CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Tech Industry

Carnivore redux

The FBI's tool may be shelved, but CNET News.com's Declan McCullagh says the government still has an appetite for Internet wiretaps.

Robert Corn-Revere clearly remembers the day he became the first person to tell the world about the FBI surveillance system once known as Carnivore.

In late 1999, Corn-Revere, a partner at the Davis Wright Tremaine law firm, had been fighting on EarthLink's behalf to keep a government surveillance device off the company's network. A short while later, though, a federal magistrate judge sided with the FBI against the Atlanta-based Internet provider.

Worried about the privacy impact, Corn-Revere revealed the existence of Carnivore in testimony before a House of Representatives subcommittee on April 6, 2000. "They were using a technology called Etherpeek, which was off the shelf," Corn-Revere told me last Friday. "When we challenged it, they said, 'We're not using that. That would be wrong. We have our own software developed. It's called Carnivore.'" (Etherpeek is a Windows surveillance utility from WildPackets that can decode protocols used with e-mail, Web browsing and instant messaging.)

The total number of "electronic" wiretaps has stayed between 4 percent and 8 percent of all reported wiretaps each year.

Now history is repeating itself. A flurry of press reports this month noted that the FBI has ceased using Carnivore, which had been renamed DCS1000. But not all of them mentioned that the government is hardly calling a halt to Internet wiretaps--instead, it's simply buying its surveillance tools from private companies again.

A review of the government's self-reported wiretap statistics from 2000 to 2003, the most recent data available, shows that the total number of "electronic" wiretaps has stayed between 4 percent and 8 percent of all reported wiretaps each year. (In 2003, for instance, there were 1,442 reported non-terrorism wiretaps in total that intercepted 4.3 million communications or conversations.)

That figure, though, is an underestimate. First, it doesn't cover terrorism-related wiretaps, which spiked after Sept. 11, 2001, and last year surpassed the general category for the first time. Second, it doesn't count illegal wiretaps, such as the hundreds unlawfully performed by the Los Angeles Police Department starting in 1985.

Third, those numbers don't include "pen register" and "trap and trace" devices, which tend to be about five to six times as popular as traditional wiretaps. Those awkward names, which hail from the days of analog phone taps, refer to capturing only the addresses of Web sites visited and the IDs of e-mail and instant-messaging correspondents rather than the complete content of the communication.

Translated: The concept of Carnivore isn't going away. If anything, police surveillance of the Internet is increasing over time.

The good ole days?
Whatever its flaws, Carnivore offered one undeniable benefit: It had been the subject of intense scrutiny.

Former House Majority Leader Dick Armey, for instance, carefully monitored how the Justice Department was using it. "I respectfully ask that you consider the serious constitutional questions Carnivore has raised and respond with how you intend to address them," Armey wrote to Attorney General John Ashcroft in June 2001. "This is an issue of great importance to the online public."

At one point, political pressure had grown so great that Attorney General Janet Reno reluctantly ordered an outside review of how Carnivore had been used. The review concluded that Carnivore didn't snatch more from networks than it should, but that it had "no auditing" and "significant deficiencies in protection for the integrity of the information it collects."

Whatever its flaws, Carnivore offered one undeniable benefit: It had been the subject of intense scrutiny.

A group of well-known technologists, including Steven Bellovin of AT&T Labs and Peter Neumann of SRI International, reviewed that report, prepared by IIT Research Institute. Their own conclusions: "Serious technical questions remain about the ability of Carnivore to satisfy its requirements for security, safety and soundness."

The public and the press also were more interested a few years ago. CNET News.com published dozens of articles. A Nexis search turned up 1,334 matches for FBI and Carnivore or DCS1000 between July 2000 and July 2001. But the same search for between July 2003 and July 2004 reported only 45 articles.

Unfortunately, the public knows virtually nothing about how the FBI is conducting Internet eavesdropping today. We don't know the name of its interception technology. We don't know if it vacuums up far more conversations than it should when attached to a network. We don't know if it creates a security risk by permitting secure portions of an Internet provider's network to be accessed from afar. We don't know if it has benefited from any of the outside technical review that Carnivore did.

"The need for oversight these days is much greater than when the FBI picked particularly bad names for its surveillance projects," said Marc Rotenberg, director of the Electronic Privacy Information Center. "There's a lot of money slushing around the federal government's dark budgets."

He's right. Congress should demand more public accountability from the Bush administration. Otherwise, we might end up fondly reminiscing about the good ole days of Carnivore.