Internet Wiretapping
and Carnivore
Sarah Boucher
Edward Cotler
Stephen Larson
May 17, 2001
Introduction
• Law enforcement needs
• Individuals' privacy concerns
• Emerging technology
Goals
• To inform about the current technical,
government, and public opinion state of
U.S. Internet wiretapping policy through a
case study of the FBI's Carnivore system
• To discuss concerns about the current state
of U.S. Internet wiretapping policy
• To propose changes to improve the U.S.
system of Internet wiretapping
Timeline
• 1791 – The Fourth Amendment to the Constitution
• 1928 – Olmstead v United States
• 1934 – Federal Communications Act
• 1937 – Nardone v United States
• 1939 – Nardone v United States
• 1967 – Berger v New York
• 1967 – Katz v United States
• 1968 – Omnibus Crime Control and Safe Streets
Act
• 1978 – Foreign Intelligence Surveillance Act
Timeline
• 1979 – Smith v Maryland
• 1986 – Electronic Communications Privacy Act
• 1994 – Communications Assistance for Law
Enforcement Act
• 2000 – US Telecom v FCC
• 2000 – Hearings in House and Senate committees
• 2000 – Digital Privacy Act, proposed
• 2000 – Electronic Communications Privacy Act,
proposed
• 2000 – Illinois report released
Key Players
• ACLU: Opposed to wiretaps in general.
• CDT: Sees a place for restricted wiretaps.
• EPIC: Acquired key information using the FOIA.
• DOJ: Oversees the FBI and the Carnivore project.
• FBI: Conducted at least 25 Internet wiretaps
already.
• Congress: Trying to bring the laws up to date.
Background
Legislative Background
• Fourth Amendment
• FCA
• Title III
• FISA
• ECPA
• CALEA
• Digital Privacy Act of 2000
• Electronic Privacy Act of 2000
Legislative Background
• Fourth Amendment
– The right of the people to be secure in their
persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be
violated, and no warrants shall issue, but upon
probable cause, supported by oath or
affirmation, and particularly describing the
place to be searched, and the persons or things
to be seized.
Legislative Background
• Federal Communications Act of 1934
– Prohibited the interception and disclosure of
any communication without the consent of at
least one of the parties to the communication.
Legislative Background
• Title III of the Omnibus Crime Control and
Safe Streets Act of 1968
– Electronic surveillance made illegal, except
pursuant to a court order.
Legislative Background
• How to get a court order for electronic
surveillance
– Prove probable cause that an indictable crime
has been, is being, or is about to be committed.
– Specifically describe the communications to be
intercepted.
– Other investigative procedures have failed or
are too dangerous.
Legislative Background
• Foreign Intelligence Surveillance Act of
1978
– Requires approval from the Foreign
Intelligence Surveillance Court for electronic
surveillance in national security cases.
Legislative Background
• Electronic Communications Privacy Act of
1986
– Extended Title III protections to electronic
communications (such as e-mail) and most wireless communications.
– Requires a court order for the use of pen
register and trap and trace devices.
– Delineates regulations for the use of roving
wiretaps.
Legislative Background
• Communication Assistance for Law
Enforcement Act of 1994
– Requires telecommunications carriers to ensure
the ability of law enforcement agencies to
intercept communications.
Legislative Background
• Digital Privacy Act of 2000, proposed in the
106th Congress
– Strengthened the requirements for obtaining a
court order for the use of pen register and trap
and trace devices.
– Heightened the reporting requirements for
electronic surveillance.
Legislative Background
• Electronic Privacy Act of 2000, proposed in
the 106th Congress
– Strengthened the requirements for obtaining a
court order for the use of pen register and trap
and trace devices.
– Other privacy enhancing changes to current
federal wiretapping laws.
Judicial Background
• Olmstead v. US
• Nardone v. US
• Berger v. New York
• Katz v. US
• Smith v. Maryland
• US Telecom v. FCC
Judicial Background
• Olmstead vs. US, 1928
– Supreme Court held that wiretaps were not a
violation of the Fourth Amendment.
– Justice Brandeis wrote a strong dissent
supporting the extension of Fourth Amendment
rights to wiretapping.
Judicial Background
• Nardone vs. US, 1937 and again in 1939
– Based on FCA of 1934, the Court ruled that
wiretap evidence could not be used in trial.
– In the second case, the Court expanded this
ruling to include any evidence derived from a
wiretap.
Judicial Background
• Berger vs. New York, 1967
– Supreme Court found that a New York State
law that had been used to secure a warrant for
wiretapping was overbroad in its scope.
Judicial Background
• Katz vs. US, 1967
– Supreme Court effectively overturned
Olmstead v US, saying that “the Fourth
Amendment protects people, not places.”
Judicial Background
• Smith vs. Maryland, 1979
– Supreme Court held that there is no reasonable
expectation of privacy in the numbers dialed (pen
register information), therefore no warrant is required to
intercept this information.
Judicial Background
• US Telecom v. FCC, 2000
– Challenges to the FCC's order implementing
CALEA.
– The D.C. Circuit Court of Appeals held that location
information for wireless communications as well as packet-
mode data collection can be required under
CALEA.
Executive Background
When does the FBI use Carnivore?
• The ISP cannot narrow the information retrieved
sufficiently to comply with the court order
• The ISP cannot itself retrieve the required information
• The FBI does not want to disclose information to
the ISP, as in a sensitive national security
investigation.
Executive Background
• Full mode wiretap: the case agent consults with the
Chief Division Counsel and a Technically Trained Agent.
• Pen mode wiretap: the case agent writes up a request
with a justification for necessity.
Executive Background
• FBI shows a judge the relevance of the
information
• FBI shows a judge why traditional
enforcement methods are insufficient
• FBI submits a request with information
such as target ISP, e-mail address, etc.
• FBI waits 4-6 months
Public Policy Background
Federal Title III Wiretaps
(Chart: number of federal Title III wiretaps per year, 1969 to 1997; vertical axis 0 to 700.)
Public Policy Background
• Wiretaps influenced by administrative policy
choice
– 10,000 before Safe Streets Act (1968)
– 9,000 after Safe Streets Act
• Could Carnivore have similar usage patterns?
– Log secrecy
– 1850% increase from 1997 to 1999
Technical Background
• Hardware
• Software
Hardware Architecture
• A one-way tap into an Ethernet data stream
• A general purpose computer to filter and
collect data
• One or more additional general purpose
computers to control the collection and
examine the data
• A 'locked' telephone link to connect the
computers
Hardware Architecture
(Diagram: the Internet connects to the ISP's Ethernet switch; a one-way tap feeds a hub to which the Carnivore box is attached; the monitored hub serves the target, a remote host and a bystander; other network segments hang off the same switch.)
One Way Tap
• The Century Tap
• Produced by Shomiti Systems (3rd party)
Filtering/Collection Computer
• Pentium-class PC
– 2 GB Jaz Drive
– Generic 10/100 Mbps Ethernet adapter
– A modem
– Windows NT
– pcAnywhere
Control/Examination Computer
• Another regular computer with:
– pcAnywhere
– Dragonware
• Secure?
Telephone Link
• An electronic device that refuses a dial-in
connection unless the caller holds the matching key.
Software Architecture
Functionality
• Filtering
• Filter Precedence
• Output
• Analysis
Software Architecture
• Filtering
– Fixed IP: choose a range of IP addresses.
– Dynamic IP: if not in fixed IP mode, include packets for a
target identified in either RADIUS or DHCP mode.
– Protocol filtering: include packets from TCP, UDP and/or
ICMP, each in Full mode, Pen mode, or not at all.
– Text filtering: include packets that contain arbitrary text.
– Port filtering: select particular ports to include (e.g. 25
(SMTP), 80 (HTTP), 110 (POP3)).
– E-mail address filtering: include packets that contain a
particular e-mail address in the To or From fields of
an e-mail.
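Worked example, added here and not Carnivore's code (which was never released): a minimal filter in Go that applies the categories above in a fixed precedence and enforces the Full/Pen distinction at the point of collection, so a pen mode order never yields content. The packet structure, the precedence order, the identifiers and the sample capture are this example's own assumptions; dynamic IP (RADIUS/DHCP) tracking is left out.

```go
package main

import (
	"fmt"
	"strings"
)

// Mode is the collection level a court order authorises for a protocol.
type Mode int
const (
	None Mode = iota // not collected
	Pen              // pen mode: addressing information only
	Full             // full mode: content as well
)

// Packet is a simplified, already-decoded packet; a real tap would parse it out of the frame.
type Packet struct {
	SrcIP, DstIP     string
	Proto            string // "TCP", "UDP" or "ICMP"
	SrcPort, DstPort int
	Payload          string
}

// Filter holds the slide's filter categories (dynamic IP mode omitted; RADIUS/DHCP
// tracking would update FixedIPs as leases change).
type Filter struct {
	FixedIPs  map[string]bool // target addresses; empty means no IP restriction
	ProtoMode map[string]Mode // per-protocol mode; an unlisted protocol is None
	Ports     map[int]bool    // port filter; empty means any port
	Text      string          // text filter; needs content, so Full mode only
	Email     string          // e-mail address filter on To:/From: header lines
}

// Record is what reaches the output file. In Pen mode Content stays empty by construction.
type Record struct {
	Mode            Mode
	Header, Content string
	Addrs           []string
}

// emailAddrs returns the To:/From: header values of an SMTP message, stopping at
// the blank line that ends the headers so the body is never read.
func emailAddrs(payload string) []string {
	var out []string
	for _, line := range strings.Split(payload, "\n") {
		line = strings.TrimRight(line, "\r")
		if line == "" {
			break
		}
		lower := strings.ToLower(line)
		if strings.HasPrefix(lower, "to:") || strings.HasPrefix(lower, "from:") {
			out = append(out, strings.TrimSpace(line[strings.Index(line, ":")+1:]))
		}
	}
	return out
}

// Apply decides whether p is collected and at which level. Precedence (this example's
// choice) is IP, protocol mode, port, e-mail address, then text; a packet is dropped at
// the first stage that rejects it, so a bystander's packet never reaches content stages.
func (f Filter) Apply(p Packet) (Record, bool) {
	if len(f.FixedIPs) > 0 && !f.FixedIPs[p.SrcIP] && !f.FixedIPs[p.DstIP] {
		return Record{}, false
	}
	mode := f.ProtoMode[p.Proto]
	if mode == None {
		return Record{}, false
	}
	if len(f.Ports) > 0 && !f.Ports[p.SrcPort] && !f.Ports[p.DstPort] {
		return Record{}, false
	}
	rec := Record{Mode: mode, Header: fmt.Sprintf("%s %s:%d -> %s:%d",
		p.Proto, p.SrcIP, p.SrcPort, p.DstIP, p.DstPort)}
	if f.Email != "" {
		rec.Addrs = emailAddrs(p.Payload) // addressing information, kept in Pen mode
		hit := false
		for _, a := range rec.Addrs {
			hit = hit || strings.EqualFold(a, f.Email)
		}
		if !hit {
			return Record{}, false
		}
	}
	if mode == Pen {
		return rec, true // Content deliberately left empty
	}
	if f.Text != "" && !strings.Contains(p.Payload, f.Text) {
		return Record{}, false
	}
	rec.Content = p.Payload
	return rec, true
}

// SampleCapture is a constructed capture: the target's message, the same message
// from a bystander's address, and a target web request.
func SampleCapture() []Packet {
	mail := "From: target@example.com\r\nTo: friend@example.org\r\n\r\nmeet at noon"
	return []Packet{
		{"10.0.0.5", "192.0.2.1", "TCP", 40000, 25, mail},
		{"10.0.0.9", "192.0.2.1", "TCP", 40001, 25, mail},
		{"10.0.0.5", "192.0.2.2", "TCP", 40002, 80, "GET / HTTP/1.0\r\n\r\n"},
	}
}
```

The property worth checking is where minimization happens: the bystander's packet is rejected before anything looks at addressing or content, and a Pen record has an empty Content field because the code path never copies the payload, not because a later step redacts it. The text filter is reachable only in Full mode, since matching on content is itself a content intercept.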
Software Architecture
• Filter Precedence
• Output
– .vor
– .output
– .error
• Analysis
– Packeteer
– CoolMiner
Software Architecture
• TapNDIS (written in C) is a kernel-mode driver which
captures Ethernet packets as they are received, and applies
some filtering.
• TapAPI.dll (written in C++) provides the API for
accessing the TapNDIS driver functionality from other
applications.
• Carnivore.dll (written in C++) provides functionality for
controlling the intercept of raw data.
• Carnivore.exe (written in Visual Basic) is the GUI for
Carnivore.
Concerns
Legislative/Judicial Concerns
• Pen mode collection
– Not strictly defined.
– Low standard for obtaining a court order for the
interception of this information.
– Reporting of pen mode interceptions is
minimal.
Legislative/Judicial Concerns
• Minimization of interception:
– No formal definition of minimization of search
requirements.
– The minimization process only has optional
judicial review.
– No requirements on who conducts the
minimization.
Legislative/Judicial Concerns
• FISA interceptions:
– No notification requirement, unless information
from the intercept will be used in a criminal
trial.
– Completely confidential, the only information
reported annually is the number of applications
and the number of orders granted.
Public/Executive Concerns
• Trust
• Ease of access
• Loss of ISP control
• Procedural
Trust
“Carnivore is roughly equivalent to a wiretap
capable of accessing the contents of the
conversations of all of the phone company's
customers, with the 'assurance' that the FBI will
record only conversations of the specified target.”
– Barry Steinhardt
Associate Director, ACLU
Trust
• Should we trust the government?
• Agents overlook, misplace or otherwise
mangle information
• FBI still makes record-keeping mistakes
– Blanton
– Salvati
– McVeigh
Ease of Access
“I would rather have the government crawl under
barbed wire with a flashlight to install a listening
device in my basement than to have them click a
mouse in an office and gain access to my most
private conversations.”
Phil Zimmermann
Inventor, PGP
Ease of Access
• Allocation of resources
– Self-selects more important wiretaps
• Easier to make mistakes
• No paper trail in digital age
Loss of ISP Control
“The FBI is placing a black box inside the
computer network of an ISP… not even the
FBI knows what that gizmo is doing.”
– James X. Dempsey
Senior Staff Counsel, CDT
Loss of ISP Control
• Allows access to non-targets
– Is such evidence legally obtained?
• Minimization to communications of targets
• Non-issues in traditional telephone wiretap
Procedural
“The statutory suppression remedy available
for illegal interception of other
communications in Title III is not extended
to electronic communications… the data
gathered would not automatically be thrown
out as evidence.”
– IITRI Review of Carnivore
Procedural
• Supervisor auditing mechanism
• No way to track which agent is responsible
for error
Public Concerns
• Survey
– 117 responses
– Average age: 32
– Average time online per week: 13 hours
Survey
(Chart: hours online per week, scale 0 to 20, by whether the respondent had heard of Carnivore (Yes/No).)
Survey
• 21% heard of Carnivore
• Of those who heard of it, 68% view
Carnivore as a threat to their online privacy
Survey
Public Suspicion of FBI
(Chart: agreement that the FBI will abuse e-mail monitoring rights, currently monitors Internet activity, and currently monitors e-mail, on a scale where 3.0 = "somewhat" (axis 2.50 to 3.30), split by whether the respondent had heard of Carnivore.)
Survey
Should we allow government monitoring?
(Chart: share of respondents who would allow government monitoring of Internet activity, e-mail and phone conversations (axis 0.00 to 0.80), split by whether the respondent had heard of Carnivore.)
Technical Concerns
• Design Principles
• Problems
– Wrong goals
– Bad implementation
• Hidden functionality?
Design Principles
Oops:
“No formal development process was followed for
the development of Carnivore through version
1.3.4. The Carnivore program was a quick-
reaction capability program developed to meet the
needs of the FBI for operational cases. […] This
type of development is appropriate as a 'proof of
concept,' but it is not appropriate for operational
systems. Because of this lack of development
methodology, important considerations, such as
accountability and audit, were missed.”
–Illinois Report
Design Principles
Goals were misplaced because of the perspective on
the problem. What truths can we add?
• 1) Internet wiretapping is unlike other kinds of
wiretapping
• 2) An Internet wiretapping device is a 'mission
critical' device
• 3) Internet wiretapping devices are in a position to
bear the brunt of public scrutiny
• 4) Internet wiretaps are not automatically more
confidential just because they are automated.
Design Principles
Overarching lesson:
The technical realities of Internet
wiretapping strongly suggest that devices
used for such purposes be engineered with
extreme care, with special attention paid to
potential failures.
Technical Problems: Wrong Goals
• No structured development process
• No audit trails
• Limited security of data
Technical Problems: Bad
Implementation
• Problems with high throughput
• Standard Ethernet v. Full Duplex
• Security of remote computer
• Thwarted by crypto
• RADIUS (analysis omitted from Illinois
Report)
Hidden Functionality?
• TapAPI provides 45 entry points callable
from Carnivore.dll, only 22 are used.
• Commented out code: more sophisticated
filters, real-time viewer, case tracking
Proposals
Legislative/Judicial Proposals
• Exclusionary rule
• Minimization
• Judicial review
• Pen mode requirements
• FISA amendments
• Stored communications amendment
Legislative/Judicial Proposals
• Exclusionary rule
– Amend to include electronic communications.
Legislative/Judicial Proposals
• Minimization
– Judicial review of minimization prior to
admittance as evidence.
– Minimization conducted by someone not
directly involved in the investigation.
– Court orders for electronic surveillance
explicitly specify minimization techniques to be
employed.
Legislative/Judicial Proposals
• Judicial Review
– Require judicial review to verify that all
electronic surveillance has been conducted in
accordance with the applicable laws.
Legislative/Judicial Proposals
• Pen mode requirements
– Stricter definition of what pen mode
information may include.
– For any technology where pen mode collection
cannot be limited to this definition, no
collection is authorized.
– Court orders must be based on probable cause.
– Reporting requirements must be increased to
the same level as full content intercepts.
Legislative/Judicial Proposals
• FISA amendments
– Increase reporting requirements for all FISA
interceptions.
– Require notification of all US citizens who are
the subject of a FISA intercept just as for Title
III intercepts.
Legislative/Judicial Proposals
• Stored communications amendment
– Court order is necessary to access any
electronic communication stored for less than
one year at communications provider.
– Court order is necessary to access any
electronic communication that has already been
accessed by the user but remains in storage at
the communications provider.
Public Policy Proposals
• Trust
• Ease of access
• ISP control
• Public awareness
Trust
“Never trust a computer you can't throw out a
window.”
– Steve Wozniak
Inventor, Apple Computer
Trust
• Establish independent review board of
actual cases
• Open source Carnivore code
Ease of Access
“Because of [differences between the Internet and
the traditional telephone system], it is appropriate
to recognize a reasonable expectation of privacy in
[electronic] information and to establish a higher
evidentiary threshold to obtain a surveillance order
than currently exists.”
– Robert Corn-Revere
Counsel, Hogan & Hartson
Ease of Access
• Require warrant even for “pen register”
traps
• Require more evidence for Title III warrant
– Carnivore should be last resort
ISP Control
“ISPs are in the best position to understand
their own networks and the most effective
ways of complying with lawful orders.”
– Alan Davidson
Staff Counsel, CDT
ISP Control
• Make Carnivore an available alternative for small
ISPs
• Let ISP technicians configure system and provide
data to FBI
• CALEA
– “A telecommunications carrier shall ensure that its
equipment, facilities, or services… are capable of
expeditiously isolating and enabling the government…
to intercept, to the exclusion of other communications,
all wire and electronic communications carried by the
carrier within a service area to or from equipment [and]
to access call-identifying information.”
Public Awareness
“Public sentiment is everything. With it,
nothing can fail. Without it, nothing can
succeed.”
– Abraham Lincoln
“Ten people who speak make more noise than
ten thousand who are silent.”
– Napoleon Bonaparte
Public Awareness
• Shed aura of secrecy
– People less intimidated by what they
understand
• Publicize privacy-related issues
• Write to Congress
• Big scandal
– “Carnigate” as Watergate of the 21st Century
Technical Proposals
• Get goals right
• Open source code
• Tamper-proof the local data
• Provide secure remote configuration
• Auto-post logs to website
Get goals right
• To protect citizens, not to make them
paranoid
• Treat as a mission critical system
• Solidify parameters for device design in law
Open up the Code
“The technical community has developed a
method to improve trust in complex
systems: open source review.”
– Alan Davidson
Staff Counsel, CDT
Open up the Code
What?
• Release the source code to the public for
review.
• Make updates based on suggestions and
bugs discovered.
Open up the Code
• Open systems keep only the keys secret
• Almost all popular crypto algorithms are
public knowledge and rely on computational
intractability
• Closed systems rely on secret processes
• Closed systems fail: DVD-CSS, SDMI
Open up the Code
Pros:
• Accountability: anchor for other protections
• More eyes to contribute feedback
• Fixing the code instead of the law (Lessig)
• Most important if distributed beyond FBI
Cons:
• Licensing, security issues require revamp (needed
anyway)
Provide Secure Remote
Configuration
What?
• Judicial branch sets the configuration with
court order
Why?
• Eliminate ambiguity in court orders
• No need to trust the FBI
• One order = one search
Provide Secure Remote Configuration
Key exchange (reconstructed from the diagram slides):
• FBI HQ holds a keyring of n entries, {Kpub-judge[i]}Kpriv-fbihq:
each judge's public key signed with HQ's private key.
• FBI HQ installs the keyring on every Carnivore box.
• A remote user delivers the signed court order,
{Court Order}Kpriv-judge[i], to the Carnivore box.
• (1) The Carnivore box generates Kpriv-carn[i].
• (2) The box sends Kpub-carn[i] to FBI HQ, which saves it.
• (3) The box receives a symmetric key from FBI HQ.
• (4) The box receives Kpub-fbihq from FBI HQ.
• The box verifies {Kpub-judge[i]}Kpriv-fbihq with Kpub-fbihq,
yielding Kpub-judge[i].
• The box verifies {Court Order}Kpriv-judge[i] with Kpub-judge[i],
yielding the court order, which becomes its configuration.
Tamper-proof the Local Data
(Diagram: FBI HQ keeps the saved copy of Kpub-carn[i] it received from the box.)
What?
• Private key generated with each order is
used to sign output files.
• Public key from remote Carnivore unit can
be used to verify data stored.
Why?
• Data unprotected on computer, attacker can
alter, delete, etc.
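Worked example, added here and not from the slides or the FBI, of the key exchange described under Provide Secure Remote Configuration together with the output signing described above, using Go's standard-library Ed25519. The judge identifiers, the message tags, the order format and the pinning of Kpub-fbihq at provisioning time are this example's assumptions: in particular it does not receive Kpub-fbihq in step (4), because a verification key that arrives over the same link it is meant to authenticate cannot anchor that link. The symmetric key of step (3) is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedKey is one keyring entry, {Kpub-judge[i]}Kpriv-fbihq on the slides.
type SignedKey struct {
	JudgeID string
	Pub     ed25519.PublicKey
	Sig     []byte
}

// SignedOrder is {Court Order}Kpriv-judge[i]: the authorised configuration, judge-signed.
type SignedOrder struct {
	JudgeID string
	Order   []byte
	Sig     []byte
}

// Signed byte strings carry a purpose tag and the judge ID (this example's choice), so a
// keyring entry cannot be replayed under another name or confused with an order signature.
func keyringMsg(id string, pub ed25519.PublicKey) []byte {
	return append([]byte("keyring:"+id+":"), pub...)
}

func orderMsg(id string, order []byte) []byte {
	return append([]byte("order:"+id+":"), order...)
}

// IssueKeyringEntry is run at FBI HQ once per judge.
func IssueKeyringEntry(hqPriv ed25519.PrivateKey, id string, judgePub ed25519.PublicKey) SignedKey {
	return SignedKey{JudgeID: id, Pub: judgePub, Sig: ed25519.Sign(hqPriv, keyringMsg(id, judgePub))}
}

// SignOrder is run by the judge when the order is granted.
func SignOrder(judgePriv ed25519.PrivateKey, id string, order []byte) SignedOrder {
	return SignedOrder{JudgeID: id, Order: order, Sig: ed25519.Sign(judgePriv, orderMsg(id, order))}
}

// Box is one Carnivore unit. HQPub is pinned when the box is provisioned (this example's
// assumption; on the slides it arrives in step 4 over the link it is supposed to secure).
type Box struct {
	HQPub     ed25519.PublicKey
	Keyring   []SignedKey
	orderPriv ed25519.PrivateKey // Kpriv-carn[i], generated per order (step 1)
}

// AcceptOrder verifies the chain HQ -> judge -> order. On success the box generates its
// per-order key pair and returns Kpub-carn[i] for HQ to save (step 2) plus the configuration.
func (b *Box) AcceptOrder(so SignedOrder) (ed25519.PublicKey, []byte, error) {
	var judgePub ed25519.PublicKey
	for _, e := range b.Keyring {
		if e.JudgeID == so.JudgeID && ed25519.Verify(b.HQPub, keyringMsg(e.JudgeID, e.Pub), e.Sig) {
			judgePub = e.Pub
		}
	}
	if judgePub == nil {
		return nil, nil, errors.New("judge not on keyring or entry not signed by HQ")
	}
	if !ed25519.Verify(judgePub, orderMsg(so.JudgeID, so.Order), so.Sig) {
		return nil, nil, errors.New("court order signature invalid")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	b.orderPriv = priv
	return pub, so.Order, nil
}

// SignOutput signs an output file with Kpriv-carn[i]; with no accepted order there is no key.
func (b *Box) SignOutput(data []byte) ([]byte, error) {
	if b.orderPriv == nil {
		return nil, errors.New("no accepted court order")
	}
	return ed25519.Sign(b.orderPriv, data), nil
}

// VerifyOutput is what HQ, or a reviewing court, runs with the saved Kpub-carn[i].
func VerifyOutput(carnPub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(carnPub, data, sig)
}

func main() {
	hqPub, hqPriv, _ := ed25519.GenerateKey(rand.Reader)
	judgePub, judgePriv, _ := ed25519.GenerateKey(rand.Reader)
	box := &Box{HQPub: hqPub, Keyring: []SignedKey{IssueKeyringEntry(hqPriv, "judge-7", judgePub)}}
	order := []byte("target=10.0.0.5 proto=TCP:pen port=25 expires=2001-06-17") // constructed
	carnPub, _, err := box.AcceptOrder(SignOrder(judgePriv, "judge-7", order))
	fmt.Println("order accepted:", err == nil)
	out := []byte("TCP 10.0.0.5:40000 -> 192.0.2.1:25") // constructed output record
	sig, _ := box.SignOutput(out)
	fmt.Println("output verifies:", VerifyOutput(carnPub, out, sig),
		"altered:", VerifyOutput(carnPub, []byte("TCP 10.0.0.5:40000 -> 192.0.2.1:26"), sig))
}
```

Two consequences follow from tying the signing key to the accepted order: output that exists without a matching order cannot be signed at all, and HQ's saved Kpub-carn[i] ties every verified output file to one specific order, which is the "one order = one search" property the slide asks for. A keyring entry that is merely present but not HQ-signed, or an order whose bytes were changed after signing, is rejected before any key is generated.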
Auto-post Logs to Website
(Diagram: each Carnivore box reports to FBI HQ, which posts the logs to a web site.)
Why?
• Knowing the source does not tell you how it
is used
Minimization
• Time till reporting can be specified in court
order
• Central FBI server will be bottleneck for
over-reporting
Conclusions
Legislative/Judicial
• Exclusionary rule
• Minimization
• Judicial review
• Pen mode requirements
• FISA amendments
• Stored communications amendment
Public Policy
• Trust
• Ease of access
• ISP control
• Public awareness
Technical
• Get goals right
• Open source code
• Tamper-proof the local data
• Provide secure remote configuration
• Auto-post logs to website
Conclusion
“If you're talking to someone in the next
bathroom stall, the government shouldn't
have to be able to listen in.”
– Robert Ellis Smith
Publisher, Privacy Journal