Report finds risk but supports Carnivore email surveillance

The report said that Carnivore provides investigators with no more information than is permitted by a given court order and that it poses no risk to Internet service providers.

At the same time, the report warned that Carnivore "does not provide protections, especially audit functions, commensurate with the level of the risks," and that the lawfully collected information could be lost or corrupted by "physical attacks, software bugs or power failures."

Carnivore was designed by the FBI to track the electronic correspondence of suspects. Privacy experts have raised concerns that the program, which is installed at Internet service providers, is capable of also collecting the email of people who are not under investigation.

In response to those concerns, the Department of Justice commissioned the Illinois Institute of Technology (IIT) to examine the technology. In its report released Tuesday, IIT said Carnivore "reduces, but does not eliminate" the risk of unauthorized interception of electronic communication by the FBI.

"We are overall pleased with the findings," said FBI spokesman Paul Bresson. "They are quite positive and substantiate the contentions that we've made all along--that when the Carnivore system is performed accurately it only provides investigators with the information it is designed for under a court order."

Critics of Carnivore, however, said the review raised more questions than it answered.

The Electronic Privacy Information Center (EPIC), which has sued the FBI to release its Carnivore-related documents, said the report showed that Carnivore could easily be used to collect private information not permitted under the law.

"If it's that easy for the FBI to accidentally collect too much data, imagine how simple it would be for the agents to do so intentionally," EPIC attorney David Sobel said in a statement. "This supports our belief that Carnivore raises extremely serious privacy concerns."

Even before the release of the report Tuesday, the review process itself had been under attack.

Several prominent universities, including the Massachusetts Institute of Technology (MIT), backed out of the application process after the Justice Department released the guidelines for the study, saying restrictions placed on the scope of the review took away from its independence.

When IIT was chosen to perform the review, critics said it would not be independent because the IIT reviewers were government insiders.

For example, Dean Henry H. Perritt from the university advised President Clinton's transition team on information policy. Other members of the university's review team have either worked in the past on government projects or hold active security clearances.

The Justice Department had blacked out this information when it released a document about the selected team. However, people reading the documents with Adobe software were able to view the unaltered document, which adds to suspicions about the review process.

To avoid a similar mishap, Tuesday's release of the review was delayed by several hours, said Justice representative Chris Watney. The documents are available on the DOJ's Web site.

In contrast to the conclusions in IIT's review, EPIC, which is conducting its own review, has lambasted the FBI for the program, which it describes as an invasion of privacy.

EPIC sued the FBI for information through the Freedom of Information Act and is conducting its own analysis.

In a second batch of paperwork received from the FBI last week, EPIC concluded that Carnivore can capture and archive "unfiltered" Internet traffic--contrary to FBI assertions.

"The little information that has become public raises serious questions about the privacy implications of this technology," EPIC general counsel David Sobel said in a statement. "The American public cannot be expected to accept an Internet snooping system that is veiled in secrecy."