Carnivore: National Security

Versus Personal Privacy Erik Small

Overview tion of outgoing communications; trap-and-trace, logging the source of In the honorable name of pursuing increased national security and de- incoming communications; and Þnally content-wiretap, listening to all terring criminal communication through cyberspace, the FBI has devel- communication details. oped a software package dubiously named Carnivore. The subject of no The problem, according to many critics, is that Carnivore has the small amount of controversy, Carnivore is a network tool potential to violate the privacy of unintended targets of the system [1]. that is designed to ÒsniffÓ out and analyze transmitted information that This fear can be partially attributed to the fact that the FBI will not originates from or is destined to a speciÞc target. Much like telephone release the source code to the program, thus the public does not truly wiretapping, the Carnivore system gives the Government the ability to and deÞnitively know exactly what limitations and guidelines the sys- identify and gather evidence on suspects for whom the appropriate war- tem abides by. rant has been issued. However, Carnivore itself is not government-mandated, as some seem to believe. When surveillance is authorized, a court orders that the Evolution of a Carnivore ISP in question provide some mechanism for adequate surveillance, at the ISPÕs discretion (so long as it meets the FBIÕs functional require- It is widely thought that the FBI initially used EtherPeek network ments). The FBI provides Carnivore for those ISPs who do not purchase analysis software for investigative work over computer networks. This, or develop their own surveillance packages, or are otherwise Òunwilling undoubtedly with some FBI modiÞcation, is what most likely became or unable to discriminate communications to identify a particular sub- Omnivore in 1997, a predecessor to Carnivore. Omnivore ran on Sun jectÕs message to the exclusion of othersÓ [1]. In the case of Earthlink, Microsystems hardware, using their Solaris operating system. it was felt that the installation of Carnivore was a threat to privacy and Carnivore was developed on the Windows NT platform with the availability on their network, and so refused to have it installed, prefer- purpose of being able to achieve 100% surveillance of the network onto ring to use alternative software. which it is attached. To achieve its goal, Carnivore itself is accompanied by the Packeteer and Coolminer utilities [2], developed to aid Carnivore in processing network data. These are the ÒworkhorseÓ programs, as the Thought Police real problem is not merely attaching and listening to trafÞc, but more Some take paranoia a step further, and claim that Carnivore is attached so being able to pick out speciÞc suspicious or incriminating messages. to major network backbones and is scanning all Internet trafÞc that it The Carnivore package made its debut in June 1999. can, searching for suspicious keywords. This is most likely not the case, The existence of Carnivore was revealed to the public in 2000; the as Carnivore itself is not an entity present throughout the Internet, but collective reaction was considerably negative. In February of 2001, Car- instead a rather unsophisticated computer that attaches to the network of nivore underwent a name change (one that obviously didnÕt quite stick), ISPs only when a surveillance warrant has been issued. to the less menacing title DCS1000. This name change was plainly an Another fabled surveillance system, known as Echelon, is said to effort to improve public opinion of Carnivore, but experienced little suc- match this description better than Carnivore. Echelon is a co-op between cess. (With an original name like ÒCarnivoreÓ, it would be a PR feat the United States, Canada, Australia, and the UK, about which little is indeed to make such a surveillance system seem benign!) known [3]. The U.S. has scarcely admitted its existence, but other coun- The latest installment in the Carnivore package (initially called tries have made references to it. If Echelon does indeed exist, it clearly Dragon Net), claims to also have the ability to monitor wireless commu- represents a serious violation of privacy. nication in much the same way that the Internet and telephone systems Many other countries have their own Internet surveillance systems are monitored. in place: In 1998, the PeopleÕs Republic of China started a special Inter- net police agency that is responsible for several Òcyber-surveillance ini- Preferred Diet tiatives,Ó with plans for more sophisticated systems on the way; France is rumored to have created a French version of Echelon (which they The Carnivore system, in theory, is one that is heavily regulated and de- claim has stolen secrets from them). pendent on authorization from U.S. courts. No surveillance can be per- The United States has more than Carnivore, though, to keep track formed unless a court Þnds that there is due process and probable cause, of a plethora of private information. In 2003, the TIA (Terrorism Infor- and then issues a warrant. Furthermore, the warrant issued speciÞes one mation Awareness) program began [5]. (Curiously, prior to 9/11 TIA of varying degrees of surveillance: pen-register, recording the destina- 53 stood for Total Information Awareness.) TIA, like the Carnivore project, specializes in detection and deciphering of communications. This proj- A Necessary Evil ect, led by DARPA (Defense Advanced Research Projects Agency) [5] Carnivore represents the fundamental sacriÞce of privacy for better seems to have more imposing privacy implications than Carnivore. security, and with modern encryption technology, the practicality of Carnivore for intercepting high-proÞle communication is coming into Quelling the Beast question. However, as communication gets ever easier and the world Unfortunately, it may be that Carnivore is best at snooping on innocent relies more upon it, the need for effective cyber-surveillance is height- bystandersÕ transmissions rather than those of the real criminals. Pre- ened. Carnivore and surveillance in general may incur a violation of sumably, any sort of major organized crime or terrorist organization by privacy, but inevitably sacriÞces must be made, for they are among the this time uses some form of data encryption or other method of defeat- only available tools to help ensure security in our cyber-world. ing surveillance. Circumventing Carnivore is disappointingly easy to do, and there are many ways to do it: EDITORÕS NOTE: This is a research paper that was written for Com- puter Science 494, . ¥ Perhaps the most intuitive way of defeating Carnivore is to use data encryption. Carnivore, as any other unauthorized onlooker, will References not be able to decode your message (easily) without knowing the [1] Electronic Privacy Information Center. http://www.epic.org/privacy/ appropriate cipher keys. It is almost unbelievable that any major carnivore/ criminal or terrorist organization transmits sensitive information without data encryption [2] Carnivore FAQ. Robert Graham. http://www.robertgraham.com/ ¥ Proxies/Anonymizers are services that are run by a foreign host pubs/carnivore-faq.html that act as a middleman to your connection from point A to point B. Some (here called Anonymizers) actually remove the ÒsourceÓ [3] Echelon Watch / ACLU. http://www.echelonwatch.org/ information from your request, so that it may be untraceable. ¥ Simply avoid sending trafÞc through networks/mediums that [4] Altivore. Network ICE. http://www.robertgraham.com/altivore/ may be running Carnivore. To this end, dial-up connections with modern compression technology are very difÞcult to spy on, so [5] Defense Advanced Research Projects Agency. http://www.darpa.mil/ criminal organizations may be likely to use direct modem connec- body/tia/tia_report_page.htm tions. [6] CarnivorePE. http://www.rhizome.org/carnivore/ In March 2000, there was a case where the Carnivore system didnÕt even need to be circumvented -- it malfunctioned while making crucial in- terceptions [1]. The actual software malfunction only made the system gather additional data on unintended targets, which was in violation of federal wiretap law, but still provided effective surveillance on the target. However when the privacy violation was discovered, the ÒFBI technical person was apparently so upset that he destroyed all the E-Mail take, including the take on [the authorized target]Ó [1]. This case has since gained in notoriety, as the target of the lost surveillance was revealed in 2002 to be the mastermind of the September 11, 2001 attacks.

Alternatives Now, there exist alternatives to Carnivore. Altivore, developed by Net- work ICE [4], is an implementation of the Carnivore speciÞcation that is open source. Another, more unique and interesting alternative, is Carni- vorePE developed by RSG (Radical Software Group) [6]. Network ICE developed Altivore for the purpose of making avail- able an alternative to the public so that any organization that didnÕt want Carnivore on their networks could turn to Altivore. The main appeal of this package is that it is open-source: the source code used to create the program is publicly available for scrutiny, so that its functionality and integrity can be veriÞed. CarnivorePE by RSG appeals to a different crowd: it is not only a network surveillance and analysis tool, but also a form of artistic ex- pression. In addition to snifÞng network packets, CarnivorePE provides a ßexible interface that allows client programs to be created that inter- pret the intercepted data (usually by counting ÒkeywordsÓ) in interesting and creative ways, ranging from creating geometric patterns and visual effects to driving RC cars [6]. This package is decidedly more for sta- tistical use than for eavesdropping on suspected criminals as the FBIÕs Carnivore. 54