The T. Rex of Surveillance

New FBI System Could Abolish Internet Privacy

by Neil McAllister, Special to SFGate
(Originally published Thursday, July 20, 2000. Editor: Amy Moon)

Shades of J. Edgar Hoover: it seems the FBI is still up to its old tricks. Not content with merely tapping phones and opening mail, the Bureau recently unveiled a new program, this one aimed at intercepting and monitoring Internet traffic.

Dubbed "Carnivore," the Bureau has been employing the system secretly in criminal investigations since early 1999.

And though they claim only to have used Carnivore in less than 100 cases to date, the revelation of its existence has sent a shockwave through privacy advocacy organizations and civil liberties groups.

Even the recent White House proposed legislation setting legal requirements for surveillance in cyberspace by law enforcement authorities has not quelled their fears.

Described, the Carnivore system sounds much like what you'd expect of a government Internet surveillance project. The FBI knocks on your ISP's door and says, "In the interest of law enforcement, we'd like to install this device on your premises."

Once connected, the Bureau's black box sits like a spider on the ISP's network, aware of every packet of network traffic, in or out.

Then, given a court order, agents can send instructions to the machine telling it to trap and file away network packets they deem relevant to ongoing investigations. Any packets — from email to e-commerce transactions — can potentially be monitored, invisibly.

The implications have privacy advocates up in arms. In the face of such technology, how can you be certain your personal emails aren't being secretly intercepted, read, and analyzed? Disturbingly enough, the answer may be that, unless the emails are encrypted, you can't.

Legal precedent in the United States holds that computer users aren't always guaranteed complete privacy when they send email. In 1996, the decision in Smyth v. the Pillsbury Co. supported Pillsbury's right to fire an employee after intercepting what it considered inappropriate messages sent using its corporate email system.

The judge in the case ruled that Smyth could not have reasonably assumed traffic on Pillsbury's private email system would not be monitored, despite his never having been notified of the practice.

But that same year, the case of United States v. Maxwell established that, in general, individual computer users do have the expectation of privacy when sending email. In other words, we take for granted that emails sent from our personal Internet accounts are at least as private as normal telephone conversations or letters sent by postal mail, under most circumstances.

Without prior notice, we expect neither commercial concerns nor the government to be reading over our shoulder when we're in our own homes. And because of this, any such monitoring, if it took place, would constitute a violation of our Fourth Amendment right to privacy.

Fair enough; but the one long-standing exception to all such assurances is in the case of law enforcement's use of surveillance in the course of investigation of a crime. Organizations like the FBI have the right to snoop — provided they think you've done something wrong, or that information you possess may help them to catch someone who has.

They can't just go leafing through your diary on a whim, however. For every breach of your personal privacy, investigators must first request a search warrant from the court.

Search warrants are documents that lay out in no uncertain terms when, where and how evidence can be gathered. They were designed specifically as a balancing force to keep law enforcement's power to invade our privacy in check.

One way warrants do this is by requiring that investigators state very specifically the type of evidence they're searching for. For example, if agents thought you'd stolen an elephant from a nearby circus, they might obtain a warrant to search your home for the animal.

Such a warrant wouldn't grant them license to look through your dresser drawers, however — because no one could reasonably assume that an elephant could be concealed in such a small space.

According to the FBI, upholding the spirit of established legal procedure is exactly what Carnivore is all about. At the heart of the system is a sophisticated filtering engine, designed to trap those network packets pertinent to FBI investigations while allowing the rest of the traffic to continue on, unobserved.

Carnivore's flexible engine could be configured to capture an investigation subject's email, for example, but ignore his Web surfing habits if they weren't covered under a search warrant.

But it seems unlikely that the system would truly only be used to uncover evidence pertinent to existing investigations.

Going back to the earlier example, agents couldn't ransack your dresser if they were only looking for an elephant. But if they obtained a warrant that also included, for instance, a possible bill-of-sale for an elephant — then your drawers would be fair game for search.

And if in the course of that search they found a bag of marijuana in one of those drawers, then you could be arrested and prosecuted for the crime of narcotics possession — even if the elephant was never found.

Consider the implications for Carnivore. The device monitors every packet sent across an ISP's network, trapping any that match its programmed filtering criteria. Those criteria might include certain email addresses, or even Web sites — whatever agents and the courts agreed was pertinent.

The net effect is something like a giant shrimp-fishing net, amassing data on anyone who happens to correspond with the subject of an FBI investigation. Whatever information was uncovered would be fair game for further examination.

And that's just assuming everything Carnivore does is legal. The system determines which network traffic to forward to the Bureau based on analysis of its content, a process that treads dangerously close to violating the spirit of search and seizure law.

Mark Rasch, an attorney specializing in computer crimes, compares the procedure to "listening to everybody's phone calls to see if it's the phone call you should be monitoring."

The Bureau claims the Carnivore software is actually nothing new — it just does its job better for law enforcement purposes. "The Carnivore device works much like...network diagnostic tools used by ISPs every day," reads a press release on the FBI's Web site, "except that it provides the FBI with a unique ability to distinguish between communications which may be lawfully intercepted and those which may not...This is a matter of employing new technology to lawfully obtain important information while providing enhanced privacy protection."

Got that? As far as Internet privacy is concerned, you're actually better off now than before the new system was put in place. With Carnivore, the FBI has only your best interests in mind — or so the Bureau's PR spin goes.

If you're not buying it, you're not alone. On July 14, the American Civil Liberties Union formally requested all information, correspondence, computer code, and other data pertinent to Carnivore, under the Freedom of Information Act.

"The FBI is saying, 'trust us, we're not violating anybody's privacy,'" explained ACLU Associate Director Bill Steinhart. "With all due respect, we'd like to determine that for ourselves."

The ACLU's concern has echoes in Congress as well. On July 12, House Majority Leader Dick Armey, R-Texas, called upon the FBI to stop using the Carnivore system until Fourth Amendment issues can be properly addressed. In response to his request, Attorney General Janet Reno has already agreed to open an investigation on the matter.

By law, the FBI must respond to the ACLU's Freedom of Information Act request by August 18. On July 24, the House Judiciary Committee Subcommittee on the Constitution will hold a hearing on Carnivore. And Janet Reno's preliminary inquiry is already underway.

But some say that the system's existence alone is proof that it's too late to hope for an Internet free of widespread surveillance. To these privacy advocates, strong encryption technologies like PGP and Gnu Privacy Guard are the only hope for keeping network communications free from the government's prying eyes.

Anything not encrypted, should the FBI's plans get the green light, could become just more fresh meat for Carnivore.



2000 Article IndexArticles HomeNeil's Homepage

Valid XHTML 1.1!