FBI's Carnivore review is mixed
Performs as advertised - with exceptions
A technical review of the FBI's 'Carnivore' e-mail sniffer conducted by the Fed-friendly IIT Research Institute and Illinois Institute of Technology Chicago-Kent College of Law (IITRI) under contract to the US Department of Justice (DoJ), finds that the gizmo generally does not pose a threat to civil liberties as feared by its detractors, so long as the Feds to stick to their legal script.
"When Carnivore is used correctly under a Title III order, it provides investigators with no more information than is permitted by a given court order," the reviewers found.
However, when Carnivore "is used under pen [register] and trap [and trace] authorization, it collects TO and FROM information, and also indicates the length of messages and the length of individual field within those messages, possibly exceeding court-permitted collection".
A pen register order authorises recording the phone numbers dialled from a particular phone; a trap and trace order authorises recording the phone numbers from which incoming calls originate. In neither case may the contents of a call be intercepted.
Thus Carnivore, doing essentially the same thing with packet traffic, leaves it up to individual operators to restrain themselves from recording data not authorised by the courts, a temptation which, many fear, a zealous investigator would be unable to resist.
"While operational procedures or practices appear sound, Carnivore does not provide [technical] protections, especially audit functions, commensurate with the level of the risks," the review notes.
In other words, there is not engineered into the thing a pen register or trap and trace 'mode' in which message content could be blocked, or any auditing mechanism for supervisors to discover if an agent has in fact snuck a peek at information which s/he is not entitled to view.
The privacy threat Carnivore poses will therefore remain infinitely variable, being commensurate with each operator's fastidiousness in following court orders. Those who tend to imagine law enforcement agents as basically conscientious will find little in the report with which to alarm themselves, while those who tend to imagine the Feds as basically ruthless and eager to cover up each other's procedural violations will find little in the way of reassurance.
Aside from choosing the name Carnivore, one of the more self-destructive PR moves the FBI has made recently is the so-called 'punch list' of snoop capabilities it tried to secure for itself under the Communications Assistance to Law Enforcement Act (CALEA). In the Summer of 1999 a compliant US Federal Communications Commission (FCC) interpreted the CALEA pretty much as the FBI had asked, granting five of nine demands and issuing corresponding standards to the communications industry, though one of the five was later shot down in federal court.
The problem here is that the Bureau betrayed a broad, institutional interest in pushing the limits of legal surveillance. Couched in much burbling about the way 'emerging technologies' were thwarting their efforts to bust the bad guys was an obvious ambition to expand the Bureau's authority by means of back-channel regulatory manoeuvring.
It was on the heels of that little PR fiasco that Carnivore made its debut in the press, and few were in the mood to trust the FBI's protests of purely honourable intentions.
Keeping up appearances
Carnivore is not quite the harmless little pup the FBI has been trying to portray it as being; but its potential for misuse in indiscriminate, mass e-mail monitoring and opportunistic trawling as envisioned by conspiracy paranoiacs is more a function of imagination fuelled by the FBI's poor public relations than any agency-wide sinister designs, a senior US intelligence official told The Register.
"I wouldn't work up a sweat about the alleged capability of Carnivore to sweep up everything on the Net. The FBI would need vast amounts of storage capacity to hold anything beyond a day or so's collection from a major ISP," he noted.
Problems explaining, even understanding, Carnivore may be a product of the FBI's focus on law enforcement and consequent lack of expertise in sophisticated surveillance and intelligence gathering -- activities which are perhaps better left to the government's true specialists.
"I don't think anyone [in the intelligence community] is surprised that Carnivore got a mixed review from a friendly reviewer. No one I know thinks that the FBI was trying to avoid, sidestep, or work around existing privacy statutes or civil liberties - but nearly everyone I know thinks the FBI is far less sophisticated in approaching the entire topic of Internet-related law enforcement issues than the technically more sophisticated - and previously Church-Committee-burned - intelligence community," he explained.
'Church Committee' is a popular name for the Senate Select Committee on Intelligence, whose Chairman, the late US Senator Frank Church (Democrat, Idaho), shocked the nation while investigating illegal US intelligence activities during the Ford/Carter era. Church had himself been a member of the US military intelligence apparatus before commencing his political career.
The effect of Church's revelations has been both lingering and sobering on each subsequent administration. Some more than others, no doubt; but we've seen evidence of an almost paranoid zeal in the treatment of personal data gathered by the US National Security Agency (NSA), which was one of the agencies most severely burned by the Church Commission's investigations.
"Intelligence professionals, while understanding the need for law enforcement to be able to collect against Internet traffic just as it can collect against other things, appear to me to be horrified by the foolishness of picking 'Carnivore' for a name," the official observed. "Nothing about law enforcement remains unreported by the press for very long - so what were those guys thinking?"
One explanation is that in its eagerness to acquire something slick, sophisticated and 'next-generation' with which to smarten its image, the FBI bought a bill of goods which it didn't fully understand.
"To intelligence-community types, it sounds like someone sold the FBI on a 'neat collection methodology' and the FBI jumped on it without appreciating how an informed public would react to it or doing sufficiently in-depth preparation for its revelation in the press," the official said.
A very human explanation, and for that reason especially persuasive to us. Vanity and pride, after all, have always been among the trickiest pitfalls for individuals and organisations to avoid. ®
Sponsored: Global DDoS threat landscape report