Carnivore redux

Mon Jan 31 13:42:00 EST 2005

<http://news.com.com/2102-1071_3-5555323.html?tag=st.util.print>

CNET News

 Carnivore redux

 By Declan McCullagh

Story last modified Mon Jan 31 04:00:00 PST 2005

 Robert Corn-Revere clearly remembers the day he became the first person to
tell the world about the FBI surveillance system once known as Carnivore.

 Corn-Revere, a partner at the Davis Wright Tremaine law firm, had been
fighting on EarthLink's behalf to keep a government surveillance device off
the company's network in late 1999. A short while later, though, a federal
magistrate judge sided with the FBI against the Atlanta-based Internet
provider.

 Worried about the privacy impact, Corn-Revere revealed the existence of
Carnivore in testimony before a House of Representatives subcommittee on
April 6, 2000. "They were using a technology called Etherpeek, which was
off the shelf," Corn-Revere told me last Friday. "When we challenged it,
they said, 'We're not using that. That would be wrong. We have our own
software developed. It's called Carnivore.'" (Etherpeek is a Windows
surveillance utility from WildPackets that can decode protocols used with
e-mail, Web browsing and instant messaging.)

 Now history is repeating itself. A flurry of press reports this month
noted that the FBI has ceased using Carnivore, which had been renamed
DCS1000. But not all of them mentioned that the government is hardly
calling a halt to Internet wiretaps--instead, it's simply buying its
surveillance tools from private companies again.
 The total number of "electronic" wiretaps has stayed between 4 percent and
8 percent of all reported wiretaps each year.

 A review of the government's self-reported wiretap statistics from 2000 to
2003, the most recent data available, shows that the total number of
"electronic" wiretaps has stayed between 4 percent and 8 percent of all
reported wiretaps each year. (In 2003, for instance, there were 1,442
reported non-terrorism wiretaps in total that intercepted 4.3 million
communications or conversations.)

 That figure, though, is an underestimate. First, it doesn't cover
terrorism-related wiretaps, which spiked after Sept. 11, 2001, and last
year surpassed the general category for the first time. Second, it doesn't
count illegal wiretaps, such as the hundreds unlawfully performed by the
Los Angeles Police Department starting in 1985.

 Third, those numbers don't include "pen register" and "trap and trace"
devices, which tend to be about five to six times as popular as traditional
wiretaps. Those awkward names, which hail from the days of analog phone
taps, refer to capturing only the addresses of Web sites visited and IDs of
e-mail and instant messaging correspondents rather than the complete
content of the communication.

 Translated: The concept of Carnivore isn't going away. If anything, police
surveillance of the Internet is increasing over time.

 The good ole days?
 Whatever its flaws, Carnivore offered one undeniable benefit: It had been
the subject of intense scrutiny.

 Former House Majority Leader Dick Armey, for instance, carefully monitored
how the Justice Department was using it. "I respectfully ask that you
consider the serious constitutional questions Carnivore has raised and
respond with how you intend to address them," Armey wrote to Attorney
General John Ashcroft in June 2001. "This is an issue of great importance
to the online public."

 At one point, political pressure had grown so great that Attorney General
Janet Reno reluctantly ordered an outside review of how Carnivore had been
used. The review concluded that Carnivore didn't snatch more from networks
than it should, but it had "no auditing" and "significant deficiencies in
protection for the integrity of the information it collects."
 Whatever its flaws, Carnivore offered one undeniable benefit: It had been
the subject of intense scrutiny.

 A group of well-known technologists, including Steven Bellovin of AT&T
Labs and Peter Neumann of SRI International, reviewed that report, prepared
by IIT Research Institute. Their own conclusions: "Serious technical
questions remain about the ability of Carnivore to satisfy its requirements
for security, safety and soundness."

 The public and the press also were more interested a few years ago. CNET
News.com published dozens of articles. A Nexis search turned up 1,334
matches for FBI and Carnivore or DCS1000 between July 2000 and July 2001.
But the same search for between July 2003 and July 2004 reported only 45
articles.

 Unfortunately, the public knows virtually nothing about how the FBI is
conducting Internet eavesdropping today. We don't know the name of its
interception technology. We don't know if it vacuums up far more
conversations than it should when attached to a network. We don't know if
it creates a security risk by permitting secure portions of an Internet
provider's network to be accessed from afar. We don't know if it has
benefited from any of the outside technical review that Carnivore did.

 "The need for oversight these days is much greater than when the FBI
picked particularly bad names for its surveillance projects," said Marc
Rotenberg, director of the Electronic Privacy Information Center. "There's
a lot of money slushing around the federal government's dark budgets."

 He's right. Congress should demand more public accountability from the
Bush administration. Otherwise, we might end up fondly reminiscing about
the good ole days of Carnivore.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com