
FBI's Carnivore review is mixed

Performs as advertised - with exceptions


A technical review of the FBI's 'Carnivore' e-mail sniffer, conducted by the Fed-friendly IIT Research Institute and Illinois Institute of Technology Chicago-Kent College of Law (IITRI) under contract to the US Department of Justice (DoJ), finds that the gizmo generally does not pose a threat to civil liberties as feared by its detractors, so long as the Feds stick to their legal script.

"When Carnivore is used correctly under a Title III order, it provides investigators with no more information than is permitted by a given court order," the reviewers found.

However, when Carnivore "is used under pen [register] and trap [and trace] authorization, it collects TO and FROM information, and also indicates the length of messages and the length of individual fields within those messages, possibly exceeding court-permitted collection".

A pen register order authorises recording the phone numbers dialled from a particular phone; a trap and trace order authorises recording the phone numbers from which incoming calls originate. In neither case may the contents of a call be intercepted.

Thus Carnivore, doing essentially the same thing with packet traffic, leaves it up to individual operators to restrain themselves from recording data not authorised by the courts, a temptation which, many fear, a zealous investigator would be unable to resist.

"While operational procedures or practices appear sound, Carnivore does not provide [technical] protections, especially audit functions, commensurate with the level of the risks," the review notes.

In other words, there is not engineered into the thing a pen register or trap and trace 'mode' in which message content could be blocked, or any auditing mechanism for supervisors to discover if an agent has in fact snuck a peek at information which s/he is not entitled to view.

The privacy threat Carnivore poses will therefore remain infinitely variable, being commensurate with each operator's fastidiousness in following court orders. Those who tend to imagine law enforcement agents as basically conscientious will find little in the report with which to alarm themselves, while those who tend to imagine the Feds as basically ruthless and eager to cover up each other's procedural violations will find little in the way of reassurance.

Punch List

Aside from choosing the name Carnivore, one of the more self-destructive PR moves the FBI has made recently is the so-called 'punch list' of snoop capabilities it tried to secure for itself under the Communications Assistance to Law Enforcement Act (CALEA). In the Summer of 1999 a compliant US Federal Communications Commission (FCC) interpreted the CALEA pretty much as the FBI had asked, granting five of nine demands and issuing corresponding standards to the communications industry, though one of the five was later shot down in federal court.

The problem here is that the Bureau betrayed a broad, institutional interest in pushing the limits of legal surveillance. Couched in much burbling about the way 'emerging technologies' were thwarting their efforts to bust the bad guys was an obvious ambition to expand the Bureau's authority by means of back-channel regulatory manoeuvring.

It was on the heels of that little PR fiasco that Carnivore made its debut in the press, and few were in the mood to trust the FBI's protests of purely honourable intentions.

Keeping up appearances

Carnivore is not quite the harmless little pup the FBI has been trying to portray it as being; but its potential for misuse in indiscriminate, mass e-mail monitoring and opportunistic trawling as envisioned by conspiracy paranoiacs is more a function of imagination fuelled by the FBI's poor public relations than any agency-wide sinister designs, a senior US intelligence official told The Register.

"I wouldn't work up a sweat about the alleged capability of Carnivore to sweep up everything on the Net. The FBI would need vast amounts of storage capacity to hold anything beyond a day or so's collection from a major ISP," he noted.

Problems explaining, even understanding, Carnivore may be a product of the FBI's focus on law enforcement and consequent lack of expertise in sophisticated surveillance and intelligence gathering -- activities which are perhaps better left to the government's true specialists.

"I don't think anyone [in the intelligence community] is surprised that Carnivore got a mixed review from a friendly reviewer. No one I know thinks that the FBI was trying to avoid, sidestep, or work around existing privacy statutes or civil liberties - but nearly everyone I know thinks the FBI is far less sophisticated in approaching the entire topic of Internet-related law enforcement issues than the technically more sophisticated - and previously Church-Committee-burned - intelligence community," he explained.

'Church Committee' is a popular name for the Senate Select Committee on Intelligence, whose Chairman, the late US Senator Frank Church (Democrat, Idaho), shocked the nation while investigating illegal US intelligence activities during the Ford/Carter era. Church had himself been a member of the US military intelligence apparatus before commencing his political career.

The effect of Church's revelations has been both lingering and sobering on each subsequent administration. Some more than others, no doubt; but we've seen evidence of an almost paranoid zeal in the treatment of personal data gathered by the US National Security Agency (NSA), which was one of the agencies most severely burned by the Church Commission's investigations.

"Intelligence professionals, while understanding the need for law enforcement to be able to collect against Internet traffic just as it can collect against other things, appear to me to be horrified by the foolishness of picking 'Carnivore' for a name," the official observed. "Nothing about law enforcement remains unreported by the press for very long - so what were those guys thinking?"

One explanation is that in its eagerness to acquire something slick, sophisticated and 'next-generation' with which to smarten its image, the FBI bought a bill of goods which it didn't fully understand.

"To intelligence-community types, it sounds like someone sold the FBI on a 'neat collection methodology' and the FBI jumped on it without appreciating how an informed public would react to it or doing sufficiently in-depth preparation for its revelation in the press," the official said.

A very human explanation, and for that reason especially persuasive to us. Vanity and pride, after all, have always been among the trickiest pitfalls for individuals and organisations to avoid. ®
