Carnivore: Where Privacy Meets Security
Carnivore, the Federal Bureau of Investigation's new software, sounds as nasty as its name: technology that gulps and spews digital debris disguised as nuggets of righteous data, enabling access to all traffic over an Internet service provider's network, including the e-mail of every ISP customer and all who communicate with them.
Essentially, the FBI installs Carnivore at certain ISP locations to read the e-mail of suspects in criminal and security investigations, primarily to determine with whom those suspects are exchanging messages. The bureau has reportedly used Carnivore in six criminal cases and 10 national security investigations so far this year and collected evidence using this technology 25 times during its investigations.
That is correct: Internet technologies now enable the checking of all information packets to find "target" information for FBI investigations. A very disturbing capability when a court authorizes only communications to or from a specific subject.
What is at stake is the ability to confirm that unauthorized information is not retained and used by the bureau. According to the American Civil Liberties Union (ACLU), "Carnivore is roughly equivalent to a wiretap capable of accessing the contents of the conversations of all of the phone company's customers, with the 'assurance' that the FBI will record only conversations of the specified target."
After receiving a letter from the ACLU, the House Constitution Subcommittee decided to investigate Carnivore, with testimony beginning on Apr. 6, 2000. Since that time, the likes of the esteemed Center for Democracy and Technology, the Electronic Privacy Information Center, and the ACLU have joined hands to halt potential privacy infringements.
Unwilling to offer details unveiling how Carnivore operates, FBI technocrats have been looking everywhere to find influential leaders who will support their surveillance actions with this technology. Vint Cerf, an early Internet pioneer and now senior vice president at Clinton, Miss-based WorldCom Inc., received a personal briefing about Carnivore from the bureau. While Cerf publicly commented that the FBI shouldn't be forced to divulge Carnivore details, his position remains the exception. Antipathy is growing against a perceived government intrusion into private communications. The whole situation reminds me of that famous line in the movie Blazing Saddles: "Badge?! I don't need no stinkin' badge!"
Where the Problems Lie
Much of the controversy surrounding Carnivore in the government, with ISPs, and with privacy advocates is that only the FBI knows what Carnivore really does. No independent third party has been able to review the software to determine its ability to store and forward unauthorized information and its built-in safeguards to avoid that occurrence. Judges may also exacerbate the Carnivore privacy issue. While they understandably focus on probable cause, they don't fully understand the technical capabilities inherent in a technology like Carnivore to reach beyond the investigations of target information.
The problem rests with the FBI's use of Carnivore. The FBI has been circumspect and noncommunicative in its stance concerning the software, prompting uncertainty about the bureau's trustworthyness and veracity. FBI public relations and spokespeople have had difficulty projecting an honest and earnest image of the agency, concocting spins to improve perceptions of their actions. It's a double-whammy--the FBI can't lie well enough or tell the truth believably enough to avoid future obstacles in effectively using Carnivore for collecting evidence.
U.S. Representative Bob Barr, R-Ga., who introduced the Digital Privacy Act of 2000 and is very interested in online privacy matters, requested FBI documents containing information about Carnivore. He received a letter noting that the bureau was "not presently in a position" to provide details.
Another concern is the U.S. attorney general's failure to obtain top-rated university experts who could verify that Carnivore would not violate individual civil rights if the FBI were allowed to limit a review of the software. When responding to the attorney general's request for a proposal (RFP) allowing universities to review Carnivore, Jeffrey Schiller, the Massachusetts Institute of Technology's network manager, concluded that, "This [RFP] is not a request for an independent report. They want a rubber stamp."
|"On a corporate level, security vendors are preparing the way to counter the likes of Carnivore. Organizations desire e-mail protection strong enough to prohibit cracker or unauthorized agency information intrusion. Welcome to security vendor white hats offering protection from government white hats! "|
The U.S. Justice Department reportedly expects universities and associated contractors to agree not to publish anything "sensitive," such as innovative high-speed data search and retrieval approaches. Researchers are to be limited to examining only those matters the government allows them to examine. And research teams must agree to clear all personnel working on the evaluation with the government. So, it's background checks for one and all--and bright red flags for academic types.
To their credit, the agency has done an outstanding job of making the electronic frontier safer from marauding bands of cyber-banditos. The FBI has also been a major player in developing The Internet Fraud Center, training law enforcement agencies in state-of-the-art cyber-investigation techniques such as identifying perpetrator electronic signatures, and working with a variety of organizations worldwide to establish systematic cyber-crime communication and cooperation.
The National Infrastructure Protection Center (NIPC) is located at the
FBI and responds to cyber-attacks in telecommunications and
information, energy, banking and finance, transportation, government
operations, and emergency services infrastructures. Among other
things, it offers:
Check out the Cyber Threat and Computer Intrusion Incident Reporting Guidelines Form at: http://www.nipc.gov/i ncident/incident.htm.
What's at Stake, and What We Can Do
As you've undoubtedly noticed, two security worlds are evolving: electronic and physical. Like it or not, the electronic version is often more interesting--and more threatening--than the real world. Beyond the e-glitter is a world far more complex than most real world citizens can fully understand.
On Sept. 6, 2000, before the U.S. Senate's Committee on the Judiciary, assistant FBI director Donald Kerr said, in part, "during all the filtering/processing no FBI personnel are seeing any information--all of the information filtering/processing, [which is] purely in a machine-readable format, is occurring exclusively 'within the box.' ''
But the question remains; should U.S. citizens accept Kerr's statements? Well, yes and no. Yes, because we've got to believe in our law enforcement agencies. But no, because we should, in the words of Mikhail Gorbachev, "trust, but verify."
On a national level, our efforts should be focused on establishing independent auditing and verification organizations to certify the compliance and cooperation of agencies and industries alike. While most of the U.S. attorney general's efforts to obtain an independent Carnivore evaluation appear to be for one-time certification, ongoing auditing of Carnivore and other investigative systems is needed. Open and cooperative communication must be the backbone of this effort.
On a corporate level, security vendors are preparing the way to counter the likes of Carnivore. Welcome to security white hats offering protection from government white hats! Vendors are taking advantage of this privacy threat obstacle to market new e-mail security services. While some companies, including ChainMail Inc., in Charlottesville, Va., tout encryption products such as Antivore, other firms, including start-up Sigaba Corp., in San Mateo, Calif., stand to benefit from surveillance fears. What we need is more security market sophistication to establish a "meeting of the good guys to defeat the bad guys."
The old agency attitude that all those individuals outside of law enforcement are "civilians" is irrational. Industry safeguards, including background checks and effective internal and external audits, remain mandatory. According to Craig McLaughlin, cofounder and CTO of Privada Inc., in Sunnyvale, Calif., protecting his company's identity privacy services is needed to counter privacy breaches--regardless of which organization is the illicit perpetrator.
Bottom line: If your firm wants to ensure the confidentiality of its online business activity, a privacy infrastructure is needed pronto. Don't depend on either a government agency or any other security "white hat" that might turn color to protect you. If your firm is a multinational one, electronic highways often supercede geopolitical borders. Privacy protection in this global arena is magnified by the potential of multiple rogue agencies and organizations, each with different laws and technology approaches.
Welcome to the world of private and enterprise counterintelligence operations. //
Dr. Goslar is principal e-security analyst of E-PHD LLC, an e-security research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.