21 July 2000


To: cryptography@c2.net
Subject: Open Source Wiretapping
Date: Thu, 20 Jul 2000 20:24:19 -0400
From: Matt Blaze <mab@research.att.com>

On Monday, July 24, 2000, the House Judiciary Committee's Subcommittee on the Constitution will be holding hearings on "Fourth Amendment Issues Raised by the FBI's 'Carnivore' Program."  The hearings will be in the Rayburn building, room 2141 at 1pm, for those interested in attending.  There will be witnesses from the FBI and Department of Justice as well as technical experts, civil liberties advocates, and representatives from ISPs.  I've been invited to testify as an expert on the risks of Internet wiretapping generally and on the issues that would be raised by making the Carnivore software open-source in particular.

As we all know by now, the "Carnivore" system runs on an FBI-owned PC that can be installed at an ISP to collect IP traffic as part of a court-ordered wiretap. Not much detail is publicly known about exactly how Carnivore works or what kinds of traffic it collects.  This has contributed to an atmosphere of mistrust and confusion, which would be at least partly addressed if the FBI would provide more information, including making the Carnivore source code available for public scrutiny.

Internet wiretapping raises some very difficult technical, as well as legal, issues.  The wide range of Internet access methods coupled with the fact that the Internet is based on a packet-switched, rather than connection-oriented, model, makes it much more difficult to reliably and faithfully collect exactly the Internet traffic associated with a particular source or destination than it is to perform traditional voice wiretaps.  The security benefits of making software open-source are well understood by the security community; open source could be expected to do much to strengthen a system as complex and security-critical as Carnivore.

Of course, making Carnivore open source is not a complete panacea for protecting against abuses or errors.  First of all, it's likely rather complex, so simply scanning the source code probably won't tell us much about whether it is vulnerable to attack or misbehaves in the kinds of traffic it collects.  That would require extensive, focused review.  Open source code attracts several different kinds of reviewers.  One is made up of people who are interested in and want to study a system for its own sake, but the main source of meaningful review usually comes from people who have to read and understand the code because they want to make useful modifications to it.  Carnivore isn't likely to attract much of that latter (and I think more important) kind of review, at least from among the open community.  On the other hand, groups of focused expert reviewers can (and often do) miss things.  Any meaningful review, therefore, should include both independent expert reviewers as well as releasing the code to the public.

More seriously, I suspect that the meat (so to speak) of any meaningful analysis of Carnivore's security and behavior lies not in its core source code but rather in the parameters used when it is actually configured and installed.  It is similar to asking whether Unix is secure - we can look at its source code and find (or not find) specific bugs, but the real issue in the security of any particular Unix installation is how it is managed and administered, not what version of the kernel it runs.

Still, releasing the source code is a critical first step in assuring the public that Carnivore can at least be configured to do what it is supposed to do, and I hope the FBI sees fit to take this step soon.

I've submitted as part of my written testimony a position paper I wrote with Steve Bellovin that makes the case that there is little harm, and much good, to be done by releasing the Carnivore code.  It is available at

http://www.crypto.com/papers/openwiretap.html

-matt


Source: US national newspaper, July 20, 2000, p. A28.

POLITICS & POLICY

Carnivore E-Mail Tool Won't Eat Us Privacy, Says FBI 

By TED BRIDIS And NEIL KING JR.

WASHINGTON -- Packed in a slim laptop computer, the Federal Bureau of Investigation's Internet surveillance system, Carnivore, looks downright docile. One of its creators calls it merely a "tool in a tool box" for tracking hackers and terrorists. Its name, the FBI admits, is unfortunate.

It is too late to change the name -- but not too late, the FBI figures, to try to change the opinions of privacy advocates and lawmakers who have spoken harshly of the high-tech sniffer. So the agency has launched an intense, behind-the-scenes campaign to deflect congressional skeptics and convince wary Internet companies that Carnivore is a much pickier eater than its critics claim.

Since news of Carnivore broke last week, FBI officials have swarmed Capitol Hill to demonstrate the system to key members of Congress and their staff. The officials also have shown it to two federal judges and a small group of reporters for The Wall Street Journal. And Tuesday, the FBI published a lengthy article about Carnivore on its Web site, describing it as a "diagnostic tool" that employs new technology "to lawfully obtain important information while providing enhanced privacy protection."

The message: Carnivore is a surgical law-enforcement device used rarely and only under strict court orders. And, contrary to fears espoused publicly in recent days, the system doesn't gobble up all passing e-mail in its search for the correspondence of a single suspect. "This device is blind to everything but the packet [information] that it's set to retrieve," says Thomas Motta, an assistant general counsel for the FBI. "It's like a cop who can't see anything but a blue car on a highway."

In advance of a hastily called congressional hearing next week, FBI officials also have been expressing regrets about the system's name. Carnivore was the in-house moniker given to the successor of an earlier surveillance system, which was called Omnivore. No one thought the name would become public. When it did last week, Attorney General Janet Reno called for a name change, and FBI Director Louis Freeh started asking how the bureau could have had such a tin ear.

"Let's just say, we're going to put names through the giggle-test a little differently in the future," says Donald Kerr, director of the special Quantico, Va., lab that developed Carnivore.

The system's critics are likely to demand more than merely cosmetic change. Lawmakers are eager to know how voracious Carnivore could get. Can it vacuum Internet service providers? How can we trust that it does only what the FBI says?

Protecting Citizens

"We want to hear exactly how this system works and make sure it raises no constitutional problems," says Rep. Charles Canady, the Florida Republican who heads the House judiciary subcommittee that will question FBI officials next week. Adds Rep. Asa Hutchinson, an Arkansas Republican and member of the same panel: "We have to protect citizens from inadvertent action as well as snooping by the government."

The system is designed to allow the FBI to conduct efficient wiretaps of e-mail conversations and other online communications involving suspected hackers, terrorists and other criminals. The fear among critics is that Carnivore will scoop up transmissions made between innocent civilians and lay them open to scrutiny.

Internet providers, such as Iconn.Net of New Haven, Conn., say Carnivore is unnecessary because they already can do the monitoring the FBI needs if ordered by a court. "We're able to do it faster, more efficiently and, most importantly, without intruding on the privacy of people not within the scope of the search," says Peter William Sachs, president of Iconn.Net, who is scheduled to testify at next week's hearing. EarthLink Inc., one of the nation's largest Internet service providers, says it refused earlier this year to install Carnivore on its network, claiming technical adjustments required to use the device caused disruptions to its customers.

In its meetings with lawmakers and others, the FBI has described the inner workings of the system in unusual detail. In one demonstration this week, the agency was keen to show how the system could tailor its search so it captures only the e-mails moving into and out of one particular account. The FBI said Carnivore is smart enough to capture a suspect's e-mails while leaving untouched messages sent by his or her spouse or children.

'Packet Filters'

The system belongs to a class of tools known as "packet filters" or "sniffers," which look for parcels of data that travel across a network and comprise an e-mail or a visit to a Web site. Using a Windows screen, Carnivore also can be set to capture file downloads and chat-room conversations. It can grab e-mail from the most popular Web-based companies, including Yahoo! Inc. and Microsoft Corp.'s Hotmail. And once it is installed at an Internet service provider, the FBI can dial into Carnivore to make changes and monitor data that have been collected.

The FBI is adamant about dispelling fears that Carnivore could be used for rampant tapping of public e-mail systems. For one, wiretapping requests are closely scrutinized by the Justice Department, and must be approved by a federal judge. Abuse by a rogue investigator is even less likely, the bureau says, because the rogue would need too much cooperation from other FBI techies and the Internet service provider, says Marcus Thomas, a developer of the system at Quantico.

Depending on a judge's instructions, Carnivore can be set to merely trace Internet communications to and from a suspect, called a "pen register" or "trap and trace." Carnivore records the Internet addresses of passing traffic but not, for example, the contents or even the subject line of an e-mail. Since the amount of information gathered is relatively small in these instances, even a week's worth of monitoring can be stored on a single floppy disk, the agency says. With judicial permission, the system also can conduct fuller intercepts, which would gather the contents of the e-mails and other data.

The FBI says Carnivore doesn't monitor the content of passing e-mails, a capability widely rumored to exist in the controversial "Echelon" surveillance network operated overseas by the National Security Agency. Bureau officials said watching for key words in passing e-mails was technically possible, but that it would slow Internet traffic unacceptably for all customers. "If you attempt with a machine like this to actually read everything that goes by, you very quickly cannot deal with it," Mr. Thomas says.

The FBI now says it has used Carnivore in fewer than 25 investigations over the past 18 months, most targeting suspected terrorists or computer hackers. In each case, the system was connected to a commercial Internet service provider, where it intercepted data or e-mails in strict compliance with a court order, the FBI says.

Privacy advocates, who haven't been privy to the FBI demonstrations, hunger for much more than explanations. The American Civil Liberties Union wants the FBI to suspend Carnivore's use, arguing that Internet providers can already conduct adequate electronic wiretaps. The ACLU also has filed a request under the Freedom of Information Act for the blueprints of how Carnivore works. Many in the industry want these same plans -- called the "source code" -- to ensure that the system isn't open to abuse and won't disrupt business.

The FBI says making Carnivore's inner workings public would allow hackers to defeat it. "Once you know how it works ... it could be fairly trivial to evade it," Mr. Thomas says.

Legislation to quash Carnivore entirely is unlikely, but lawmakers could move to tighten the requirements for its use or to impose rules that would further protect the privacy of innocent Internet users. Many argue that Carnivore points up the need for Congress to wrestle with a larger dilemma: updating the nation's wiretap laws, hatched long before the Internet existed.

[Box]

The Workings of Carnivore

1. All data flows through the Internet.

2. Internet Service Provider traffic the FBI is tapping flows through the Carnivore filter.

3. Copy of the requested data goes to Carnivore's hard drive.

4. All other data, plus the original data matching the filter, flows onward.

5. The FBI retrieves and analyzes captured data.
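The box above, the "packet filters" description, and the pen-register versus full-content distinction in the article can be made concrete with a small model of such a filter. The following is an added illustration written for this page; it is not Carnivore's code and nothing is known about Carnivore's actual internals beyond what the page states. It assumes, as a simplification, that the order names the subject by a single IP address, that an optional port set restricts capture to one kind of communication (the article's e-mail-only example), and that the ISP has assigned that address to the subject only during a known window. The window is there to show the over-collection risk Matt Blaze's message raises: a filter keyed on an address alone keeps capturing after the ISP hands that address to another customer. All traffic, whether matched or not, is forwarded unchanged, as in step 4 of the box. The packets are constructed sample data, not real captures.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """One IP datagram as seen on the ISP link (constructed, simplified)."""
    ts: float          # capture time, seconds
    src_ip: str
    dst_ip: str
    proto: str         # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class InterceptFilter:
    """Filter parameters standing in for the court order (hypothetical fields)."""
    target_ip: str                    # assumption: the order identifies the subject by IP
    mode: str                         # "pen_register" (addresses only) or "full" (content)
    valid_from: float                 # window in which target_ip is known to be the subject's
    valid_until: float
    ports: Optional[Set[int]] = None  # e.g. {25, 110} to restrict capture to e-mail

    def matches(self, pkt: Packet) -> bool:
        # Outside the address window the IP may belong to another customer:
        # this is the over-collection risk of keying a filter on an address alone.
        if not (self.valid_from <= pkt.ts < self.valid_until):
            return False
        if self.target_ip not in (pkt.src_ip, pkt.dst_ip):
            return False
        if self.ports is not None and not ({pkt.src_port, pkt.dst_port} & self.ports):
            return False
        return True

    def record(self, pkt: Packet) -> Dict[str, object]:
        # Pen-register mode keeps addressing data only: no payload, no subject line.
        rec: Dict[str, object] = {
            "ts": pkt.ts,
            "proto": pkt.proto,
            "src": f"{pkt.src_ip}:{pkt.src_port}",
            "dst": f"{pkt.dst_ip}:{pkt.dst_port}",
            "bytes": len(pkt.payload),
        }
        if self.mode == "full":
            rec["payload"] = pkt.payload
        return rec


def run_filter(flt: InterceptFilter,
               packets: List[Packet]) -> Tuple[List[Dict[str, object]], List[Packet]]:
    """Steps 2-4 of the box: copy matching packets to storage, forward everything."""
    captured: List[Dict[str, object]] = []
    forwarded: List[Packet] = []
    for pkt in packets:
        if flt.matches(pkt):
            captured.append(flt.record(pkt))   # step 3: copy to the capture store
        forwarded.append(pkt)                  # step 4: original traffic flows onward
    return captured, forwarded


# Constructed sample traffic (not real captures). 10.0.0.5 is the subject's
# address for ts < 200; at ts 250 the ISP has reassigned it to another customer.
SAMPLE_TRAFFIC = [
    Packet(100.0, "10.0.0.5", "192.0.2.25", "tcp", 40001, 25, b"Subject: hello\r\n\r\nbody"),
    Packet(101.0, "10.0.0.6", "192.0.2.25", "tcp", 40002, 25, b"Subject: spouse mail\r\n\r\nx"),
    Packet(102.0, "10.0.0.5", "192.0.2.80", "tcp", 40003, 80, b"GET / HTTP/1.0\r\n\r\n"),
    Packet(250.0, "10.0.0.5", "192.0.2.25", "tcp", 40004, 25, b"Subject: other customer\r\n\r\ny"),
]

EMAIL_PORTS = {25, 110}


def pen_register_demo() -> Tuple[List[Dict[str, object]], List[Packet]]:
    flt = InterceptFilter("10.0.0.5", "pen_register", 0.0, 200.0, EMAIL_PORTS)
    return run_filter(flt, SAMPLE_TRAFFIC)


def full_content_demo() -> Tuple[List[Dict[str, object]], List[Packet]]:
    flt = InterceptFilter("10.0.0.5", "full", 0.0, 200.0, EMAIL_PORTS)
    return run_filter(flt, SAMPLE_TRAFFIC)


def no_window_demo() -> Tuple[List[Dict[str, object]], List[Packet]]:
    # Same filter without the address window: the reassigned address is swept up too.
    flt = InterceptFilter("10.0.0.5", "pen_register", 0.0, float("inf"), EMAIL_PORTS)
    return run_filter(flt, SAMPLE_TRAFFIC)


if __name__ == "__main__":
    cap, fwd = pen_register_demo()
    print(f"pen register: {len(cap)} record(s) captured, {len(fwd)} packet(s) forwarded")
    for r in cap:
        print(" ", r)
```

With the e-mail-only port set and the address window, only the subject's SMTP packet is recorded; the spouse's mail, the subject's Web request and the later packet from the reassigned address are all passed through untouched. Dropping the window (the last function) is the failure mode: the filter still "works" but now records another customer's correspondence, which is the kind of configuration-level question the expert testimony on the page argues matters more than the core source code.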


From FBI Website

http://www.fbi.gov/programs/carnivore/carnivore.htm

The Nation's communications networks are routinely used in the commission of serious criminal activities, including espionage. Organized crime groups and drug trafficking organizations rely heavily upon telecommunications to plan and execute their criminal activities.

The ability of law enforcement agencies to conduct lawful electronic surveillance of the communications of its criminal subjects represents one of the most important capabilities for acquiring evidence to prevent serious criminal behavior. Unlike evidence that can be subject to being discredited or impeached through allegations of misunderstanding or bias, electronic surveillance evidence provides jurors an opportunity to determine factual issues based upon a defendant's own words.

Under Title III, applications for interception require the authorization of a high-level Department of Justice (DOJ) official before the local United States Attorneys offices can apply for such orders. Interception orders must be filed with federal district court judges or before other courts of competent jurisdiction. Hence, unlike typical search warrants, federal magistrates are not authorized to approve such applications and orders. Further, interception of communications is limited to certain specified federal felony offenses.

Applications for electronic surveillance must demonstrate probable cause and state with particularity and specificity: the offense(s) being committed, the telecommunications facility or place from which the subject's communications are to be intercepted, a description of the types of conversations to be intercepted, and the identities of the persons committing the offenses that are anticipated to be intercepted. Thus, criminal electronic surveillance laws focus on gathering hard evidence -- not intelligence.

Applications must indicate that other normal investigative techniques will not work or are too dangerous, and must include information concerning any prior electronic surveillance regarding the subject or facility in question. Court orders are limited to 30 days and interceptions must terminate sooner if the objectives are obtained. Judges may (and usually do) require periodic reports to the court (typically every 7-10 days) advising it of the progress of the interception effort. This circumstance thus assures close and ongoing oversight of the electronic surveillance by the United States Attorney's office handling the case. Extensions of the order (consistent with requirements of the initial application) are permitted, if justified, for up to a period of 30 days.

Electronic surveillance has been extremely effective in securing the conviction of more than 25,600 dangerous felons over the past 13 years. In many cases there is no substitute for electronic surveillance, as the evidence cannot be obtained through other traditional investigative techniques.

In recent years, the FBI has encountered an increasing number of criminal investigations in which the criminal subjects use the Internet to communicate with each other or to communicate with their victims. Because many Internet Service Providers (ISP) lacked the ability to discriminate communications to identify a particular subject's messages to the exclusion of all others, the FBI designed and developed a diagnostic tool, called Carnivore.

The Carnivore device provides the FBI with a "surgical" ability to intercept and collect the communications which are the subject of the lawful order while ignoring those communications which they are not authorized to intercept. This type of tool is necessary to meet the stringent requirements of the federal wiretapping statutes.

The Carnivore device works much like commercial "sniffers" and other network diagnostic tools used by ISPs every day, except that it provides the FBI with a unique ability to distinguish between communications which may be lawfully intercepted and those which may not. For example, if a court order provides for the lawful interception of one type of communication (e.g., e-mail), but excludes all other communications (e.g., online shopping) the Carnivore tool can be configured to intercept only those e-mails being transmitted either to or from the named subject.

Carnivore serves to limit the messages viewable by human eyes to those which are strictly included within the court order. ISP knowledge and assistance, as directed by court order, is required to install the device.

The use of the Carnivore system by the FBI is subject to intense oversight from internal FBI controls, the U. S. Department of Justice (both at a Headquarters level and at a U.S. Attorney's Office level), and by the Court. There are significant penalties for misuse of the tool, including exclusion of evidence, as well as criminal and civil penalties. The system is not susceptible to abuse because it requires expertise to install and operate, and such operations are conducted, as required in the court orders, with close cooperation with the ISPs.

The FBI is sharing information regarding Carnivore with industry at this time to assist them in their efforts to develop open standards for complying with wiretap requirements. The FBI did so two weeks ago, at the request of the Communications Assistance for Law Enforcement Act (CALEA) Implementation Section, at an industry standards meeting (the Joint Experts Meeting) which was set up in response to an FCC suggestion to develop standards for Internet interception.

This is a matter of employing new technology to lawfully obtain important information while providing enhanced privacy protection.