NOTE: Electronic Surveillance: Protecting the Privacy Ecosystem from the Federal Bureau of Investigation's Carnivore.

Spring 2003

Reporter 28 Okla. City U.L. Rev. 291 *

Length: 19153 words

Author: Gideon Andrew Lincecum *

* The author of this Note, Gideon A. Lincecum, is a 2002 graduate of Oklahoma City University School of Law, and is currently working for Holladay, Chilton & DeGiusti in Oklahoma City, Oklahoma.

Text

[*291]

This Note explores the current privacy debate over the use of the Federal Bureau of Investigation's new electronic surveillance device, Carnivore. Privacy advocates argue that the current wiretap legislation is inadequate to protect the privacy interests of users against new Internet wiretapping capabilities, while the Department of Justice advances the need for new investigative methods to cope with increased criminal activity on the World Wide Web. The opposing sides are in conflict over whether packet mode transmission is conducive to the data interception requirements of Title III of the Omnibus Crime Control and Safe Streets Act of 1968 and the Electronic Communications Privacy Act of 1986. This Note surveys the emergent evolution of Internet wiretapping and the Fourth Amendment crisis that Carnivore has created.

I. Introduction

In the 1970s, Francis Coppola's movie, The Conversation 1 displayed the scarred American psyche resulting from the political conspiracies of the Watergate-era. Set in an Orwellian age of wiretapping and surveillance, the movie reflected the distrust of government that existed among the American public during that turbulent period. A quarter century later, the movie Enemy of the State, 2 directed by Tony Scott, harkened back to the paranoia of the 1970s. In this "present day," high-tech thriller, the audience catches up with Harry Caul, 3 The [*292] Conversation's obsessive surveillance expert. In traditional film noir 4 fashion, the movie began with the assassination of a United States Congressman as part of a political cover-up regarding the passing of a new electronic surveillance bill. This film also captured the American people's continuing distrust--exacerbated by technological enhancements--of government surveillance. Ironically, Enemy of the State was released while the Federal Bureau of Investigation (FBI) was privately developing its new Internet wiretapping system.

1 See The Conversation (Paramount Pictures 1974).

2 See Enemy of the State (Jerry Bruckheimer Films & Touchstone Pictures 1998).

3 Although Gene Hackman's character in Enemy of the State is named Brill, Hackman's portrayal of the character is consistent with his prior role of Harry Caul, an obsessive surveillance expert, in The Conversation.

4 "Literally meaning 'black film,' film noir refers to a style or mode of filmmaking, which flourished between 1941 and 1958, that presents narratives involving crime or criminal actions in a manner that disturbs, disorients, or otherwise induces anxiety in the viewer." John Belton, American Cinema/American Culture 349 (McGraw-Hill, Inc. 1994).

In 1928, Justice Brandeis warned that "the progress of science in furnishing the government with means of espionage 5 is not likely to stop with wiretapping." 6 As predicted, the technological developments of the late 1990s have provided the government with a means for reproducing documents in court "without removing papers from secret drawers." 7 The invention of Carnivore transformed Justice Brandeis' foresight into reality. Leading to this reality, and propelled by the popularity of the Internet, 8 emergent technology dramatically changed how individuals conduct business and communicate with family and friends. 9 Advancements in digital communications, especially electronic [*293] mail 10 and instant messaging, 11 have made intimate interactions online increasingly popular. 12

As social and commercial activities migrate to the Internet, law enforcement agencies struggle to maintain vigilance against cyber-criminals such as computer hackers, child pornographers, hate groups, and con artists. 13 Although recognizing the need for law enforcement in this burgeoning Internet society, privacy advocates strive to protect the Fourth Amendment guarantees against "unreasonable searches and seizures." 14 As one commentator explained, "that the individual shall have full protection in person and in property is as old as the common law; but it has been found necessary from time to time to define anew the [*294] exact nature and extent of such protection." 15 As a result, the debate over the proper balance between law enforcement needs and privacy expectations has been reinvigorated by the birth of Carnivore.

The time "to define anew" was signaled by a Wall Street Journal article reporting that the FBI had deployed a surveillance system that could "scan millions of e-mails a second" and "would give the government, at least theoretically, the ability to eavesdrop" on all digital communications of an Internet Service Provider's (ISP) customer. 16 Through the article, and many that followed, the public was introduced to the new "privacy predator," accordingly named Carnivore. 17 After development at a special agency lab in Quantico, Virginia, the FBI named its new Internet wiretapping system Carnivore for its ability to get to "the meat" of enormous amounts of data. 18 Privacy advocates and ISPs were immediately concerned by the Carnivore system's means of deployment and ability to eavesdrop on all digital communications, from electronic mail to online banking and web navigation. 19 Coupled with law enforcement's increasing reliance on electronic surveillance, Carnivore poses a new threat to privacy.

5 Common usage of this term implies the practice of spying on foreign governments or competing companies; however, Justice Brandeis' usage is more consistent with the basic definition of espionage, that is, the practice of spying to obtain secret information. See The American Heritage College Dictionary 469 (3d ed. 1997) (Defining espionage as, "the act or practice of spying or of using spies to obtain secret information.").

6 Olmstead v. United States, 277 U.S. 438, 474 (1928) (Brandeis, J., dissenting).

7 Id.

8 The references "Information Superhighway" and "Cyberspace" are catchall terms used to describe the Internet.

9 See ACLU v. Reno, 929 F.Supp. 824, 831 (E.D. Pa. 1996). This communications medium allows any of the literally tens of millions of people with access to the Internet to exchange information. These communications can occur almost instantaneously, and can be directed either to specific individuals, to a broader group of people interested in a particular subject, or to the world as a whole. Id.

10 See id. at 834. One-to-one messaging. One method of communication on the Internet is via electronic mail, or 'e-mail,' comparable in principle to sending a first class letter. One can address and transmit a message to one or more other people. E-mail on the Internet is not routed through a central control point, and can take many and varying paths to the recipients. Unlike postal mail, simple email generally is not sealed or secure, and can be accessed or viewed on intermediate computers between the sender and recipient (unless the message is encrypted). Id.

11 See id. at 835. Real time communication. In addition to transmitting messages that can be later read or accessed, individuals on the Internet can engage in an immediate dialog, in "real time," with other people on the Internet. In its simplest forms, "talk" allows one-to-one communications and "Internet Relay Chat" (or IRC) allows two or more to type messages to each other that almost immediately appear on the others' computer screens. IRC is analogous to a party line, using a computer and keyboard rather than a telephone. With IRC, however, at any one time there are thousands of different party lines available, in which collectively tens of thousands of users are engaging in conversations on a huge range of subjects. Moreover, one can create a new party line to discuss a different topic at any time. Some IRC conversations are "moderated" or include "channel operators." Id.

As emphasized by privacy groups, law enforcement voice and data interceptions are a growing practice. In the last ten years, the number of federal intercept applications authorized increased ninety-four percent from 1989 to 1999, while state applications authorized have risen sixty-five percent since 1989. 20 The most active federal intercept occurred in the Southern District of New York, where an average of 490 [*295] interceptions occurred per day. 21 For state authorizations, the most active investigation was in Oklahoma County, Oklahoma, which produced an average of 296 intercepts per day. 22 More importantly, "the average percentage of incriminating intercepts per order increased from 19 percent of interceptions in 1998 to 20 percent in 1999." 23 In other words, eighty percent of the intercepted communications were innocent as determined by law enforcement standards. Based on these statistics, privacy advocates fear "more and more intercepts and more and more innocent conversations being intercepted--are likely to accelerate because of the advent of digital communications." 24 Because of its ability to easily and to cost-effectively collect large quantities of electronic communications, Carnivore is an example of how law enforcement will use new technologies as a means to expand its electronic surveillance capabilities.

12 See Nielsen//NetRatings, Hot Off The Net, available at http://209.249.142.22/hotoffthenet.asp?country=north+america (last visited Feb. 6, 2001). (To view the latest Internet usage information from the Nielsen//NetRatings Audience Measurement Service).

13 See Electronic Surveillance: Hearing on Electronic Surveillance Before the S. Comm. on the Judiciary, 106th Cong. (Sept. 6, 2000) (statement of Mr. Kevin V. DiGregory, Deputy Assistant Attorney General, Criminal Division Department of Justice), 2000 WL 1268433 (F.D.C.H.).

Has the FBI used Carnivore to expand its electronic surveillance capabilities beyond the limits of the Fourth Amendment? Are Internet communications analogous to the "plain old telephone service" (POTS) communications? This Note surveys the evolution of Internet wiretapping and examines the development of Carnivore. Part I of this Note will discuss how the American public learned of the FBI's new electronic surveillance techniques. Part II will examine the growing use of data interception. Part III will outline the constitutional principles of the Fourth Amendment. Parts IV and V will present the judicial and legislative restraints on law enforcement use of wiretaps. In Part VI, the difficulties of applying the current legislation will be explained. Parts VII, VIII, IX, and X will explain how Carnivore is authorized and operated under the federal wiretap laws. The debate over whether the Executive should be trusted with blanket authority when conducting a search will be examined in Part XI. Information concerning the release of technical documents will be covered in Part XII. Part XIII will present a legal analysis based on the doctrine of precedent. Suggested remedies will be discussed in Parts XIV and XV. Finally, Part XVI will conclude with general observations. [*296]

II. Data Interception Trends and the Deterioration of Privacy Protections

Law enforcement officials stress that new tools and techniques are required to handle evolving computer and network technologies. In accordance, the need for new surveillance techniques is often justified because cybercriminals use the Internet to commit crimes and to harm the safety, security, and privacy of others. 25 Although the FBI claims digital technology has created these new challenges, the adverse seems to be more reflective of reality. 26 Electronic surveillance has increased steadily alongside the rapid changes in telecommunications technology. One commentator suggests that "the digital revolution has been a boon to government surveillance and information collection." 27 While wiretapping the Internet is fundamentally different from traditional wiretap technology, trends in electronic surveillance demonstrate increasing reliance by law enforcement on wiretaps to collect evidence. This is true, in part, because wiretaps are relatively inexpensive and easy to implement. In addition, federal and state judges rarely deny applications for authority to conduct electronic surveillance.

14 U.S. Const. amend. IV.

15 James X. Dempsey, Communications Privacy in the Digital Age: Revitalizing the Federal Wiretap Laws to Enhance Privacy, 8 Alb. L.J. Sci. & Tech. 65, 67 (1997) (quoting from Louis D. Brandeis & Samuel D. Warren, The Right to Privacy, 4 Harv. L. Rev. 193 (1890)) (emphasis added.).

16 Neil King Jr. & Ted Bridis, FBI's Wiretaps to Scan E-mail Spark Concern, Wall St. J., July 11, 2000, at A3, available at 2000 WL-WSJ 3035880.

17 See Carnivore and the Fourth Amendment: Hearing on Carnivore and the Fourth Amendment Before the House Comm. on the Judiciary, 106th Cong. (July 24, 2000) (statement of Donald M. Kerr, Assistant Director Federal Bureau of Investigation), 2000 WL 1073246 (F.D.C.H.); see also Nick Wingfield, ACLU Asks Details On FBI's New Plan To Monitor the Web, Wall St. J., July 17, 2000, at A3, available at 2000 WL-WSJ 3036639; Ted Bridis, Updating of Wiretap Law for E-Mail Age is Urged by the Clinton Administration, Wall St. J., July 18, 2000, at A3, available at 2000 WL-WSJ 3036727.

18 See King & Bridis, supra note 16.

19 See Nick Wingfield & Don Clark, Internet Companies Decry FBI's E-Mail Wiretap Plan, Wall St. J., July 12, 2000, at A3, available at 2000 WL-WSJ 3036017.

20 See Admin. Office of the U.S. Courts, 1999 Wiretap Report: For the Period January 1 through December 31, 1999 at 5 (2000) [hereinafter 1999 Wiretap Report].

21 See id. at 10.

22 See id.

23 See id.

Every year, the Administrative Office of the United States Courts (AO) is required to report to Congress the number and nature of wiretap applications. 28 The report covers the interception of wire, oral, and electronic communications, including the offenses under investigation, the location of the intercept, the cost of surveillance, and the number of arrests, trials, and convictions resulting from intercepts. The 1999 Wiretap Report reveals a trend of increasing surveillance activity among law enforcement agencies. In 1999, 1,350 wiretap requests were approved. 29 Not surprisingly, no wiretap request was denied that year. 30 Over the past decade, only three applications were denied--two in 1998 [*297] and one in 1996. 31 Meanwhile, from 1990 to 1999, 10,849 applications were approved. 32 While the Supreme Court has indicated a preference for wiretaps of limited scope and duration, the longest running wiretap in 1999 was 510 days. 33 In addition, the average number of communications intercepted was approximately 1,921 of which only 390 (twenty percent) were deemed incriminating. 34 With Carnivore used in only a few cases in 1999 35, these wiretap numbers are expected to increase 300% over the next decade. 36

While the wiretap laws establish important protections, privacy advocates argue that increased surveillance statistics reveal what is considered the "watering down" of certain components of the balanced legislative scheme of the Electronic Communications Privacy Act of 1986 (ECPA). 37 Citing cases like United States v. Garcia, 38 one commentator complains that "courts authorize electronic surveillance even when law enforcement agencies have not exhausted all other reasonable" investigative techniques. 39 Judicial officers may authorize interception of wire or oral communications if they find that "normal investigative procedures have been tried and have failed or reasonably appear to be unlikely to succeed if tried or to be too dangerous." 40 However, courts often interpret this provision to require law enforcement agencies to try some techniques, without requiring the exhaustion of all available techniques. 41 [*298]

24 High Tech Investigations: Hearing on the Fourth Amendment and Carnivore Before the House Comm. on the Judiciary, S. Comm. on the Constitution, 106th Cong. (July 24, 2000) (statement of Barry Steinhardt, Associate Director, American Civil Liberties Union), 2000 WL 1207245 (F.D.C.H.).

25 See Electronic Surveillance: Hearing on Electronic Surveillance Before the Senate Comm. on the Judiciary, 106th Cong. (Sept. 6, 2000) (statement of Donald M. Kerr, Assistant Director, Federal Bureau of Investigation), 2000 WL 1268432 (F.D.C.H.).

26 See High Tech Investigations, supra note 24.

27 Internet Security and Privacy: Hearing on Internet Security and Privacy Before the S. Comm. on the Judiciary, 106th Cong. (May 25, 2000) (statement of James X. Dempsey, Senior Staff Counsel, Center for Democracy and Technology), 2000 WL 19304249 (F.D.C.H.).

28 See 18 U.S.C. § 2519(2) (2000) (Requires the submission of wiretap reports no later than January 31 of each year).

29 See 1999 Wiretap Report, supra note 20 at 7.

30 Id.

31 Id. at 32.

32 Id.

33 Id. at 8.

34 Id. at 32.

35 Electronic Privacy Information Center, Carnivore FOIA Documents, available at http://www.epic.org/privacy/Carnivore/deployments.html (last visited Feb. 6, 2001). (To view Carnivore deployments from 1999).

36 See Internet Security and Privacy, supra note 27.

Although Congress sought to minimize interception of communications not subject to the wiretap order, the judiciary has not strictly enforced the requirement. 42 In cases where law enforcement has made essentially no effort to minimize the intrusion, courts have effectively eliminated the requirement by allowing the capture of even innocent conversations. 43 Judges rarely rule that a wiretap was illegally carried out for failure to minimize. This broad latitude given to law enforcement agencies further demonstrates how privacy protections have been "watered down" when electronic surveillance is involved.

III. The Fourth Amendment and Internet Privacy

The Fourth Amendment provides:

The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. 44

Aside from the possible exception of the First Amendment, the strongest protection against infringement of personal privacy comes from the Fourth Amendment. The Fourth Amendment was adopted in response to the general warrants and writs of assistance by which British soldiers were permitted to conduct limitless searches of American colonists' [*299] homes. 45 The absence of judicial oversight during this period was regarded as one of the primary evils inherent in the writs. 46 As a result, the Framers "sought to protect Americans in their beliefs, their thoughts, their emotions, and their sensations. They conferred, as against the government, the right to be let alone-- the most comprehensive of rights and the right most valued by civilized men." 47

37 See Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified in scattered sections of 18 U.S.C. including §§ 2510-21, 2701-10, 3121-26).

38 See United States v. Garcia, 785 F.2d 214, 223 (8th Cir. 1986) (holding that "the affidavit need not explain away all possible alternative techniques because investigators are not required to use wiretaps or eavesdropping devices only as a last resort."). 39 Dempsey, supra note 15, at 76-77.

40 18 U.S.C. § 2518(3)(c) (2000).

41 See, e.g., United States v. Bennett, 219 F.3d 1117, 1122 (9th Cir. 2000) (stating that the government need not exhaust every conceivable investigative technique to show necessity required to obtain wiretap authorization.); see also United States v. Thompson, 210 F.3d 855, 858-59 (8th Cir. 2000) (explaining that under the wiretap statute, the requirement that applicant seeking wiretap state whether other investigative procedures have been tried and failed, or why they reasonably appear to be too dangerous or unlikely to succeed, seeks to insure that wiretaps are not routinely employed as the initial step in an investigation, but it does not require that law enforcement officers exhaust all possible techniques before applying for a wiretap.).

42 See 18 U.S.C. § 2518(5) (2000) ("Every order and extension thereof shall contain a provision that the authorization to intercept shall be executed as soon as practicable, shall be conducted in such a way as to minimize the interception of communications not otherwise subject to interception under this chapter.").

43 See, e.g., Ozar v. United States, 50 F.3d 1440, 1448 (8th Cir. 1995) ("The agents used the 'two minutes up/one minute down' minimization technique recommended in the Department of Justice Manual, a procedure we reviewed favorably in both United States v. Smith, 909 F.2d 1164, 1166 (8th Cir.1990), cert. denied, 498 U.S. 1032, 111 S. Ct. 691, 112 L.Ed.2d 682 (1991), and United States v. Losing, 560 F.2d 906, 909 n. 1 (8th Cir.), cert. denied, 434 U.S. 969, 98 S. Ct. 516, 54 L.Ed.2d 457 (1977).").

44 U.S. Const. amend. IV.

45 See Whitfield Diffie & Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption 154 (1998).

Understanding the constitutional principles of the Fourth Amendment is the first step in identifying the source of current privacy concerns. To establish probable cause to search, a judicial officer must determine based upon the facts presented that it is more likely than not that the specific items to be searched for are connected with criminal activities and these items will be found in the place to be searched. 48 That "place" must be described with particularity. 49 In addition, contemporaneous notice of the search and an inventory of the items taken must be provided. 50 The notice requirement is derived from the Fourth Amendment's ban on unreasonable searches. 51 Because the self-restraint of law enforcement agencies does not provide adequate safeguards for privacy, searches conducted without a warrant have been found "presumptively unreasonable" and the fruits of those searches are subject to the exclusionary rule. 52

If an individual knowingly exposes private information to the public, then the disclosed information is not subject to the protections of the Fourth Amendment. The Fourth Amendment "protects people instead of places" and information that an individual seeks to keep private may be protected even where such information falls into the public domain. 53 [*300] Consequently, the Fourth Amendment inquiry centers upon the "reasonableness" of the search or seizure. Whether a search is reasonable is generally determined by applying a two-prong test: first, does an individual have an actual, subjective expectation of privacy in the thing being searched or seized; and second, is society prepared to accept that expectation as reasonable. 54 The reasonableness inquiry often involves balancing the government's interest in effective law enforcement with the individual's interest in privacy and personal security.

IV. Application of Fourth Amendment to Electronic Surveillance

In what is considered the first wiretapping case, Justice Brandeis cautioned, "the progress of science in furnishing the government with means of espionage is not likely to stop with wiretapping." 55 Expressed in 1928, the warning bears practical significance for twenty-first century technological developments. New digital communication technologies offer law enforcement the opportunity to intercept and process greater volumes of communications than ever anticipated in current congressional authorizations. As a consequence, the current practice of data interception poses a threat to the original balance that the Framers of the Constitution established between personal privacy and the needs of law enforcement. Advocates for civil liberties argue and the courts have recognized that electronic surveillance constitutes a general search that is inherently indiscriminate. 56

46 See Tracey Maclin, The Central Meaning of the Fourth Amendment, 35 Wm. & Mary L. Rev. 197, 224 (1993).

47 Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting).

48 See Illinois v. Gates, 462 U.S. 213 (1983).

49 See U.S. Const. amend. IV. (requiring that warrants "particularly" describe "the persons or things to be seized.").

50 See Marron v. United States, 275 U.S. 192, 196 (1927) ("The requirement that warrants shall particularly describe the things to be seized makes general searches under them impossible and prevents the seizure of one thing under a warrant describing another.").

51 See Miller v. United States, 357 U.S. 301, 313 (1958) (Brennan, J. stating, "The requirement of prior notice of authority and purpose before forcing entry into a home is deeply rooted in our heritage and should not be given grudging application.").

52 Katz v. United States, 389 U.S. 347, 357 (1967) (finding that warrantless searches "are per se unreasonable under the Fourth Amendment.").

53 Id. at 351.

54 See id. at 361.

55 Olmstead v. United States, 277 U.S. 438, 474 (1981) (Brandeis, J., dissenting).

Today, the inherent risk of electronic surveillance is compounded by the vast amounts of information available to law enforcement traveling through telecommunications lines and networks. With the advent of cyberspace, Internet surveillance has created an even greater cause for concern. Every day, Americans use the Internet to send and receive information once kept private in their homes and offices. Research polls indicate that time spent online has increased dramatically by both adults and children. 57 Because of its decentralized, open network architecture, [*301] the Internet has, in fact, become an information superhighway--a superhighway upon which "vehicles" are subject to hijack at any time by anyone who has the capability of hacking into the telecommunications system. Yet, Americans use the Internet as a daily means to access financial information, transmit medical records, purchase goods and services, and communicate with business associates, friends, and family worldwide. The result has been a dramatic increase in the amount of sensitive information flowing through a communications medium that lacks the Fourth Amendment protections of a home or office.

The Carnivore system provides a capability that is far broader and more scalable than the old analog telephone system. Carnivore provides the FBI with access to all traffic over the ISP's network, even though law enforcement is generally required to "minimize" its interception of nonincriminating communications. 58 Such indiscriminate use of Internet wiretaps in law enforcement "raises grave constitutional questions under the Fourth . . . Amendment, and imposes a heavier responsibility . . . in its supervision of the fairness of the procedures." 59

V. Legislative Regulation of Electronic Surveillance

Overruling the property-based conception of Fourth Amendment rights, the Supreme Court in Katz v. United States held that electronic eavesdropping upon conversations was a search and seizure. 60 Following the Supreme Court decisions of Berger v. New York 61 and Katz v. United States, 62 the first major piece of electronic surveillance legislation was the enactment of Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (Title III). 63 The legislation was designed to protect the privacy of wire and oral communications by providing accountability and supervision for the wiretap process. 64 After its adoption, interception of wire communications required a judicial finding of probable cause before a warrant could be issued. 65 Notice of the search and seizure was [*302] required previously; however, in response to the government's argument that contemporaneous notice would defeat the effectiveness of the wiretap, Congress sacrificed the requirement. 66 To compensate, Congress added protections that go beyond those of the Fourth Amendment. Wiretaps would only be authorized in cases involving one of the specified crimes. 67 High-level Department of Justice approval is required before the application may be submitted to a judicial officer for authorization. 68 Agencies are required to exhaust all other less intrusive investigation techniques. 69 Law enforcement agencies must minimize the interception of innocent conversations. 70 Additionally, Congress established a statutory suppression rule. 71 Finally, annual reports concerning the number and nature of intercepts are required. 72

56 See Electronic Privacy: Hearing on Legislation To Protect the Privacy of Electronic Communications, H.R. 5018, H.R. 4987, and H.R. 4908 Before the House Comm. on the Judiciary, 106th Cong. (April 6, 2000) (statement of Gregory T. Nojeim, Legislative Counsel, American Civil Liberties Union), 2000 WL 23832310.

57 See Nielsen//NetRatings, supra note 12.

58 See High Tech Investigations, supra note 24.

59 Berger v. New York, 388 U.S. 41, 56 (1967).

60 See Katz v. United States, 389 U.S. 347, 357 (1967).

61 Berger, 388 U.S. at 56.

62 Katz, 389 U.S. at 357.

63 The Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. No. 90-351, 82 Stat. 197, 211 (1968) (codified at 18 U.S.C. § 2510 et seq.).

64 See S. Rep. No. 90-1097 (1968), available on WL at S. Rep. 90-1097.

65 See 18 U.S.C. § 2518(3)(a) (authorizing the court to issue an order to intercept communications when probable cause to believe individual is committing, has committed, or is about to commit offense listed in § 2516).

It was not until the Electronic Communications Privacy Act of 1986 (ECPA) 73 that Congress amended Title III to incorporate electronic mail and other forms of electronic communications. 74 The ECPA was the second most important piece of legislation covering wiretap procedures. Until the Act's adoption in 1986, Title III had been limited to voice communications, either person to person or by wire. 75 Designed to "update[] and clarify Federal privacy protections," the ECPA extended the provisions of Title III to voice and electronic communications, especially e-mail and other network communications. 76 Congress determined that the dramatic changes in computer and telecommunications technology had upset the delicate balance between privacy and law enforcement, much to the detriment of privacy. 77 ECPA was an attempt to prevent the erosion of privacy as new technologies continued to be developed. In addition, the legislation was intended to promote the development and use of these new technologies by obtaining [*303] the trust of the American people through online privacy protections. 78 These protections recognized the transactional nature of telecommunications systems. The ECPA also defined procedures for the use of pen registers and trap and trace devices. 79 Further, the ECPA established rules for identifying a subscriber of an electronic communications service. 80

The system of protections inherent in Title III, as amended by the ECPA, contained tightly regulated provisions. The interception request must first be approved before submitting the application for court authorization. 81 An application for wire or oral interception requires approval from the United States "Attorney General, Deputy Attorney General, Associate Attorney General, or any Assistant Attorney General, any acting Assistant Attorney General, or

66 See S. Rep. No. 90-1097.

67 See 18 U.S.C. § 2516 (2000). 68 See id. § 2516(1). 69 See id. § 2518(3)(c). 70 See id. § 2518(5). 71 See id. § 2518(10)(a). 72 See id. § 2519(2).

73 The Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified in scattered sections of 18 U.S.C.).

74 See 18 U.S.C. § 2510(12) (2000). 75 See S. Rep. No. 90-1097 (1968). 76 Dempsey, supra note 15, at 73. 77 See id. 78 See id. 79 Id. at 74. 80 Id.

81 18 U.S.C. § § 2510(7) & 2518(1)(a) (2000).

any Deputy Assistant Attorney General or acting Deputy Assistant Attorney General in the Criminal Division specially designated by the Attorney General." 82 However, an application for the interception of electronic communications only requires approval by "any government attorney." 83 Judicial authorization is required to be based on probable cause to believe that a specific individual has committed a crime specifically listed in the statute 84 and that the intercept will furnish evidence about the crime. 85 Authorization would be allowed only after other investigative techniques were attempted and failed, or reasonably appeared likely to fail or be dangerous. 86 Surveillance of innocent conversations would be minimized, and at the conclusion of the investigation, notice would be provided. Of the provisions, the minimization of innocent interceptions is considered essential in passing constitutional muster under the Fourth Amendment. 87 Outside these brief provisions, wiretapping would not be authorized.

In the early 1990s, the FBI began to complain about the difficulty new technologies had created for law enforcement interception [*304] capabilities. 88 During hearings conducted in 1994, the FBI identified problems, many of which existed in analog communication systems, but were compounded by digital switches. 89 Among the list of problem areas, the FBI cited problems intercepting calls re-routed through forwarding services, identifying the outgoing number of calls using a speed-dialing feature, and isolating future communications streams on networks using multiplexed transmission technologies and fiber cables. 90

In response to the law enforcement situation, Congress passed the Communications Assistance for Law Enforcement Act of 1994 (CALEA). 91 The legislation required that telephone companies take steps to prevent broad technological innovations from eliminating law enforcement access to communications of targeted individuals. 92 Congress intended to maintain the existing privacy protections and accordingly sought assurances from the FBI that the legislation would maintain the balance among law enforcement needs, privacy, and technological innovation established by the drafters of the ECPA. 93 However, the FBI was prohibited from dictating network or design standards. 94 Since the implementation of CALEA, a struggle has persisted through which the FBI has attempted to broadly interpret the requirements of the legislation. 95 The CALEA marks what has been regarded as the best example of the disregard for telephone privacy rights. 96 Inherent in the legislation is a

82 Id. § 2516(1). 83 Id. § 2516(3). 84 Id. § 2516(a)-(p). 85 Id. § 2516(b). 86 Id. § 2516(c). 87 See id. § 2518(5). 88 See Dempsey, supra note 15, at 89. 89 Id. at 90. 90 Id.

91 See The Communications Assistance for Law Enforcement Act of 1994, Pub. L. No. 103-414, 108 Stat. 4279 (codified at 47 U.S.C. § § 1001-1010 and scattered sections of 18 U.S.C. and 47 U.S.C. (1994)). 92 See Dempsey, supra note 15, at 90. 93 Id. 94 Id. at 91. 95 See id.

96 See American Civil Liberties Union, Big Brother in the Wires, available at http://www.aclu.org/issues/cyber/wiretapbrother.html. (March 1998).

wiretapping scheme that has fueled a growing disregard for privacy protections, perhaps opening the door to the current debate over privacy protections for e-mail and other electronic communications.

VI. Procedural and Conceptual Difficulties

Critical distinctions exist between the authorization and enforcement of general wiretaps versus electronic surveillance under Title III. [*305] Concerning real time or contemporaneous interception, only a high-ranking official can approve a wiretap application. By contrast, any government attorney is allowed to authorize an application for an order to intercept e-mail and other electronic communications. A wiretap is permitted only for specified, mostly serious, crimes. 97 However, e-mail and other electronic communications can be intercepted with a court order based on probable cause issued in connection with any federal felony. 98 Surprisingly, the statutory exclusionary rule that encourages compliance with the proper procedures for electronic surveillance does not apply to the interception of electronic communications. 99

Title I 100 and Title II 101 of the ECPA offer further cause for concern. Under Title I, law enforcement is prohibited from the interception and the use or disclosure of wire, oral, or electronic communications without judicial authorization. 102 Similarly, Title II prohibits the unauthorized access to and disclosure of stored wire and electronic communications. 103 Title I intercepts are authorized only by court order, as compared to Title II authorizations for accessing stored communications by search warrant. 104 Accordingly, violations of Title I procedures carry greater criminal and civil sanctions than Title II violations. 105 In other words, by waiting an instant until the message is delivered and "stored," the requirement of a court order with continuing judicial oversight, the statutory requirement for minimization procedures, the substantial fines and prison time for violating the statute, and the requirement that the communication be eavesdropped upon only as an investigative technique of last resort, are all avoided.

Although ISPs are specifically excluded from CALEA, 106 law enforcement officials have been indirectly requiring them to conform to CALEA-type demands. 107 Privacy advocates argue that Carnivore is the [*306] FBI's attempt to force CALEA-like standards on the electronic communications industry. 108 However, the Internet is fundamentally different from the original analog telephone systems--not to mention that almost all legislation like CALEA, legal precedent, and knowledge about monitoring the Internet come from an analog telephone system

97 18 U.S.C. § 2516(a)-(p) (2000). 98 Id. § 2516(3). 99 Id. § 2518(10). 100 See id. § § 2232, 2510-2513, 2516-2521, 3117. 101 See id. § § 2701-2710. 102 Id. § § 2232, 2510-2513, 2516-2521, 3117. 103 Id. § § 2701-2710. 104 Compare id. § § 2232, 2510-2513, 2516-2521, 3117 with id. § § 2701-2710. 105 See id. 106 See H.R. Rep. No. 103-827 (1994) (Also excluded from coverage are all information services, such as Internet Service Providers or services such as Prodigy and America-On-Line.). 107 See Mark Rockwell, FBI Surveillance Technology Raises ISPs' Hackles, Tele.com, Aug. 14, 2000, available at 2000 WL 10907913. 108 Id. (quoting Barry Steinhardt, Associate Director of the American Civil Liberties Union, claiming, "This is the FBI's attempt to force CALEA-like standards on ISPs.").

mentality. 109 This is especially true for legislation concerning pen registers and trap and trace devices, which are the least intrusive forms of eavesdropping, capturing only the telephone numbers "to" and "from" a particular phone. 110 The ECPA adopted the pen register and trap and trace statute governing real-time interception of "the numbers dialed or otherwise transmitted on a telephone line." 111 Because such devices could only obtain the phone numbers dialed and the number of incoming callers, obtaining a search warrant for this type of surveillance is subjected to far less scrutiny. 112 To obtain an order, the government needs only to certify that "the information likely to be obtained is relevant to an ongoing criminal investigation." 113 To further complicate the matter, the Supreme Court in Smith v. Maryland 114 held that individuals do not have a reasonable expectation of privacy in the information that can be acquired by these types of devices. 115 The Court explained, "neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers." 116 However, capturing Internet origin and destination addresses instead of "numbers dialed" creates a far more intrusive form of surveillance. 117 [*307]

Determining the addressee of an e-mail or the name of a website visited will involve a more extensive analysis of the packet's contents. On the Internet, the destination of an intercepted message is often the end-point of the link on which it is observed. 118 Testifying before the House Judiciary Subcommittee, Alan Davidson, staff counsel for the Center for Democracy and Technology, argued that using Carnivore as a pen register device creates a "whole new and problematic expansion of the pen register to the Internet." 119 He explained that

for a single e-mail packet, the destination could be viewed as the header address it is being sent to on a local network; the IP address of an ISPs mail server; the To: line of an e-mail message buried within the packet's body; or even other routing information within the e-mail message. 120

Because interception of the "To:" and "From:" information on the Internet reveals content information, users may actually have a reasonable expectation of privacy. 121
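The ambiguity Davidson describes can be seen by pulling each candidate "destination" out of a single packet. The following Python sketch is an added illustration, not part of the Note or of any FBI software; the frame, the addresses, the message and the function names are all constructed for the example.

```python
import email
import socket
import struct

# Constructed sample: one Ethernet/IPv4/TCP frame carrying an e-mail in transit.
# Addresses are made up; checksums are zero because nothing here verifies them.
MESSAGE = (
    b"Received: from client.isp.example by relay.isp.example\r\n"
    b"From: alice@isp.example\r\n"
    b"To: bob@mail.example\r\n"
    b"Subject: lunch on Friday\r\n"
    b"\r\n"
    b"See you at noon.\r\n"
)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload):
    """Assemble a minimal frame: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!H", 0x0800)  # EtherType: IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 49152, 25, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


FRAME = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                    "192.0.2.10", "198.51.100.25", MESSAGE)


def header_offset(payload, name):
    """Byte offset of a header line inside the payload, or -1 if absent."""
    if payload.startswith(name + b":"):
        return 0
    pos = payload.find(b"\r\n" + name + b":")
    return pos + 2 if pos != -1 else -1


def candidate_destinations(frame):
    """Return every value that could be called the packet's destination,
    with its byte offset and whether reaching it means reading the payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 6:
        raise ValueError("not a TCP segment")
    tcp_off = ip_off + ihl
    payload_off = tcp_off + (frame[tcp_off + 12] >> 4) * 4
    payload = frame[payload_off:]
    msg = email.message_from_bytes(payload)

    found = [
        # Local-network header address: first six bytes of the frame.
        {"layer": "link", "value": ":".join(f"{b:02x}" for b in frame[0:6]),
         "offset": 0, "in_payload": False},
        # IP address of the mail server the packet is routed to.
        {"layer": "network", "value": socket.inet_ntoa(frame[ip_off + 16:ip_off + 20]),
         "offset": ip_off + 16, "in_payload": False},
    ]
    to_pos = header_offset(payload, b"To")
    if msg["To"] is not None and to_pos != -1:
        found.append({"layer": "message To:", "value": msg["To"],
                      "offset": payload_off + to_pos, "in_payload": True})
    rc_pos = header_offset(payload, b"Received")
    for hop in msg.get_all("Received", []):
        found.append({"layer": "message routing", "value": hop,
                      "offset": payload_off + rc_pos, "in_payload": True})
    # Fields that the same payload parse has already read past to reach To:.
    exposed = sorted(k for k in msg.keys() if k not in ("To", "Received"))
    return found, exposed


if __name__ == "__main__":
    destinations, also_read = candidate_destinations(FRAME)
    for d in destinations:
        print(d)
    print("read alongside:", also_read)
```

Only the first two values sit in fixed-position protocol headers; the To: line and the routing line are found only by parsing the same bytes that hold the Subject line and the message text.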

109 See Carnivore and The Fourth Amendment: Hearing on Carnivore and The Fourth Amendment Before the House Comm. on the Judiciary, S. Comm. on the Constitution, 106th Cong. (July 27, 2000) (statement of Tom Perrine, Computer Security Office, San Diego Supercomputer Center), 2000 WL 23831820. 110 See Diffie & Landau, supra note 45, at 154. 111 Dempsey, supra note 15, at 73. 112 See id.

113 18 U.S.C. § 3122 (b) (2000).

114 Smith v. Maryland, 442 U.S. 735 (1979). 115 Id.

116 Id. at 741. 117 See Carnivore and the Fourth Amendment: Hearing on Carnivore and the Fourth Amendment Before the House Comm. on the Judiciary S. Comm. on the Constitution, 106th Cong. (July 24, 2000) (Testimony of Alan B. Davidson Staff Counsel Center for Democracy and Technology), 2000 WL 23831816. 118 See id. 119 Id. 120 Id. 121 See id.

The recent decision in United States Telecom Ass'n v. FCC 122 highlights this issue. Vacating portions of an order requiring telecommunications providers to implement certain advance surveillance capabilities pursuant to CALEA, the court held that the FCC had given insufficient weight to CALEA's requirement that, in requiring carriers to provide all "dialed digits" in response to a pen register order, the FCC "protect the privacy and security of communications not authorized to be intercepted." 123 The court noted that subjects using the telephone system enter account numbers for automated banking services, passwords to voice-mail systems, messages on digital , and prescription numbers when renewing prescriptions. 124 Judge David Tatel clarified further that even when considering the Internet's particular mode of data transmission--where communications are broken into many different "packets" of data that are sent separately and then reassembled at their destination--the contents of those packets cannot be turned over to law [*308] enforcement officials under the lesser standards that govern call-identifying information. 125

VII. Carnivore: The Government's New Internet Wiretapping System.

The loss of personal privacy often concerns Americans more than things like terrorism, crime, or even the economy. Law enforcement proponents argue that the ability to conduct lawful electronic surveillance of communications of criminals represents one of the most important capabilities for acquiring evidence to prevent serious criminal behavior. 126 Testimony before the House Judiciary Subcommittee revealed that criminals use computers to send child pornography to each other using anonymous, encrypted communications; and hackers break into financial service company systems to steal customer and credit card information. 127 This non-inclusive list of computer-related crimes is attributed to the ease of using electronic communications and the inexpensive nature of the communications medium. Officials are quick to point out that electronic surveillance has resulted in the conviction of more than 25,600 dangerous felons over the last thirteen years. 128 Because of the increased criminal activity on the Internet and the inability of some ISPs to comply with court orders for information, the FBI designed Carnivore as a diagnostic tool that would allow them to obtain the information they sought. 129

Carnivore is a specialized network analyzer, commonly referred to as a "packet sniffer." 130 A "sniffer protocol analyzer has the capability of capturing every packet on a network and decoding all seven layers of the OSI protocol model." 131 The sniffer runs as an application program on a normal personal computer under the Microsoft Windows operating system. 132 Capture frame selection is based on several different filters. 133 These filters are programmed in conformity with the court order allowing [*309] the use of the device. 134 This gives the FBI the

122 United States Telecom Ass'n v. FCC, 227 F.3d 450 (2000).

123 Id. at 462. 124 Id.

125 See id. at 465. 126 See Electronic Surveillance, supra note 25. 127 See id. 128 Id. 129 See id. 130 Id.

131 Packet Sniffer, available at http://www.ascc.net/course/unix-overview/node26.html. 132 Carnivore and the Fourth Amendment, supra note 17. 133 Packet Sniffer, supra note 131. 134 See Carnivore and the Fourth Amendment, supra note 17.

ability to collect all transmissions that comply with pen register orders, trap and trace orders, and Title III interception orders. 135

Carnivore provides law enforcement with a "surgical ability" to intercept and collect authorized communications. 136 Contrary to popular belief, law enforcement officials state that the application does not search through the contents of every message and collect those that contain certain keywords. 137 Rather, Carnivore is alleged to select messages--based on the criteria of the court order--transmitted "to" and "from" a particular account or a particular user. 138 The FBI explains that Carnivore serves to limit the messages viewable by the human eye to those that are strictly included in the court order. 139 The argument is that this type of tool is necessary to meet the stringent requirements of the wiretap laws. 140 Law enforcement officials claim the use of the system is subject to intense oversight from internal FBI controls, the U.S. Department of Justice, and by the courts. 141

VIII. The Implementation of Carnivore

The implementation of Carnivore requires the cooperation and technical assistance of ISP technicians and engineers. 142 First, law enforcement agents and the ISP work together to identify an access point containing all traffic from the suspect named in the court order. 143 After isolating the targeted communications, the FBI connects a one-way tapping device at the designated access point. 144 This tap produces an exact duplicate of all data flowing through the access point. 145 In addition, the tap is supposed to provide electrical isolation from the ISP's network, thereby preventing the Carnivore system from interfering with the functionality [*310] of the ISP's system. 146 The duplicate traffic then flows into the collection system where the data is filtered. 147 Data passing through the filter is archived on permanent storage media. 148 No other information is recorded. 149 Finally, all information collected is maintained and, in the case of full content interceptions, is sealed under the order of the court. 150 Information obtained from the process may be subsequently made available by the court to the defendant. 151

IX. Functionality of the Carnivore System

135 See id.

136 See Federal Bureau of Investigation, Carnivore Diagnostic Tool, available at http://www.fbi.gov/hq/lab/Carnivore/Carnivore2.htm (last visited Nov. 30, 2003). 137 See Carnivore and the Fourth Amendment, supra note 17. 138 See id. 139 See Federal Bureau of Investigation, supra note 136. 140 See id. 141 See id. 142 See id. 143 Id. 144 Id. 145 Id. 146 Id. 147 Id. 148 See id. 149 Id. 150 Id. 151 Id.

Carnivore's filtering operates in stages. During the first stage, the binary code streams--0s and 1s--are filtered at approximately forty megabits per second. 152 Within that second, Carnivore attempts to identify whether the data contains the information identifying the criminal subject. 153 After the subject's identifying information is detected, the packets associated with the identifying information are segregated for additional filtering or storage. 154 All other information not associated with the subject of the order is "vaporized" within that second. 155 The process is then repeated. 156 Upon exclusively segregating the subject's information, the second stage of filtering is then performed. 157 The Carnivore program then determines if it is supposed to collect comprehensively--in a full Title III mode--or, alternatively, whether it is only to collect pen register or trap and trace transactional and addressing information. 158 Based upon the determination, Carnivore then collects the information using the criteria set by the order, which is preset into the filter. 159 At the end of all filtering and processing, the information is then stored for review by the human eye. 160 Finally, [*311] Carnivore appends to the event file for each collection the filter configuration used in that collection. 161
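The two-stage filtering described above, and the way a recorded filter configuration lets a reviewer check a collection against the order, can be modeled in a few lines. This Python sketch is an added illustration and not Carnivore's code; the record layout, the sample traffic, the names `FilterConfig`, `EventFile`, `collect` and `audit`, and the finding labels are assumptions made for the example.

```python
from dataclasses import asdict, dataclass, field


@dataclass(frozen=True)
class FilterConfig:
    subject: str  # identifier named in the order; "" means no subject filter is set
    mode: str     # "pen" = addressing only, "full" = Title III content


@dataclass
class EventFile:
    records: list = field(default_factory=list)
    config: dict = field(default_factory=dict)
    discarded: int = 0


# Constructed sample traffic seen at the access point.
TRAFFIC = [
    {"src": "alice@isp.example", "dst": "bob@mail.example", "body": "meet at noon"},
    {"src": "carol@isp.example", "dst": "dave@mail.example", "body": "invoice attached"},
    {"src": "erin@mail.example", "dst": "alice@isp.example", "body": "ok"},
]


def collect(traffic, cfg):
    """Run both filtering stages and return the resulting event file."""
    if cfg.mode not in ("pen", "full"):
        raise ValueError(f"unknown mode: {cfg.mode!r}")
    event = EventFile()
    for pkt in traffic:
        # Stage 1: keep only traffic to or from the subject; drop the rest unstored.
        # An empty subject disables this stage, so every packet passes.
        if cfg.subject and cfg.subject not in (pkt["src"], pkt["dst"]):
            event.discarded += 1
            continue
        # Stage 2: decide how much of a segregated packet is retained.
        if cfg.mode == "full":
            event.records.append(dict(pkt))
        else:
            event.records.append({"src": pkt["src"], "dst": pkt["dst"]})
    # The filter configuration used is appended to the event file.
    event.config = asdict(cfg)
    return event


def audit(event, order_subject, order_mode):
    """Compare an event file with the scope of the order; return findings."""
    findings = []
    if event.config.get("subject", "") == "":
        findings.append("no-subject-filter")
    elif event.config["subject"] != order_subject:
        findings.append("subject-mismatch")
    if order_mode == "pen" and event.config.get("mode") == "full":
        findings.append("mode-exceeds-order")
    if any(order_subject not in (r["src"], r["dst"]) for r in event.records):
        findings.append("record-outside-order")
    if order_mode == "pen" and any("body" in r for r in event.records):
        findings.append("content-under-pen-order")
    return findings


if __name__ == "__main__":
    scoped = collect(TRAFFIC, FilterConfig("alice@isp.example", "pen"))
    print(scoped.records, scoped.discarded, audit(scoped, "alice@isp.example", "pen"))
    wide = collect(TRAFFIC, FilterConfig("", "full"))
    print(len(wide.records), audit(wide, "alice@isp.example", "pen"))
```

The same collection code produces a minimized or an unfiltered archive depending only on its configuration, which is why the configuration stored with each event file matters to whoever reviews the collection.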

X. The Legal Process for Unleashing Carnivore

The interception of Internet communications is authorized by Title III and portions of the ECPA. 162 The legal standard that law enforcement agencies must satisfy to obtain authorization for electronic surveillance of computer and Internet-based communications depends upon whether they seek to intercept the communications' content or transactional record information. 163 Under the ECPA, all electronic surveillance efforts require some form of a court order, either a full Title III (probable cause based) court order for collecting the content of the communication, or an ECPA created court order based upon the relevancy for communications addressing and transaction records. 164 Emergency provisions are available in certain situations where electronic surveillance is permitted when (1) high level Department of Justice authorization is obtained, and (2) a court order is filed within forty-eight hours. 165

Before authorizing a wiretap application, a judge must determine that: (1) "normal investigative procedures have been tried and have failed or reasonably appear to be unlikely to succeed if tried or to be too dangerous"; (2) there is probable cause for believing "that an individual is committing, has committed, or is about to commit" one of the specifically enumerated crimes; (3) that the wiretap will intercept particular communications about the enumerated offence; and (4) that the communications facilities to be tapped are either being used in the commission of the

152 Electronic Surveillance, supra note 25. 153 Id. 154 Id. 155 Id. 156 Id. 157 Id. 158 Id. 159 Id. 160 Id. 161 Id.

162 Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified in scattered sections of 18 U.S.C. including § § 2510-21, 2701-10, 3121-26).

163 United States Telecom Ass'n v. FCC, 227 F.3d 450, 453 (2000).

164 See 18 U.S.C. § 2518(3)(a) (authorizing a court to issue an order to intercept communications when probable cause to believe individual is committing, has committed, or is about to commit offense listed in § 2516.). 165 Electronic Surveillance, supra note 25.

crime or are commonly used by the suspect. 166 Therefore, applications for electronic surveillance under Title III must demonstrate probable cause and state with particularity and specificity the offenses being committed, the communications facility regarding [*312] which of the subject's communications are to be intercepted, a description of the types of conversations to be intercepted, and the identities of the persons committing the offenses. 167

Court orders are initially limited to thirty days, with extensions possible, and must terminate sooner if the objectives are met. 168 Ensuring close and on-going oversight of the electronic surveillance, judges require periodic reports to the court, typically every seven to ten days, advising it of the progress of the interception effort. 169 Law enforcement agencies are required to "minimize the interception of communications not otherwise subject to the interception." 170

XI. The Government versus Civil Libertarians: The Debate over Trust

After months of technical and constitutional debate over electronic surveillance, "trust" has emerged as the most contentious issue. The FBI insists that the American public should trust the FBI's conduct of electronic surveillance, and, in particular, its use of the Carnivore System. 171 Civil Libertarians counter by arguing that the basic premise of the Fourth Amendment is that law enforcement cannot be trusted with unsupervised authority, especially when conducting searches. 172 Lawmakers such as Representative Spencer Bachus, inter alia, also expressed concern with such actions by law enforcement officials. Representative Bachus, responding to law enforcement testimony before the House Judiciary Subcommittee, stated "the potential for abuse here is tremendous . . . . What you're saying is 'Trust Us.'" 173 Essentially, the key question, here, is whether law enforcement should be entrusted with this authority, or whether that trust should be placed upon another party to carry out the interception order. 174

Arguing before the Senate Judiciary Committee, FBI Assistant Director Donald Kerr proclaimed, "the FBI cannot and does not [*313] 'snoop.'" 175 He argued further that law enforcement agents would not "risk their integrity, their jobs and their futures" by abusing wiretap laws. 176 In explaining the basis for trusting the FBI, Kerr pointed to the agency's outstanding record of complying with federal electronic surveillance laws. 177 Dismissing assertions of widespread "illegal FBI wiretapping," Kerr offers the absence of complaints from federal court dockets as proof of the integrity of the FBI's electronic surveillance techniques. 178 "Trust in the use of Carnivore," Kerr attests, "should

166 United States Telecom Ass'n, 227 F.3d at 453. 167 See Carnivore and the Fourth Amendment, supra note 17. 168 Id. 169 See Federal Bureau of Investigation, supra note 136.

170 18 U.S.C. § 2518(5) (2000). 171 See Electronic Surveillance, supra note 25. 172 See High Tech Investigations, supra note 24.

173 John Schwartz, FBI Makes Case for Net Wiretaps, Wash. Post, July 25, 2000 at E1, available at http://www.washingtonpost.com.

174 See Ariana Eunjung Cha, Carnivore Debate Centers On FBI Trustworthiness, Wash. Post, Sept. 7, 2000 at E03, available at http://www.washingtonpost.com. 175 Id. 176 See Schwartz, supra note 173, at E1. 177 See Electronic Surveillance, supra note 25. 178 Id.

at least, in part, rest upon the FBI's openness and willingness to discuss the device." 179 More importantly, Kerr suggests that the extensive efforts to develop a tool with the purpose of "better satisfying the Constitutional standard of particularity and the Title III and ECPA precepts of minimization" demonstrates the FBI's trustworthiness. 180

Privacy advocates insist that what the FBI asks requires an enormous leap of faith. 181 Barry Steinhardt, Associate Director of the American Civil Liberties Union (ACLU), argues that to accept this premise would be to reject the Fourth Amendment which is "built upon the opposite premise: that the Executive cannot be trusted with carte blanche authority when it conducts a search." 182 Steinhardt charges, "Carnivore is roughly equivalent to a wiretap capable of accessing the contents of the conversations of all the phone company's customers, with the 'assurance' that the FBI will record only conversations of the specified target." 183 Even given assurances that law enforcement agencies will not "engage in spying on the First Amendment activities" or repeat other past abuses, Steinhardt cautions that recent history demonstrates the willingness of the FBI to "push the envelope of the law and to eventually breakout." 184 He offers FBI promises made during the hotly debated CALEA legislation as affirmative proof that the FBI, in fact, will not adhere to the strictures of the law. 185 Representative Bachus, too, reminded everyone that government agents have abused their authority in [*314] the past to investigate innocent people. "J. Edgar Hoover--look at what he did," Bachus said. 186 Although Congress accepted the FBI's assurance that the legislation would be used only to maintain existing law enforcement surveillance capabilities, the FBI has consistently sought greater capacity and new surveillance features that did not exist in 1994. 187 Representatives of civil liberties organizations argue that the FBI used the implementation process of CALEA as a "power grab." 188 One commentator cites the attempt by the FBI to require cell phone manufacturers and service providers to have tracking capabilities built into their systems as "the most notable and troubling aspect" of the FBI's failed assurances. 189 Offering other examples of how the FBI went against its assurance given to Congress, Steinhardt concluded that Carnivore gave the FBI far too much discretion, creating a risk that the FBI will again "burst through the envelope" of Fourth Amendment protections and any additional legislative restraints. 190

However, the question still exists whether the American public would rather trust big business or big government with control of the Carnivore system. Internet pioneer Vinton Cerf, stating the obvious, explained that the Carnivore system "could be abused if it were used wrongly." 191 Cerf also stated, however, that the potential for abuse was no different from that which exists in any other commercially available technologies capable of analyzing e-mail and

179 Id. 180 Id. 181 See High Tech Investigations, supra note 24. 182 Id. 183 Id. 184 Id. 185 Id.

186 Bryant Jordan, FBI's Carnivore to be put to privacy test: Committee members fear that program threatens basic constitutional protections, IDGNet News, available at http://www.idg.net (July 27, 2000). 187 See High Tech Investigations, supra note 24. 188 Id. 189 Dempsey, supra note 15, at 91-92. 190 See High Tech Investigations, supra note 24.

191 Patrick Thibodeau, Vinton Cerf Reviews FBI's Carnivore, Computerworld, available at http://www.computerworld.com. (Sept 11, 2000).

other forms of electronic communications. Expressing a preference, Cerf went on to say that placing Carnivore in the hands of private industry would be quite alarming because the "ISP geeks would be less familiar with restraints than the FBI gentlemen." 192 Nevertheless, members of both the Republican and Democratic parties expressed "strong concerns that the administration is infringing on Americans' basic constitutional protections against unwarranted search and seizures." 193 Representative Jerrold Nadler expressed his discontent that under the laws that govern [*315] pen register surveillance, Carnivore could be used without the probable cause requirement needed for telephone wiretaps. 194 The determination of who should be trusted with this new electronic surveillance authority is not likely to be resolved until after Congress takes up the legislation for further enhancing the privacy protections of the ECPA. The Electronic Communications Privacy Act of 2000, 195 and the Digital Privacy Act of 2000, 196 are currently under committee review; however, action is not expected until later in this legislative session.

XII. Putting Carnivore to the Test

After the initial reports on Carnivore, the ACLU, in an unprecedented move, requested all FBI records related to "cybersnoop" programs, including "letters, correspondence, tape recordings, notes, data, memoranda, e-mail, computer source and object code, technical manuals, and technical specifications." 197 Relying on two federal appeals court rulings holding that computer code is a "form of speech, no different than any other written document," the ACLU argued that the Freedom of Information Act (FOIA) gives broad rights to obtain information held by the Government. 198 In addition to the ACLU request, the Electronic Privacy Information Center (EPIC) filed its own FOIA request for similar information. 199 After the FBI failed to respond within the statutory deadline, EPIC filed suit in U.S. District Court. 200 In the August hearing, Judge James Robertson ordered the FBI to quantify the documents and develop a release schedule. 201

On October 3, 2000, the FBI released the first set of documents about Carnivore. 202 Privacy advocates were disappointed, but not surprised by the lack of information contained in the documents. 203 EPIC [*316] charged that the documents on Carnivore did not include enough information to evaluate the technology for possible privacy violations. 204 The FBI's first release of documents withheld 200 pages; another 400 pages were sanitized, some

192 Cha, supra note 174, at 603. 193 Schwartz, supra note 173, at E1. 194 Id. 195 Electronic Communications Privacy Act of 2000, H.R. 5018, 106th Cong. (1999). 196 Digital Privacy Act of 2000, H.R. 4987, 106th Cong. (1999).

197 American Civil Liberties Union, In Unique Tactic, ACLU Seeks FBI Computer Code On "Carnivore" and Other Cybersnoop Programs, available at http://www.aclu.org/news/2000/n071400a.html (July 14, 2000). 198 Id. 199 See id.

200 See Electronic Privacy Information Center, The Carnivore FOIA Litigation Documents, available at http://www.epic.org/privacy/Carnivore (last updated May 28, 2002). 201 Id. 202 Id. 203 See Robert Lemos, FBI releases first Carnivore data, ZDNet News from ZDWire, available at 2000 WL 4021776 (Oct. 3, 2000). 204 See Ann Harrison, Privacy Group Critical of Release of Carnivore Data EPIC says Evaluating first set of papers is difficult because of lack of information, Computerworld, available at 2000 WL 2177479 (Oct. 9, 2000).

bearing only a page number. 205 To further delay, the FBI refused to provide the Carnivore Source Code. The FBI contends that such proprietary information has been deemed immune from FOIA requests in the past. 206

Again on November 16, 2000, the FBI released documents as part of the court order. 207 The documents indicated that Carnivore actually might capture more information than the FBI has claimed publicly. One of the documents was a report that indicated Carnivore, contrary to the FBI's testimony before the House and Senate Judiciary Subcommittees, is capable of capturing and archiving "unfiltered" Internet traffic. 208 The report stated:

Carnivore was tested on a real world deployment deletion having recently come back from a deployment. The machine had a single 300MHz PII processor running Win NT4 SP6 Workstation. There were 384MB of RAM but the hard disk was relatively small at 1.19GB. This deletion has both Zip and Jaz drives. This PC could reliably capture and archive all unfiltered traffic to the internal hard drive (HD) at deleted. 209

The information in the reports is inconsistent with the testimony that the system only captures traffic that has been isolated by a software filter that "minimizes" collection and limits it to the particular information authorized for seizure in a court order. On September 9, 2000, FBI Assistant Director Donald M. Kerr testified:

If the subject's identifying information is detected [by the filter], the packets of the subject's communication associated with the identifying information that was detected, and those alone, are [*317] segregated for additional filtering or storage. However, it is critically important to understand that all . . . other communications are instantaneously vaporized after that one second. They are totally destroyed; they are not collected, saved, or stored. 210

With inconsistencies such as these and the FBI's reluctance to provide all information requested and authorized under the FOIA, there is little justification left for the FBI's "trust us" argument. David Sobel, General Counsel for EPIC, insists, "the little information that has become public raises serious questions about the privacy implications of this technology." 211

The Department of Justice selected the Illinois Institute of Technology Research Institute (IITRI) as the contractor to independently review the Carnivore system. After completing its findings, the IITRI released a draft report dated November 17, 2000. 212 Asked by the Chief Scientist of the United States Department of Justice to identify technical issues with Carnivore, industry experts studied the report and issued their opinion. 213 On December 3, 2000, the group expressed serious concerns relating to the Carnivore System. 214 The reviewers were especially concerned about the "serious limitations of the analysis presented." 215 Among the problem areas cited are: (1) a lack of analysis of operational and "systems" issues, where many potential security flaws and collection errors are likely to be found; (2) no evidence of a systematic search for bugs, not even for such common--and serious--errors as string buffer overflows or URL or header parsing problems; and (3) inadequate discussion of audit and logging, deemed especially serious in light of the use of "PC Anywhere" and "Administrator" logins for remote access, which permit any files to be uploaded or changed, including the logs and audit trails. 216 The most [*318] serious deficiency the group cites is Carnivore's inability to "produce meaningful or secure audit trails." 217 This deficiency is particularly troublesome because Donald Kerr cited this feature as "another piece of important functionality." 218 Again, Kerr's testimony is inconsistent with what Carnivore can provide--in Kerr's words--"the world, including a court, defense counsel, and a jury--what mode the device was operating in . . . so as to allay any suspicion that more information was being passed along to FBI personnel." 219 Overall, the group expressed serious concerns about the security, safety, and soundness of the system.

205 See id. 206 See Lemos, supra note 203. 207 See Electronic Privacy Information Center, supra note 200. 208 Id. 209 Id. 210 Id. 211 Id.

212 United States Department of Justice, Independent Review of the Carnivore System Draft Report, available at http://www.usdoj.gov/jmd/publications/Carnivoredraft1.pdf.

213 See Center for Democracy and Technology, Comments on the Carnivore System Technical Review, available at http://www.cdt.org/security/Carnivore/001203comments.html. 214 See id. 215 Id.

XIII. Legal Analysis: Applying the Doctrine of Precedent

Carnivore should only be used in compliance with the strictest statutory privacy protections. The FBI contends that when Carnivore is used to capture origination and destination information of electronic messages, it need only comply with the statutory constraints of Pen Register and Trap and Trace legislation. 220 This position is incorrect. The use of Carnivore to obtain "to" and "from" information is fundamentally different from obtaining numbers of incoming and outgoing calls. First, the legal standard that law enforcement agencies must satisfy to obtain authorization for electronic surveillance of telecommunications depends on whether they seek to intercept telephone conversations (subject to Title III probable cause requirements) or to secure a list of the telephone numbers (subject to the lesser Pen Register and Trap and Trace showing of relevance) of incoming and outgoing calls on a surveillance subject's line. Rather than the strict probable cause showing necessary for wiretaps, pen register orders require only certification from a law enforcement officer that "the information likely to be obtained is relevant to an ongoing criminal investigation." 221

Digital and wireless communications do not fit neatly into the existing analog telephone legislation. Distinguishing conventional circuit-mode telecommunications and digital packet-switched networks, the court in United States Telecom Association v. Federal Communications Commission explained that a "digital packet has two components: it contains a portion of the communications message, and it [*319] bears an address to ensure that it finds its way to the correct destination." 222 Packet mode communication is distinctly different from analog communication where "a single circuit is opened between caller and recipient and all electronic signals that make up the communication travel along the circuit." 223 Digital communications are broken into data packets and travel independently through the network along different routes. 224 Address information is contained in packet "headers" composed of both identifying information and content. 225 The "content" of a communication includes any information concerning the substance, purport, or meaning of the communication. 226 Therefore, any packet mode data provided under existing Pen Register and Trap and Trace orders will inevitably include some content information.

216 Id. 217 Id. 218 Electronic Surveillance, supra note 25. 219 Id.

220 See United States Department of Justice, supra note 212.

221 18 U.S.C. § 3122 (b) (2000).

222 United States Telecom Ass'n v. FCC, 227 F.3d 450, 464 (2000). 223 Id.

224 See ACLU v. Reno, 929 F.Supp. 824, 832 (E. D. Pa. 1996) Messages between computers on the Internet do not necessarily travel entirely along the same path. The Internet uses "" communication protocols that allow individual messages to be subdivided into smaller "packets" that are then sent independently to the destination, and are then automatically reassembled by the receiving computer. While all packets of a given message often travel along the same path to the destination, if computers along the route become overloaded, then packets can be re-routed to less loaded computers. Id.

Although the court in United States Telecom Association was evaluating CALEA legislation that "does not cover 'information services' such as e-mail and Internet access," Circuit Judge Tatel's analysis of packet mode communication--which is the Internet's particular mode of data transmission--resulted in a finding that the contents of those packets cannot be turned over to law enforcement under the lesser standards that govern call-identifying information. 227 Although concerning more general technical standards for modern wiretapping, the implications of the United States Telecom Association decision on the use of Carnivore are significant. While scanning e-mail traffic on the ISP's network, Carnivore receives both the contents of e-mail messages and their identifying data. 228 If Judge Tatel's decision is consistent with the doctrine of precedent, then the rule of law emerging from the proposition descriptive of United States Telecom Association [*320] will be applied to the "next similar situation." 229 Carnivore undoubtedly represents that "next similar situation" and it must be held to the strictest statutory privacy protections embodied in Title III.

Carnivore is distinctly different from Pen Register and Trap & Trace Devices (Pen-Trap Devices). A pen register device is attached to a telephone line, which records all telephone numbers dialed from a telephone on that line. 230 A trap and trace device is also attached to a telephone line, which records the number of each telephone dialing into that telephone line. 231 Carnivore, however, collects "to" and "from" information, including information indicating the length of messages and individual fields within those messages. 232 As stated in the independent report on Carnivore, the access to the length of the individual fields does not appear to have a parallel in telephone pen-trap surveillance. 233 Further, Carnivore is not attached to a telephone line, but is connected to a 10Base-T Ethernet using a Century Tap through any open port on the ISP's hub. 234 The FBI's analogy of the "to" and "from" lines in e-mail communications to a telephone number is flawed.

A telephone number does not identify the parties of the conversation. The ECPA adopted the pen register and trap and trace statute governing real-time interception of "the numbers dialed or otherwise transmitted on a telephone line." 235 In Smith v. Maryland, the Supreme Court held that the numbers collected by a pen register on a telephone line reveal so little about a person's communication that they are not constitutionally protected. 236 The court added in United States v. New York Tel. Co., "neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers." 237 In the context of Internet communications, however, the only time numbers are "dialed" by a telephone is when a user connects to an ISP using a dial up modem. 238 [*321]

225 See Internet Security and Privacy, supra note 27.

226 See Smith v. Maryland, 442 U.S. 735, 741 (1979).

227 United States Telecom Ass'n v. FCC, 227 F.3d 450 (2000). 228 High Tech Investigations, supra note 24. 229 See Edward H. Levi, An Introduction to Legal Reasoning 2 (The University of Chicago Press 1949).

230 See Privacy Foundation, Legal Analysis in Response to the IITRI Report on Carnivore, available at http://www.privacyfoundation.org/pdf/CarnivLT.pdf. 231 Id. 232 Id. 233 Id. 234 Id. 235 Id.

In packet-switched Internet communications, the "destination" of an intercepted message is often the Internet Protocol (IP) address with the Ethernet address. 239 Found in the packet header, the IP and Ethernet address can easily be separated from the content of the e-mail. 240 This information would be roughly equivalent to telephone numbers dialed. Yet the "to" and "from" lines of an e-mail message, on which the FBI's analogy relies, are often within the packet's content. 241 The commingling of this information creates a situation similar to "subjects calling automated banking services and entering account numbers," or "calling pharmacies to renew prescriptions and entering prescription numbers." 242 As United States Telecom Association recently made clear, intercepting addressing information that is commingled with content requires authority to intercept content. 243
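The layering described above can be shown concretely. The following Python sketch is an added example, not code from this Note, the IITRI report, or Carnivore: it parses a constructed Ethernet/IPv4/TCP frame and shows that the Ethernet and IP addresses are read from fixed header offsets, while the e-mail "To" and "From" lines can be found only by reading the TCP payload. All addresses, ports, and message text are constructed sample values.

```python
import socket
import struct

# Constructed sample: one TCP segment carrying part of an e-mail message.
SAMPLE_PAYLOAD = (b"From: alice@example.org\r\nTo: bob@example.net\r\n"
                  b"Subject: refill\r\n\r\nPlease renew prescription 0000.\r\n")

def build_frame(payload: bytes) -> bytes:
    """Build a constructed Ethernet II + IPv4 + TCP frame (checksums left at 0)."""
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.25"))
    tcp = struct.pack("!HHIIBBHHH", 49152, 25, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def split_layers(frame: bytes):
    """Return (addressing read from headers only, TCP payload bytes)."""
    if len(frame) < 54:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
    if ethertype != 0x0800 or frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6:
        raise ValueError("not an IPv4/TCP frame")
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4  # TCP header length in bytes
    header_len = tcp_off + data_off
    headers = {"src_mac": mac(src_mac), "dst_mac": mac(dst_mac),
               "src_ip": socket.inet_ntoa(frame[26:30]),
               "dst_ip": socket.inet_ntoa(frame[30:34]),
               "src_port": src_port, "dst_port": dst_port,
               "header_len": header_len}
    return headers, frame[header_len:14 + total_len]

def email_addressing(payload: bytes) -> dict:
    """Find To/From lines; this requires reading the payload, i.e. the content."""
    found = {}
    for line in payload.split(b"\r\n"):
        if line == b"":                        # blank line: message body follows
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() in (b"from", b"to"):
            key = name.strip().lower().decode("ascii")
            found[key] = value.strip().decode("ascii", "replace")
    return found

if __name__ == "__main__":
    hdr, body = split_layers(build_frame(SAMPLE_PAYLOAD))
    print("header-level addressing:", hdr)
    print("payload-level addressing:", email_addressing(body))
```

The first 54 bytes of the sample frame yield the header-level addressing; the e-mail addresses appear nowhere in those bytes and sit in the same payload as the subject line and message text.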

By its own admission, the IITRI report stated that "when Carnivore is used under pen-trap authorization, it . . . indicates the length of messages and the length of individual files within those messages, possibly exceeding court-permitted collection." 244 Further, the report cautions that "unless correctly configured, Carnivore can over-collect under a pen-trap order." 245 Section 4.3.3 of IITRI's report acknowledges the potential for intentional or unintentional misuse of Carnivore, warning that pen-trap statutes do not adequately protect the public against potential abuse. 246

These concerns are compounded by the lack of external privacy controls. First, any federal government attorney may authorize an application for a pen register order. 247 Second, no probable cause needs to be shown; the information to be obtained only needs to be relevant to the ongoing criminal investigation. 248 Third, there is no requirement that an Article III judge issue the order because under the pen-trap statutes a federal judge or a federal magistrate judge may grant an application for an interception order. 249 Finally, the judge does not have to determine [*322] that other investigative procedures have failed or will not succeed--providing the information required to be included in the application is sufficient. 250 In the Internet e-mail context, pen-trap statutes do not provide the protection for conversation content that Congress intended.

236 Smith v. Maryland, 442 U.S. 735 (1979).

237 Id. at 741 (quoting United States v. New York Tel. Co., 434 U.S. 159, 167 (1977)). 238 Privacy Foundation, supra note 230. 239 See id. 240 See id. 241 See id.

242 United States Telecom Ass'n v. FCC, 227 F.3d 450 (2000).

243 See id. at 465-66. 244 Privacy Foundation, supra note 230. 245 Id. 246 See id. 247 See id. 248 See id. 249 See id.

XIV. Alternative Solutions: Network Analyzers Developed in the Private Sector

The system problems encountered by Earthlink after installing Carnivore on its network have prompted the development of alternative network analyzers. Altivore was developed after the Federal Magistrate's order requiring that Atlanta-based ISP Earthlink install Carnivore on its system. 251 A spokesman for Network ICE explained that the company sought to give ISPs a means to comply with court orders for electronic surveillance without having to put the FBI's "black-box" on their system. 252 Altivore, the Network ICE Corporation's Network Analyzer, offers ISPs an alternative to using Carnivore. An Earthlink spokesperson said the company was currently testing Altivore against its own technology to see which one was better. 253 An official from the FBI praised the new program stating, "it may be the best for everyone, as long as the program is in compliance with wiretapping statutes and developers are willing to provide information on how the data was intercepted and who had access to it." 254 Ironically, the FBI wants the same information about Altivore and other Carnivore alternatives that it has been unwilling to provide to the public outside an independent investigation.

XV. Taming the Beast: Legislative Proposals for Enhancing Internet Privacy

The Electronic Communications Privacy Act of 2000 (H.R. 5018) 255 and the Digital Privacy Act of 2000 (H.R. 4987) 256 represent a step in the [*323] right direction in resolving privacy issues implicated by the FBI's use of Carnivore. The provisions include increased reporting requirements, thereby presenting a more comprehensive picture of the current extent of electronic surveillance. Testifying before Congress, Robert Corn-Revere explained that "H.R. 5018 and H.R. 4987 also would create a stricter standard for the issuance of orders authorizing the use of pen registers and trap and trace devices." 257 Under H.R. 5018, law enforcement would be required to demonstrate "specific and articulated facts that reasonably indicate that a crime has been, is being, or will be committed, and information likely to be obtained by such installation and use is relevant to an investigation of a crime." 258 Under H.R. 4987 privacy protections would be enhanced by expanding the period that stored data would be considered in short term storage. 259 As a result, requests to acquire the contents of such data would require a warrant. 260 The proposals of both bills represent a viable solution to re-establish the balance between legitimate law enforcement interests and the need to protect the privacy of American citizens.

250 See id.

251 Ann Harrison, Security Software Vendor Develops Carnivore Alternative, Computerworld, available at http://www.computerworld.com (Sept. 21, 2000).

252 See Network ICE, Altivore, available at http://www.networkice.com/press/altivore.html. 253 Harrison, supra note 251. 254 Id. 255 Electronic Communications Privacy Act of 2000, H.R. 5018, 106th Cong. (1999). 256 Digital Privacy Act of 2000, H.R. 4987, 106th Cong. (1999). 257 Electronic Privacy: Hearing on H.R. 5018, Electronic Communications Privacy Act of 2000; H.R. 4987, Digital Privacy Act of 2000; and H.R. 4908, Notice of Electronic Monitoring Act Before the House Comm. on the Judiciary S. Comm. on the Constitution, 106th Cong. (Sept. 6, 2000) (statement of Robert Corn-Revere), 2000 WL 1268415 (F.D.C.H.). 258 Id. 259 See id. 260 See id.

XVI. Conclusion

Carnivore cannot be lawfully deployed under a pen register order without meeting the probable cause requirement of a Title III wiretap warrant. Determining the addressee of an e-mail or the name of a website visited will involve a more extensive analysis of the packets' contents. Consequently, any packet mode data provided under existing Pen Register and Trap and Trace orders will inevitably include some content information. As the court in United States Telecom Association made clear, intercepting addressing information that is commingled with content requires authority to intercept content. The ECPA should be amended to increase the standard for pen register and trap and trace orders. In addition, ISP customers should receive notice of any interception of their Internet communications. As an additional safeguard, the exclusionary rule should be extended to protect [*324] improperly obtained electronic communications. The original balance that the framers of the Constitution established between personal privacy and the needs of law enforcement will not again be attained until electronic surveillance laws are modernized.

Oklahoma City University Law Review Copyright (c) 2003 Oklahoma City University
