CDR: Carnivore 3.0: The Wrath of Olympus

Anonymous nobody at neuropa.net
Sat Sep 16 23:29:03 PDT 2000


By Robert X. Cringely

I wouldn't want to be a cop. It is a difficult and generally thankless job performed by people who are often unappreciated and certainly not overpaid. Most of us think of the police as the givers of undeserved though probably earned speeding and parking tickets. But when real troubles come, we expect the police to be there, to protect public safety. For their part, the law enforcement people I have known generally see themselves as a tribe -- a body of professionals who do a job the rest of us don't want to do and are, by the nature of that job, special. Ask a cop the last time he or she got a speeding ticket, then ask them whether they ever exceed the speed limit. Cops generally judge themselves by different rules than they judge the rest of us.

When there is a pressing problem of public safety, we tend to expect the police to fix it, and we usually give them whatever tools they require to do the job. This explains why so many cities have Special Weapons and Tactics (SWAT) teams. It's not that every city faces problems that require SWAT response, but having a SWAT team is one way of keeping up with the other cities. It's cool. And if the perceived threat is bad enough and real enough, there is probably no limit, short of the U.S. Constitution, on the tools we will give our defenders. Bazookas, anyone? 

Now we jump, for the third and I hope last time, back into the Carnivore debate. You'll remember Carnivore is a sealed box that the FBI proposes to install in the Network Operations Centers of Internet Service Providers that are known to serve users who are criminal suspects and who are under a court-ordered e-mail tap. The way it was originally explained, Carnivore boxes would copy and store e-mail to and from the bad guy for decryption and examination by appropriate officials. ISPs don't like Carnivore because it is a box they don't control or have access to that can potentially screw up the whole network. Privacy advocates don't like Carnivore because it might be intercepting and storing e-mails other than just those of the bad guys. They worry about the potential for abuse by law enforcement agencies.

This is a thorny issue and shows how much technology has changed law enforcement. Part of the problem is that the Internet -- formerly a province of academic nerds -- is now a part of mainstream life, which is to say it has become a crime scene. Enter the police. When people use the Internet to deliver threats or commit crimes, the technology makes it conducive for law enforcement to deal with it. All that good spy technology used by the major intelligence agencies can be used to detect crime on the Internet.

I wonder whether the end of the Cold War may have accelerated this law enforcement trend as intelligence agencies try to stay in business by re-targeting their efforts on terrorism, the new bogeyman. 

The scary part about these intelligence-gathering technologies is that they are very scalable. It isn't that much harder to read the mail of a thousand people than to read the mail of one person if a machine is doing the reading. And since the Carnivore boxes need to be directly in the flow of all e-mail at an ISP, this is doubly concerning. Now for the first of two disturbing facts: While the FBI has kept generally quiet about Carnivore, the government has maintained that it is intended for surgical use. One crook, one e-mail address. Is that why the name Carnivore was chosen? Because it is my understanding that the Carnivore program was begun under a different name, Omnivore. So much for surgical strikes.

For the second disturbing fact we jump to the Olympics -- not this year's games in Sydney -- but the 2002 Winter games in Utah. Given the 1996 bombing at the Atlanta games and the 1972 hostage crisis in Munich, I really, really wouldn't want to be responsible for public safety at an Olympic games anywhere. So it isn't surprising that the security plans for Salt Lake in 2002 are very robust -- perhaps too robust for some people, including me. 

At the Utah games there will be a network of kiosks set up for athletes, journalists, and the public to use for e-mail and Net access. This will be the easiest way for many people to communicate in an area that will probably have its cellphone circuits maxed-out most of the time. Try making a cellphone call in Las Vegas during Comdex or the Consumer Electronics Show and you'll know what I mean. Well, the FBI has some rather specific requirements for Olympic data security, including the ability to not only COPY e-mail from these kiosks containing passwords from users' secret list, but to actually INTERCEPT e-mail and deliver it to a security office address rather than to the intended recipient. The person manning that address is supposed to make summary decisions about what to do with the reviewed email -- maybe it gets passed along as intended by its author, maybe bounced as "undeliverable" for myriad reasons, or... 

Seriously, that's a technical requirement, for which a vendor has not yet been chosen. The FBI gets to read mail, steal passwords, and divert mail. By the nature of the system, they have to look at all the mail -- even yours, if you are there. Remember, given the high-roller nature of Olympic audiences, the passwords being recorded to a database will likely include America's business elite. Of course those passwords would never be used for any illegal purpose, right? 

And the truly amazing part of this story is that there is nothing illegal about the data gathering, itself. Since the kiosk doesn't belong to you or me, we are bound by terms of usage that allow the kiosk provider to do pretty much whatever they want with the bits we run through their system. By simply using their machine, we give up our privacy without even knowing it. 

Okay, so maybe I have just blown the lid off a plan that could save lives, but it is hard for me to imagine a scenario in which some terrorist will stop on his way to plant a bomb to e-mail the boss about that bomb's location. This looks to me like overkill, and I don't like it. Or am I the only one who feels this way?