A report is to conclude that the FBI's e-mail surveillance system does not threaten
civil liberties. Privacy advocates remain unconvinced.
By Jennifer DiSabatino
Privacy advocates said they remain leery about the FBI's Carnivore e-mail surveillance
system following last night's release of a draft report on the technology by an
independent review team, despite the report's conclusions that the controversial
software essentially does what it was designed to do Ð track specific digital
communications with the permission of a court order.
But others, including the FBI, said the report prepared by the Chicago-based IIT
Research Institute (IITRI) shows that Carnivore just needs to be fine-tuned and then
closely monitored itself in order to prevent the system from being improperly used by
law-enforcement officials.
"I believe, at least at a basic level, that this established that Carnivore doesn't
bite off more than it can chew," said Kenneth Segarnick, assistant general counsel at
messaging services vendor United Messaging in West Chester, Pa. "Now we need to put a
leash on it and make sure that it's only unleashed under a certain set of
circumstances. Carnivore still can do quite a bit. They call it Carnivore for a
reason."
For example, Segarnick Ð who has testified before Congress on workplace e-mail
security measures Ð suggested that regulations be put in place "so that the FBI does
not have the automatic right to trap the 'to' and 'from' lines on e-mails" while using
Carnivore to investigate suspected criminal activities. And he said legislation also
needs to be enacted to make sure the software doesn't collect data on people who
aren't being investigated.
Carnivore is a software program that monitors packets of data passing through an
Internet service provider's network. Officials at the FBI and the DOJ have said the
surveillance system can only be legally deployed to monitor allegedly criminal
activity under a court order, similar to the regulations that govern the use of
telephone wiretaps.
The report by IITRI, which was edited by officials at the U.S. Department of Justice
before being released, said Carnivore isn't powerful enough to monitor "almost
everyone with an e-mail account" at an ISP or to follow individual Internet users as
they surf the Web. But the report added that the software "can record any traffic it
monitors" if it has been incorrectly configured by investigators (see story).
Privacy advocates seized on that point as a confirmation that Carnivore could be used
to collect broad swaths of data on individuals. The Electronic Privacy Information
Center (EPIC), a Washington-based privacy group that's seeking the release of all the
FBI's Carnivore-related documents through a Freedom of Information Act request,
yesterday issued a statement charging that the IITRI report "raises more questions
than it answers."
"If it's that easy for the FBI to accidentally collect too much data, imagine how
simple it would be for agents to do so intentionally," said David Sobel, EPIC's
general counsel. "This supports our belief that Carnivore raises extremely serious
privacy concerns."
But FBI spokesman Paul Bresson said those kinds of concerns are overstated. "We never
denied that it had the capability to capture more [data than an investigation
requires]," he said. "What we maintained was that it had the filtering devices to
capture only the data pertaining to the court order."
Bresson added that the FBI is now looking at improving the Carnivore software so it
would only target the subject of an investigation without collecting information about
other people whose e-mail messages are transmitted across an ISP's network as part of
the same packet of data.
But Jennifer Granick, an attorney and privacy advocate in San Francisco, said the FBI
should have done that from the start. "If the device intends to adhere to the law,
then design it that way," she said.
Granick acknowledged that the likelihood of unintentional privacy violations is
limited, but she said Carnivore gives individual employees within the FBI the ability
to monitor anyone they want to track. That kind of rogue usage is the real threat,
Granick said.
Jennifer DiSabatino writes for the IDG News Service
