EFFector Vol. 13, No. 6 Aug. 4, 2000 editor@eff.org
A Publication of the Electronic Frontier Foundation ISSN 1062-9424
For more information on EFF activities & alerts: http://www.eff.org
Carnivore is an electronic communications surveillance system created by the FBI. It is essentially a PC that runs specialized surveillance software, attached to your Internet service provider's network - something like an e-mail and Web traffic wiretap. But, due to differences between Internet and telephone technologies, Carnivore exceeds FBI legal wiretapping authority.
The Electronic Frontier Foundation (EFF) would like to submit comments to be included for the record regarding the Fourth Amendment* and the issues raised by the FBI's Carnivore system.
EFF is a leading global nonprofit organization linking technical architectures with legal frameworks to support the rights of individuals in an open society. Founded in 1990, EFF actively encourages and challenges industry and government to support free expression, privacy, and openness in the information society. EFF is a member-supported organization and maintains one of the most-linked-to Web sites in the world.
We wish to focus our comments on two specific issues. First, the use of pen registers as applied to traditional land-line telephone systems are not analogous to packet analyzers, such as Carnivore, that are used on the Internet. Second, we will touch on some of the harmful societal effects that will most certainly be wrought should the Carnivore system be implemented in the manner that the FBI wishes.
Pen registers are devices used to record telephone numbers that are dialed from a telephone, whereas trap and trace devices are used to determine where a telephone call originated. Information gathered in this manner is strictly limited to only those phone numbers that are made either to or from the target's telephone number. No other personal information is harvested from the target of the investigation. The contents of the message and the routing or addressing information are independent of each other. Law enforcement cannot rely on pen registers or trap and trace warrants to get at the content of the calls.
In reality, pen registers or trap and trace devices do not exist where the Internet is concerned, because the contents of the messages and the sender/receiver information are not kept separate. Because of this, the potential for law enforcement to over-collect information exists, and it is almost a certainty that law enforcement will receive more information from individuals than is authorized by a traditional pen register or trap and trace warrant. There are several ways that this can happen.
When a person makes a telephone call on a traditional telephone system, a discrete and continuous segment of the telephone system is dedicated to that call, which is handled sequentially. The system first accepts the call routing information (dialed number, number and accounting information of the phone used to make the call, etc.), secondly establishes a connection, and only then opens the line to the content side of the call. The routing information remains wholly separate and severable from the call content, allowing law enforcement easy access to the one but not to the other. The Internet, however is a packet-switched network, meaning that when information is sent over the Net, it is broken into small packets, routed piecemeal over the Net and then reassembled at its final destination. Routing information, as well as content, are both contained in each individual packet, potentially giving law enforcement access to content as well as location routing information.
The Carnivore system has received a lot of press recently, but the FBI has not been forthcoming about how the Carnivore system actually works. Civil liberties groups have often been quoted as noting that Carnivore is a "black box" leaving us to guess at its inner workings.
We have been able to discover that Carnivore is a packet-sniffer, able to gather pen register and trap and trace information by sniffing each packet as it is routed along. It then filters out unwanted e-mail and other communications information from those of the target. This process is problematic for two very important reasons.
First, traditional wiretaps, pen registers and trap and trace devices, are attached to specific telephone lines; law enforcement will only obtain the telephone numbers associated with the target's phone. With Carnivore in place, law enforcement has the potential ability to sift through all of the traffic going through a particular Internet Service Provider's (ISP) network. This far exceeds the scope of any wiretap laws we currently have in place.
Second, analogizing pen register information from a traditional land-line phone system to the Internet is incorrect. The Carnivore system likely can capture content as well as numbers. E-mail addresses for example are personal to an individual rather than to a particular household. We don't know for sure, but it is possible that Carnivore has access to the subject line information of e-mail messages. Subject lines are content. For example, "leaving work at 5pm today - meet me at the bus stop", contains a lot of information about travel plans of a target on a particular day. Carnivore can also track other content information such as the URLs of web sites visited. Seeing the URLs not only give routing information but content as well. For example, someone visiting www.eff.org could presumably be interested in civil liberties issues online.
Currently, there is little if any public oversight over the FBI's use of its Carnivore system. The FBI has not allowed the ISP to inspect the device, nor have any of the advocacy groups been allowed to examine it. In fact, the ACLU has had to resort to filing a FOIA request to try to get at the source code. Allowing the FBI to install and use a device such as this unchecked by any public oversight, threatens the openness we enjoy and expect in our society. Robert Corn-Revere, in his testimony, noted that his case is sealed. We can't even look to that for guidance.
Surveilling the Internet in this way leaves law enforcement with the potential to lower an individual's expectation of privacy as they use the Internet, particularly if we use the majority rule in Smith v. Maryland, that an individual has no legitimate expectation of privacy in the numbers that they dial on their telephones. This is so because law enforcement has so far successfully argued that pen registers on the Internet are analogous to those used on land-line telephone systems. Since routing information on the Net contains content, an expectation of privacy could end up being lowered for an individual's reading habits on the Net. Once individuals realize that they have a lowered expectation of privacy on the Net, they may not visit particular web sites that they may otherwise have visited.
The Court in Smith v. Maryland noted law enforcement's penchant for trying to lower the bar on what is a legitimate expectation of privacy. The majority held that:
situations can be imagined, of course, in which Katz' two-pronged inquiry would provide an inadequate index of Fourth Amendment protection. For example, if the Government were suddenly to announce on nationwide television that all homes henceforth would be subject to warrantless entry, individuals thereafter might not in fact entertain any actual expectation of privacy regarding their homes, papers, and effects. ...In such circumstances, where an individual's subjective expectations had been "conditioned" by influences alien to well-recognized Fourth Amendment freedoms, those subjective expectations obviously could play no meaningful role in ascertaining what the scope of Fourth Amendment protection was. In determining whether a "legitimate expectation of privacy" existed in such cases, a normative inquiry would be proper.
In other words, law enforcement cannot "dumb down" society's subjective notions of what constitutes a legitimate expectation of privacy.
The use of pen registers as applied to traditional land-line telephone systems is fundamentally different than information that is collected using pen registers on the Internet. Allowing a system such as Carnivore to be used unchecked by law enforcement exacerbates the problem of over collection of data and has the potential to harm our open society.
Respectfully,
Deborah S. Pierce
Staff Attorney
Electronic Frontier Foundation
Frequently Asked Questions (FAQ) and Answers about Carnivore
Carnivore is an electronic communications surveillance system created by the FBI. It is essentially a personal computer that runs specialized surveillance software, attached to your ISP network.
Anyone suspected of a host of crimes, and anyone whose communications are suspected to be able to provide information that would aid an FBI investigation.
There are two kinds of warrant under which the FBI can monitor communications. The more wide-ranging is the Title III warrant, which enables the FBI to intercept the actual texts of e-mails. However, this kind of warrant is more difficult to obtain.
Carnivore uses the weaker "trap and trace" and "pen register" warrants, but in a new and wider way. These warrants were designed for the phone system; to trace the number of origin of a phone call or a list of the numbers called from a phone. Carnivore uses these warrants to intercept the headers of all e-mails on the system, and then filters out those not "to" or "from" the surveillance target.
Besides e-mails, Carnivore can also intercept instant-messaging systems, visits to Web sites and Internet relay chat sessions.
Opinions differ. A recent Order involving Earthlink described by Robert Corn-Revere (although he does not reference Earthlink by name) in congressional testimony ruled that government agents could compel an ISP to install Carnivore; to date this is the only decision on public record, and no higher court has yet reviewed the decision.
According to the Electronic Communications Privacy Act, electronic surveillance must be conducted in relation to a single person who is the target of a surveillance warrant. The problem with Carnivore is that it intercepts all messages on the ISP's network before filtering out those not from or to the surveillance target.
Pen registers are devices used to record telephone numbers that are dialed from a telephone, whereas trap and trace devices are used to determine where a telephone call originated. Information gathered in this manner is strictly limited to only those phone numbers that are made either to or from the target's telephone number. No other personal information is harvested from the target of the investigation. The contents of the message and the routing or addressing information are independent of each other. Law enforcement cannot rely on pen registers or trap and trace warrants to get at the content of the calls.
In reality, pen registers or trap and trace devices do not exist where the Internet is concerned, because the contents of the messages and the sender/receiver information are not kept separate. Because of this, the potential for law enforcement to over-collect information exists, and it is almost a certainty that law enforcement will receive more information from individuals than is authorized by a traditional pen register or trap and trace warrant. There are several ways that this can happen.
When a person makes a telephone call on a traditional telephone system, a discrete and continuous segment of the telephone system is dedicated to that call, which is handled sequentially. The system first accepts the call routing information (dialed number, number and accounting information of the phone used to make the call, etc.), secondly establishes a connection, and only then opens the line to the content side of the call. The routing information remains wholly separate and severable from the call content, allowing law enforcement easy access to the one but not to the other. The Internet, however is a packet-switched network, meaning that when information is sent over the Net, it is broken into small packets, routed piecemeal over the Net and then reassembled at its final destination. Routing information, as well as content, are both contained in each individual packet, potentially giving law enforcement access to content as well as location routing information.
Yes. Because Carnivore is a packet-sniffer, it is able to gather pen register and trap and trace information by sniffing each packet as it is routed along. It then filters out unwanted e-mail and other communications information from those of the target. This process is problematic for two very important reasons.
First, traditional wiretaps, pen registers and trap and trace devices, are attached to specific telephone lines; law enforcement will only obtain the telephone numbers associated with the target's phone. With Carnivore in place, law enforcement has the potential ability to sift through all of the traffic going through a particular Internet Service Provider's (ISP) network. This far exceeds the scope of any wiretap laws we currently have in place.
Second, analogizing pen register information from a traditional land-line phone system to the Internet is incorrect. The Carnivore system likely can capture content as well as numbers. E-mail addresses for example are personal to an individual rather than to a particular household. We don't know for sure, but it is possible that Carnivore has access to the subject line information of e-mail messages. Subject lines are content. For example, "leaving work at 5pm today - meet me at the bus stop", contains a lot of information about travel plans of a target on a particular day. Carnivore can also track other content information such as the URLs of web sites visited. Seeing the URLs not only give routing information but content as well. For example, someone visiting www.eff.org could presumably be interested in civil liberties issues online.
Systems like Carnivore have the potential to turn into mass surveillance systems that will harm our free and open society.
In addition to the Fourth Amendment and ECPA problems we have discussed, there are also potential First Amendment problems. Once people begin to realize the scope of the Carnivore system, they may begin to self-sensor their own speech so as not to bring their communications to the attention of law enforcement.
The FBI believes that e-mail filtering before interception is not technically feasible, and that therefore intercepting unfiltered communications is justified. But there is no judicial, press or ISP oversight to make sure that the FBI will follow the law. In effect, they're simply asking us to trust them: an attitude which, according to the ACLU, violates federal wiretapping laws:
"Currently, law enforcement is required to "minimize" its interception of non-incriminating communications of a target of a wiretap order. Carnivore is not a minimization tool. Instead, Carnivore maximizes law enforcement access to the communications of non-targets."
The FBI also argues that as they don't see the contents of the e-mails they intercept, they are not violating innocent people's privacy. They argue that the software only intercepts the "To" and "From" lines of a header, never the subject line; but as they refuse publicly to release their source code, or to allow ISP oversight of their system, there is no way to verify that this is so. They describe Carnivore as a "diagnostic tool" with a "surgical" ability which provides "enhanced privacy protection", and which can automatically distinguish between those materials which are the subject of a lawful order and which are not. They also say that internal oversight, coupled with Department of Justice and Court jurisdiction, constitutes sufficient oversight to prevent not only abuse but also even the possibility of abuse.
Whether filtering before interception is feasible or not, Carnivore violates the ECPA; it also appears to violate the Fourth Amendment, and is believed by many to be manifestly illegal. It is a dangerous and intrusive tool, the responsible use of which depends solely on the good will of the FBI. Consequently, EFF supports the proposal to open the source code of Carnivore to public scrutiny, so that it is possible to understand more clearly what Carnivore can do, and what flaws it has, and EFF in general opposes the continued use of Carnivore.
* Footnote: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
The Electronic Frontier Foundation (EFF) is pleased to announce the recent addition of a new board member, Professor Pamela Samuelson, and three new members of the staff, Legal Director Cindy Cohn, Senior Staff Attorney Lee Tien, and Administrative Assistant John Marttila. The expertise of all three prominent attorneys will be an asset to the civil liberties group in its continuing fight to protect every netizen's online rights, and the addition of John to an increasingly busy staff and growing organization will greatly help keep the organization running smoothly.
"What an all-star team we've assembled," commented EFF Executive Director Shari Steele. "Cindy and Lee were instrumental to our success in the Bernstein v. State litigation, which declared source code as speech and freed up the U.S. export controls on encryption. And Pam is one of the most distinguished intellectual property attorneys in the country. EFF is so happy to have these great legal minds join us."
Pamela Samuelson is a Professor of Law and of Information Management at the University of California at Berkeley and a world-renowned expert on cyberlaw and intellectual property. She is also a Director of the Berkeley Center for Law & Technology and provided the endowment for the Samuelson Law, Technology and Public Policy Clinic at Boalt Hall. She has written and spoken extensively on the challenges that digital technologies pose for existing legal regimes, particularly intellectual property law, and more recently has become interested in legal regulation of digital networked environments. Samuelson was named a MacArthur Fellow by the John D. and Catherine T. MacArthur Foundation in 1997.
Cindy A. Cohn specializes in Internet-related civil litigation, including cases involving free speech, encryption, SPAM, domain names, privacy, unfair competition and defamation. In 1997 she was named one of California Lawyers of the Year by California Lawyer magazine for her work on Internet issues. She is a member of the San Mateo County Bar Association and of its legal technology section. Ms. Cohn graduated with honors from the University of Iowa and received her law degree from the University of Michigan Law School in 1989. Before entering private practice, she clerked for the United Nations Centre for Human Rights in Geneva, Switzerland.
Lee Tien has practiced law for nine years, specializing in First Amendment cases. He was co-counsel to Cindy Cohn on the Bernstein case and worked in private practice on cases involving the First Amendment and cyberlaw. He has published such articles as "Who's Afraid of Anonymous Speech? Mcintyre and the Internet," which appeared in the Oregon Law Review (1996), and "Children's Sexuality and the New Information Technologies," which appeared in Social and Legal Studies (1994). Mr. Tien is a longtime user of technology, and is currently co-host of the Legal Conference on the online community at the WELL." He received his law degree from University of California at Berkeley in 1987 and his undergraduate degree from Stanford University in 1979.
"I was astounded at the dedication Cindy and Lee showed in pursuing a difficult case over so many years and against such a powerful opponent. They showed they are a force to be reckoned with and our legal opponents had better watch out," said Brad Templeton, EFF's Board Chairman. "And Pam Samuelson is way ahead of the curve when it comes to cyberspace issues and the law. She'll keep EFF on that forefront with her."
John Marttila, a long-time associate of EFF staffmembers Robin Gross
and Patrick Norager, is (when wearing other "hats") a musician, conductor, and
teacher. His and Patrick's musical projects, including
UKUSA, may be heard in streaming MP3 format at Radio EFF:
http://www.eff.org/radioeff
EFF continues to pursue its long-term mission of educating the public, policymakers, and courts about the issues that arise when traditional expectations conflict with the new worlds created by computers and the Internet. The organization remains focused on civil liberties and civil responsibilities in cyberspace and continues to offer legal advice, referrals, and a large archive of current and historical online civil liberties information.
Founded in 1990, the Electronic Frontier Foundation (www.eff.org) is a nonprofit organization that actively encourages and challenges industry and government to support free expression, privacy, and openness in the information society. EFF is a member-supported organization and maintains one of the most-linked-to Web sites in the world.
For more information on the Electronic Frontier Foundation see:
http://www.eff.org
For information about joining us in our fight to protect your rights, see:
http://www.eff.org/support
See:
http://www.eff.org/support/joineff-paypal.html
to join EFF via PayPal.
PayPal is a free online payment system through which one can effectively e-mail someone else money, in a secure fashion. It is very easy to use, and works either through credit cards or bank withdrawals on the back end (or via "stored" money in PayPal; e.g. if you sold something on an online auction house and were payed via PayPal, you could donate some of those funds to EFF without any interaction between PayPal and your bank account or credit card, since the money is already in the PayPal system).
PayPal's privacy policy is better than most, and they do not appear to have any designs on spamming their users or selling their information to anyone else. Even so, EFF does not endorse PayPal over any other online transaction service. We support PayPal because an increasing number of members have requested it, though we plan to add additional membership/donation transactions options soon.
If you would like to use PayPal but do not already have an account with them,
you can sign up at this URL:
https://secure.paypal.x.com/affil/pal=accounting%40eff.org
By doing so, rather than by signing up through the PayPal front page, you can effectively
add $5 to your donation, free (PayPal, for the time being, is giving $5 "referral bonuses" automatically;
you don't have to add the $5 your total manually).
If you are planning to make a large donation, you may wish to send a check, as PayPal and any credit card-based system incur 2-5% fees to EFF, effectively reducing the amount of your member donation to us.
Thank you for your support! Without it, our work on the DVD cases, stopping Internet censorship legislation, and protecting online privacy could not continue!
Here's full information on the list:
cafe-news@eff.org
News and announcements regarding CAFE and it's activities, including the DVD/DeCSS cases. Messages will be no more frequent than one per day, usually a short summary of any changes or happenings, occasionally including press releases or other documents.
This is a semi-closed list (only the EFF staff can post to it, anyone may subscribe)
To subscribe to the list, submit to majordomo@eff.org a message body (not subject line) of
subscribe cafe-news
NOTE: If you wish to be removed from this mailing list, please send to majordomo@eff.org a message body (not subject line) of:
unsubscribe cafe-newsIf you receive an error, try:
unsubscribe cafe-news your@address.here
where "your@address.here" is your e-mail address. If this still does not work, you can try sending additional unsubscribe commands for alternate e-mail addresses you may have, in case it is not your main one that is on the list. You can put more than one such command per message; each must be on a separate line. If all else fails, write to listmaster@eff.org and ask to be removed manually.
EFF does NOT condone, much less engage in, spamming. We respect your privacy and have made it virtually impossible for you to be added to this mailing list against your will, since the listserver (Majordomo) will send you a confirmation command you must send back to in order to be added to the list.
If you need to change your address, follow the above instructions to remove your old address, and then submit to majordomo@eff.org this:
subscribe cafe-news your@new.address
where "your@new.address" is the address you want to subscribe to the list in place of the old one.
If you would like to have your friends subscribe, please tell them about the list and how to subscribe, rather than attempting to subscribe them yourself (it won't work.)
If you find this list important and informative, please consider
becoming an EFF member and supporting us with a donation. See:
http://www.eff.org/support
for more information. Thank you.
EFFector is published by:
The Electronic Frontier Foundation
1550 Bryant St., Suite 725
San Francisco CA 94103-4832 USA
+1 415 436 9333 (voice)
+1 415 436 9993 (fax)
http://www.eff.org
Editor: Stanton McCandlish, Online Communications Director/Webmaster (editor@eff.org)
Membership & donations: membership@eff.org
General EFF, legal, policy or online resources queries: ask@eff.org
Reproduction of this publication in electronic media is encouraged. Signed articles do not necessarily represent the views of EFF. To reproduce signed articles individually, please contact the authors for their express permission. Press releases and EFF announcements & articles may be reproduced individually at will.
To subscribe to EFFector via e-mail, send message BODY (not subject) of:
subscribe effector
to majordomo@eff.org, which will send you a confirmation code and then add you to a subscription list for EFFector (after you return the confirmation code; instructions will be in the e-mail).
To unsubscribe, send a similar message body to the same address, like so:
unsubscribe effector
Please ask listmaster@eff.org">listmaster@eff.org to manually add you to or remove you from the list if this does not work for you for some reason.
Back issues are available at:
http://www.eff.org/effector
To get the latest issue, send any message to
effector-reflector@eff.org
(or er@eff.org), and it will be mailed to
you automagically. You can also get:
http://www.eff.org/pub/EFF/Newsletters/EFFector/current.html via the Web.
Return to EFFector Newsletter Menu
Please send any questions or comments to webmaster@eff.org