Researchers fault independent review of Carnivore
December 6, 2000
A group of researchers that helped the U.S. Department of Justice identify technical issues that should be studied during an independent review of the FBI's Carnivore e-mail surveillance system this week said they still have "serious concerns" about the controversial technology, despite a generally favorable draft report by the review team.
In a document released Sunday, the group of five researchers from organizations such as AT&T Laboratories and the University of Pennsylvania said the Carnivore review done by the Chicago-based Illinois Institute of Technology Research Institute (IITRI) "appears to represent a good-faith effort at [an] independent review" of the surveillance system. But, they added, the "limited nature of the analysis described in [IITRI's] draft report simply cannot support a conclusion that Carnivore is correct, safe or always consistent with legal limitations."
The researchers, who met with DOJ officials in early October after being asked by the agency's chief scientist to help in the preparations for the independent review, suggested in the document issued this week that the government release Carnivore's source code for public review in order to create more confidence about the use of the technology.
Carnivore is a software program that monitors packets of data passing through an Internet service provider's network. Officials at the FBI and the DOJ have said the surveillance system can only be legally deployed to monitor alleged criminal activity under a court order, but privacy advocates are worried that the software could lead to widespread and random surveillance of e-mail messages.
The DOJ released a draft version of IITRI's report two weeks ago, and the final report is due this Friday. The draft report raised some questions about Carnivore's ability to monitor more than the e-mail and Internet activities of suspected criminals being investigated by the FBI, but it concluded that the software essentially does what it was designed to do -- track specific digital communications with the permission of a court order (see story).
But the five-man group of researchers said people concerned about potential misuse of Carnivore "should not take much comfort" from the draft report. The group took particular issue with what it believes to be vague and changeable audit trails within the Carnivore system. Without a definitive audit trail, the researchers said, it would be impossible to determine who had been monitoring what.
The researchers also claimed there were problems with the scope of the IITRI review. "While the IITRI report does represent a good starting point for answering these questions, we were disappointed that more attention was not paid to operational and 'systems' issues," they said. "It is simply not possible to draw meaningful conclusions about isolated pieces of software without also considering the computing, networking and user environment under which they are running."
Peter Neumann, principal scientist at the SRI International Computer Science Laboratory in Menlo Park, Calif., was one of the five researchers critical of the draft report. In an interview yesterday, he described Carnivore as "just another technology that may or may not work efficiently."
Neumann also took issue with what he said was the government's lack of information as to how the Carnivore technology will be set up when it's put into use during a criminal investigation. "That system can be configured to monitor absolutely anything if it's misconfigured," he said.
The DOJ was helpful as Neumann and his colleagues conducted their review and "seriously wanted to know what the vulnerabilities were" with the surveillance system, he added.
A DOJ spokeswoman said the document prepared by the researchers will be submitted to the U.S. Attorney General's office by the end of this month, along with IITRI's report and all other Carnivore-related submissions. "We will certainly pay attention to their findings, and we appreciate their help," she said.
Barry Watson, senior vice president for IITRI's systems technology sector, said the comments by the researchers also will be reflected in its final report, although he added that IITRI's conclusions about Carnivore aren't expected to differ from what was included in the draft version.
Although Watson agreed with Neumann that it would be prudent to review networking issues related to the surveillance technology, he said such a review wasn't possible under the scope and time frame that IITRI was given by the DOJ. However, Watson said IITRI does support the idea that the government should make Carnivore's source code public.
The suggestion to release Carnivore's source code also was embraced by the Electronic Privacy Information Center (EPIC), a Washington-based privacy group that has been pushing for that to take place. "If the FBI really wants to provide any type of public assurance as to what Carnivore can and can't do, there is no substitute for releasing that source code," said David Sobel, EPIC's general counsel.
For complete coverage of this issue, head to our Focus on Carnivore page.
Michael Meehan, ComputerWorld.com/