Carnivore raises new concerns


Fair use for educational/research purposes only

Carnivore raises new concerns

New documents and the release of an independent panel's report raise suspicions about the FBI surveillance system.

By Robert Lemos, ZDNet News November 17, 2000 4:21 PM PT

Newly released documents and a report from a highly criticized review panel have privacy experts once again questioning the FBI's motives in developing its Carnivore Internet surveillance system. The Electronic Privacy Information Center (EPIC) has warned that new documents released by the FBI under the Freedom of Information Act (FOIA) showed Carnivore could monitor all Internet traffic -- including e-mail, Web surfing, and file transfers -- something the FBI had previously denied.

"One of the most worrisome things is that (the FBI) constantly keeps seeming to move the goal post," Wayne Madsen, a senior research fellow with Washington-based EPIC, said Friday. "The assistant director told Congress that they didn't have the ability to store unfiltered data, but now they have a successful test of saving raw, unfiltered data on the hard drive."

"They seem to be understating the capabilities of Carnivore," Madsen added. "It has a lot more capabilities than they have advertised."

But an FBI spokesman said a full test of the program, without limiting filters, was needed to gauge Carnivore's performance.

FOIA documents key

The new controversy surfaced after EPIC received a second batch of FOIA documents -- about 360 pages. In total, the FBI has reviewed more than 1,000 pages and released about 800 -- although far fewer have survived a censor's black marker.

One document -- a memo dated June 5 -- outlined the results of a performance test conducted by the FBI's Cyber Technology Section in early May on Version 1.3.4 SP1 of Carnivore. The most controversial test -- called a "real world test" in the memo -- gauged the system's compatibility with the two other components of the DragonWare Suite, an integrated package of three snooping applications developed by the FBI.

On a 300MHz Pentium II PC running Windows NT, Carnivore "could reliably capture and archive all unfiltered traffic to the internal hard drive," stated the memo.

Contradictory testimony

The FBI has previously denied that such capabilities exist, according to EPIC.

In comments before the Senate Judiciary Committee, Donald Kerr, assistant director of the FBI's laboratory division, told senators that "it's critically important to understand that all of those ... other communications are instantaneously vaporized after (they're identified as extraneous). They are totally destroyed; they are not collected, saved, or stored."

"Why did they test something that they said was not a capability?" asked Madsen, of EPIC.

"It's like a car," explained FBI spokesman Steve Barry. "We revved it up to its full parameters without the filter on, which we should, just to see how well it works." Barry called EPIC's questions of the FBI's intentions "really off-base."

"The test showed that we could grab data without the filter, but we can't do it in the real world," Barry said. "That would be illegal."

http://www.zdnet.com/zdnn/stories/news/0,4586,2655658,00.html?chkpt=zdhpnews01

-- Martin Thompson (mthom1927@aol.com), November 18, 2000

Answers

Write or email your congresspersons and
demand that they put reins on the carnivorous
FBI.

House
Senate

-- spider (spider0@usa.net), November 18, 2000.


Tuesday November 21 1:54 AM ET

E-Mail Surveillance Tool Said OK

By D. IAN HOPPER, Associated Press Writer

WASHINGTON (AP) - The FBI's controversial e-mail surveillance tool works about the way the bureau says and generally doesn't ``overcollect'' evidence, an independent reviewer of the system said. But his remarks failed to calm the fears of privacy advocates.

Henry H. Perritt said in an interview that he had recommended how the so-called Carnivore system could be improved, both for efficiency and privacy, but that all-in-all it performed as advertised.

``I think that it's fair to say that it does pretty much what the FBI says it did. For the most part, it does not overcollect,'' he said Monday.

Perritt, who is dean of the Illinois Institute of Technology's Chicago-Kent College of Law, declined to list his recommended improvements or how Carnivore sometimes overcollected.

The Justice Department was releasing Perritt's findings Tuesday.

Alan Davidson of the Washington-based Center for Democracy and Technology said that while Carnivore may be technically sound, wiretap law still isn't keeping up with new gadgets.

``This finding, if it's true, still doesn't change the basic argument we're having about the standards under which Carnivore should be used,'' Davidson said.

``This sort of finding is in part why we've said a purely technical review of Carnivore's functions is not sufficient,'' he said. ``Policymakers need a review that considers the law under which Carnivore operates and whether that law adequately protects privacy.''

Congress considered several privacy bills during this past legislative term, including some specifically targeted at Carnivore. None of the bills survived, and legislators vowed to take up the issue again next year.

Carnivore was designed by the FBI to collect e-mail going to or from a suspect, in cases in which a suspect may be using electronic communications. Privacy experts have worried about the breadth of Carnivore's capability and its ``black box'' nature.

Privacy advocates were alarmed by an FBI lab report last week stating that Carnivore ``could reliably capture and archive all unfiltered traffic to the internal hard drive.''

The FBI said the lab report was the result of a test to determine Carnivore's ``breaking point,'' and that laws and court orders restricted Carnivore from being used so broadly. Privacy advocates, however, said the test showed that Carnivore was more powerful than the FBI had stated.

Perritt said the FBI was ``completely open and cooperative'' during the review.

Justice spokeswoman Chris Watney said Monday that the Carnivore report was received last week in advance of Tuesday's planned release. The intervening days, she said, were needed to black out parts of the report that mention Carnivore's internal blueprints and other sensitive information.

Shortly after IIT was chosen to perform the review, ordered by Attorney General Janet Reno, critics said the review would not be independent because the reviewers were government insiders.

``This important issue deserves a truly independent review, not a whitewash,'' House Majority Leader Dick Armey, R-Texas, a longtime Carnivore opponent, said in October.

Perritt advised President Clinton's transition team on information policy and performed other tasks for the Clinton administration, as well as previous Republican administrations.

Associate Dean Harold J. Krent, another member of the team, worked at the Justice Department in the 1980s, and several team members have current or former security clearances from the Defense Department, Treasury Department or the National Security Agency.

Perritt said repeatedly he was completely independent, and that his reputation would be damaged if he was anything but impartial.

Most of the nation's elite academic computer departments - including the Massachusetts Institute of Technology, Purdue University and the San Diego Supercomputer Center - either declined to review Carnivore or withdrew their applications after objecting to the requirements the Justice Department placed on the review.

The bureau says Carnivore has been used about 25 times, mostly involving national security.

http://dailynews.yahoo.com/htx/ap/20001121/tc/carnivore_4.html

-- Martin Thompson (mthom1927@aol.com), November 21, 2000.


The FBI's controversial e-mail surveillance
tool works about the way the bureau says and
generally doesn't ``overcollect'' evidence, an
independent reviewer of the system said. But
his remarks failed to calm the fears of privacy
advocates.

Whitewash!! :-§ The FBI has a long history of
this type of privacy abuse. In the 60's and
70's they steamed open millions of letters
without court authorization. The temptation
for abuse with Carnivore would be too much
for them.

-- spider (spider0@usa.net), November 21, 2000.


UPDATE 1-Critics slam ``whitewash'' of FBI email-tracking tool

November 22, 2000

(updates throughout, adds quotes, background)

By Jim Wolf

WASHINGTON (Reuters) - House Republican leader Dick Armey added his voice Wednesday to those accusing an outside review panel of whitewashing a controversial FBI cyber surveillance tool.

``The Department of Justice stacked the deck for this report,'' said Armey, of Texas, a champion of smaller, less intrusive government. ``It selected reviewers and set the rules in order to ensure they would get the best possible review.''

The system, dubbed Carnivore, is used by the FBI to keep court-ordered tabs on a criminal suspect's e-mail traffic, Web surfing and instant messages.

Armey and other critics, including civil liberties groups and privacy advocates, have raised concerns about whether the cybersnooping may go beyond court orders and breach the U.S. Constitution's Fourth Amendment ban on unreasonable searches.

In a draft technical report released Tuesday night, the IIT Research Institute said Carnivore should be fine-tuned to protect routine online communications from interception.

But the institute, tapped by the Justice Department to complete the $175,000 study from a field of 11 vying for the contract, called the computer-based Carnivore system potentially ``more effective in protecting privacy and enabling lawful surveillance'' than alternatives.

When correctly used, ``it provides investigators with no more information than is permitted by a given court order,'' said the institute, an arm of the Illinois Institute of Technology.

The seven-member panel that prepared the draft report included several people with strong ties to law enforcement and the Clinton administration, critics have charged.

In his statement, Armey said: ``This important issue deserves a truly independent review, not a whitewash.''

Richard Diamond, an Armey spokesman, said the newly elected Congress that takes office in January would continue its oversight of Carnivore.

``We don't really know who's going to be running the Department of Justice and that makes a big difference,'' he added, referring to action under way that will determine whether Republican George W. Bush or Democrat Al Gore wins the White House.

Attorney General Janet Reno ordered an independent review of Carnivore's inner workings after a stir in Congress.

Assistant Attorney General Stephen Colgate, head of the review panel that will make recommendations to Reno on Carnivore, defended the institute as fully independent and said its draft report demonstrated this.

PUBLIC COMMENT WELCOME

In addition, the public is welcome to comment on the draft, available at www.usdoj.gov, as a prelude to the institute's presentation of a final version of its review on Dec. 8, he said in a telephone interview.

Colgate said the institute had also scrutinized a test model of the next version of Carnivore, which ``probably will begin being used shortly after the new year.''

Stephen Smith, the IIT Research Institute project manager for the review, said in a telephone interview: ``I would ask people to read the report and decide for themselves if it is fair.''

In its report, the institute found inadequate audit trails for pinning down individual accountability for actions taken during use of Carnivore. Colgate said the problem was being addressed in the system's next version.

He said his panel would make recommendations to Reno on ``improvements that need to be made in the system'' after taking account of the institute's suggestions.

David Sobel of the Electronic Privacy Information Center said nothing in the report released on Tuesday addressed the fundamental legal and constitutional questions surrounding Carnivore.

``The problem with Carnivore is that it gives the FBI access to the communications of hundreds, if not thousands, of innocent Internet users,'' he said. ``It's not sufficient for the bureau to say, 'Trust us, we won't do anything wrong.' Most users want more of an assurance than that.''

The American Civil Liberties Union said the choice of the institute ``guaranteed a pat on the head'' to Carnivore.

``This report is, at best, a fuzzy snapshot of Carnivore, and it will be obsolete in two months when the FBI comes out with the next version of Carnivore,'' ACLU Associate Director Barry Steinhardt said.


http://www.individual.com/story.shtml?story=d1122145.701

-- Martin Thompson (mthom1927@aol.com), November 22, 2000.


FBI's Carnivore review is mixed

"When Carnivore is used correctly under a
Title III order, it provides investigators
with no more information than is permitted
by a given court order," the reviewers found.

However, when Carnivore "is used under
pen [register] and trap [and trace]
authorization, it collects TO and FROM
information, and also indicates the length
of messages and the length of individual
fields within those messages, possibly
exceeding court-permitted collection".

A pen register order authorises recording
the phone numbers dialled from a particular
phone; a trap and trace order authorises
recording the phone numbers from which
incoming calls originate. In neither case
may the contents of a call be intercepted.

Thus Carnivore, doing essentially the same
thing with packet traffic, leaves it up to
individual operators to restrain themselves
from recording data not authorised by the
courts, a temptation which, many fear, a
zealous investigator would be unable to resist.

"While operational procedures or practices
appear sound, Carnivore does not provide
[technical] protections, especially audit
functions, commensurate with the level of
the risks," the review notes.

In other words, there is not engineered
into the thing a pen register or trap and trace
'mode' in which message content could be blocked,
or any auditing mechanism for supervisors to
discover if an agent has in fact snuck a peek
at information which s/he is not entitled to
view.

The privacy threat Carnivore poses will
therefore remain infinitely variable, being
commensurate with each operator's fastidiousness
in following court orders. Those who tend to
imagine law enforcement agents as basically
conscientious will find little in the report
with which to alarm themselves, while those
who tend to imagine the Feds as basically
ruthless and eager to cover up each other's
procedural violations will find little in the
way of reassurance.

. . .

'Church Committee' is a popular name for the
Senate Select Committee on Intelligence, whose
Chairman, the late US Senator Frank Church (Democrat,
Idaho), shocked the nation while investigating
illegal US intelligence activities during the
Ford/Carter era. Church had himself been a
member of the US military intelligence
apparatus before commencing his political
career.

The effect of Church's revelations has
been both lingering and sobering on each
subsequent administration. Some more than
others, no doubt; but we've seen evidence
of an almost paranoid zeal in the treatment
of personal data gathered by the US National
Security Agency (NSA), which was one of the
agencies most severely burned by the Church
Commission's investigations.

The Register

-- spider (spider0@usa.net), November 23, 2000.


