Feeds

ACLU seeks Congress' help against FBI's ‘Carnivore’

Please de-fang this beast before it devours us

  • alert
  • submit to reddit

Top three mobile application threats

A slick new e-mail snooping system developed by the FBI and named 'Carnivore' has so concerned the American Civil Liberties Union (ACLU) that the organisation has petitioned the House Constitution Subcommittee to consider drafting legislation to bring it and similar schemes under control.

"The Carnivore system gives [to] law enforcement e-mail interception capabilities that were never contemplated when Congress passed the Electronic Communications Privacy Act (ECPA). Carnivore raises new legal issues that cry out for Congressional attention if we are to preserve Fourth Amendment rights in the digital age," the ACLU wrote in a letter to Subcommittee members Charles Canady (Republican, Florida) and Melvin Watt (Democrat, North Carolina).

Ideally, the Carnivore spy system would only be invoked by a court order, and could then only be used to monitor the communications of an individual named in it. However, because it is plugged into an ISP's network rather than a target's phone line, it has the capability of monitoring all traffic passing through the ISP, and is therefore ripe for abuse by overzealous or corrupt law enforcement officers.

Furthermore, the Feds are required by law to restrict interception of communications not relevant to the investigation when acting upon a wiretap order. "Carnivore is not a minimisation tool. Instead, Carnivore maximises law enforcement access to the communications of non-targets," the ACLU points out.

The FBI claims that the system is configured to trap only information relevant to a particular tap and trace order. Still, regardless whether that's true, there remain significant privacy implications simply because of Carnivore's potential for misuse, and because of the precedent its use might set in future Fourth Amendment disputes. It could quite easily provide a legal slippery slope for further degeneration of individual rights to privacy when the Feds want access to data.

According to the ACLU, "it is not clear whether law enforcement agents use or should use [their] authority....to access a variety of data, including Internet Protocol addresses, dialup numbers and e-mail logs," as the Carnivore system clearly enables them to do. "We certainly do not believe that it is clear that law enforcement can install a super trap and trace device that access to such information for all of an ISP's subscribers."

However, because the ECPA doesn't specify precisely what can and can't be trapped over the Internet, a judge might be inclined to authorise using Carnivore, since the statute doesn't clearly prohibit it. Interpretations here are a matter of the 'spirit' of the law, which the FBI will undoubtedly say leans towards using any and all means to thwart evildoers, but which privacy advocates will undoubtedly say favours a minimalist approach which Carnivore can't accommodate.

Since a judicial approach is likely to find nothing illegal (if nothing particularly legal) about using a shotgun approach to electronic wiretaps like Carnivore, the ACLU has decided to tackle the problem from a legislative angle.

Thus, "the ACLU urges the [Constitution] Subcommittee to accelerate its consideration of the application of the Fourth Amendment in the digital age. Legislation should make it clear that law enforcement agents may not use devices that allow access to electronic communications involving only persons other than a specified target for which it has a proper order."

"Such legislation should make clear that a trap and trace order served on an ISP does not authorise access to the contents of any communication including the subject line of a communication -- and that the ISP bears the burden of protecting the privacy of communications to which FBI access has not been granted."

Now that last bit, while it makes sense by offering a bit more security than FBI self-monitoring might afford, is sure to raise the hackles of industry lobbyists, who routinely rant about any legislation which might involve their clients in anything vaguely resembling a responsibility, and its associated legal liabilities. ®

Top three mobile application threats

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
Sorry London, Europe's top tech city is Munich
New 'Atlas of ICT Activity' finds innovation isn't happening at Silicon Roundabout
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.