How The Petraeus Affair Was Traced Via Email (And How To Avoid It Happening To You)

How The Petraeus Affair Was Traced Via Email (And How To Avoid It Happening To You)

CIA director David Petraeus was forced to step down from his position after an FBI investigation revealed an extramarital affair with his biographer, Paula Broadwell. Curiously, the revelation of the affair came about using location data from Gmail. Here’s how the FBI put together the pieces — and how you can avoid a similar privacy issue of your own.

How Gmail Was Used To Trace The Affair


According to the Wall Street Journal, the original incident that drew the FBI’s attention was a series of anonymous, threatening emails sent to Jill Kelley, a Florida woman who organised military social events. The FBI then traced those threatening emails to their origin — most likely via an IP address supplied by Google — to Paula Broadwell. The FBI then got a warrant to monitor those email addresses, and eventually stumbled upon another email account where Petraeus and Broadwell left drafts of messages for each other:

Rather than transmitting emails to the other’s inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder or in an electronic “dropbox”, the official said. Then the other person could log onto the same account and read the draft emails there. This avoids creating an email trail that is easier to trace.

Unfortunately for them, when the IP address that logs into the account with the drafts is always the same, it can be traced back to a source. Essentially, Petraeus and Broadwell’s affair was outed because Broadwell sent threatening messages over an easily traceable Gmail account to someone, and then used another Gmail account to communicate with Petraeus.

How To Keep You Own Email Private


There are two points to make up front. Firstly, the odds of your email bring investigated are a lot higher if you are having an affair with a prominent military or government official. Bear that in mind.

Secondly, there is no such thing as complete privacy, especially in the face of a legal investigation. The only fool-proof way to leave absolutely no trace online is not to be online in the first place.

That said, there are steps you can take that make you (and your email) less easily traced.

Hide Your IP Address

Broadwell’s emails were trace because the associated IP address was constant and easily discovered. To avoid that, you’d need to hide your IP address. For that we recommend the incredibly secure combination of VPN service Hamachi and web proxy Privoxy. If you don’t need that level of security, a VPN alone will do the trick. You will have to use the VPN every time you log in to your email for this to work — multiple instances from your home IP address will eventually lead someone directly to you.

Use Disposable Email Addresses

Broadwell got herself in trouble because she was using multiple Gmail accounts to do multiple things. In one account she and Petraeus were leaving drafts of emails for each other so they weren’t easily traceable (an often-used trick). In another account, she was sending harassing messages to a woman in Florida.

The obvious solution here would be to not send all those messages through the same email provider. It’s unlikely Petraeus and Broadwell’s affair would have come to light if she had used another provider for each set of emails. An even more permanent solution is to use disposable email addresses that self-destruct after they’re read.

Keep All Your Private Stuff Offline

As we’ve pointed out before, the only real way to keep private information entirely private is to hand over that information in person. Email, even when it’s encrypted or hides an IP address, can always be photographed and saved for later. If they can see it, they can copy it.

The tricks we’ve recommended for anonymous browsing and covering your tracks are just as effective with a webmail account as with anywhere else. But the only real protection is to keep your data offline.


  • There is another way of keeping private stuff private: Use encryption. We use the Syncdocs Google app to encrypt stuff we don’t want others seeing.
    One would have thought the head of the CIA would have had the intelligence to encrypt, but maybe he wasn’t thinking with his head.

  • He was just thinking with the wrong head. Just search “private secure encrypted” and you will be presented wIth several options, some free, that can be used to protect private conversations from unauthorized access. If Patraeus had chosen, for example, perhaps their secret online conversations, would still be secret.

  • Using Privoxy and Hamachi wouldn’t help at all. All traffic routed through that would come from wherever you have your Hamachi/privoxy ‘server’, presumably your home PC. That’d be worse than just using a laptop in various internet cafes which would actually help anonymise use by using multiple IP addresses.

    Looks like your mistaking security as in ‘harder to eavesdrop on’ with security as in ‘harder to trace’.

Show more comments

Log in to comment on this story!