraeus and Broadwell used Google-owned Gmail to communicate. According to Google's terms of service, the company may share personal information about an account holder under if Google believes that the data is "reasonably necessary" to:

• Meet any applicable law, regulation, legal process or enforceable governmental request.
• Enforce applicable Terms of Service, including investigation of potential violations.
• Detect, prevent, or otherwise address fraud, security or technical issues.
• Protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

According to Google's transparency report, government surveillance is on the rise. The report says that government agencies from around the world made a total of 20,938 inquiries in the first half of 2012. When Google launched its transparency report in 2010 the number of requests between July to Dec. 2009 was 12,539.

In theory, the government would only have to submit a reasonable request to Google to get vital information. But even if that failed, authorities would just have to obtain a warrant or subpoena to gain access to private data. 

Google released this statement to CBS News:

"Protecting the privacy and security of our users is incredibly important to us. Like all law-abiding companies, we respect valid legal process. Whenever we receive a request, we make sure it meets both the letter and spirit of the law before complying. When possible and legal to do so, we notify affected users about requests for user data that may affect them. And if we believe a request is overly broad, we will seek to narrow it."

Under the 1986 Electronic Communications Privacy Act, federal authorities need only a subpoena approved by a federal prosecutor -- not a judge -- to obtain electronic messages that are six months old or older. To get more recent communications, a warrant from a judge is required. This is a higher standard that requires proof of probable cause that a crime is being committed.

Public interest groups are pressing Congress for the law to be updated because it was written a quarter-century ago, when most emails were deleted after a few months because the cost of storing them indefinitely was prohibitive. Now, "cloud computing" services provide huge amounts of inexpensive storage capacity. Other technological advances, such as mobile phones, have dramatically increased the amount of communications that are kept in electronic warehouses and can be reviewed by law enforcement authorities carrying a subpoena.

What about email drafts?

Petreaus and Broadwell carried out much of their communication using email drafts, instead of sending messages. What they may have failed to realize was that their saved emails were still being stored in Google's servers.

Even if the messages were not sent from one account to another, Google still knows where a Gmail account is logged in from. Additionally, drafts may be more vulnerable to prying eyes. The American Civil Liberties Union point out that sent emails -- as well as drafts -- are not classified as electronic storage, excluding them from warrant protection under the Stored Communications Act.

The bottom line

Your emails my be private from those who are only curious about the content of your messages, but anyone with a warrant or subpoena may be able to gain access to your account, and this might not even be necessary if your email provider agrees.

"You know if the director of the Central Intelligence Agency cannot protect his privacy online, what hope is there for the rest of us?" Chris Soghoian, principal technologist at the ACLU told Marketplace.

"What that means is, if you were trying to hide you tracks, whether from a jealous spouse or even an online advertising company. You have to get everything just right. If you make one small mistake that veil of anonymity that you have put all that work into creating can be pierced and your identity can be revealed."