Interesting People mailing list archives

IP: FBI may not appreciate the risks with Carnivore sniffing E-Mail: [risks] Risks Digest 21.82


From: David Farber <dave () farber net>
Date: Sat, 15 Dec 2001 00:18:20 -0500

Date: Wed, 05 Dec 2001 11:57:43
From: "Fredric L. Rice" <frice () skeptictank org>
Subject: FBI may not appreciate the risks with Carnivore sniffing E-Mail

Probably everyone who reads RISKS has read about the United States' law
enforcement agencies' wish to implement anti-terrorism measures which
adversely impact people's privacy.  As reported in Yahoo Magazine, November
2001, the FBI has been pushing to get its Carnivore package installed at
major Internet Service Providers like AOL and EarthLink so that subscribers'
inbound and outbound E-mail can be flagged and read by the FBI.

Before the terrorist attacks on New York, activists had been trying to
disrupt Carnivore and like-minded software packages by stuffing their Web
sites, E-Mail messages, Usenet postings, and mailing list messages with
likely terms and phrases that would trigger collection by Carnivore so that
some hapless FBI stooge has to spend half a minute apiece looking through
tens of thousands of messages.  By now, I'd expect, the FBI has tailored
its implementations of Carnivore to detect such repeated, invariant attempts
to choke off their software's usefulness, but did the FBI really consider all
of the risks of using Carnivore?  I doubt that they did.

You know what happens next, humans being ornery and downright stupid.  What
happens next is that activists and idiots both will start farming AOL and
EarthLink E-Mail addresses and software will be written to start spamming
those hundreds of thousands of addresses with variant message texts
containing all the likely terrorism-related keywords inserted Mad-Lib
fashion.  Tens of thousands of people will get E-Mail messages with forged
return addresses containing Mad-Lib-like generated terrorist plans and
Carnivore will flag on them.  Then when the subscriber who gets the spam
forwards it to both uce () fbi gov and Norfolk () fbi gov, Carnivore gets two more
hits.  If the subscriber is stupid enough to reply to the E-Mail (and let's
face it: They're using AOL or EarthLink so you know they're not very bright),
now Carnivore sees a bi-directional link.

The risks are plenty.  How many people will the FBI take off of real
criminal investigations and put onto the project to monitor and review bogus
Carnivore hits?  If they hire new people, who's going to pay for them?  How
many people are going to be visited by the FBI because some idiot keeps
sending them terrorist attack plans?  The biggest risk is obvious and I have
to wonder why nobody in the FBI seems worried about it: Real terrorists will
slip through Carnivore's filtration criteria simply because you damn well
know that activists and idiots will be the ones who get to decide what
Carnivore filters and what it hits on.

How will activists get to drive Carnivore?  Every time someone gets
questioned by the FBI or finds out from their neighbors that they've been
investigated, the victim will report the fact on the Internet, maybe even
posting the E-Mail they received that triggered the software, prompting
activists and idiots to adopt the terms and methodologies which worked,
prompting the FBI to tailor Carnivore's filtration until the next time.

I can't see anything coming out of the struggle besides a pile of useless
software running on ISPs' servers fingering innocent people and failing to
point at a single bad guy.

For archives see:
http://www.interesting-people.org/archives/interesting-people/

