Does Carnivore devour too much of our privacy?

Carnivore, the FBI's tool for monitoring the Internet, is a hungry beast. It has implications for those running small and large ISPs. In this Daily Feature, James McPherson explores those implications.

Now that the major chaos has died down regarding the FBI’s controversial digital wiretapping device, code-named Carnivore, it is time to rationally consider whether the FBI’s construct is a technically reasonable solution and what potential impact it will have on those in the IT world who may be required to comply with it.

What is Carnivore?
The information we have comes from the FBI’s intentionally vague online description of the device and various statements made to the Senate and House of Representatives. According to the FBI’s Web site, “The Carnivore device works much like commercial ‘sniffers’…it provides the FBI with a unique ability to distinguish between communications which may be lawfully intercepted and those which may not.…Carnivore serves to limit the messages viewable by human eyes to those which are strictly included within the court order.” On a performance note, Donald M. Kerr, an assistant director in the FBI, told the United States Senate Judiciary Committee that “Specifically, it filters binary code—streams of 0's and 1's that flow through an ISP network, for example, at 40 mega-bits per second and often at much higher speeds. Carnivore operates real time with these speeds.”

Tom Perrine, security director for the San Diego Supercomputer Center, was given the opportunity to observe a Carnivore system. The particular Carnivore system he saw was a PC, running an unspecified version of Microsoft Windows, with a network adapter and a Jaz or Zip disk attached to it. It was operated by a simple GUI used to configure the search parameters. It also included a modem interface to allow the FBI’s Engineering Research Facility to provide technical support, determine when the removable media should be changed, or correct mistakes in the filtering settings.

Thus Carnivore is a system with the capacity to scan IP traffic for multiple types of transactions and store a number of possible bits of information, and it is designed to be used by nontechnical FBI Special Agents. Furthermore, it was intended to be used in relatively high-speed (T3-class) network segments. What is not known are the methods Carnivore uses to interpret the data, the full range of data that it might read, or the particular buffering mechanisms used to work on and store the data.

Where is it located?
One aspect of Carnivore that is somewhat unclear, and that poses the most vexing question to the IT industry, is where the Carnivore server is located within a network topology. In theory, it would be located in a position that limits Carnivore’s exposure to other users’ data. The FBI tries to liken this to a single trunk-line telephone tap to make it seem less threatening. The accuracy of this analogy is questionable given the typical network layout.

Here it is easy to see that with traditional wiretaps, the hard-wired nature of telephone lines ensures that tapping a single customer will not expose others’ privacy (Figure A).

Figure A
A standard wiretap only exposes one line.

However, the Internet is not so neat and tidy. Regardless of the size of an ISP, it is forced to expose every customer in the region to Carnivore’s inspection. This does not imply that the FBI has a choice; if they want to be sure of capturing all of a suspect’s digital communication, they have no choice but to do things this way.

From a networking point of view, Carnivore needs to be placed at the primary network junctions to capture all data. For complex networks with redundant routes, this may require multiple interfaces. Regardless, this can result in downtime if the existing hardware does not have network ports available (Figures B and C).

Figure B
For Carnivore to work, small ISPs would place the device between the modem bank and the Internet, exposing all communications.

Figure C
For large ISPs to make all communications searchable, Carnivore would most likely be located outside the switch.

Is Carnivore the only option?
Part of the initial uproar was from the technical community pointing out the many, many alternatives that can be used to capture or reroute electronic communications. Surprisingly, the FBI does not intend to rely entirely on Carnivore. But it all depends on the type of wiretap.

The most common wiretaps monitor phone transactions, i.e., who called whom but not what was discussed. Electronic wiretaps specify the types of communication (e-mail, IRC, chat, etc.) that may be monitored. For a “typical” e-mail wiretap, where the e-mail in question is handled by the ISP’s mail server, the ISP’s mail logs can provide that information. If the suspect is using multiple mail services (their ISP and Hotmail, for example) or if multiple types of communication are being monitored, the FBI would be required to interact with a number of organizations. Some paperwork and coordination is required, but the plan is usually quite feasible.

Less common but more troublesome are the comprehensive wiretaps. These taps record some or all of the communications of the suspect in addition to the transaction information. This causes several nontrivial technical issues. While routers, mail servers, and proxy servers may be set to monitor transaction information, there are no easy solutions to intercept a specific user’s communications, from e-mail to instant messaging, reliably or securely. This is the place for Carnivore.

What is the deal with reviewing Carnivore’s code?
The FBI has been hesitant to make the source for the Carnivore software available for public review, fearing that savvy criminals could find ways to circumvent its operation. Their fears are valid but misplaced. The mechanisms that Carnivore uses for data analysis are widely understood; any third-year programming or computer science college student should be able to write a Carnivore-esque application as it must follow the protocols of the Internet.

A criminal who wishes to avoid electronic wiretaps does not need to know Carnivore’s code but the law regarding Carnivore’s operation. It was the laws passed by Congress and the rules of Internet functionality that dictated to the FBI how Carnivore must operate. Those laws also inform criminals how to avoid telephone wiretaps, if they wish to make the effort. It requires time, effort, and money, but the tools needed are available and almost impossible to control.

In the FBI’s defense, there is a precedent for controlling the technology used for wiretaps. If you know how a conventional wiretap operates, you can detect it by monitoring any changes in your telephone signal. The Internet operates under different rules. Since packets can be reproduced perfectly, without any degradation to the data, completely invisible monitoring devices are possible.

What are the corporate concerns for a Carnivore installation?
In a phrase, the lack of checks and balances. The ISP is forced to expose a significant number of customers to the tap and, since it is solely FBI staff, equipment, and software involved in gathering and recording the specified information, the ISP has no way of knowing for sure if the FBI is only gathering the information allowed by the wiretap.

The FBI defends itself by saying “The system is not susceptible to abuse because it requires expertise to install and operate, and such operations are conducted, as required in the court orders, with close cooperation with the ISPs.” Exactly what “close cooperation” consists of has not been explained and likely only consists of locating the proper installation point and choosing a time of installation that would minimize downtime. The FBI also points out that electronic wiretaps differ from telephone wiretaps in that a federal district judge, not a magistrate, reviews the request.

History tells us that expertise does not forestall abuse, and if the knowledge is too closely held then it is impossible to confirm or disprove abuse. While review by judges will be more likely to prevent unnecessary taps from being sanctioned, unless the judges understand the unique risks posed by the Internet, the judicial branch will be unable to adequately evaluate the continued use of an electronic wiretap.

The corporate world should work to create a system that allows the judicial branch and the ISP suitable oversight capacity to protect customers without hampering the FBI’s efficiency. From a technological standpoint, the capacity for that oversight system exists. The modem link on Carnivore could be used by the judicial branch, the ISP, or any other oversight group to monitor Carnivore. Alternatively, the configuration of Carnivore could be removed from the FBI’s control and placed directly in the hands of an agent of the courts. The data collected by the FBI could be monitored by requiring Carnivore to use two removable media devices: one that is given to the FBI and another that is stored with the court records to verify the data collected. Any number of systems could be developed and readily implemented that would provide an acceptable level of oversight.
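As an added illustration of the oversight idea above (example code written for this page, not code from the article, and not a description of how Carnivore itself works, which the author notes is unknown): a minimization filter that retains only traffic inside a court-order scope and writes a separate manifest that an overseer can check against the retained copy. The addresses, protocols and flow records are constructed samples.

```python
# Added example: court-order minimization with a verifiable audit manifest.
# Nothing here is Carnivore's code; addresses, protocols and records are made up.
import hashlib
import json

# Constructed flow records, as an ISP-side capture might summarize them.
# Only the subject's authorized traffic may be retained; other users are out of scope.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "smtp", "payload": "hello"},
    {"src": "10.0.0.7", "dst": "192.0.2.10", "proto": "smtp", "payload": "other user"},
    {"src": "192.0.2.10", "dst": "10.0.0.5", "proto": "smtp", "payload": "reply"},
    {"src": "10.0.0.5", "dst": "198.51.100.3", "proto": "http", "payload": "GET /"},
]

# Court-order scope (constructed): the subject address and the authorized protocols.
ORDER = {"subject": "10.0.0.5", "protocols": {"smtp"}}


def _digest(record):
    """Stable SHA-256 over a canonical JSON form of one record."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def in_scope(record, order):
    """True only if the record involves the subject and an authorized protocol."""
    involves_subject = order["subject"] in (record["src"], record["dst"])
    return involves_subject and record["proto"] in order["protocols"]


def minimize(records, order):
    """Return the retained records (the FBI copy) and the manifest (the court copy).

    The manifest carries a digest per retained record plus seen/kept counts, so an
    overseer can confirm what was kept without holding the contents themselves."""
    kept = [r for r in records if in_scope(r, order)]
    manifest = {"seen": len(records), "kept": len(kept),
                "digests": [_digest(r) for r in kept],
                "order": {"subject": order["subject"],
                          "protocols": sorted(order["protocols"])}}
    return kept, manifest


def verify(kept, manifest):
    """Oversight check: the retained copy matches the manifest and stays in scope."""
    order = {"subject": manifest["order"]["subject"],
             "protocols": set(manifest["order"]["protocols"])}
    if len(kept) != manifest["kept"] or len(manifest["digests"]) != len(kept):
        return False
    return all(_digest(r) == d and in_scope(r, order)
               for r, d in zip(kept, manifest["digests"]))
```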

Sadly, I expect it will take some time until that occurs. The FBI is loath to expose any of their wiretapping technology to scrutiny. What is most disheartening is that it will likely require a scandal of some kind to force the FBI’s hand—if they only realized that by giving up a bit of their privacy everyone would be happy.
You can find more information about Carnivore at the following Web sites (used as sources for this Daily Feature):
