FBI defends e-mail surveillance tool
FBI DEFENDS USE OF E-MAIL MONITORING SOFTWARE
FBI makes case for net wiretaps
FBI's 'Carnivore' E-Mail Tool Chewed Up by Lawmakers
Congress Probes FBI's E-Mail Use
By Kevin Johnson USA TODAY WASHINGTON -- Peppered with questions from skeptical lawmakers, the FBI played down concerns Monday that its e-mail surveillance program known as ''Carnivore'' could be used to eavesdrop on the innocent. At a House Judiciary subcommittee hearing that seemed to capture both the promise and pitfalls of new technology for law enforcement, Assistant FBI Director Donald Kerr defended the program as a useful tool for agents. He said any surveillance done with the Carnivore program is limited to those suspects named in court orders. Critics, including an unusual coalition of conservative Republicans and civil liberties advocates, have complained that the program could be used to do broad surveillance. Their fear stems from the way the FBI implements the Internet-wiretapping system. Carnivore works through a suspect's Internet service provider, such as America Online. It allows investigators to identify and view a suspect's e-mails among all e-mails moving through the provider's system. Critics are concerned about giving law enforcement access to the e-mails of innocent people as well as suspects. Although Carnivore can retrieve any e-mails, investigators are restricted to those that have been approved for monitoring by a judge. House Judiciary Committee Chairman Henry Hyde, R-Ill., said the Carnivore debate reflected an ongoing tension between law enforcement and individual rights. ''You can understand people's concerns for privacy? There are people who are skeptical about this culture of privacy and how porous it is,'' Hyde told Kerr and other FBI officials at the House hearing. Meanwhile, Rep. J.C. Watts, R-Okla., urged the Clinton administration to suspend the program, under which the FBI has intercepted e-mails in 25 probes over the past two years. No cases involving Carnivore have come to trial. Justice Department officials also said they are reviewing the program to make sure that federal agents have not been involved in unlawful eavesdropping. Kerr said investigators involved in the Carnivore program have never been provided Internet traffic outside the scope of their probes: ''We don't do broad searches (on Internet traffic) and surveillance that is not authorized by court order.'' This year, the program has been used in 16 cases: six criminal probes and 10 national-security investigations. FBI DEFENDS USE OF E-MAIL MONITORING SOFTWARE By Frank James Washington Bureau July 25, 2000 WASHINGTON -- Privacy experts and lawmakers on Monday criticized the FBI for using technology that monitors e-mail, claiming that it threatens privacy rights. But computer security experts say those concerns miss the point: By its very nature, e-mail is not secure. Electronic messages are among the worst ways to send private information. Speaking after a House Judiciary subcommittee hearing Monday, Tom Perrine, a computer expert, lamented that he ran out of time before he could explain to lawmakers that it's not just government snoops using a special, secret software program like "Carnivore" that threaten e-mail privacy. Anyone with a little computer know-how can catch and read other people's online mail. The answer, he and other experts say, is a simple encryption program that codes the e-mail so others can't read it. "If everyone used strong encryption, large parts of Carnivore would be completely useless," Perrine said. At the 3 1/2-hour hearing, Democratic and Republican skeptics openly doubted the FBI's ability to keep from abusing its Carnivore technology and violating Americans' constitutional rights with the Internet equivalent of a telephone wiretap. For two years, witnesses testified, the agency has quietly used Carnivore to capture the "to" and "from" lines of e-mail between certain suspects and their e-mail buddies. When federal judges have provided the agency with the required authority, the FBI also has captured not just the address information, but the content of targeted e-mails. Privacy experts, lawmakers and others have sharply criticized the FBI for its use of the program; Monday's hearing was filled with accusations of privacy violations. "I think Congress has to act," said Rep. Jerrold Nadler (D-N.Y.), calling for tighter restrictions on the FBI. "Police agencies can't be afforded untrammeled discretion, and we can't assume a lack of bad intent on the part of police or the presence of goodwill is enough to protect people's privacy." The FBI's general counsel, Larry Parkinson, assured the lawmakers: "There are checks and balances with respect to Carnivore. ... It's not a situation where a rogue FBI agent could broaden the coverage of the Carnivore intercept and violate the court order" authorizing the surveillance. What the numerous witnesses defending the use of Carnivore, as well as privacy advocates condemning it, didn't acknowledge, however, was the thing they all agree on--the insecurity of e-mail in general. President Clinton knows. After a speech last March in Silicon Valley, as reported by Dan Gillmor, technology columnist for the San Jose Mercury News, someone asked Clinton if he keeps in touch with his college student daughter, Chelsea, by e-mail while she is away at Stanford University. "I don't do e-mail with Chelsea. Absolutely not--I don't think it's secure," said Clinton. Indeed, said Perrine, manager of security technologies at the San Diego Supercomputer Center, at the University of California-San Diego, everyone worries about protecting their computers, but too many send sensitive information by e-mail. "There's a quote, I wish I could remember who said it, but basically it goes ... `Trying to do secure things over the Internet is like two people in concrete bunkers surrounded by machine guns sending messages to each other written on the back of postcards,'" Perrine said. "There's all this communication that goes across that can be read by anyone" with access to the network and technology called a packet sniffer, he said. E-mail transmitted over the Internet, like all information sent over the global network, is broken into chunks called packets that are bounced from the sender's computer to the recipient's. Because of the way the Internet was constructed, the packets often take different routes to get from point A to point B, bouncing around the Internet until they arrive at their destination and are reassembled. At the right place on the network, a hacker or someone else using a packet sniffer can collect the packets then reassemble them to learn the contents of an e-mail, leading to the security issue Clinton raised. The greatest cause for concern is the possibility of an inside job, someone with access to the powerful computers known as servers, the brains of computer networks, said Richard Smith, an Internet security expert based in Cambridge, Mass. "In the case of Chelsea, the concern I would have as President Clinton or the Secret Service is that somebody at Stanford, or wherever, who maintains the e-mail system was watching that traffic, that they got $10,000 from a tabloid [newspaper] to read those e-mails and spy on Chelsea for whatever reason," he said. Sensitive corporate information and trade secrets are equally vulnerable when they are mentioned in e-mail, which has its roots in an easy-to-read format. "If anything cried out for being encrypted, I would say e-mail does," Smith said. "Maybe over time, that can be a change that happens." Actually, powerful encryption tools are currently available to virtually all computer users, though they take some knowledge of computers to properly employ. Computer experts foresee growing consumer demand for encryption. "We can expect that as people learn that e-mail is not secure, there'll be more interest in using encryption to protect it," said Matt Blaze, a research scientist with AT&T Labs. "Most people now don't use it because they're not interested in it or it's not available to them in the standard configuration that comes with their computer." Perrine said an Internet engineering standards group recently developed guidelines that could hasten the day when people routinely send encrypted e-mail messages. "All traffic between cooperating computers would be encrypted and in most cases this would be transparent to the user," he said. "Those technologies, if they're not already here, are at least on the horizon." By John Schwartz Washington Post Staff Writer Tuesday, July 25, 2000; Federal law enforcement officials defended "Carnivore"--the FBI's controversial Internet wiretap system--through more than two acrimonious hours of grilling by Democratic and Republican lawmakers yesterday, painting a chilling picture of an Internet that would become a safe haven for crooks and terrorists without proper surveillance. "Criminals use computers to send child pornography to each other using anonymous, encrypted communications," FBI Assistant Director Donald M. Kerr told the House Judiciary subcommittee on the Constitution. "Hackers break into financial service companies' systems and steal customers' home addresses and credit-card numbers, criminals use the Internet's inexpensive and easy communications to commit large-scale fraud on victims all over the world, and terrorist bombers plan their strikes using the Internet." Many of the lawmakers seemed just as concerned with the actions of the law enforcement officials. "The potential for abuse here is tremendous," said Rep. Spencer Bachus (R-Ala.). "What you're saying is 'Trust us.' " Carnivore is a modified version of a common network-maintenance program known as a "packet sniffer." Carnivore offers great specificity--the ability to quickly collect just the "to" and "from" information in e-mail messages, for example, and not online banking transactions. That gives law enforcement the equivalent of the telephone world's "pen register" and "trap and trace" data--the origin and destination of all calls related to the subject. Civil liberties groups and Internet service providers say the system raises troubling questions about what constitutes a reasonable search and seizure of electronic data. In sniffing out potential criminal conduct, they note, the new technology also could scan private information about legal activities, taking in vast amounts of information from innocent people as well as the suspect. The critics also note that past experience has shown that law enforcement has overstepped its wiretap authority numerous times in the past. Barry Steinhardt, associate director of the American Civil Liberties Union, said in his testimony: "Carnivore is roughly equivalent to a wiretap capable of accessing the contents of the conversations of all the phone company's customers, with the 'assurance' that the FBI will record only conversations of the specified target." Officials of Internet service providers who oppose the technology say they are wary of putting equipment designed by others on their networks. They want the FBI to publish information on the software used so that ISPs can be sure that it does what the agency says. The law enforcement officials pledged to present the system to a neutral third party for review but said they cannot release so much information about the system that it will become a target for evasion and hacking. By JACQUELINE NEWMYER, Times Staff Writer WASHINGTON--Federal law enforcement officials faced a bipartisan firestorm of criticism Monday as they testified before Congress about the FBI's new Internet wiretapping technology, which critics argue could violate the privacy rights of law-abiding citizens. At a hearing before the House Judiciary subcommittee on the Constitution, both Republican and Democratic legislators expressed concern that federal authorities could misuse a recently developed software program called Carnivore, designed to screen e-mail messages in felony investigations. Led by subcommittee Chairman Charles T. Canady (R-Fla.) and ranking member Melvin L. Watt (D-N.C.), the panel repeatedly questioned assurances from an FBI technician that the bureau would monitor the use of the system internally. FBI Assistant Director Donald M. Kerr testified that Carnivore has been used 25 times since it was first deployed two years ago, with 16 of those times occurring in the last year. He listed terrorism, child pornography and credit card fraud as crimes now being planned or committed over the Internet and suggested that Carnivore would improve the FBI's ability to prosecute them. To operate the software, the FBI must install it on the servers of an Internet service provider. The system first came under scrutiny from Congress last April, when a lawyer who has represented ISPs complained that Carnivore would violate citizens' 4th Amendment right to protection against unreasonable searches and seizures. Once implanted in an ISP's servers, Kerr said, Carnivore filters the stream of correspondence passing through the ISP and weeds out either complete messages or simply "to" and "from" addresses of court-approved targets. Whether the contents of the e-mail are included along with the address depends on the scope of the court order the FBI has obtained, Kerr said. Rep. John Conyers Jr. (D-Mich.) set the tone for the hearing in his opening statement, when he asked whether Carnivore "minimizes" the interception of nontargeted communication or "maximizes" the FBI's access to private correspondence. "This system should not bite off more than it can chew," he said. "Should we feel comfortable with a 'Trust us, we're the government' approach?" In an interview after the hearing, witness Chris Painter, deputy chief of the Justice Department's Computer Crime and Intellectual Property section, said that extending the FBI's wiretapping ability to the Web does not break with legal precedents. But lawmakers on both sides of the aisle suggested that the new software broadens the scope of federal law enforcement's search activity and unnecessarily extends the FBI's reach into the territory of private ISP companies. "Why do we need to put terminals on site at the ISPs rather than let the ISP itself turn over needed information much in the way that telephone companies do?" Conyers asked. Kerr responded that the FBI's first choice is to let ISPs conduct searches for the bureau and then report their findings, but that Carnivore is needed because not all ISPs have the equipment to filter through their telecommunication traffic. The FBI and Justice Department witnesses also stressed that it would be a violation of federal law for an agent to abuse the intelligence-gathering ability of Carnivore to collect information about non-suspects. Though lawmakers appeared dubious, Tom Talleur, a former federal law enforcement official who recently joined the accounting firm KPMG Peat Marwick as a cyber forensics analyst, said he believes agents would respect existing statutes. "They're not going to unilaterally break the law," he said. "If they do, they're going to go to jail." Law professor Jonathan Zittrain of the Berkman Center for Internet & Society at Harvard Law School reduced the debate over Carnivore to the level of technology. "It used to be that to tap your phone, FBI agents would have to pull up in a truck and sweat it out," he said. "We're just not used to the idea of its being trivially easy for the government to . . . monitor our communications." By D. IAN HOPPER, Associated Press Writer WASHINGTON (AP) - Lawmakers of both parties grilled FBI officials Monday over the bureau's use of "Carnivore," a device designed to monitor and capture e-mail messages in a criminal investigation. Rep. Charles Canady, R-Fla., called the hearings amid concerns from privacy groups about an ordinary computer filled with special software that the FBI calls a "reasonable balance" between privacy and law enforcement in an age where crime has gone online. "Carnivore raises the question as to whether existing statutes protecting citizens from 'unreasonable searches and seizures' under the Fourth Amendment appropriately balance the concerns of law enforcement and privacy," said Canady, chairman of the House Judiciary Committee's Constitution panel. "There seems to me to be a growing level of generalized concern about Big Brotherism that I suspect is being fed by the increasing electronic world," said Rep. Melvin L. Watt, D-N.C. FBI officials defended Carnivore and the bureau's use of the tool to Canady's panel, saying it is used only with proper legal authorization - in many cases coming from both a senior Justice Department official and a judge. The FBI likened Carnivore to a traditional telephone tap, saying both need probable cause to be undertaken. Carnivore is the term used for the entire system, a computer running the Microsoft Windows 2000 operating system and software that scans and captures packets, the standard unit of Internet traffic, as they travel through an Internet Service Provider's network. The FBI can install a Carnivore unit at an ISP's network station and configure it to capture only e-mail going to or from the person under investigation. FBI officials said Carnivore has been used 25 times, including 16 times this year. None of those cases has yet gone to trial, so the FBI would not disclose detailed information about them. Donald M. Kerr, director of the FBI's laboratory division, said Carnivore searches only the sender and recipient lines of e-mail, not the subject line, as was previously reported. It does not search through the message content for keywords, nor does it monitor Web browsing - except for Web-based e-mail - or Instant Messaging, just e-mail traffic, authorities said. Privacy advocates and some lawmakers voiced concern that only the FBI truly knows what Carnivore does, since after it is installed it is neither supervised nor checked by an ISP's technicians; there isn't even a mouse or keyboard attached for someone to access the machine. "When you see some things that have happened here in Washington, it gives one reason to worry," said Judiciary Committee Chairman Henry J. Hyde, R-Ill. To find out, the American Civil Liberties Union filed a Freedom of Information Act request last week for Carnivore's source code, the inner workings of how the device functions. The FBI gave a preview of its objections to the FOIA request, explaining why the bureau wouldn't want Carnivore's innermost details to be public. "We would have a problem with full open disclosure, because that, in fact, would allow anyone who chose to develop techniques to spoof what we do an easy opportunity to figure out how to do that," Kerr said. Deputy Associate Attorney General Kevin V. DiGregory said that for a "rogue FBI agent" to circumvent the law, "he would need to engage the aid of technical people, perhaps even technical people at the Internet service provider, and he would also have to find some way to cover up or change the audit trail that is left by the system so that it doesn't expose his going beyond the court order." Legislators seemed unconvinced. "I don't know if we have any way of verifying that the technological part of the response to my question that you've given me, and I know that unfortunately in the past, we've had many agencies, including law enforcement, that have gone beyond the scope of their responsibility," said Rep. John Conyers, D-Mich., the Judiciary Committee's top Democrat. "There's hardly anything new about that." - On the Net: Hearing testimony: http://www.house.gov/judiciary/con07241.htm
FBI defends e-mail surveillance tool
FBI makes case for net wiretaps
FBI's 'Carnivore' E-Mail Tool Chewed Up by Lawmakers
Congress Probes FBI's E-Mail Use