FBI's Carnivore Devours Internet Privacy|
By Net4TV Voice Staff
(July 16, 2000)
The United States Federal Bureau of Investigations has been using its Carnivore program to sift through web traffic and e-mails in search of illegal behavior. While the FBI defends the Carnivore as a surgical search designed to protect the privacy of the innocent, privacy watchdogs call it overkill. Attorney General Janet Reno has ordered an investigation even as a congressional oversight committee is scheduled to hold its own hearing. The existence of Carnivore was first revealed publicly in a House Judiciary hearing on April 6, 2000.
The FBI has quietly obtained court orders allowing it to install mysterious devices code-named "Carnivore" within the networks of various Internet Service Providers (ISPs), including EarthLink. The Carnivore device is an off the shelf personal computer with Windows 2000 and top-secret software developed in the FBI's computer labs in Quantico, Virginia.
Carnivore sits within an ISP's computer network and sifts through all network traffic, looking for evidence of illegal behavior. Upon finding possible evidence, Carnivore records it onto a removable hard drive that is later collected by an FBI agent. The FBI can also control the device through a dedicated modem connection, rather than through the Internet itself. The device resides on the premises of the ISP within a metal cage designed to prevent tampering. Only the FBI can control the device. The FBI dubbed the device "Carnivore" because of its ability to chew through to "the meat" of all the data it encounters.
Privacy watchdogs and industry experts alike are alarmed at the use of Carnivore as its method of operation is largely unknown. The FBI regards the workings of the software to be top secret, despite a request filed by the American Civil Liberties Union (ACLU) under the Freedom of Information Act for "letters, correspondence, tape recordings, notes, data, memoranda, email, computer source and object code, technical manuals, (and) technical specifications" relating to Carnivore. The FBI is required to respond within 20 working days and is expected to fight the request, citing that such disclosure would hinder investigations.
"Right now, the FBI is running this software out of a black box," said Barry Steinhardt, Associate Director of the ACLU. "The FBI is saying, ‘trust us, we're not violating anybody's privacy.' With all due respect, we'd like to determine that for ourselves."
The Carnivore device is able to read through a large quantity of e-mail per second and determine which contain elements that match the criteria set by the FBI. The FBI claims that Carnivore is a "diagnostic tool" similar to commercially available packet sniffers. ISPs use programs called packet sniffers to detect problems in computer networks. Information from users is split into small packets and sent over the Internet. Each packet has address information so that it can be reassembled into the original file when it arrives at its destination. The FBI's software is able to read these packets, determine which ones are of interest, and retrieve all the parts related to the packet. The device then stores the packets for later analysis by human agents.
The FBI says it can only legally gather information that matches the criteria of a Federal or state court order. To be granted a court order, the FBI must demonstrate probable cause and they must state with "particularity and specificity" the offenses being committed, the telecommunications facility or place from which the subject's communications are to be intercepted, a description of the types of conversations to be intercepted, and the identities of the persons committing the offenses that are anticipated to be intercepted.
For example, a Federal judge may okay a digital wiretap of e-mail to and from an individual. The FBI says although Carnivore can sift through all the traffic passing through the network, it only pays attention to data that matches the criteria stated in the court order. Since only that information is actually collected and read by a human, the FBI believes that they are in compliance with the wiretapping laws.
In a typical phone tap, the FBI would obtain a court order that would require the phone company to place the physical connection to a specific phone line or lines. The FBI would only have access to information gleaned from those lines. Sometimes, the information is who called whom, when, and how long did they talk. Other times, the court order includes the contents of the conversations.
According to the FBI, the Carnivore device provides the FBI with a "surgical" ability to intercept and collect the communications which are the subject of the lawful order while ignoring those communications which they are not authorized to intercept. The FBI says that this type of tool is necessary to meet the stringent requirements of the federal wiretapping statutes.
But privacy advocates point out that with Carnivore, the FBI places the tap on everyone using the network. Only the FBI operates the equipment, and only the FBI knows what content is being stored for later analysis. Privacy advocates also point out that although Carnivore supposedly only stores targeted data, in fact it reads through all the data on the network.
Carnivore is the latest attempt by the FBI in gathering evidence through digital wiretaps. A previous technology, called Omnivore, was less picky at the kind of information it catalogued. Purportedly, it was able to devour six gigabytes of information per second.
Carnivore has been in use since early 1999. Evidence gathered by Carnivore has largely been used in "infrastructure protection" cases, which is FBI-speak for fighting hackers. Other cases included drug-trafficking and counter-terrorism.
The FBI justifies the use of Carnivore on its website: "The ability of law enforcement agencies to conduct lawful electronic surveillance of the communications of its criminal subjects represents one of the most important capabilities for acquiring evidence to prevent serious criminal behavior. Unlike evidence that can be subject to being discredited or impeached through allegations of misunderstanding or bias, electronic surveillance evidence provides jurors an opportunity to determine factual issues based upon a defendant's own words."
The FBI says on its website that Carnivore is only used to gather evidence of a crime and is not used to gather intelligence that would lead it to discover other crimes. Such use would run afoul of the wiretapping laws and wouldn't be admissible in court. Also various civil and criminal penalties would apply in a case where Carnivore was used inappropriately, according to the FBI.
The FBI use of the Carnivore system is subject to oversight from internal FBI controls, the U. S. Department of Justice (both at a Headquarters level and at a U.S. Attorney's Office level), and by the Court. The FBI claims the Carnivore system is not susceptible to abuse because it requires expertise to install and operate, and because it is conducted with close cooperation with the ISPs. The ISPs claim that they have no say in the matter and do not know much relating to the workings of the Carnivore device.
Currently, the FBI says it has 20 Carnivore units at its disposal. It is unclear how many are currently deployed or what ISPs have them installed as use of the Carnivore is typically coupled with a court order prohibiting the ISP to make any statements about the existence of a wiretap. Such wiretaps are typically in place for 45 days, but can be renewed by court order.
In an effort to garner industry support for modern wiretapping, and to develop open standards for complying with wiretap requirements, the FBI recently showed Carnivore to Internet industry experts at the request of the Communications Assistance for Law Enforcement Act (CALEA) Implementation Section, at an industry standards meeting (the Joint Experts Meeting). The meeting was set up in response to an FCC suggestion to develop standards for Internet interception.
ISPs and industry experts are concerned because once the device is connected to an ISP's network, it could sift through all the data on the network, including e-mail, voice telephony, e-commerce transactions, and other Web transactions. The FBI emphasizes that the subject of their search is clearly defined by court order. But it is up to the FBI to police its access to users' information.
Privacy advocates are pushing updated privacy laws to handle situations like Carnivore. The FBI claims that there are no laws prohibiting the use of programs such as Carnivore. Privacy advocates accuse the FBI of taking advantage of outdated wiretap laws that were designed for telephone systems, not for the complexities of the Internet.
ISPs see this as a potential risk to their users' privacy. ISPs are reluctant to allow anyone to run unknown software on their network. Federal law places the burden of a consumers' privacy on the ISP, not on the government. It is up to the ISP to ensure that users' privacy is maintained. The ISPs argue that Carnivore makes this impossible since they can't access it.
EarthLink lost its challenge to the FBI. At 4.2 million subscribers, EarthLink is the number three ISP in the US (behind AOL and MSN). EarthLink was concerned that the FBI would have broad access to all of their users' email and Internet traffic. They lost their case when a federal magistrate ruled against them earlier this year. Subsequently, the Carnivore system caused network outages on EarthLink's system, forcing the FBI and EarthLink to settle on an alternate system of investigation on that network. On Friday, the FBI agreed not to use the Carnivore on EarthLink. In exchange, EarthLink agreed to install snooping software on their network and to provide the FBI with the information they request as part of a court order. EarthLink will be allowed to maintain the integrity of its network.
The House Judiciary Constitution Subcommittee is expected to hold hearings on Carnivore on July 24, 2000.