Carnivore Highlights Need for Public-Source Review

SAN MATEO (08/21/2000) - The U.S. Federal Bureau of Investigation announced the existence of an Internet wiretapping system called Carnivore. According to the FBI, the purpose of the system is to listen in on the Internet traffic of a suspected criminal in an effort to collect evidence, similar to what a wiretap of a phone system would provide.

But can't Carnivore's listening capabilities be defeated by encryption? Well that depends, according to the FBI. Carnivore's snooping depends on how strong the encryption is that's being used on the e-mail. Of course the FBI is short on details of the exact key size that defeats Carnivore. Nonetheless, this sparks what the insult with Carnivore really is. Who in his or her right mind believes that hackers and cyberterrorists are not smart enough to use strong encryption? So if the criminals use strong encryption and eliminate Carnivore's effectiveness, then what is it for? Maybe that's why the FBI is so reluctant to give up the source code to public scrutiny.

A previous version of Carnivore, reportedly called Omnivore, gobbled up too much information for agents to effectively filter out the desired traffic, so they designed Carnivore. With Carnivore, the FBI is reportedly able to scan millions of e-mails every second. But why would they need to scan millions of e-mails? How many e-mails do criminals need to send?

Carnivore reportedly works by installing the system at the ISP of the suspected criminal. The system, reportedly PC based, is behind lock and key, with only FBI agents having local access. The system is plugged into a "sniffable" port on the ISP's hub or switch. Carnivore can then gobble up enormous amounts of data and filter the undesired user traffic, focusing on the suspected criminal's traffic.

The system reportedly has been used for tracking down hackers, terrorist groups, and drug traffickers, but the fact is that it could be used for anything. The problem with this type of technology is that the possibilities are nearly limitless -- espionage, information warfare, spying on the public -- choose your favorite. You name the devious purpose for this technology and it's likely to be available in Carnivore. The truth is we really know very little about Carnivore and will have a difficult time defending or crucifying it until its design is released to the public. But the FBI seems reluctant to make the source code available (surprise).

If we cannot have a public-source review of Carnivore, who can we trust to police the FBI? Themselves? The traditional means of obtaining a search warrant and allowing agents to listen in on phone calls is one thing, but the Internet houses a flood of data beyond e-mail. Who controls what Carnivore filters? Who confirms that the product is not being abused? Carnivore needs checks and balances.

According to the U.S. Constitution, there is no provision for maintaining a citizen's right to privacy. And in some cases, it's not even a privilege. In the recent Congressional subcommittee hearings, FBI and Department of Justice officials quoted a 1979 Supreme Court decision (Smith vs. Maryland, 442 U.S.

735 [1979]) citing that individuals have no right to privacy regarding telephone call records. This tells these agencies that without a warrant they can monitor whom you call and when. The same holds true, then, for Internet e-mail addresses. Monitoring to whom and when you send e-mail does not require a warrant; instead they consider only the contents of those messages private.

We like to think of privacy as an attainable goal rather than a privilege either bestowed or removed by the government. But the reality is that as long as privacy is considered a privilege rather than a right, the government will be able to give or take liberties with your privacy.

The only real hope for the general acceptance of Carnivore will be a completely open-source review by the public. The FBI reportedly plans on having an independent auditor review the source and vouch for its purpose; but until the public sees the code, there will always be skeptics (like us). Tell us what you think at security_watch@infoworld.com.

Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone (www.foundstone.com).

Join the newsletter!

Error: Please check your email address.

More about Department of JusticeFBIFederal Bureau of InvestigationFoundstoneProvision

Show Comments