CDR: Carnivore Probe Mollifies Some
A report is to conclude that the FBI's e-mail surveillance system does not threaten civil liberties. Privacy advocates remain unconvinced. By Jennifer DiSabatino Privacy advocates said they remain leery about the FBI's Carnivore e-mail surveillance system following last night's release of a draft report on the technology by an independent review team, despite the report's conclusions that the controversial software essentially does what it was designed to do Ð track specific digital communications with the permission of a court order. But others, including the FBI, said the report prepared by the Chicago-based IIT Research Institute (IITRI) shows that Carnivore just needs to be fine-tuned and then closely monitored itself in order to prevent the system from being improperly used by law-enforcement officials. "I believe, at least at a basic level, that this established that Carnivore doesn't bite off more than it can chew," said Kenneth Segarnick, assistant general counsel at messaging services vendor United Messaging in West Chester, Pa. "Now we need to put a leash on it and make sure that it's only unleashed under a certain set of circumstances. Carnivore still can do quite a bit. They call it Carnivore for a reason." For example, Segarnick Ð who has testified before Congress on workplace e-mail security measures Ð suggested that regulations be put in place "so that the FBI does not have the automatic right to trap the 'to' and 'from' lines on e-mails" while using Carnivore to investigate suspected criminal activities. And he said legislation also needs to be enacted to make sure the software doesn't collect data on people who aren't being investigated. Carnivore is a software program that monitors packets of data passing through an Internet service provider's network. Officials at the FBI and the DOJ have said the surveillance system can only be legally deployed to monitor allegedly criminal activity under a court order, similar to the regulations that govern the use of telephone wiretaps. The report by IITRI, which was edited by officials at the U.S. Department of Justice before being released, said Carnivore isn't powerful enough to monitor "almost everyone with an e-mail account" at an ISP or to follow individual Internet users as they surf the Web. But the report added that the software "can record any traffic it monitors" if it has been incorrectly configured by investigators (see story). Privacy advocates seized on that point as a confirmation that Carnivore could be used to collect broad swaths of data on individuals. The Electronic Privacy Information Center (EPIC), a Washington-based privacy group that's seeking the release of all the FBI's Carnivore-related documents through a Freedom of Information Act request, yesterday issued a statement charging that the IITRI report "raises more questions than it answers." "If it's that easy for the FBI to accidentally collect too much data, imagine how simple it would be for agents to do so intentionally," said David Sobel, EPIC's general counsel. "This supports our belief that Carnivore raises extremely serious privacy concerns." But FBI spokesman Paul Bresson said those kinds of concerns are overstated. "We never denied that it had the capability to capture more [data than an investigation requires]," he said. "What we maintained was that it had the filtering devices to capture only the data pertaining to the court order." Bresson added that the FBI is now looking at improving the Carnivore software so it would only target the subject of an investigation without collecting information about other people whose e-mail messages are transmitted across an ISP's network as part of the same packet of data. But Jennifer Granick, an attorney and privacy advocate in San Francisco, said the FBI should have done that from the start. "If the device intends to adhere to the law, then design it that way," she said. Granick acknowledged that the likelihood of unintentional privacy violations is limited, but she said Carnivore gives individual employees within the FBI the ability to monitor anyone they want to track. That kind of rogue usage is the real threat, Granick said. Jennifer DiSabatino writes for the IDG News Service
At 9:56 PM -0500 11/27/00, anonymous@openpgp.net wrote:
A report is to conclude that the FBI's e-mail surveillance system does not threaten civil liberties. Privacy advocates remain unconvinced. By Jennifer DiSabatino Privacy advocates said they remain leery about the FBI's Carnivore e-mail surveillance system following last night's release of a draft report on the technology by an independent review team, despite the report's conclusions that the controversial software essentially does what it was designed to do - track specific digital communications with the permission of a court order.
But others, including the FBI, said the report prepared by the Chicago-based IIT Research Institute (IITRI) shows that Carnivore just needs to be fine-tuned and then closely monitored itself in order to prevent the system from being improperly used by law-enforcement officials.
No mention of a basic objection: this so-called Carnivore _might_ be authorized by a specific court order in a specific case, but: a) it had better not pick up communications NOT PART OF THE ORDER. and b) it must be removed immediately after use oh, and c) all costs related to disruptions of service, downtime, etc. must be paid-for by the law enforcement agency or court ordering the operation. I'm surprised I don't see more ruckus about b). Look at it simply. Alice is operating a couple of machines for her small ISP. Some guys in uniform, or maybe just ninjas in black, arrive with a court order saying that their Pentium III Carnivore box must be attached to her system. She consults with her lawyer and says "OK, you can begin your attachment when we have a scheduled down time tonight at midnight." Maybe they agree, maybe they demand immediate installation. Anyway, it somehow gets installed. Assuming it doesn't have the deleterious effects Earthlink was reporting, let's assume it sits there and does its thing. Ten days later, Jim Bell^h^H^H^H^Hthe perp is busted. Alice calls the cops and says: "Come on over and pick up your machine." Ah, but what we are hearing about Carnivore is that these would be semi-permanent installations. Well, if I ran a small ISP, I think I'd say: "You got a wiretap order for one person. That order has now run its course. Get your machine out of my cage." There is nothing in the Constitution about one particular search warrant then magically meaning access is forever granted! "We got a search warrant two years ago so we can enter this house at any time." More in tune with discussions I used to see (and participate in) on the Cyberia-L list, there _might_ be some "innkeeper's interpretation" (so to speak) about how a hotel owner can authorize access to the rooms of patrons without specific warrants for the patrons, by name. I believe, though I don't have any cites, that this power is not so broad. And a warrant served against the San Francisco Hyatt Regency in, say, October 1997, does not mean that cops can wander through hotel rooms at will a year or three later. My understanding of search warrants and wire taps is that the specific party, time and place, must be named. There is no provision for Carnivore boxes being "resident." CALEA has some onerous language in it, but it doesn't trump the Fourth Amendment. --Tim May -- (This .sig file has not been significantly changed since 1992. As the election debacle unfolds, it is time to prepare a new one. Stay tuned.)
I believe ECPA speaks to this explicitly, and where common law may (at least arguably) be ambiguous about meatspace, U.S. statutory law regarding electronic communications is not. I may look this up and provide a cite if nobody else does in the next day or so. -Declan On Mon, Nov 27, 2000 at 10:36:44PM -0500, Tim May wrote:
More in tune with discussions I used to see (and participate in) on the Cyberia-L list, there _might_ be some "innkeeper's interpretation" (so to speak) about how a hotel owner can authorize access to the rooms of patrons without specific warrants for the patrons, by name. I believe, though I don't have any cites, that this power is not so broad. And a warrant served against the San Francisco Hyatt Regency in, say, October 1997, does not mean that cops can wander through hotel rooms at will a year or three later.
Tim May wrote: [...snip...]
Well, if I ran a small ISP, I think I'd say: "You got a wiretap order for one person. That order has now run its course. Get your machine out of my cage."
[...snip...] Of course if they leave the machine in the cage you can always stop feeding it electricity. Or take it home to show the neighbours. It might make a good conversation piece at dinner. Or maybe use it as an ashtray. Ken
At 06:54 AM 11/28/00 -0500, Ken Brown wrote:
Of course if they leave the machine [Carnivore] in the cage you can always stop feeding it electricity. Or take it home to show the neighbours. It might make a good conversation piece at dinner. Or maybe use it as an ashtray.
At 10:36 PM 11/27/00 -0500, Tim May wrote: CALEA has some onerous language in it, but it doesn't trump the Fourth Amendment.
You could try the Carnivore box against an implemention of your Second Amendment rights. Unless the chassis were hardened you'd win.
At 5:48 PM -0500 11/28/00, David Honig wrote:
At 06:54 AM 11/28/00 -0500, Ken Brown wrote:
Of course if they leave the machine [Carnivore] in the cage you can always stop feeding it electricity. Or take it home to show the neighbours. It might make a good conversation piece at dinner. Or maybe use it as an ashtray.
At 10:36 PM 11/27/00 -0500, Tim May wrote: CALEA has some onerous language in it, but it doesn't trump the Fourth Amendment.
You could try the Carnivore box against an implemention of your Second Amendment rights. Unless the chassis were hardened you'd win.
I think a reasonable "quartering troops" (Third) case could be made, as requiring a government box to be quartered on one's property is certainly exactly what the Founders were worried about when they included the Third. Generally, I hope CALEA/Carnivore gets challenged all the way to the Supreme Court. Requiring someone to have a government machine on their property, recording _all_ traffic, is fully comparable to a requirement that t.v. cameras or microphones be permanently installed on private property. Violates the Fourth, for sure, and probably the Third, and possibly the First, and perhaps others parts of the Constitution. I want Bush to become President so I can see at least a few years of another party in power before going ahead and advocating that they ALL be killed and that Weapons of Mass Destruction be used to eliminate the nest of vipers on the Potomac. --Tim May -- (This .sig file has not been significantly changed since 1992. As the election debacle unfolds, it is time to prepare a new one. Stay tuned.)
I've been thinking about Carnivore for days. I can't really see the data that it collects/spews forth being anywhere near uncontestable. On Tue, 28 Nov 2000, Tim May wrote:
At 5:48 PM -0500 11/28/00, David Honig wrote:
At 06:54 AM 11/28/00 -0500, Ken Brown wrote:
Of course if they leave the machine [Carnivore] in the cage you can always stop feeding it electricity. Or take it home to show the neighbours. It might make a good conversation piece at dinner. Or maybe use it as an ashtray.
At 10:36 PM 11/27/00 -0500, Tim May wrote: CALEA has some onerous language in it, but it doesn't trump the Fourth Amendment.
You could try the Carnivore box against an implemention of your Second Amendment rights. Unless the chassis were hardened you'd win.
These are probably obvious points but.. Is Carnivore going to be simply a software/OS specification, or all round including hardware? What's to stop the provider being in collusion with whoever's being monitored, and 'unplugging' the UTP whenever sensitive data is being sent out? Worse still, what's to stop spoofed packets/data being injected (by your friendly law officers) into carnivore to incriminate those being monitored. Likewise, is there some sort of protocol to on similar situations (well same ball-park), say voice-wiretaps, that prevents evidence tampering? Is there some sort of specification for this thing, or was the so called research performed on this thing done under complete NDA?
Generally, I hope CALEA/Carnivore gets challenged all the way to the Supreme Court.
I don't see how it holds up in any court. Peter --
On Tue, Nov 28, 2000 at 11:40:10PM -0500, Tim May wrote:
I want Bush to become President so I can see at least a few years of another party in power before going ahead and advocating that they
Maybe. But there is a substantial law and order wing in the Republican Party led by snoophappy folks like Bill McCollum, who shared the stage with Bush at rallies. That by itself guarantees that at least some GOPers will be pushing for more surveillance than done under Clinton. Further, many of the important day-to-day decisions are left up to mid-level bureaucrats and not all are among the 2,000 or so presidential appointees. Finally, some of the conservative groups that have been most vocal in Carnivore-opposition will not be as eager to criticize a Bush administration. And I can't see liberals at PFAW etc. being quite as aggressive. I should write an article about the above.
ALL be killed and that Weapons of Mass Destruction be used to eliminate the nest of vipers on the Potomac.
Sure you haven't done that already? :) -Declan
At 06:54 -0500 on 11/28/00, Ken Brown wrote:
Tim May wrote:
[...snip...]
Well, if I ran a small ISP, I think I'd say: "You got a wiretap order for one person. That order has now run its course. Get your machine out of my cage."
[...snip...]
Of course if they leave the machine in the cage you can always stop feeding it electricity. Or take it home to show the neighbours. It might make a good conversation piece at dinner. Or maybe use it as an ashtray.
I'm personally of the opinion that every server room should be hosed our regularly. And it would of course be against the law for you to remove the machine or unplug it without an appropriate court order... -- "As nightfall does not come at once, neither does oppression. In both instances, there is a twilight when everything remains seemingly unchanged. And it is in such twilight that we all must be most aware of change in the air--however slight--lest we become unwitting victims of the darkness." -- Justice William O. Douglas ____________________________________________________________________ Kevin "The Cubbie" Elliott <mailto:kelliott@mac.com> ICQ#23758827
At 06:54 AM 11/28/00 -0500, Ken Brown wrote:
Of course if they leave the machine [Carnivore] in the cage you can always stop feeding it electricity. Or take it home to show the neighbours. It might make a good conversation piece at dinner. Or maybe use it as an ashtray.
At 10:36 PM 11/27/00 -0500, Tim May wrote: CALEA has some onerous language in it, but it doesn't trump the Fourth Amendment.
You could try the Carnivore box against an implemention of your Second Amendment rights. Unless the chassis were hardened you'd win.
I seriously doubt they make NT boxes that are hardened against a .50 BMG. -- A quote from Petro's Archives: ********************************************** "Despite almost every experience I've ever had with federal authority, I keep imagining its competence." John Perry Barlow
participants (8)
-
anonymous@openpgp.net -
David Honig -
Declan McCullagh -
Ken Brown -
Kevin Elliott -
Peter Tonoli -
petro -
Tim May