Privacy advocates said they remain leery about the FBI's Carnivore e-mail surveillance system following last night's release of a draft report on the technology by an independent review team, despite the report's conclusions that the controversial software essentially does what it was designed to do -- track specific digital communications with the permission of a court order.
But others, including the FBI, said the report prepared by the Chicago-based IIT Research Institute (IITRI) shows that Carnivore just needs to be fine-tuned and then closely monitored itself in order to prevent the system from being improperly used by law-enforcement officials.
"I believe, at least at a basic level, that this established that Carnivore doesn't bite off more than it can chew," said Kenneth Segarnick, assistant general counsel at messaging services vendor United Messaging Inc. in West Chester, Pa. "Now we need to put a leash on it and make sure that it's only unleashed under a certain set of circumstances. Carnivore still can do quite a bit. They call it Carnivore for a reason."
For example, Segarnick -- who has testified before Congress on workplace e-mail security measures -- suggested that regulations be put in place "so that the FBI does not have the automatic right to trap the 'to' and 'from' lines on e-mails" while using Carnivore to investigate suspected criminal activities. And he said legislation also needs to be enacted to make sure the software doesn't collect data on people who aren't being investigated.
Carnivore is a software program that monitors packets of data passing through an Internet service provider's network. Officials at the FBI and the DOJ have said the surveillance system can only be legally deployed to monitor allegedly criminal activity under a court order, similar to the regulations that govern the use of telephone wiretaps.
The report by IITRI, which was edited by officials at the U.S. Department of Justice before being released, said Carnivore isn't powerful enough to monitor "almost everyone with an e-mail account" at an ISP or to follow individual Internet users as they surf the Web. But the report added that the software "can record any traffic it monitors" if it has been incorrectly configured by investigators.
Privacy advocates seized on that point as a confirmation that Carnivore could be used to collect broad swaths of data on individuals. The Electronic Privacy Information Center (EPIC), a Washington-based privacy group that's seeking the release of all the FBI's Carnivore-related documents through a Freedom of Information Act request, yesterday issued a statement charging that the IITRI report "raises more questions than it answers."
"If it's that easy for the FBI to accidentally collect too much data, imagine how simple it would be for agents to do so intentionally," said David Sobel, EPIC's general counsel. "This supports our belief that Carnivore raises extremely serious privacy concerns."
But FBI spokesman Paul Bresson said those kinds of concerns are overstated. "We never denied that it had the capability to capture more [data than an investigation requires]," he said. "What we maintained was that it had the filtering devices to capture only the data pertaining to the court order."
Bresson added that the FBI is now looking at improving the Carnivore software so it would only target the subject of an investigation without collecting information about other people whose e-mail messages are transmitted across an ISP's network as part of the same packet of data.
But Jennifer Granick, an attorney and privacy advocate in San Francisco, said the FBI should have done that from the start. "If the device intends to adhere to the law, then design it that way," she said.
Granick acknowledged that the likelihood of unintentional privacy violations is limited, but she said Carnivore gives individual employees within the FBI the ability to monitor anyone they want to track. That kind of rogue usage is the real threat, Granick said.