Spies do it and so do terrorists. So why not the head of the CIA?
It was a bit of tradecraft that sounded all too familiar to people acquainted with recent security cases.
Law-enforcement sources have told the Associated Press that former CIA director David Petraeus and his biographer-turned-mistress, Paula Broadwell, communicated by using a web-based version of the old drop-box technique.
The trick was uncovered by FBI agents probing allegations that Ms. Broadwell sent harassing e-mails to a perceived rival, Tampa socialite Jill Kelley.
The agents found that Ms. Broadwell exchanged intimate letters with Mr. Petraeus using a private Gmail account which the former general could also access.
One would compose a missive and then save the document into a folder instead of transmitting it. The other person, who also had the password to the web-based e-mail system, then could log onto the same account later and read the draft.
In Canada, the save-but-don’t-send ploy was most recently in the news in the case of Sub-Lieutenant Jeffrey Delisle, the Halifax-based naval intelligence officer who pleaded guilty this fall to spying for Russian operatives.
Under questioning before RCMP Sergeant Jimmy Moffat, SLt. Delisle admitted that he would copy classified documents and smuggle them out on a USB memory stick.
He then shared the documents with his Russian handlers by pasting them in accounts on G-mail and another e-mail service, Gawab, without actually sending.
“I started in 2007,” SLt. Delisle said during his interrogation. “It was just ... get copies of whatever, put it on a stick, put it in a[n] e-mail, non-sending, a shared e-mail account, paste. There you go. And then they would give me money.”
A similar story was heard in 2008, at the trial of Momin Khawaja, an Ottawa computer programmer and bomb builder who became the first person sentenced under Canada’s anti-terrorism laws.
A witness for the prosecution, Mohammed Jumaid Babar, testified that Mr. Khawaja and his London-based ringleader, Omar Khyam, opened a Yahoo account, through which they communicated by saving draft documents without sending them.
"That e-mail account was used by the appellant to communicate with Khyam and others using a 'dead drop-box' or 'save-draft' method whereby the appellant, Khyam, and others would log onto this account using a webmail program, draft a message to any of the others, then without sending the message, it would be saved as a draft in the account," according to a Supreme Court of Canada document in the case.
"The intended recipient would later log onto the account and read the message that had been saved as a draft and, if necessary, prepare a reply which would also be saved as a draft, and so on."
The method minimizes the e-mail trail and makes it harder for investigators to figure out a suspect’s circle of acquaintances.
Still, it is not foolproof. It leaves a footprint in cyberspace that investigators can recover once they have a suspect in mind.
In the Delisle case, Sgt. Moffat told the officer that after the RCMP were tipped about his spying, agents had been monitoring his online communications, keystroke-by-keystroke.
Sgt. Moffatt offered to show SLt. Delisle screen grabs of his web activity.
“We were monitoring everything. Your Gmail. You wanna see Gawab? The screen shot? OK,” Sgt. Moffat said. “So you know, Jeff, we have you, OK. You’re caught. You’re so caught, Jeff.”
SLt. Delisle began then to confess.