RealNetworks is approximately the luckiest group of bastards on the planet when it comes to privacy scandals. Last time the company found itself in a privacy-related peccadillo, Judge Thomas Penfield Jackson handed down his Microsoft findings of fact and knocked that story right out of the limelight. This month, just as independent researcher Steve Gibson broke the news that RealDownload is reporting back to the company the URL of every single file you download, along comes Carnivore.
Nothing like a vast FBI wiretap network, forced onto unwilling Internet Service Providers (ISPs) and capable of chewing through literally every e-mail in its path, to make it seem that the tiny little problems of one dot-com don’t amount to a hill of beans.
The FBI‘s Carnivore e-mail surveillance system has been in place for about two years; it has 25 credited kills — erm, deployments in federal investigations — from an unknown number of ISP installations rumored to be in the ”dozens.“ In theory, the system watches for mail coming from or going to an investigation target, i.e., all the mail written to or by some guy@yeoldeISP.com. If Carnivore sees something suspicious in the To, From or Subject lines, it can make a copy of the e-mail.
Problem is, to accomplish this Carnivore has to sniff every piece of mail coming to or going from Ye Olde ISP, including mail to and from you@yeoldeISP, as well as from you@laweekly readers.com to your pal at yeoldeISP.com. Suddenly, what’s caught in Carnivore‘s sites starts to look like a lightning round of Six Degrees of Kevin Bacon. Imagine the FBI tracking down a bad guy in Southern California by keeping an eye on every aol.com customer; you’ll simply have to trust the government‘s promise that they’ll only record the bad guys.
That‘s a hell of a way to run a wiretap, gentlemen. ACLU head Barry Steinhardt calls it a ”dragnet“ — and a dangerous temptation for a government known to already intrude too far on the privacy rights of American citizens.
Despite its fierce name, Carnivore is just your standard Win2K bucket of silicon. So says the FBI, which claims that Carnivore is merely a special sort of sniffer (a program network admins use to analyze traffic) that has the added ability to decipher the To and From lines in individual e-mails. The information the sniffer sniffs and decodes is supposed to be retrieved from the Carnivore PC after getting a court order (much the way, in theory, a phone wiretap works . . . See? All innocent and stuff) — so harmless, in fact, that no one at the FBI bothered to brief Attorney General Janet Reno on the beast before implementation. So innocent that, in fact, ISPs do this stuff already with, as mentioned, sniffer packages.
And therein lies the tale, according to industry observers. ISPs can and do sniff packets for various reasons. If the government truly needed sniffing done, why reinvent the wheel? Couldn’t they simply ask the ISP to comply with a valid wiretap, instead of having the FBI put its own computer at the ISP — and at a point on the ISP‘s network where Carnivore’s operations could easily interfere with normal ISP processes? (Accidentally, of course. The potential implications of each ISP in America being saddled with a Carnivore box that can shut it down I leave as an exercise for the nervous reader.)
At least one ISP has beaten the Carnivore back from its door after seeing firsthand the damage it can do to normal operations. EarthLink worked with the FBI to install a Carnivore box earlier this year in their Pasadena data center (after losing a federal court decision on the matter, which stated in part that Carnivore was under sole control of the government). The first box wasn‘t compatible with the operating system on EarthLink’s servers, so an older system was switched in; in March, that box crashed servers affecting ”many“ customers. Eventually, EarthLink and the FBI worked out a deal; a the ISP will do the monitoring and gathering, and the FBI will take their box back whence it came.
How did we get here? Carnivore is in some respects just the latest chapter in the ongoing conflict between the government and ISPs, which, due to their relatively small numbers, are the most likely point at which officials can exercise control over online content. (Another example of such control is the Digital Millennium Copyright Act, which indemnifies ISPs from libel- and copyright-related civil suits — but only if they turn over the names of customers allegedly in violation, whether or not a violation has occurred.)
After the deluge of negative publicity, and Congress weighing in, Carnivore is starting to look slightly endangered. (The Clinton administration has unfortunately endorsed Carnivore; however, at press time Al Gore had not yet expressed his opinion on the subject, and one can hope it‘s one of those Pres-vs.-V.P., West Wing–type situations.) As we go to press, the House Judiciary Subcommittee on the Constitution is hearing testimony as to whether Carnivore constitutes a breach of the Fourth Amendment’s search-and-seizure prohibitions. Meanwhile, the ACLU is continuing to press the FBI for details on what Carnivore is and does, filing requests under the Freedom of Information Act for not only correspondence relating to Carnivore‘s implementation but for release of the actual code, tech specs and documentation — in other words, open-sourcing the beast.
Matt Blaze, head of crypto.com, says there is little harm and much good that might be accomplished by shining some light in Carnivore’s lair.