[The Wall Street Journal Interactive Edition]
July 20, 2000
Politics & Policy
FBI Says Carnivore Tool
Won't Eat Up Privacy
By TED BRIDIS and NEIL KING JR.
Staff Reporters of THE WALL STREET JOURNAL
WASHINGTON -- Packed in a slim laptop computer, the Federal Bureau of
Investigation's Internet surveillance system, Carnivore, looks
downright docile. One of its creators calls it merely a "tool in a
tool box" for tracking hackers and terrorists. Its name, the FBI
admits, is unfortunate.
It is too late to change the name -- but not too late, the FBI
figures, to try to change the opinions of privacy advocates and
lawmakers who have spoken harshly of the high-tech sniffer. So the
agency has launched an intense, behind-the-scenes campaign to deflect
congressional skepticism and convince wary Internet companies that
Carnivore is a much pickier eater than its critics claim.
[Go] 1Issue Briefing: Net Privacy
* * *
[Go] 2ACLU Requests More Information on FBI System to Monitor E-Mail
(July 17)
Since news of Carnivore broke last week, FBI officials have swarmed
Capitol Hill to demonstrate the system to key members of Congress and
their staff. The officials also have shown it to two federal judges
and a small group of reporters for The Wall Street Journal. And
Tuesday, the FBI published a lengthy article about Carnivore on its
Web site, describing it as a "diagnostic tool" that employs new
technology "to lawfully obtain important information while providing
enhanced privacy protection."
The message: Carnivore is a surgical law-enforcement device used
rarely and only under strict court orders. And, contrary to fears
espoused publicly in recent days, the system doesn't gobble up all
passing e-mail in its search for the correspondence of a single
suspect. "This device is blind to everything but the packet [of
information] that it's set to retrieve," says Thomas Motta, an
assistant general counsel for the FBI. "It's like a cop who can't see
anything but a blue car on a highway."
In advance of a hastily called congressional hearing next week, FBI
officials also have been expressing regrets about the system's name.
Carnivore was the in-house moniker given to the successor of an
earlier surveillance system, which was called Omnivore. No one thought
the name would become public. When it did last week, Attorney General
Janet Reno called for a name change, and FBI Director Louis Freeh
started asking how the bureau could have had such a tin ear.
"Let's just say, we're going to put names through the giggle-test a
little differently in the future," says Donald Kerr, director of the
special Quantico, Va., lab that developed Carnivore.
The system's critics are likely to demand more than merely cosmetic
change. Lawmakers are eager to know how voracious Carnivore could get.
Can it vacuum up Internet communications from innocent users? How
frequently is it used, and under what legal basis? Is Carnivore hooked
permanently into the country's Internet service providers? How can we
trust that it does only what the FBI says?
Protecting Citizens
"We want to hear exactly how this system works and make sure it raises
no constitutional problems," says Rep. Charles Canady, the Florida
Republican who heads the House judiciary subcommittee that will
question FBI officials next week. Adds Rep. Asa Hutchinson, an
Arkansas Republican and member of the same panel: "We have to protect
citizens from inadvertent action as well as snooping by the
government."
carnivore
The system is designed to allow the FBI to conduct efficient wiretaps
of e-mail conversations and other online communications involving
suspected hackers, terrorists and other criminals. The fear among
critics is that Carnivore will scoop up transmissions made between
innocent civilians and lay them open to scrutiny.
Internet providers, such as Iconn.Net of New Haven, Conn., say
Carnivore is unnecessary because they already can do the monitoring
the FBI needs if ordered by a court. "We're able to do it faster, more
efficiently and, most importantly, without intruding on the privacy of
people not within the scope of the search," says Peter William Sachs,
president of Iconn.Net, who is scheduled to testify at next week's
hearing. EarthLink Inc., one of the nation's largest Internet service
providers, says it refused earlier this year to install Carnivore on
its network, claiming technical adjustments required to use the device
caused disruptions for its customers.
In its meetings with lawmakers and others, the FBI has described the
inner workings of the system in unusual detail. In one demonstration
this week, the agency was keen to show how the system could tailor its
search so it captures only the e-mails moving into and out of one
particular account. The FBI said Carnivore is smart enough to capture
a suspect's e-mails while leaving untouched messages sent by his or
her spouse or children.
'Packet Filters'
The system belongs to a class of tools known as "packet filters" or
"sniffers," which look for parcels of data that travel across a
network and comprise an e-mail or a visit to a Web site. Using a
Windows screen, Carnivore also can be set to capture file downloads
and chat-room conversations. It can grab e-mail from the most popular
Web-based companies, including Yahoo! Inc. and Microsoft Corp.'s
Hotmail. And once it is installed at an Internet service provider, the
FBI can dial into Carnivore to make changes and monitor data that have
been collected.
The FBI is adamant about dispelling fears that Carnivore could be used
for rampant tapping of public e-mail systems. For one, wiretapping
requests are closely scrutinized by the Justice Department, and must
be approved by a federal judge. Abuse by a rogue investigator is even
less likely, the bureau says, because the rogue would need too much
cooperation from other FBI techies and the Internet service provider,
says Marcus Thomas, a developer of the system at Quantico.
Depending on a judge's instructions, Carnivore can be set to merely
trace Internet communications to and from a suspect, called a "pen
register" or "trap and trace." Carnivore records the Internet
addresses of passing traffic but not, for example, the contents or
even the subject line of an e-mail. Since the amount of information
gathered is relatively small in these instances, even a week's worth
of monitoring can be stored on a single floppy disk, the agency says.
With judicial permission, the system also can conduct fuller
intercepts, which would gather the contents of the e-mails and other
data.
The FBI says Carnivore doesn't monitor the content of passing e-mails,
a capability widely rumored to exist in the controversial "Echelon"
surveillance network operated overseas by the National Security
Agency. Bureau officials said watching for key words in passing
e-mails was technically possible, but that it would slow Internet
traffic unacceptably for all customers. "If you attempt with a machine
like this to actually read everything that goes by, you very quickly
cannot deal with it." Mr. Thomas says.
The FBI now says it has used Carnivore in fewer than 25 investigations
over the past 18 months, most targeting suspected terrorists or
computer hackers. In each case, the system was connected to a
commercial Internet service provider, where it intercepted data or
e-mails in strict compliance with a court order, the FBI says.
Privacy advocates, who haven't been privy to the FBI demonstrations,
hunger for much more than explanations. The American Civil Liberties
Union wants the FBI to suspend Carnivore's use, arguing that Internet
providers can already conduct adequate electronic wiretaps. The ACLU
also has filed a request under the Freedom of Information Act for the
blueprints of how Carnivore works. Many in the industry want these
same plans -- called the "source code" -- to insure that the system
isn't open to abuse and won't disrupt business.
The FBI says making Carnivore's inner workings public would allow
hackers to defeat it. "Once you know how it works ... it could be
fairly trivial to evade it," Mr. Thomas says.
Legislation to quash Carnivore entirely is unlikely, but lawmakers
could move to tighten the requirements for its use or to impose rules
that would further protect the privacy of innocent Internet users.
Many argue that Carnivore points up the need for Congress to wrestle
with a larger dilemma: updating the nation's wiretap laws, hatched
long before the Internet existed.
Write to Ted Bridis at [log in to unmask] and Neil King Jr. at
[log in to unmask]
_________________________________________________________________
VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask] In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html
|