Privacy and the Stealthy Carnivore

(In keeping with this site's design goal of extreme editing to save readers' time, the latest update on this story is posted in the first paragraphs. Readers wanting some background are encouraged to review the portions written earlier below. An editorial comment is posted at the bottom.)

Updated March 2, 2001

The government hasn't killed off Carnivore, but has tried to make it a little more warm and fuzzy by changing its name from Carnivore to DPS 1000. This change is one of the firsts put into effect since the study group at IIT Research Institute gave their suggestions.

Updated December 12, 2000

The Department of Justice has had a series of researchers working on an evaluation of the Carnivore system since October. As of recently, they have produced a draft of their findings which report favorably in some aspects but draws the conclusion that Carnivore does exceeds the legal restrictions that are in place. Although the Department of Justice contends that Carnivore will only be used in conjunction with a court order, the researchers determined that it is very easy for someone to use the system in a manner that prevents others from knowing who is monitoring what. In other words, the system has the capability to be used to monitor items other than email; and it is set up such that if someone went beyond email monitoring, it would be difficult to identify such misuse.

In order to alleviate some of the concerns that the public has with Carnivore, the researchers have suggested that the source code be available for the public.

October 7, 2000 Update

The Carnivore story refuses to die. Rather increasing controversy is arising from the government's efforts to preserve this predator. Several weeks ago, the Justice Department announced that it would submit Carnivore data (not including source code) to a university team for examination, in the hope that such an independent review would quell concerns about privacy invasions. Bids were solicited from university teams for the project, and a team from Illinois Tech was ultimately awarded the job.

However, the bid request for proposal terms and the award to Illinois Tech are under attack. Apparently many universities refused to bid on the project because the terms required that the Department of Justice (DOJ) be given an opportunity to perform the final edit on the report before its being made public. To add fat to the fire, DOJ posted the terms of the winning proposal on its website with the names of the team members blacked out. To its dismay, the black out was quickly reversed with software and the names publicly posted elsewhere.

Now DOJ is being attacked both for its final edit requirement and for giving the project to a team with substantial government ties. The ACLU, which was one of the first to attack Carnivore, issued statements questioning the independence of the chosen investigation team. But of greater concern in this election year, House majority leader Dick Armey (R) joined the attack issuing a statement saying, "This Department of Justice proposal has confirmed my worst fears. This important issue deserves a truly independent review, not a whitewash." All of this follows criticism of the initial release of information by the FBI to EPIC as inadequate.

In this light, it is not surprising that the House Judiciary Committee has favorably reported out H.B. 5018, which increases protection of e-mail privacy. Among other things the bill would exclude illegally obtained e-mail from evidence in criminal trials.

Background portions of story written prior to October 2000 begin here:

The FBI has announced that it will be turning over substantial written material to EPIC pursuant to its Freedom of Information Act request for information on Carnivore. The first papers should be delivered to EPIC within 45 days, with subsequent deliveries in intervals as documents are processed. The FBI says the large amount of responsive material is the cause of the staged deliveries. EPIC has responded that the proposed schedule inadequate and that it may go back to court to have the scheduled release of data set by court order. The FBI proposed schedule does not say what data will be released when, nor does it give a final date by which all information will be released.

Original Story Begins Here

Privacy groups are again at odds with the government in relation to a new system, “Carnivore,” which allows the government to read senders’ and recipients’ email addresses as well as email content. Recently the ACLU joined the outcry with an open letter to the relevant congressional committee, and a request to the FBI under the Freedom of Information Act for source code and other information regarding the program. The FBI has announced that it will fight the FOIA request. The ACLU has been joined by the Electronic Privacy Information Center (EPIC) in seeking Carnivore's secrets. The purpose of Carnivore, which has been in use since early this year, is to allow FBI agents to view email addresses and subject lines for suspected criminal activity and then decide whether to view and copy the actual email content. In contrast to a traditional telephone “wiretap,” Carnivore is controlled only by law enforcement agencies, not the telephone companies. Internet e-mail users must act on pure trust that the FBI will utilize Carnivore only against criminal suspects and not intrude in others’ privacy. The FBI has not released exactly how the device works, spurring more mystery to the controversy.

The FBI runs Carnivore on its own computer which is connected to the Internet at ISP's. One ISP, EarthLink, fought the effort on the grounds that it invaded the privacy of its customers and that the installation would require EarthLink to run inferior software degrading its performance. The court hearing this case ruled in favor of the FBI, requiring the ISP to cooperate. It has now been reported that EarthLink and the FBI have negotiated an agreement regarding Carnivore and the EarthLink system.

In reaction to the rising controversy, Attorney General Janet Reno is reported to have announced a review of the Carnivore system implementation plans, and the Clinton administration has indicated that it will re-examine the whole issue of wiretap laws in light of the Internet. However, Reno has recently announced that Carnivore will remain in operation while the review is taking place. The latest statements from the Justice Department indicate that a contract might be given to some, yet to be selected, university to review Carnivore and report on it to Congress and certain other interested parties. Meanwhile, a movement has begun in Congress to reign in Carnivore's unbridled use. not ready to give in - even to Congress - the FBI has rebuffed Representative Bob Barr's efforts to obtain information.

Not content with the slow progress on disclosure EPIC went to court seeking expedited handling of its own FOIA request for details on Carnivore's functioning. On August 2, 2000 the judge ordered the FBI to prepare to release information and return for further court hearings soon.

Advice

E-mail users are often quite casual in their communications. It may come to pass that jokes about crime on Internet e-mail are treated like jokes about hijacking at airport checkpoints. Until this matter is resolved, users should e-mail knowing that the contents might be viewed by unknown eyes.