Hunting the Paper Carnivore

by BrotherBen

I am sure most 2600 readers out there have heard about Carnivore.  If not, I advise all parties interested in privacy and Internet security to do a quick search on [carnivore FBI] and do a little reading.

Carnivore (originally called "Omnivore") is a system designed to analyze huge amounts of email traffic and extract any mail sent to or from individuals for whom wiretapping warrants have been issued.  By law the device should not be used to indiscriminately scan all public Internet communications.  Naturally that is against the law and at least on paper neither Carnivore, traditional wiretaps, nor the "mythical" ECHELON can be used against U.S. citizens without a court order.  But more on that later.

I have been informed by sources close to the FBI (think Infrastructure) that Carnivore is nothing more than a glorified sniffer.  The media is describing the device as an email scanner that collects all traffic received by targeted ISPs and "selects" messages sent by individuals for whom the FBI has received wiretapping warrants.

There are many ways this could be accomplished, such as installing a script on the mail gateway that greps for certain messages and sends them on to an analysis machine, but in fact the deadly "Carnivore" simply sniffs all traffic at strategic bottlenecks on the ISP to perform its mission.  There are literally a dozen different scenarios I could envision for sniffing an ISP's mail gateway, but the end result is the same: Carnivore sniffs all port 25 traffic, collects the data, examines the mail headers for target senders and recipients, and finally archives those messages.

An agent shows up daily at the ISP to collect a floppy/Zip/whatever archive of the messages (interestingly enough, the PC housing the Carnivore software (script?) is reportedly locked in a cage 24-7).  Note that Carnivore could collect traffic from any port, but almost all of the printed quotes from FBI officials refer to the device as an "email scanner."

However, the current state of wiretapping laws in the USA may allow sniffing of just about any type of traffic, including web surfing.  In fact, I am sure the FBI would begin collecting HTML traffic if a target were using Hotmail or Deja as a mail service.

The media has hyped Carnivore heavily in recent months due to privacy issues raised by certain groups (such as the ACLU and EPIC), but the concept of Carnivore is nothing new.  In fact, the ACLU is far too late to play the role of alarmist, as the FBI has been conducting limited Internet surveillance operations without Carnivore for years - and getting similar results.  What has raised media interest lately is the fact that at least one ISP has been ordered to allow the FBI to scan their email traffic on a daily basis.

The problem here is that the FBI presumably collects all TCP/IP traffic and discards that information not pertinent to the current mission.  In theory then, the FBI must at least temporarily "listen in" on all email sent to a given ISP in order to track one or two suspects.  Likewise, depending on the configuration of the scanner, the FBI could be receiving all TCP/IP traffic routed to that subnet (see above).
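
The header-selection step and the over-collection it implies, as an added example that is not Carnivore's code or anything from the original article: it reads what a passive observer on port 25 can see in each SMTP stream and counts how many sessions must be read to keep one. The transcripts and addresses are constructed, and STARTTLS is an assumption used here to show where cleartext visibility ends.

```python
import re

# Envelope commands a client sends in cleartext SMTP (RFC 5321 syntax).
ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)

# Constructed client-side SMTP streams, not captured traffic.
SESSIONS = [
    ["EHLO a.example", "MAIL FROM:<alice@a.example>", "RCPT TO:<bob@isp.example>",
     "DATA", "Subject: lunch", "", "RCPT TO:<target@isp.example> is only body text", ".", "QUIT"],
    ["EHLO c.example", "MAIL FROM:<carol@c.example>", "RCPT TO:<target@isp.example>",
     "DATA", "Subject: hello", "", "hi", ".", "QUIT"],
    ["EHLO d.example", "STARTTLS", "<ciphertext>", "<ciphertext>"],
]

def observe(client_lines):
    """Return what a passive observer can read from one client-side stream."""
    view = {"sender": None, "recipients": [], "tls": False, "cleartext_lines": 0}
    in_data = False
    for raw in client_lines:
        line = raw.strip()
        if not in_data and line.upper() == "STARTTLS":
            view["tls"] = True
            break  # the rest of the stream is ciphertext to the observer
        view["cleartext_lines"] += 1
        if in_data:
            in_data = line != "."  # a lone dot ends the message body
            continue
        if line.upper() == "DATA":
            in_data = True
            continue
        m = ENVELOPE.match(line)
        if m and m.group(1).upper() == "MAIL FROM":
            view["sender"] = m.group(2).lower()
        elif m:
            view["recipients"].append(m.group(2).lower())
    return view

def select(sessions, targets):
    """Read every session; keep only those whose envelope names a target."""
    wanted = {t.lower() for t in targets}
    views = [observe(s) for s in sessions]
    kept = [v for v in views if wanted & ({v["sender"]} | set(v["recipients"]))]
    return len(views), kept

if __name__ == "__main__":
    examined, kept = select(SESSIONS, ["target@isp.example"])
    print(f"examined {examined} sessions to keep {len(kept)}")
```

Every cleartext session, including the body of the unrelated first message, passes through the observer before one is kept; the upgraded session exposes only its greeting.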

We are left to trust that the FBI will only use the information it needs to accomplish its mission, and that these "needs" are modest and lawful in scope.

The point of this article is not to present a paranoid rant about yet another invasion of our privacy - we have all experienced our share of government ignorance, oppression, lies, etc.  In fact the Carnivore device itself is quite mundane, assuming it doesn't end up in a role similar to ECHELON, in which private communications are subjected to a logic engine that evaluates messages for threat conditions.  The capability is there, of course, and once again we have to trust the establishment to control itself - something our government was never designed to do.  In the FBI's defense, I have been told that there are oversight committees designed to prevent abuses of power, but technology issues are very difficult to oversee because members of oversight committees are not always technically proficient enough to understand the actual threats involved.  We see similar problems occurring with the depositions in the MPAA v. 2600 case.

The critical issue with Carnivore is the level of access initially granted to the FBI for operations.  All traffic could likely be collected and examined at the whim (or misconfiguration) of an agent.  Current wiretapping laws are simply incapable of adequately dealing with email, because the amount of traffic and technology concerns differ greatly from the POTS systems of the past decades (in fact, one could argue that modern telephone systems have outgrown traditional wiretapping statutes).

Wiretapping laws have been modified over the past few years, but in fact a real understanding of global, switched data communications is still in development.  The recent court order concerning ISPs and Carnivore proves this perfectly - we now have tap and trace regulations being applied to a medium in which "bad" communications are tightly interwoven with "good" ones, and the FBI is left picking through our lives in search of a few bad apples.  I hope this trend changes soon but patience alone will not institute such a change.

Naturally I understand that cryptography appears to be a panacea for the Carnivores amongst us.  Even though I advise all serious privacy advocates to use cryptography whenever necessary, viewing cryptography as a final solution is flawed for two reasons.  For one, it is not enough to reactively avoid bad legislation by using "loopholes" such as cryptography.  We cannot assume that our current algorithms are indecipherable, or that cryptography will soon become mainstream.  We must act to stop the trends in legislation by proactively voicing our discontent.

Secondly, if the powers of the FBI are circumvented by our regular application of strong crypto, we may see another push to increase surveillance powers, such as registering private keys - probably in the name of stopping terrorism.  The end result will be the increased control over communication lines by various agencies.  As stated earlier, the use of public mail services such as Hotmail and chat protocols like IRC will certainly prompt the FBI to monitor other types of IP traffic.

I have never seen the government back down from a fight just because they were outsmarted (arguably, prohibition may be an exception to this).  If we allow broad powers of search and seizure to exist, I seriously doubt that overt secrecy will act as anything more than a speed bump for our watchmen.  The ultra-paranoid will always have a "solution" to problems such as Carnivore.  SSH connections to remote systems running Sendmail, dedicated, encrypted dial-up connections, and other VPN solutions all come to mind.  Though using such methods is advisable, it is comparable to the tuna out-swimming the shark in the belly of the whale.  The greater issue must be addressed.

The fact that exporting 128-bit encryption from the USA is viewed as a felonious offense should tell us how seriously our government misunderstands and over-legislates technology.  We must normalize and distribute strong cryptographic systems, while simultaneously restricting the power of governmental institutions to control and prohibit technology.  One cannot occur before the other.
