Internet.com ISP-Planet

 


ISP Politics

The Appetite of Carnivore

Carnivore is software that is installed by the FBI on ISPs' networks. There are complex legal restrictions on its use, and we examine them in detail. ISPs should know that Earthlink was able to drop it when Carnivore crashed Earthlink's service.

by Patricia Fusco
of internetnews.com

car·ni·vore From Latin carnivorous Date: 1840 Any of an order (Carnivora) of typically flesh-eating mammals that include dogs, foxes, bears, raccoons, and cats; broadly: a carnivorous animal.

Car·ni·vore From FBI Labs Date: 2000 Federal court-ordered electronic surveillance system, which is typically placed at network operation centers of Internet service providers to sniff out illicit e-mail, criminal chat room banter, and illegal Web destinations; broadly: a carnivorous animal.

 

The Federal Bureau of Investigation contends that the nation's communications networks are routinely used in the commission of serious criminal activities, including acts of terrorism and espionage. According to the nation's top crime fighter, organized illicit groups rely on telecommunications to plan and execute unlawful activities.

Law enforcement agencies consider the ability to conduct e-surveillance of communications critical for acquiring evidence of criminal behavior. Unlike eyewitness evidence, which can be subjective and readily discredited in court, e-surveillance provides jurors an opportunity to review the facts of a case based on a defendant's own words.

The FBI contends that e-surveillance secured the convictions of more than 25,600 felons over the past 13 years. In many cases, agents insist that there was no substitute for e-surveillance, as the evidence could not be obtained through traditional investigative techniques.

Take a bite out of crime
The Bureau has encountered an increasing number of criminal investigations in which suspects use the Internet to communicate. According to the FBI, many Internet service providers lacked the ability to sort packets in search of criminal correspondence. FBI labs designed and developed a diagnostic tool, dubbed Carnivore, to eat its way through the deluge of data, leveraging bits to take a bite out of crime.

Carnivore is capable of filtering through millions of e-mails each second. It scans all incoming and outgoing e-mail of suspects under surveillance.

Max Ray Butler of Max Vision Network Security offers free security analysis for ISP technicians and private network administrators who want an outside review of their network's bulwarks.

Butler said although he does not have access to the Carnivore software, he understands the FBI's search focus and capabilities are very different from its commercial security tools.

"Carnivore is focused on gathering application-level data such as the contents of e-mail, and possibly the Web addresses that users visit or IRC discussions that they hold. It is technically impossible for the FBI to capture all of the data sent and received by an ISP, as the storage and processing requirements are outside of their present budget," Vision said.

"However, they can capture a large amount of information, especially if they are limiting their capture to content with certain keywords (as in echelon). For example, rather than capturing every e-mail, they may only catch emails with 'bomb,' 'explosive,' or the names of chemical precursors for the manufacture of controlled substances."

Butler said commercial packet sniffing programs captured by its arachNIDS database are meant to watch for intrusion events, like a DoS event, in order to catch intruders.

"Although it is possible to configure Snort to act in a manner similar to Carnivore, it would be a stretch. The recommended configuration will only detect hacking attempts or probes, and only logs single packets that pertain to the attack detected — the entire session is not logged," Butler said.

According to the FBI, Carnivore works like the commercial packet-sniffing programs that network technicians use as diagnostic tools for shoring up network security. But the agency insists that Carnivore has the ability to distinguish between communications it may lawfully intercept and those it may not.

Who will watch those selfsame guardians?
Privacy advocates and the American Civil Liberties Union asked that Congress put a leash on Carnivore.

Barry Steinhardt, Associate Director of the ACLU, compared Carnivore technology with allowing government agents to rip open Post Office mailbags and scan every piece of mail in search of one specific letter whose address they already know.

The ACLU also filed a request under the Freedom of Information Act for correspondence, programming code, technical manuals, and specifications of Carnivore. The FOIA is usually reserved for public requests for official government documents, not Net-sniffing computer code. The Bureau has 20 business days to respond to the FOIA request.

It is unlikely that the House or Senate will take action on privacy concerns over Carnivore during its 106th session.

The FBI insists that criminal e-surveillance laws are in place to gather hard evidence, not for eavesdropping to gather intelligence. The Bureau says that Carnivore provides law enforcement officials with a surgical interception and that collected communications are the subject of lawfully obtained court orders.

Under Title III, applications for interception require the authorization of a high-level Department of Justice official before the local U.S. Attorneys' offices can apply for such orders.

Interception orders must be filed with a federal district court judge, and unlike typical search warrants, federal magistrates are not authorized to approve e-surveillance.

Wiretapping and e-surveillance are limited to certain specific federal felony offenses.

Applications for e-surveillance must demonstrate probable cause and specifically state the crime under investigation, the telecom facility or place from which the subject's communications will be intercepted, a description of the types of conversations to be intercepted, and the identities of the persons committing the offenses.

Court orders are limited to 30 days and interceptions must cease if the objective of the e-surveillance is fulfilled. Extensions of the order are permitted, if justified, for up to another 30 days.

Seeing the invisible dog
The FBI believes Carnivore's packet sniffing abilities are invisible, but EarthLink, Inc. technicians know otherwise.

Last week EarthLink reached an agreement with the FBI to avoid future use of the Bureau's Carnivore surveillance device. After months of negotiations, the national ISP is free to use other means of packet-snooping if the FBI issues a court-ordered e-mail tap.

EarthLink was forced to install the super-snooping software early this year by a court order. The interface with the system disrupted user service and killed EarthLink servers.

Kurt Rahn, EarthLink spokesperson, said privacy is critical for its subscribers.

"EarthLink won't even share subscriber information with Sprint Corp., which owns 30 percent of the national ISP," Rahn said.

Although EarthLink could not comment about the specifics of its experience with Carnivore, Rahn said it tossed the FBI's program out of its system when it disrupted services for EarthLink subscribers. The ISP honored the court order by installing a Carnivore alternative that provided the Bureau with the e-surveillance it required.

Rahn could not say whether its court-ordered e-snooping program was a home brew system or commercial software application. He did say that unlike Carnivore, the program did not disrupt customer services.

A network engineer said that Carnivore can read e-mails, and identify packets in an ISP's network, but by no means does it have access to all packets on the particular ethernet switch or router to which it is attached.

You can't teach an old dog new software
He added that the FBI only has 20 of the Carnivore units and its storage capacity could not possibly pick through all packets traversing a network. The engineer said that Carnivore by itself does not crash ISP servers. He said the network access servers only crashed when the ISP installed older versions of software on them so that Carnivore could read the messages. If the ISP had left its original software on the NAS, the NAS would not have crashed. Of course, Carnivore would not have been able to read the messages either.

Carnivore use by the FBI is subject to oversight from internal FBI controls, the U.S. Department of Justice, the U.S. Attorney General's Office, and the Court. So, there are four e-mail-sniffing dogs wagging the same tail.

The Bureau insists that there are significant penalties for misuse of the tool, including exclusion of evidence and criminal and civil penalties as enforced by the DOJ. Unfortunately, neither the FBI nor the DOJ would comment on whether there were any reported abuses of Carnivore programming.

According to federal officials, Carnivore is not susceptible to abuse because it requires expertise to install and operate; the system and such operations are conducted in close cooperation with the ISPs. This means that some 15-year-old with nothing better to do than embarrass federal agencies is likely to break the system and post private FBI surveillance on a very public Web before the year is through.

The FBI announced it is sharing information regarding Carnivore with the industry at this time to help develop open standards for complying with wiretap requirements. Such programs typically use public information and committee formation to quiet the storm of privacy concerns, and let the issue pass with time, never resolving the real issue.

U.S. Attorney General Janet Reno last week said she would review Carnivore to make sure that new technology balances with the rights of all Americans after the White House pressed for a check and balance on the system.

"We are looking at it to see what is needed, if anything," Reno said. "If additional regulations are needed, we will pursue those. I just want to make sure that industry, privacy interests, law enforcement interests are all fully advised so that we can consider anybody's concerns and make sure that we address them."

The review is a worthless exercise because EarthLink already proved that it is not necessary to unleash Carnivore on an ISP's network. There is no reason to allow the Bureau to take down a network to set up Carnivore, when alternative programs are available, regardless of what the program sniffs out of a system.

Carnivore is a dog
As long as an ISP has the legal and technical resources to comply with a court order issued to G-men, Carnivore does not have to dine on server data for a service provider to comply with FBI e-surveillance when they come knocking at your NOC's door.

—End

 

 

 
