FBI's Carnivore review is mixed

Performs as advertised - with exceptions


A technical review of the FBI's 'Carnivore' e-mail sniffer conducted by the Fed-friendly IIT Research Institute and Illinois Institute of Technology Chicago-Kent College of Law (IITRI) under contract to the US Department of Justice (DoJ) finds that the gizmo generally does not pose a threat to civil liberties as feared by its detractors, so long as the Feds stick to their legal script.

"When Carnivore is used correctly under a Title III order, it provides investigators with no more information than is permitted by a given court order," the reviewers found.

However, when Carnivore "is used under pen [register] and trap [and trace] authorization, it collects TO and FROM information, and also indicates the length of messages and the length of individual field within those messages, possibly exceeding court-permitted collection".

A pen register order authorises recording the phone numbers dialled from a particular phone; a trap and trace order authorises recording the phone numbers from which incoming calls originate. In neither case may the contents of a call be intercepted.

Thus Carnivore, doing essentially the same thing with packet traffic, leaves it up to individual operators to restrain themselves from recording data not authorised by the courts, a temptation which, many fear, a zealous investigator would be unable to resist.

"While operational procedures or practices appear sound, Carnivore does not provide [technical] protections, especially audit functions, commensurate with the level of the risks," the review notes.

In other words, the thing has no engineered pen register or trap and trace 'mode' in which message content could be blocked, nor any auditing mechanism by which supervisors could discover whether an agent has in fact snuck a peek at information which s/he is not entitled to view.
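To make concrete what the reviewers say is missing, here is an added illustration (written for this article, not code from Carnivore or from IITRI) of a collector with a distinct pen/trap mode that retains only addressing headers, records no message or field lengths, and writes an audit entry for every access. The sample message, the `collect` function and the order identifiers are all constructed for the example.

```python
import email
import hashlib
from email import policy

# Constructed sample message for illustration only; not a real intercept.
SAMPLE = b"""From: alice@example.org
To: bob@example.net
Subject: Lunch tomorrow?
Content-Type: text/plain

Meet at noon. This body is content and is off-limits under pen/trap.
"""

# Addressing fields a pen register / trap-and-trace order reaches.
ADDRESSING_HEADERS = ("From", "To")


def collect(raw: bytes, authority: str, order_id: str, audit: list) -> dict:
    """Return only what the stated authority permits and log the access.

    authority: "pen_trap" (addressing only) or "title3" (full content).
    audit:     list receiving one entry per call, for supervisory review.
    """
    if authority not in ("pen_trap", "title3"):
        raise ValueError(f"unknown authority: {authority}")
    msg = email.message_from_bytes(raw, policy=policy.default)
    if authority == "pen_trap":
        # Minimisation enforced in code, not by operator restraint:
        # addressing headers only. No subject, no body, and no message
        # or field lengths, which the review flags as possible over-collection.
        record = {h: str(msg[h]) for h in ADDRESSING_HEADERS if msg[h] is not None}
    else:
        # Title III order: full headers and content are within scope.
        record = {
            "headers": {k: str(v) for k, v in msg.items()},
            "body": msg.get_body().get_content(),
        }
    # The audit trail lets a supervisor verify what was retained without
    # re-exposing content: it stores a digest of the raw message, never the message.
    audit.append({
        "order": order_id,
        "authority": authority,
        "fields_retained": sorted(record.keys()),
        "raw_sha256": hashlib.sha256(raw).hexdigest(),
    })
    return record
```

The point is the asymmetry: the operator chooses the authority, but the code decides what survives, and the audit list is what a supervisor would check against the court order.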

The privacy threat Carnivore poses will therefore remain infinitely variable, being commensurate with each operator's fastidiousness in following court orders. Those who tend to imagine law enforcement agents as basically conscientious will find little in the report with which to alarm themselves, while those who tend to imagine the Feds as basically ruthless and eager to cover up each other's procedural violations will find little in the way of reassurance.

Punch List

Aside from choosing the name Carnivore, one of the more self-destructive PR moves the FBI has made recently is the so-called 'punch list' of snoop capabilities it tried to secure for itself under the Communications Assistance to Law Enforcement Act (CALEA). In the Summer of 1999 a compliant US Federal Communications Commission (FCC) interpreted the CALEA pretty much as the FBI had asked, granting five of nine demands and issuing corresponding standards to the communications industry, though one of the five was later shot down in federal court.

The problem here is that the Bureau betrayed a broad, institutional interest in pushing the limits of legal surveillance. Couched in much burbling about the way 'emerging technologies' were thwarting their efforts to bust the bad guys was an obvious ambition to expand the Bureau's authority by means of back-channel regulatory manoeuvring.

It was on the heels of that little PR fiasco that Carnivore made its debut in the press, and few were in the mood to trust the FBI's protests of purely honourable intentions.

Keeping up appearances

Carnivore is not quite the harmless little pup the FBI has been trying to portray it as being; but its potential for misuse in indiscriminate, mass e-mail monitoring and opportunistic trawling as envisioned by conspiracy paranoiacs is more a function of imagination fuelled by the FBI's poor public relations than any agency-wide sinister designs, a senior US intelligence official told The Register.

"I wouldn't work up a sweat about the alleged capability of Carnivore to sweep up everything on the Net. The FBI would need vast amounts of storage capacity to hold anything beyond a day or so's collection from a major ISP," he noted.

Problems explaining, even understanding, Carnivore may be a product of the FBI's focus on law enforcement and consequent lack of expertise in sophisticated surveillance and intelligence gathering -- activities which are perhaps better left to the government's true specialists.

"I don't think anyone [in the intelligence community] is surprised that Carnivore got a mixed review from a friendly reviewer. No one I know thinks that the FBI was trying to avoid, sidestep, or work around existing privacy statutes or civil liberties - but nearly everyone I know thinks the FBI is far less sophisticated in approaching the entire topic of Internet-related law enforcement issues than the technically more sophisticated - and previously Church-Committee-burned - intelligence community," he explained.

'Church Committee' is a popular name for the Senate Select Committee on Intelligence, whose Chairman, the late US Senator Frank Church (Democrat, Idaho), shocked the nation while investigating illegal US intelligence activities during the Ford/Carter era. Church had himself been a member of the US military intelligence apparatus before commencing his political career.

The effect of Church's revelations has been both lingering and sobering on each subsequent administration. Some more than others, no doubt; but we've seen evidence of an almost paranoid zeal in the treatment of personal data gathered by the US National Security Agency (NSA), which was one of the agencies most severely burned by the Church Commission's investigations.

"Intelligence professionals, while understanding the need for law enforcement to be able to collect against Internet traffic just as it can collect against other things, appear to me to be horrified by the foolishness of picking 'Carnivore' for a name," the official observed. "Nothing about law enforcement remains unreported by the press for very long - so what were those guys thinking?"

One explanation is that in its eagerness to acquire something slick, sophisticated and 'next-generation' with which to smarten its image, the FBI bought a bill of goods which it didn't fully understand.

"To intelligence-community types, it sounds like someone sold the FBI on a 'neat collection methodology' and the FBI jumped on it without appreciating how an informed public would react to it or doing sufficiently in-depth preparation for its revelation in the press," the official said.

A very human explanation, and for that reason especially persuasive to us. Vanity and pride, after all, have always been among the trickiest pitfalls for individuals and organisations to avoid. ®

Related Stories

Carnivore does more than previously thought
Network Ice posts do-it-yourself Carnivore kit
Judge yanks a few of Carnivore's teeth
