Among the more common reactions to the David Petraeus cheating scandal has been some variation of "How does the head of the CIA -- an organization built on spies and secrecy -- get caught?!"
Well it turns out, Petraeus and his mistress Paula Broadwell made one* big mistake which all of us who assume we have some degree of Internet privacy can learn from.
OK, probably more like two, since just having an affair to begin with is also a big error.
They used emails to correspond with each other. And even the stealthy maneuver they employed is not beyond detection by Internet sleuths.
We now know Petraeus and Broadwell used a shared Gmail account to write messages to each other, which were saved in the drafts folder as opposed to actually being transmitted. No easily tracked digital trail is left this way, as notes can be written, read and deleted without ever having been sent.
It's a technique used not only by cheating spouses and sneaky high schoolers, but terrorists as well.
In the case of the Petraeus affair, once Jill Kelley informed the FBI about the threatening, anonymous emails she was receiving, the one vulnerability of this "dropbox" method was exposed: You can still track down a user's IP address.
Read more: Why your 'secret' email account isn't
An Internet Protocol address is a unique series of numbers assigned to a computer. Email hosts, like Google, can be asked by law enforcementto provide those addresses when trying to determine which email accounts accessed a given computer (Interestingly, providers including Microsoft Outlook and Yahoo Mail include the IP address in their metadata, so agents don't even need to issue subpoenas to track their sender).
This is likely how Broadwell -- and thus Petraeus -- was undone.
As Lifehacker's Thorin Klosowskiexplains, "Unfortunately for them, when the IP address that logs into the account with the drafts is always the same, it can be traced back to a source. Essentially, Petraeus and Broadwell's affair was outed because Broadwell sent threatening messages over an easily traceable Gmail account to someone, and then used another Gmail account to communicate with Petraeus." So Broadwell likely accessed both email accounts from the same computer/IP address.
And still, they almost got away with it.
Had Broadwell used different email providers for each of those two accounts (the one she used for communicating with Petraeus and the one which she used to send the emails to Kelley) as opposed to using Gmail for both, the messages would have been much more difficult to trace back to her.
Or put another way: Make all the cracks you want about the decline of Yahoo, but simply using one of their email addresses might have been all the security America's top spy needed to cover up his affair.