ACLU seeks Congress' help against FBI's ‘Carnivore’

Please de-fang this beast before it devours us

A slick new e-mail snooping system developed by the FBI and named 'Carnivore' has so concerned the American Civil Liberties Union (ACLU) that the organisation has petitioned the House Constitution Subcommittee to consider drafting legislation to bring it and similar schemes under control.

"The Carnivore system gives [to] law enforcement e-mail interception capabilities that were never contemplated when Congress passed the Electronic Communications Privacy Act (ECPA). Carnivore raises new legal issues that cry out for Congressional attention if we are to preserve Fourth Amendment rights in the digital age," the ACLU wrote in a letter to Subcommittee members Charles Canady (Republican, Florida) and Melvin Watt (Democrat, North Carolina).

Ideally, the Carnivore spy system would only be invoked by a court order, and could then only be used to monitor the communications of an individual named in it. However, because it is plugged into an ISP's network rather than a target's phone line, it has the capability of monitoring all traffic passing through the ISP, and is therefore ripe for abuse by overzealous or corrupt law enforcement officers.

Furthermore, the Feds are required by law to restrict interception of communications not relevant to the investigation when acting upon a wiretap order. "Carnivore is not a minimisation tool. Instead, Carnivore maximises law enforcement access to the communications of non-targets," the ACLU points out.

The FBI claims that the system is configured to trap only information relevant to a particular tap and trace order. Still, regardless whether that's true, there remain significant privacy implications simply because of Carnivore's potential for misuse, and because of the precedent its use might set in future Fourth Amendment disputes. It could quite easily provide a legal slippery slope for further degeneration of individual rights to privacy when the Feds want access to data.

According to the ACLU, "it is not clear whether law enforcement agents use or should use [their] authority....to access a variety of data, including Internet Protocol addresses, dialup numbers and e-mail logs," as the Carnivore system clearly enables them to do. "We certainly do not believe that it is clear that law enforcement can install a super trap and trace device that access to such information for all of an ISP's subscribers."

However, because the ECPA doesn't specify precisely what can and can't be trapped over the Internet, a judge might be inclined to authorise using Carnivore, since the statute doesn't clearly prohibit it. Interpretations here are a matter of the 'spirit' of the law, which the FBI will undoubtedly say leans towards using any and all means to thwart evildoers, but which privacy advocates will undoubtedly say favours a minimalist approach which Carnivore can't accommodate.

Since a judicial approach is likely to find nothing illegal (if nothing particularly legal) about using a shotgun approach to electronic wiretaps like Carnivore, the ACLU has decided to tackle the problem from a legislative angle.

Thus, "the ACLU urges the [Constitution] Subcommittee to accelerate its consideration of the application of the Fourth Amendment in the digital age. Legislation should make it clear that law enforcement agents may not use devices that allow access to electronic communications involving only persons other than a specified target for which it has a proper order."

"Such legislation should make clear that a trap and trace order served on an ISP does not authorise access to the contents of any communication including the subject line of a communication -- and that the ISP bears the burden of protecting the privacy of communications to which FBI access has not been granted."

Now that last bit, while it makes sense by offering a bit more security than FBI self-monitoring might afford, is sure to raise the hackles of industry lobbyists, who routinely rant about any legislation which might involve their clients in anything vaguely resembling a responsibility, and its associated legal liabilities. ®

Sponsored: Network DDoS protection