The Electronic Frontier Foundation offers the following information about how this type of investigation is permissable and how it can be thwarted:
The Electronic Communications Privacy Act (ECPA) is a 1986 law that Congress enacted to protect your privacy in electronic communications, like email and instant messages. ECPA provides scant protection for your identifying information, such as the IP address used to access an account. While Paula Broadwell reportedly created a new, pseudonymous account for the allegedly harassing emails to Jill Kelley, she apparently did not take steps to disguise the IP number her messages were coming from. The FBI could have obtained this information with just a subpoena to the service provider. But obtaining the account’s IP address alone does not establish the identity of the emails’ sender.
Broadwell apparently accessed the emails from hotels and other locations, not her home. So the FBI cross-referenced the IP addresses of these Wi-Fi hotspots “against guest lists from other cities and hotels, looking for common names.” If Broadwell wanted to stay anonymous, a new email account combined with open Wi-Fi was not enough. The ACLU has an in-depth write-up of the surveillance and security lessons to be learned from this. (Source)
It appears that, as Glenn Greenwald has suggested, those who have become part of the military-industrial-surveillance state have fallen prey to the very system they have helped to empower.