Contract No. 00-C-0328 IITRI CR-030-216 Independent Technical Review of the Carnivore System Final Report 8 December 2000 Contract No. 00-C-0328 IITRI CR-030-216 Independent Review of the Carnivore System Final Report Prepared by: Stephen P. Smith J. Allen Crider Henry H. Perritt, Jr. Mengfen Shyong Harold Krent Larry L. Reynolds Stephen Mencik 8 December 2000 IIT Research Institute Suite 400 8100 Corporate Drive Lanham, Maryland 20785-2231 301-731-8894 FAX 301-731-0253 IITRI CR-030-216 CONTENTS Executive Summary.................................................................................................................. vii ES.1 Introduction................................................................................................................... vii ES.2 Scope............................................................................................................................. vii ES.3 Approach....................................................................................................................... viii ES.4 Observations ................................................................................................................. viii ES.5 Conclusions................................................................................................................... xii ES.6 Recommendations......................................................................................................... xiv Section 1 Introduction 1.1 Purpose.......................................................................................................................... 1-1 1.1.1 Technical Concerns........................................................................................... 1-2 1.1.2 Concern of Privacy Advocates.......................................................................... 1-3 1.1.3 Concerns Expressed via Internet....................................................................... 1-4 1.2 Objective....................................................................................................................... 1-5 1.2.1 Address Four Key Questions ............................................................................ 1-6 1.2.2 Convey Understanding of the System............................................................... 1-6 1.3 Scope............................................................................................................................. 1-6 Section 2 Approach 2.1 Process Assessment ...................................................................................................... 2-1 2.2 Architecture Evaluation ................................................................................................ 2-2 2.3 Software Source Code Examination ............................................................................. 2-2 2.4 Laboratory Test ............................................................................................................. 2-3 Section 3 Findings 3.1 The Legal Framework for Electronic Surveillance....................................................... 3-1 3.1.1 Title III Intercepts of Electronic Information.................................................... 3-1 3.1.2 Pen and Trap Provisions ................................................................................... 3-2 3.1.3 Foreign Intelligence Surveillance Act............................................................... 3-2 3.2 The Electronic Surveillance Process............................................................................. 3-3 3.2.1 The Decision to Use Carnivore......................................................................... 3-3 3.2.2 Deployment of Carnivore.................................................................................. 3-4 3.2.3 Analysis of the Information Retrieved by Carnivore ........................................ 3-5 3.3 External and Internal Checks on the Process................................................................ 3-6 3.3.1 External Checks ................................................................................................ 3-6 3.3.2 Internal Checks ................................................................................................. 3-8 3.3.3 Overall Effectiveness of Controls..................................................................... 3-9 3.4 System Architecture...................................................................................................... 3-10 3.4.1 The Ethernet Tap............................................................................................... 3-10 3.4.2 Computers......................................................................................................... 3-11 3.4.3 Telephone Link ................................................................................................. 3-12 3.4.4 Carnivore Software Program ............................................................................ 3-13 3.4.5 Throughput........................................................................................................ 3-18 3.4.6 Operational Considerations............................................................................... 3-18 IITRI/IIT—DoJ Sensitive Page i IITRI CR-030-216 CONTENTS (Cont) 3.5 Software Architecture ................................................................................................... 3-18 3.5.1 TAPNDIS Driver .............................................................................................. 3-19 3.5.2 TAPAPI Driver ................................................................................................. 3-20 3.5.3 Carnivore.dll ..................................................................................................... 3-20 3.5.4 Carnivore.exe.................................................................................................... 3-23 3.5.5 Development Process........................................................................................ 3-23 3.6 Laboratory Tests............................................................................................................ 3-23 3.6.1 Test 1 Noncontent E-Mail Collection............................................................... 3-24 3.6.2 Test 2 Noncontent Web Browsing Collection .................................................. 3-24 3.6.3 Test 3 Noncontent File Transfer Activity Collection........................................ 3-25 3.6.4 Test 4 Full Collection on a Fixed IP Address ................................................... 3-25 3.6.5 Test 5 E-Mail Content Collection..................................................................... 3-25 3.6.6 Test 6 Alias E-Mail Collection ......................................................................... 3-25 3.6.7 Test 7 Filtering Text String on Web Activity Collection.................................. 3-26 3.6.8 Test 8 Power Failure and Restoration............................................................... 3-26 3.6.9 Test 9 Full Mode Collection for All TCP Ports................................................ 3-26 3.6.10 Test 10 Collect from a DHCP-Assigned IP Address ........................................ 3-27 3.6.11 Test 11 Filtering on Text String for E-Mail Collection .................................... 3-27 3.6.12 Test 12 Filtering on Text String and E-Mail Address or E-Mail User ID for E-Mail Collection........................................................................................ 3-28 3.6.13 Test 13 Filtering on Text String for FTP Collection......................................... 3-28 Section 4 Conclusions 4.1 Assumptions.................................................................................................................. 4-1 4.2 General Conclusions ..................................................................................................... 4-2 4.2.1 Need for Carnivore............................................................................................ 4-2 4.2.2 Legal and Organizational Controls ................................................................... 4-2 4.2.3 Collection.......................................................................................................... 4-3 4.2.4 Audit and Accountability.................................................................................. 4-5 4.2.5 Integrity............................................................................................................. 4-5 4.2.6 Carnivore Development Environment .............................................................. 4-6 4.2.7 Miscellaneous Concerns ................................................................................... 4-7 4.2.8 Carnivore Limitations ....................................................................................... 4-8 4.2.9 Release of Carnivore......................................................................................... 4-8 4.3 DoJ Questions ............................................................................................................... 4-9 4.3.1 DoJ Question 1.................................................................................................. 4-9 4.3.2 DoJ Question 2.................................................................................................. 4-9 4.3.3 DoJ Question 3.................................................................................................. 4-10 4.3.4 DoJ Question 4.................................................................................................