Carnivore needs to be caged

Editor's note: The following is a copy of a statement that Associate Director of the American Civil Liberties Union Barry Steinhardt made before the House Judiciary Committee's Subcommittee on the Constitution on July 24. Steinhardt has expanded on his original remarks slightly for the benefit of Computerworld readers.

The FBI made a major public relations blunder when it dubbed its new Internet surveillance system "Carnivore." But it did the American public a favor by so aptly describing this new black box and focusing our attention on the technological innovations that give law enforcement sweeping new surveillance capabilities.

Before turning to Carnivore itself, let me try to put the current controversy in some historical context. Wiretapping is a growing practice in this country and is already at record levels. In 1995 and 1996, for the first time in history, the federal government placed more wiretaps than all of the states combined.

Last year, the Clinton administration conducted more wiretaps in one year than ever in history, and the number of "roving wiretaps" (wiretaps of any phone a target might use, without specifying a particular phone) nearly doubled.

Perhaps most ominously, more and more innocent conversations are being intercepted. According to the government's own records, when Title III first went into effect 30 years ago, approximately 50% of all of the conversations intercepted contained what law enforcement regarded as "incriminating" information. In the mid to late 1990s, the percentage of "incriminating conversations" plummeted to less than 20%. In other words, more than 80% of all intercepted communications are, by the government's own standards, innocent. Last year, approximately 2 million innocent conversations were intercepted in law enforcement electronic surveillance.

Both trends - more and more intercepts and more and more innocent conversations being intercepted - are likely to accelerate because of the advent of digital communications. The interception of old-fashioned analog telephone conversations is very labor-intensive and consequently costly. A law enforcement agent must actually listen to all or part of the conversation. Digital communications, especially those that are textual such as e-mail, offer law enforcement the opportunity to intercept and process much greater volumes of communications. Much of the initial evaluation and processing of the communication can be done by computers - machines - that are relatively cheap and easy to operate.

The consequence is that law enforcement will be sorely tempted to intercept an ever increasing number of communications, and with increased numbers and less precision in the targeting, the percentage of innocent communications likely to be intercepted will grow.

Carnivore is a dramatic example of that phenomenon.

The Carnivore system -- essentially a computer running specialized software -- is attached directly to an Internet service provider's (ISP) network. Carnivore is attached either when law enforcement has a Title III order from a court permitting it to intercept in real time the contents of the electronic communications of a specific individual, or a trap and trace or pen register order allowing it to obtain the "numbers" related to communications from or to a specified target.

But unlike the operation of a traditional pen register, trap and trace device, or wiretap of a conventional phone line, Carnivore gives the FBI access to all traffic over the ISP's network, not just the communications to or from a particular target. Carnivore, which is capable of analyzing millions of messages per second, purportedly retains only the messages of the specified target, although this process takes place without scrutiny of either the ISP or a court.

Carnivore permits access to the e-mail of every customer of an ISP and the e-mail of every person who communicates with them. Carnivore is roughly equivalent to a wiretap capable of accessing the contents of the conversations of all of the phone company's customers, with the "assurance" that the FBI will record only conversations of the specified target. This "trust us, we are the government" approach is the antithesis of the procedures required under our wiretapping laws. Those laws authorize limited electronic surveillance of the communications of specified persons, usually conducted by means of specified communications devices. These laws reflect Fourth Amendment values of limited searches aimed at particular targets when there is good cause to suspect them of criminal activity.

They place on the provider of the communications medium the responsibility to separate the communications of persons authorized to be intercepted from other communications. Law enforcement is required to "minimize" its interception of nonincriminating communications of a target of a wiretap order. Carnivore is not a minimization tool. Instead, Carnivore maximizes law enforcement access to the communications of nontargets.

In essence, Carnivore is a black box into which flows all of the service provider's communications traffic. The service provider knows what goes in, but it has no way of knowing what the FBI takes out.

For that reason, the ACLU has filed a Freedom of Information Act request with the FBI that asks for all documents describing Carnivore's operation, including the source code for its software. We believe that the only way to understand Carnivore's capabilities is to subject the computer code to examination by experts genuinely independent of the FBI. A carefully controlled and rehearsed demonstration by the FBI is not likely to reveal Carnivore's full capabilities and potential uses.

In recent testimony to the House Judiciary Subcommittee on the Constitution, attorney Robert Corn-Revere described the experience of his client, an ISP later identified as EarthLink that was required to install Carnivore when presented with a trap and trace order. The particular case he described involved a trap and trace order. He detailed his client's concerns that a trap and trace order in the context of the Internet revealed information that Congress did not contemplate when it authorized their limited use.

In the traditional telephone context, those orders reveal nothing more than the numbers dialed to or from a single telephone line. In the Internet context, these orders, and certainly Carnivore, likely involve ascertaining the suspect's e-mail address, as well as header information that may provide information regarding the content of the communication. Corn-Revere described his client's frustration at not knowing what information law enforcement was collecting and whether it was actually limited to that allowed by a trap and trace order.

He also described his client's willingness and ability to cooperate with law enforcement and law enforcement's rejection of an offer to provide it with the communications traffic authorized by the order without having to use Carnivore.

From his testimony and the public comments of other providers, it is clear that the ISP community is willing and able to cooperate with law enforcement and to provide it with the targeted communications information to which it is entitled under a court order. ISPs can give the FBI what it is entitled to without resorting to the use of Carnivore. ISPs fear both for their subscribers' privacy and the security of their networks. Introducing a device like Carnivore into an ISP's network creates both a potential security hole and the possibility of the sort of service degradation and interruption that EarthLink clients experienced.

The FBI insists it will record only the communications to which it is entitled. The FBI asks us to take an enormous leap of faith that it will stay strictly within the confines of the law. It asks to be trusted with carte blanche, unsupervised access to the entire stream of communications over an ISP's network, which can amount to literally millions of innocent communications.

Even if we assume that the FBI, which over the years has engaged in illegal spying on Americans, will not defy a congressional enactment or the terms of a court order, recent history tells us that the FBI cannot be expected to keep its promises on communications surveillance issues. Recent history tells us that we can fully expect the FBI to push the envelope of the law and to eventually break out.

In 1994, Congress passed the Communications Assistance to Law Enforcement Act (CALEA). CALEA was a hotly debated law. It required that the new generation of digital telephone networks be built to be surveillance-ready. At the time, law enforcement and the FBI, in particular, argued that it was necessary to preserve their existing capacity to engage in electronic communication surveillance and assured Congress that they were seeking only to preserve the status quo and were not seeking any additional power or capacity.

It is fair to say that the FBI made a bargain with Congress that it would not use the implementation process to require telephone service providers to build in new surveillance capabilities and that it would respect the privacy of Americans.

The FBI did not keep its end of the bargain. The CALEA implementation process, which was supposed to involve only the setting of technical standards by the industry, has been highly contentious. The FBI has consistently sought greater capacity and new surveillance features that did not exist in 1994. In some cases, it has sought capabilities that it specifically promised Congress it would not seek.

A prime example of the FBI's broken promises involves the use of cellular telephones as location tracking devices. Cellular networks have the capability of identifying the physical location of a caller, within a reasonably small range. Congress recognized that this raised difficult constitutional and privacy issues and sought the assurance of the FBI that CALEA would not be used to force cellular providers to provide law enforcement with location information.

FBI Director Louis J. Freeh willingly gave that assurance. He testified that:

"[Call setup information] does not include any information which might disclose the general location of a mobile facility or service, beyond that associated with the area code or exchange of the facility or service. There is no intent whatsoever, with reference to this term, to acquire anything that could properly be called 'tracking' information." [37] Joint Hearings on HR 4922 and S 2375, 103rd Congress 29 (1994).

Despite that on-the-record promise to Congress, the FBI has fought tooth and nail to include complete location tracking information in the CALEA requirements, and we have now been forced to take the issue to the courts.

Carnivore needs to be caged. Congress should step in to make it plain to the FBI that it cannot use surveillance devices that give it access to a service provider's entire network.


Copyright © 2000 IDG Communications, Inc.