In Jurassic Park, the raptors were far more dangerous than the giant T. rex because they were quick, vicious, agile, and seemingly everywhere. Given the similarities, I think the FBI should have named their latest monster Raptor instead of Carnivore. Carnivore, in case you didn't know, is a neat little software package the FBI uses to intercept e-mail messages of criminal suspects passing through an Internet service provider (ISP).
To date, Carnivore has been a well-kept secret. Most network administrators have never heard of it. However, with the recent Congressional interest in privacy rights and the Internet, Carnivore may be making headlines for some time to come. A hot debate is now underway between the government and privacy advocates who feel the software casts too wide a net in its attempts to catch suspected criminals. Their fear is that Carnivore will capture legal communications from innocent people, whether intentional or not. Also, the potential for abuse is making many representatives uncomfortable. Accordingly, the U.S. government has vowed to review Carnivore for its implications and has several of its experts looking at the source code.
Want to know more about protecting your network?
Check out these TechRepublic articles on safeguarding your e-mail:
- “Does e-mail security pose a risk to e-commerce?”
- “The right corporate policy: E-mail and Internet monitoring”
- “When a stranger calls: Use outsiders to safeguard your e-mail”
Skepticism aside, many IT professionals have different ideas about what the government should do. In a recent commentary, Gartner research analyst John Pescatore suggests, “Although the FBI has made statements to the public and the U.S. Congress that Carnivore does not violate privacy laws, Gartner believes an open review of the source code is needed to engender public trust and ensure that the technology is spoof-resistant.”
What you need to know
So how does all this high-level tampering affect you? Corporate espionage does take place on the Internet. If you are reading this article, you probably have some impact on security administration for your company. If you are not aware of the potential security holes within your own network, you might be putting your systems at risk. And if you think your job is limited to keeping viruses off the company network, you may not be long at your current position.
As a security administrator, you might have to deal with federal investigators wanting to use Carnivore if someone on your network becomes a suspect in one of their investigations. For example, if someone sends unencrypted e-mail on your network and he or she is under suspicion by the FBI for criminal activity, the agency may obtain a court order to tap his or her messages. Even if they don't have probable cause to get a court order, they can still get the e-mail address of everyone that person communicates with. This is similar to a law enforcement agency having the right to obtain a copy of your phone bill if it suspects you of wrongdoing. The same rule applies to e-mail addresses.
Here’s another thing to consider: Wiretap court orders are secret. You will not know if there's one against you or your business. Also, keep in mind that there was little knowledge of Carnivore in the first two to three years of its use. How many other Carnivore-like systems are in use today by the IRS, Secret Service, NSA, or local police agencies?
Am I paranoid? Maybe, but that’s why I’ve been around so long. The FBI maintains that they are very careful not to get any information for which they do not have a court order. In the interim, however, the FBI seems to be taking advantage of this new technology and has vowed it has a place in helping catch criminals. Keep an eye on this debate as Congress moves forward with its investigation of Carnivore.
John McCormick is a security consultant and technical writer (five books and 15,500-plus articles and columns) who has been working with computers for more than 35 years.
Have a comment?
If you'd like to share your opinion, please post a comment below or send the editor an e-mail.