The following text is copyright 2000 by Network World. Permission is hereby given for reproduction, as long as attribution is given and this notice is included.

The threat of omnivore

By Scott Bradner

I would find it impossible to be a columnist in the Internet space with some concern about Internet privacy and not write about the FBI's adroitly named Carnivore email-surveillance system. I think one of the basic problems with this system has been overlooked.

For the vegetarians among the readers, in this context Carnivore is the name that the FBI gave to a traffic monitoring system that it attaches to Internet service provider networks, ostensibly to monitor email traffic. According to the testimony of FBI assistant director Donald Kerr before a US House subcommittee, the device is only installed when a court has authorized electronic surveillance. In his testimony Mr. Kerr described Carnivore as "a very specialized network analyzer or 'sniffer' which runs as an application program on a normal personal computer under the Microsoft Windows operating system. It works by 'sniffing' the proper portions of network packets and copying and storing only those packets which match a finely defined filter set programmed in conformity with the court order."

In order to work, the Carnivore PC is connected to a part of an Internet service provider's network where it can monitor the traffic to and from the subject of surveillance. Such a placement may cause difficulties in some cases since ISP networks are purposely not designed to have all customer traffic pass through any particular point in the network. In the past such network designs have been exploited by hackers to capture user lognames and passwords.

Although Carnivore has been portrayed in the press, and even by some FBI spokesmen, as an email intercept device, Mr. Kerr's testimony reveals it to be a general-purpose intercept system that can be programmed to capture any type of traffic.

Clearly one of the big issues many people have with Carnivore is to be sure that the operators are only doing the intercept that the court has authorized. The FBI now has announced that it suddenly has a "tamper-proof logging mechanism" so that the court can find out just what was done. But the FBI refuses to open the system to public review, claiming that if it did so hackers could figure out a way around it. In fact, if the FBI's description of Carnivore is accurate, there are already plenty of ways to get around its filters.

My biggest worry is that Carnivore is a programmable device stuck in the middle of an ISP's network. Such a device is inherently a threat to the integrity of the ISP. It is far from clear that it is possible to create a truly tamper-proof auditing system on such a device or to make the device itself hacker-proof. Even if there were no history of abuse of trust by law enforcement, Carnivore would be a worry. The law enforcement community does need ways to do legitimate intercept and monitoring, but Carnivore seems a blunt and inappropriate tool for the job.

disclaimer: Harvard educates tool makers and managers and I did not ask them for this opinion.