Carnivore: Where Privacy Meets Security

Carnivore lets the FBI access all ISP traffic. But does this ability make the law-enforcement agency a protector or a perpetrator?

By Martin Goslar

Carnivore, the Federal Bureau of Investigation's new software, sounds as nasty as its name: technology that gulps and spews digital debris disguised as nuggets of righteous data, enabling access to all traffic over an Internet service provider's network, including the e-mail of every ISP customer and all who communicate with them.

Essentially, the FBI installs Carnivore at certain ISP locations to read the e-mail of suspects in criminal and security investigations, primarily to determine with whom those suspects are exchanging messages. The bureau has reportedly used Carnivore in six criminal cases and 10 national security investigations so far this year and collected evidence using this technology 25 times during its investigations.

That is correct: Internet technologies now enable the checking of all information packets to find "target" information for FBI investigations. That is a very disturbing capability when a court authorizes only the interception of communications to or from a specific subject.

What is at stake is the ability to confirm that unauthorized information is not retained and used by the bureau. According to the American Civil Liberties Union (ACLU), "Carnivore is roughly equivalent to a wiretap capable of accessing the contents of the conversations of all of the phone company's customers, with the 'assurance' that the FBI will record only conversations of the specified target."

After receiving a letter from the ACLU, the House Constitution Subcommittee decided to investigate Carnivore, with testimony beginning on Apr. 6, 2000. Since that time, the likes of the esteemed Center for Democracy and Technology, the Electronic Privacy Information Center, and the ACLU have joined hands to halt potential privacy infringements.

Unwilling to offer details unveiling how Carnivore operates, FBI technocrats have been looking everywhere to find influential leaders who will support their surveillance actions with this technology. Vint Cerf, an early Internet pioneer and now senior vice president at Clinton, Miss.-based WorldCom Inc., received a personal briefing about Carnivore from the bureau. While Cerf publicly commented that the FBI shouldn't be forced to divulge Carnivore details, his position remains the exception. Antipathy is growing against a perceived government intrusion into private communications. The whole situation reminds me of that famous line in the movie Blazing Saddles: "Badge?! I don't need no stinkin' badge!"

Where the Problems Lie

Much of the controversy surrounding Carnivore in the government, with ISPs, and with privacy advocates stems from the fact that only the FBI knows what Carnivore really does. No independent third party has been able to review the software to determine its ability to store and forward unauthorized information and its built-in safeguards to avoid that occurrence. Judges may also exacerbate the Carnivore privacy issue. While they understandably focus on probable cause, they don't fully understand the technical capability of a technology like Carnivore to reach beyond the target information of an investigation.

The problem rests with the FBI's use of Carnivore. The FBI has been circumspect and noncommunicative in its stance concerning the software, prompting uncertainty about the bureau's trustworthiness and veracity. FBI public relations and spokespeople have had difficulty projecting an honest and earnest image of the agency, concocting spins to improve perceptions of their actions. It's a double-whammy--the FBI can't lie well enough or tell the truth believably enough to avoid future obstacles in effectively using Carnivore for collecting evidence.

U.S. Representative Bob Barr, R-Ga., who introduced the Digital Privacy Act of 2000 and is very interested in online privacy matters, requested FBI documents containing information about Carnivore. He received a letter noting that the bureau was "not presently in a position" to provide details.

Another concern is the U.S. attorney general's failure to obtain top-rated university experts who could verify that Carnivore would not violate individual civil rights if the FBI were allowed to limit a review of the software. When responding to the attorney general's request for a proposal (RFP) allowing universities to review Carnivore, Jeffrey Schiller, the Massachusetts Institute of Technology's network manager, concluded that, "This [RFP] is not a request for an independent report. They want a rubber stamp."

"On a corporate level, security vendors are preparing the way to counter the likes of Carnivore. Organizations desire e-mail protection strong enough to prohibit cracker or unauthorized agency information intrusion. Welcome to security vendor white hats offering protection from government white hats! "

This article was originally published on Oct 17, 2000