Jay Arneson Prof. Shapiro CS 305 3-11-03

Carnivore and its Problems

Introduction

Privacy is and will always be a concern for the people of the United States. Their concern would easily explain the controversy that surrounds the FBI’s surveillance program called Carnivore. The purpose of this paper is to inform the reader about Carnivore. I will do that as follows: First Carnivore must be introduced, attempting to detail what Carnivore is and how Carnivore is used. After the introduction is a section revealing one of the primary obstacles to having faith in Carnivore. Third is a section that looks at issues that revolve around software engineering, and how in some ways Carnivore is the result of bad engineering. Next comes the section of the paper that focuses on issues raised by an independent review of the system. The next part of the paper deals with the privacy rights groups’ demand for the release of the source code for Carnivore. The final section is an opinion of the author.

The What and How of Carnivore

Carnivore is a program designed to intercept electronic communications going over the Internet, for suspects in federal investigations. Since it first made the headlines around July 2000, Carnivore has been a source of controversy, particularly with organizations concerned with privacy. “The ACLU and the Electronic Privacy Information Center in Washington filed a Freedom of Information request …for all records, source code and object code related to Carnivore” (Harrison, p. 6). Most of the concern revolves around how reliably the program isolates only the data that a warrant permits the FBI to access. But first things first: the question of “how is Carnivore used” needs to be answered. In order for Carnivore to be utilized, it must be installed at an Internet Service Provider (ISP), near a server that the suspect’s Internet traffic will pass through. Because of this there have been some objections by the ISPs. Earthlink in particular indicated, “We didn't feel comfortable having something on our network that we didn't have control over” (Harrison, p. 6). The installed materials are rumored to be a black box computer, using an Iomega Jaz drive to store the gathered evidence. The computer is connected to ISP equipment (Graham, Section 1.5). After Carnivore is installed, all of the traffic through the server also passes through the black box, where Carnivore searches for the information that it is set up to collect. Here is where the controversy lies: theoretically, Carnivore could collect all of the information passing through it. Once installed and running, all of the relevant data is stored on the Jaz drive, requiring someone to come and pick the disk up at some period of time. At this point the disk should only contain data that the law enforcement official has authorization to collect. To further complicate the issue, Carnivore can only be used if the ISP does not have the capabilities to do the monitoring on its own.

Lack of Public Validation

One of the main concerns with Carnivore is that the FBI has never offered conclusive proof that Carnivore does what it is claimed to do. The closest that the FBI has ever come to offering proof that Carnivore is a precision tool that will not incorrectly collect data outside the authority of a warrant is an independent review of the system done by the Illinois Institute of Technology Research Institute (IITRI). The critics of this review have gone on record saying, “This report is, at best, a fuzzy snapshot of Carnivore, and it will be obsolete in two months when the F.B.I. comes out with the next version of Carnivore” (Foster, p. A36). The report released December 8, 2000 reveals some disturbing facts, although the reviewers' recommendation is to “Continue to use Carnivore rather than less-precise, publicly available sniffer software, such as EtherPeek, when precise collection is required and Carnivore can be configured to reflect the limitations of a court order” (Smith, p. 69). The recommendation reflects a limitation that exists on just about any software. It begs the question of whether the feature exists or not, which brings us back to the previous quote and the question of how often the FBI has to add new features or settings to Carnivore to attempt to fulfill the non-standard requirements that can be ordered by a judge. This is disturbing in that if the feature does not exist, the FBI most likely uses the closest existing setting for a search, with the risk of losing all the information collected due to possible over-collection and violation of personal rights.

Software Engineering Problems

Adding updates, like developing software, requires money and time. For the FBI both are an issue. “FBI agents were actually using it [Carnivore] in 1997 before it was finished and tested” (Hayes, p. 94). Using an untested product speaks of desperation, for the results of their search affect people’s lives. That the FBI was using this software before it was released is worrisome, as it raises the question of what kind of authorization the FBI needed or got when they deployed prior to the software’s release. Furthermore, Carnivore escaped inspection by higher-level administrators because of its price tag, under $100,000 (Hayes, p. 94). Carnivore is an upgrade from an earlier version, called Omnivore. That Carnivore has been developed iteratively is encouraging. On the other hand, knowing that there have been problems with Carnivore says that the FBI’s system of development is somehow flawed. In fact, the review done by IITRI stated, “No formal development process was used for Carnivore through version 1.3.4” (Smith, p. 62). This is a disquieting concept, particularly in view of the nature of this software. A portion of the problem may lie in the apparent ease of developing this kind of software. “The author of this FAQ wrote ‘Altivore’ that is an exact duplicate of Carnivore in a weekend” (Graham, Section 4.1). Due to the reported problems with the Carnivore software, there must be a great deal of special cases involved. For although there is a claim of similar software being developed in a weekend, Carnivore still failed 5 test categories of 13 that the IITRI performed, as noted in Appendix C of their review.

Other Issues Raised by IITRI

The failed tests are not the only thing that IITRI examined. The IITRI team also questioned the methodology of ensuring that the computer that is running Carnivore was secure; they found that in many ways it is not. For example, they indicate a “Lack of physical control of the Carnivore collection computer engenders some risk of compromise by untrustworthy ISP personnel” (Smith, p. 65). Further, IITRI faults the accountability of the officers who use the system. The system does not contain any record of which person sets up the collection computer, or of who accesses the collection computer while collection is in progress (Smith, p. 65). These two issues go back to the topic of the ISP using its own equipment to gather the data. For if the integrity of the ISP personnel were in doubt, then the ISP would also have to create a secure way that only the FBI agents using their system would be able to access the data collected and the collection method. If the ISP had a collection system, and a system of data control, this would, for some situations, be the best solution. However, the review by IITRI brings another difficulty into the mix, for they state “the details of some highly sensitive investigations should not be disclosed to ISPs, many of whom may present risks of inappropriate disclosure” (Smith, p. 62). In some ways this quote states that a tool like Carnivore will always be necessary regardless of ISPs implementing their own collection system. The results of the tests and reviews done by IITRI still had the Electronic Privacy Information Center (EPIC) looking to make the source code fall under public review.

Release of the Source Code

EPIC’s court battle for release of all pertinent documents still continued even after the release of the independent review. In fact, EPIC released a statement about the review that included “a close reading of the reviewers' conclusions in fact validates much of the public and congressional criticism that has been expressed since the existence of the surveillance system was revealed earlier this year” (Sobel). In August 2001 EPIC still continued to search for pertinent information through the Freedom of Information Act. In May of 2002 the last set of documents was released regarding EPIC’s litigation. The EPIC web site contains five documents, which showed the versions of Carnivore that were in use in the year 2000 were flawed. Even with these documents being released, the source code has not been released at the time of this writing. Most likely, the source code will never be released as the independent reviewers stated that “The FBI is restricted, by license, from releasing the commercial code that forms the basis of the tool” (Smith, p. 68). Part of the commercial code that is referenced is code to directly interface with the Iomega Jaz drive, but that would not be a basis of the tool, as most likely the Jaz drive interface was abstracted out into a class (Carnivore was written in C++). So that would not be an obstacle to release of the code, as that part could just be omitted. Most likely the FBI does not want to release the source code because Carnivore has “technical limitations that could be exploited to defeat surveillance if they were revealed” (Smith, p. 68). However, all software would have the problem of technical limitations, thus the source code probably will not be revealed until use of the software is discontinued.

My Opinion

This is an ethical opinion, based on utilitarian reasoning. My opinion is that the government is right to use Carnivore. It really all comes down to the fact that freedom and security are not free, and Carnivore is a tool that must be balanced between the two concepts. The freedom advocates will argue that Carnivore is too unrefined, and simply too powerful, citing much of the same kinds of evidence as used above. They will say that the negative cost of using Carnivore is huge because of these flaws. Conversely, the security minded argue that Carnivore should be used, but only in the settings that it has proven to work, and if it is used in that way the negative cost is not large. On the positive side, the security minded will say that with a tool that is so powerful, even if it is bug ridden, there are many ways to attack evidence gathered with this tool, thus making prosecutors careful in how this evidence is used. I fall into the side of the security minded, for what is the point of freedom if I live in fear? I am not the only person that thinks this way; it is the overall reflection of the courts. “The Judges appointed in recent years have a tendency to assume that the government wouldn’t be asking if they weren’t entitled” (Schwartz, p. 52). The argument is furthered by the fact that the judges that deal with these kinds of cases are elected officials. I guess my response to those that come down on the side of freedom would be to say that nothing is free, and to complain about a tool that can so easily be overcome is a waste of time. For Carnivore cannot decrypt messages; it can record encrypted messages (Smith, p. 68). Besides, it is foolish to assume that while on the Internet you are not being watched, whether you are at work or at home, for what other purpose do all of those cookie files achieve?

My conclusion is that in my opinion the negative cost of Carnivore is not great but its positive benefit is very large, so by the utilitarian principle, on balance it should be used.

Works Cited

Foster, Andrea L. “Institute Gives FBI’s Carnivore a Thumbs Up” Chronicle of Higher Education 8 Dec. 2000: 15

Graham, Robert. “Carnivore FAQ.” http://www.robertgraham.com/pubs/carnivore-faq.html Retrieved 3-9-2003

Harrison, Ann. “Critics Knock Proposal For Surveillance Standards” Computerworld 24 Jul, 2000: 6

Hayes, Frank. “Quick and Dirty” Computerworld 11 Dec. 2000: 94

Schwartz, Ephraim. “FBI phone tapping and locating cell phones making 911 calls.” InfoWorld, 15 Jan, 2001: 52.

Smith, Stephen P., Perritt Jr, Henry. Independent Review of Carnivore System http://www.epic.org/privacy/carnivore/carni_final.pdf

Sobel, David L. “EPIC comments on Carnivore Technical Review (12-1-00)”, http://www.epic.org/privacy/carnivore/review_comments.html 3-12-2003