ACLU seeks Congress' help against FBI's ‘Carnivore’

Please de-fang this beast before it devours us

A slick new e-mail snooping system developed by the FBI and named 'Carnivore' has so concerned the American Civil Liberties Union (ACLU) that the organisation has petitioned the House Constitution Subcommittee to consider drafting legislation to bring it and similar schemes under control.

"The Carnivore system gives [to] law enforcement e-mail interception capabilities that were never contemplated when Congress passed the Electronic Communications Privacy Act (ECPA). Carnivore raises new legal issues that cry out for Congressional attention if we are to preserve Fourth Amendment rights in the digital age," the ACLU wrote in a letter to Subcommittee members Charles Canady (Republican, Florida) and Melvin Watt (Democrat, North Carolina).

Ideally, the Carnivore spy system would only be invoked by a court order, and could then only be used to monitor the communications of an individual named in it. However, because it is plugged into an ISP's network rather than a target's phone line, it has the capability of monitoring all traffic passing through the ISP, and is therefore ripe for abuse by overzealous or corrupt law enforcement officers.

Furthermore, the Feds are required by law to restrict interception of communications not relevant to the investigation when acting upon a wiretap order. "Carnivore is not a minimisation tool. Instead, Carnivore maximises law enforcement access to the communications of non-targets," the ACLU points out.

The FBI claims that the system is configured to trap only information relevant to a particular tap and trace order. Still, regardless of whether that's true, there remain significant privacy implications simply because of Carnivore's potential for misuse, and because of the precedent its use might set in future Fourth Amendment disputes. It could quite easily provide a legal slippery slope for further degeneration of individual rights to privacy when the Feds want access to data.

According to the ACLU, "it is not clear whether law enforcement agents use or should use [their] authority....to access a variety of data, including Internet Protocol addresses, dialup numbers and e-mail logs," as the Carnivore system clearly enables them to do. "We certainly do not believe that it is clear that law enforcement can install a super trap and trace device that access to such information for all of an ISP's subscribers."

However, because the ECPA doesn't specify precisely what can and can't be trapped over the Internet, a judge might be inclined to authorise using Carnivore, since the statute doesn't clearly prohibit it. Interpretations here are a matter of the 'spirit' of the law, which the FBI will undoubtedly say leans towards using any and all means to thwart evildoers, but which privacy advocates will undoubtedly say favours a minimalist approach which Carnivore can't accommodate.

Since a judicial approach is likely to find nothing illegal (if nothing particularly legal) about using a shotgun approach to electronic wiretaps like Carnivore, the ACLU has decided to tackle the problem from a legislative angle.

Thus, "the ACLU urges the [Constitution] Subcommittee to accelerate its consideration of the application of the Fourth Amendment in the digital age. Legislation should make it clear that law enforcement agents may not use devices that allow access to electronic communications involving only persons other than a specified target for which it has a proper order."

"Such legislation should make clear that a trap and trace order served on an ISP does not authorise access to the contents of any communication including the subject line of a communication -- and that the ISP bears the burden of protecting the privacy of communications to which FBI access has not been granted."

Now that last bit, while it makes sense by offering a bit more security than FBI self-monitoring might afford, is sure to raise the hackles of industry lobbyists, who routinely rant about any legislation which might involve their clients in anything vaguely resembling a responsibility, and its associated legal liabilities. ®
