Carnivore Update - Washington Post 11/21/00

["Pickett, Mclean" <mclean.pickett () digex com>]

To view the entire article, go to
http://washingtonpost.com/wp-dyn/articles/A48737-2000Nov21.html

Study: FBI Tool Needs Honing


The FBI's hotly debated Internet wiretap program is a sound law enforcement
tool but needs modification to protect people's routine e-mail and other
communications from being intercepted unlawfully, according to a draft study
released yesterday by the Justice Department.

The study, undertaken by the Illinois Institute of Technology Research at
the request of the Justice Department, said although "Carnivore" can be
"more effective" in protecting privacy and enabling lawful surveillance than
other alternatives, it does not eliminate the risk of unauthorized
monitoring of electronic communications by FBI agents. The report
recommended that Carnivore be modified, subjected to further outside review
and ultimately have its underlying "source code"--the technical details of
how its software works--released to the public.

Some privacy advocates say the institute, which the Justice Department paid
$175,000 to review Carnivore, was biased in favor of the new technology.
They also sa!
y the FBI cannot be trusted to use Carnivore because the program can pick up
all communications that pass through an Internet service provider--such as
America Online--rather than monitoring e-mail traffic between suspects under
surveillance.

House Majority Leader Richard K. Armey (R-Tex.), a longtime Carnivore
critic, said the selection of the evaluation team determined the nature of
the report.

"The Department of Justice selected reviewers and set the rules in order to
ensure they would get the best possible review," Armey said.

Justice officials said yesterday that the study confirms Carnivore is a
legitimate law enforcement tool that can be refined to address concerns.
They said the recommendations in the study would enable them to simplify and
improve Carnivore's operation.

"We are pleased with the findings and the constructive recommendations made
in today's draft report," said Donald M. Kerr, head of the FBI's laboratory
division. 

"From the beginning, we have welc!
omed this review for two main reasons: First, subjecting Carnivore to
outside scrutiny allows for practical criticism, feedback and suggestions
for improvements which will ultimately benefit everyone," Kerr said.
"Secondly, a review such as this presents the public with a clearer
understanding of the facts, which is critical in maintaining public
confidence in law enforcement's ability to effectively investigate and
prevent serious crimes."

The study said Carnivore poses no operational or security risks to Internet
service providers, some of which feared that having the program installed
would disrupt communications.

The report also said that when the technology is used correctly under a
valid court order, it gives investigators appropriate access to information.
However, it said that since Carnivore poses the risk of going beyond
court-permitted information collection in some instances, multiple versions
of the wiretap system need to be developed.

"This is a very fair repo!
rt," a Clinton administration official said. "It doesn't give [Carnivore] a
clean bill of health, but says Carnivore has better safeguards than other
alternatives and has recommendations for how to improve the use of this
technique. It also has suggestions for how to avoid accidental over-use."

The report warned that while Carnivore was designed to perform fine-tuned
searches, it is also capable of broad ones.

"Incorrectly configured, Carnivore can record any traffic it monitors," the
study said. But the study rejected fears that FBI agents would be reading
all of the routine e-mail traffic of a given Internet service provider,
saying that Carnivore "does not have nearly enough power" to do so.

The FBI has legitimate reasons to oppose public release of Carnivore's
underlying source code; the current version's technical limitations could
enable hackers and others to defeat surveillance, the study said. The bureau
needs to work toward public release of Carnivore's source code!
  by eliminating "exploitable weaknesses." Until that public release,
outside, independent monitoring is needed to assess the effectiveness and
risk of over- or under-collection of data, the study said. In addition, the
bureau needs to simplify Carnivore and employ a formal development process
in its next version to reduce errors.

James Lewis, senior fellow at the Washington-based Center for Strategic and
International Studies, said Carnivore is critical for law enforcement, but
said selecting the name "Carnivore" has created a public relations problem
for the bureau.

"Right before Thanksgiving, 'Vegetarian' is the name I would go for," he
said.

McLean Pickett
digex, Inc.