ACLU calls for limits on FBI's Carnivore system

The American Civil Liberties Union (ACLU) is calling on Congress to update federal privacy laws to ban what it says is the potential large-scale scanning and analysis of e-mail messages by the FBI's Carnivore e-mail interception program.

The move is one of a series of controversies around e-mail monitoring that has surfaced in recent days. Last week, for example, Merck & Co. acknowledged it had disciplined a number of employees for what it termed inappropriate e-mail and Internet usage.

The FBI says Carnivore is needed to sift through huge amounts of electronic data and is capable of targeting the traffic of just one suspect under investigation. But critics say the potential for abuse is high because the system is attached to an Internet service provider's network and can analyze all data traffic as it passes through the service.

At her weekly press conference in Washington yesterday, U.S. Attorney General Janet Reno said she is examining the Carnivore system to make sure it meets constitutional privacy requirements. But advances in technology have called into question the adequacy of federal wiretap laws in protecting the rights of Internet users as provided in the Fourth Amendment of the U.S. Constitution.

"I don't see a technical way for law enforcement to control the software and convince the ISP or the ISP's users that they in fact are only getting the information that they say they are getting," said Susan Landau, a senior staff engineer at Sun Microsystems Inc. and co-author of Privacy on the Line: The Politics of Wiretapping and Encryption. "There is no way of monitoring that kind of network traffic via law enforcement without putting people's privacy at risk."

FBI supervisory special agent Steven Berry insists that Carnivore limits the messages viewable to individuals named in a court order. According to the FBI, Carnivore has been used in fewer than 100 criminal cases since its inception 18 months ago. "It is a very surgical tool and offers extreme precision on those communications that are subject to interception," said Berry. "The tool is necessary to meet the stringent requirements of federal wiretapping statutes."

Carnivore can be used by FBI investigators when they obtain a court order permitting them to intercept the contents of the electronic communications of a specific suspect. The FBI can also request a trap-and-trace or a pen register order, which allows it to collect the "numbers" related to communications to and from the suspect. Such orders typically refer to getting telephone number information.

But unlike the telephone system, which offers just phone numbers, the Internet is a packet-switched network where data packets are interspersed. This type of surveillance on the Internet can produce e-mail addresses, e-mail header information, IP addresses, dial-up numbers and e-mail logs. The system could be used, for instance, to collect the IP addresses of all Web users who access a particular Web page.

"What the Carnivore project has to do is look at all the packets, and there is no way it can do what it claims to do, which is only save packets for which it has a court order," said Landau. She said the FBI is trying to apply an old law to new technology that carries more information and that has a greater impact on users. "What we are relying on is the FBI not saving the information even if it sees it, but given the way the Internet is constructed, it is impossible not to see the information."

The existence of Carnivore was first revealed in April 6 testimony before the House Constitution Subcommittee by attorney Robert Corn-Revere, who represented an Internet service provider that resisted a trap-and-trace order. The provider offered to collect the information itself, but a magistrate overruled its objection.

The ACLU says Internet service providers should bear the burden of protecting the privacy of their users and that they are in a better position to prevent electronic dragnets that could violate the privacy of innocent citizens. The ACLU sent a letter Tuesday to U.S. Rep. Charles T. Canady (R-Fla.), chairman of the Constitution Subcommittee of the House Judiciary Committee, urging the panel to prohibit systems such as Carnivore, which the ACLU insists was never contemplated by Congress when it passed the Electronic Communications Privacy Act of 1986.

"There isn't any clear law that authorizes trap-and-trace devices to the Internet, and even when they have an order to get the content of the information, there is certainly no law that allows them to attach devices to an ISP's network to filter all communications," said Barry Steinhardt, the ACLU's associate director.

FBI insists there is enough oversight

FBI agent Berry said there are significant criminal and civil penalties for misuse of the Carnivore system by the FBI, including the exclusion of any evidence found improperly. He says such monitoring is also subject to intense oversight by internal FBI controls, the U.S. Department of Justice and the court issuing the wiretap order.

But Steinhardt countered that there is no independent court or even the Internet service provider looking over the FBI's shoulder. "We are really in a position of trusting them, and I don't trust them," said Steinhardt. "There is a recent history of the FBI overstepping their constitutional boundaries."

Landau added that trap-and-trace orders don't require a full court order and can be obtained with only a subpoena. "With a court order, there is a higher degree of proof that there is a need for the information as opposed to a subpoena that is rubberstamped by the court," she said.

Berry insisted that the potential for violations is overblown. "The system is less susceptible to abuse than the older systems because it requires expertise to install and operate, and those operations are conducted in close cooperation with the ISPs," added Berry.

Pete Kennedy, an Austin, Texas-based attorney who has represented the Texas ISP Association in Bastrop, Texas, said Internet service providers are caught between pressures to protect their customers' privacy and the needs of law enforcement. He said a provider complying with an FBI court order would be in a good position to fight a lawsuit by customers who felt their privacy was violated. On the other hand, the ISP could lose the trust of its subscribers.

"They offer value-added service, which includes more personal attention and trust than the phone company, but it puts them in a difficult situation if their customers cannot be confident that the FBI is not exceeding the scope of a legitimate investigation," said Kennedy.

Gene Crick, executive director of the Texas ISP Association, said he is just as concerned about hasty legislation to remedy the problem as he is about sweeping enforcement. "There is really a need to have clear guidelines that are understood and agreed by all," said Crick. But he noted that when 109 members of his organization sat down with the FBI in Dallas last week to discuss a range of issues, Carnivore wasn't mentioned. "We are wary of anything that could lead to potential abuse of customers' rights and their security," said Crick. "We have to look at the dark side of enforcement as well as potential abuse by customers."


Copyright © 2000 IDG Communications, Inc.
