Carnivore diagnostic software

By Candy MacMillen
Network World Technology Executive Newsletter, 04/02/01

Carnivore has been in the news lately, and it's privacy rights activists, not animal rights activists, who are concerned about this beast.

Carnivore - whose name is changing to the less controversial DCS1000, so it sounds less like a predatory device - is diagnostic software designed and developed by the FBI for the purpose of fighting crimes executed through cyberspace. Americans anxious about their right to privacy have raised concerns about the use of this tool. Should you, too, be concerned?

The short answer is " no. " Not if you are a law-abiding citizen, that is. But there are legitimate concerns about the technology and the accountability of law enforcement agents that you should be aware of.

The FBI developed Carnivore to combat acts of terrorism, espionage, information warfare, hacking and other serious crimes occurring over the Internet. Carnivore works by tapping data flowing between an ISP and a specific client - the suspect. The software then sends the filtered information from an e-mail or a visit to a Web site to the Carnivore system to be analyzed by FBI investigators. The agents are looking for digital evidence of a crime in the planning or execution phase. In essence, Carnivore provides a sophisticated, computerized wiretap, similar to telephone taps that have been used for decades.

What's so controversial about this process is the fact that the Carnivore system has the ability to capture, store, analyze and archive all of the incoming information that an ISP receives. Law-abiding citizens would have a legitimate reason for concern about privacy rights, if the FBI weren't restricted by law on what information the agency can rightfully collect.

The Department of Justice would like to allay criticisms that the program is a wholesale risk to privacy. With the enactment of the Electronic Communications Privacy Act of 1986, Congress created statutory legal protection for all types of wire and electronic communications' content, including those computer- and Internet-based. Under Title III, " applications for electronic surveillance must demonstrate probable cause and state with particularity and specificity: the offenses being committed, the communications facility regarding which the subject's communications are to be intercepted, a description of the types of conversations to be intercepted, and the identities of the persons committing the offenses. "

" This system is very tailored precisely to the court order. We neither capture nor read streams of information from anybody other than the subject, " stated Larry Parkinson, general counsel for the FBI, in an online interview with the Public Broadcasting Service's Ray Suarez.

The FBI has used the Carnivore system just two dozen times in the past 2 years. In every case and at all times, the system has been used pursuant to a judicially-granted court order or lawful consent. To dissuade any unlawful use, the penalties for violating the electronic surveillance laws are severe.

So, why should the average honest citizen and even some lawmakers raise objections that Carnivore infringes on the privacy of innocent people and businesses not under investigation? Results of a government-sponsored technical review of Carnivore, performed by the Illinois Institute of Technology Research Institute (IITRI), give us an indication. The review found that FBI agents operating the Carnivore system can inadvertently collect more private communications than permitted by law, underscoring the potential dangers of the invasive technology. That lack of accountability means that FBI agents could pry into the communications of suspected criminals, public figures and the average citizen with equal ease and without a court order - and all without leaving any evidence that they had done so.

Another problem pointed out in the IITRI analysis is the possibility that one or more buffer overflows exist in the code. A buffer overflow refers to a situation where data put into the system - in this case the Carnivore software loaded onto an ISP's server - exceeds, or overflows, the available space. Occasionally, such incidents can allow attackers to run malicious code or take over a system. Such a configuration turns any security hole into a critical flaw, since an unauthorized user on the machine has complete power.

Most Internet-enabled crime is conventional crime (fraud, extortion, drug dealing, identity theft, money laundering, sexual exploitation of minors), in which cybertechnology happens to be used. But law enforcement considerations could adversely affect (and greatly burden) Internet businesses and freedom of expression. It could also inhibit the development of the Internet and e-commerce. Surveillance of Web site visits undermines confidence in the Internet as a means of communication.

ISPs are not very happy with this arrangement either. Under present law, ISPs are civilly liable if they reveal subscriber information or e-mail to the government without first requiring a warrant, court order or subpoena. And, they may be liable if the government obtains information through the use of improper subpoenas. ISPs have little control over the Carnivore box, and few ways of protecting the privacy of all the customers who aren't drug lords or cyberterrorists.

The public debate about the use of technology such as Carnivore in the U.S. is likely to continue as the very need for it increases. The world grows more dependent on computer-enabled communications and commerce each day, and the opportunities for cyber-crime become more prevalent.

Candy MacMillen is a business consultant with Currid & Company.