
Internet Wiretapping

and Carnivore

Sarah Boucher
Edward Cotler
Stephen Larson
May 17, 2001

Introduction
Law enforcement needs
Individuals' privacy concerns
Emerging technology

Goals
To inform about the current technical, government, and public opinion state of U.S. Internet wiretapping policy through a case study of the FBI's Carnivore system
To discuss concerns about the current state of U.S. Internet wiretapping policy
To propose changes to improve the U.S. system of Internet wiretapping

Timeline

1791 The Fourth Amendment to the Constitution
1928 Olmstead v United States
1934 Federal Communications Act
1937 Nardone v United States
1939 Nardone v United States
1967 Berger v United States
1967 Katz v United States
1968 Omnibus Crime Control and Safe Streets Act
1978 Foreign Intelligence Surveillance Act

Timeline
1979 Smith v Maryland
1986 Electronic Communications Privacy Act
1994 Communications Assistance for Law Enforcement Act
2000 US Telecom v FCC
2000 Hearings in House and Senate committees
2000 Digital Privacy Act, proposed
2000 Electronic Communications Privacy Act, proposed
2000 Illinois report released

Key Players

ACLU: Opposed to wiretaps in general.
CDT: Sees a place for restricted wiretaps.
EPIC: Acquired key information using the FOIA.
DOJ: In charge of the FBI, project in general.
FBI: Conducted at least 25 Internet wiretaps already.
Congress: Trying to catch the laws up.

Background

Legislative Background

Fourth Amendment
FCA
Title III
FISA
ECPA
CALEA
Digital Privacy Act of 2000
Electronic Privacy Act of 2000

Legislative Background
Fourth Amendment
The right of the people to be secure in their
persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be
violated, and no warrants shall issue, but upon
probable cause, supported by oath or
affirmation, and particularly describing the
place to be searched, and the persons or things
to be seized.

Legislative Background
Federal Communications Act of 1934
Prohibited the interception and disclosure of
any communication without the consent of at
least one of the parties to the communication.

Legislative Background
Title III of the Omnibus Crime Control and
Safe Streets Act of 1968
Electronic surveillance made illegal, except
pursuant to a court order.

Legislative Background
How to get a court order for electronic
surveillance
Prove probable cause that an indictable crime
has been, is being, or is about to be committed.
Specifically describe the communications to be
intercepted.
Other investigative procedures have failed or
are too dangerous.

Legislative Background
Foreign Intelligence Surveillance Act of
1978
Requires approval from the Foreign
Intelligence Surveillance Court for electronic
surveillance in national security cases.

Legislative Background
Electronic Communications Privacy Act of
1986
Amended Title III protections to cover most
wire and wireless communications.
Requires a court order for the use of pen
register and trap and trace devices.
Delineates regulations for the use of roving
wiretaps.

Legislative Background
Communication Assistance for Law
Enforcement Act of 1994
Requires telecommunications carriers to ensure
the ability of law enforcement agencies to
intercept communications.

Legislative Background
Digital Privacy Act of 2000, proposed in the
106th Congress
Strengthened the requirements for obtaining a
court order for the use of pen register and trap
and trace devices.
Heightened the reporting requirements for
electronic surveillance.

Legislative Background
Electronic Privacy Act of 2000, proposed in
the 106th Congress
Strengthened the requirements for obtaining a
court order for the use of pen register and trap
and trace devices.
Other privacy enhancing changes to current
federal wiretapping laws.

Judicial Background

Olmstead v. US
Nardone v. US
Berger v. US
Katz v. US
Smith v. Maryland
US Telecomm v. FCC

Judicial Background
Olmstead v. US, 1928
Supreme Court held that wiretaps were not a
violation of the Fourth Amendment.
Justice Brandeis wrote a strong dissent
supporting the extension of Fourth Amendment
rights to wiretapping.

Judicial Background
Nardone v. US, 1937 and again in 1939
Based on FCA of 1934, the Court ruled that
wiretap evidence could not be used in trial.
In the second case, the Court expanded this
ruling to include any evidence derived from a
wiretap.

Judicial Background
Berger v. US, 1967
Supreme Court found that a New York State
law that had been used to secure a warrant for
wiretapping was overbroad in its scope.

Judicial Background
Katz v. US, 1967
Supreme Court effectively overturned Olmstead
v US, saying that the Fourth Amendment
protects people, not places.

Judicial Background
Smith v. Maryland, 1979
Supreme Court held that there is a lower
expectation of privacy in pen mode
information, therefore no warrant is required to
intercept this information.

Judicial Background
US Telecomm v. FCC, 2000
Challenges to the implementation Order for CALEA.
Supreme Court held that location information for wireless communications as well as packet-mode data collection can be required by CALEA.

Executive Background
When does the FBI use Carnivore?
The ISP cannot sufficiently narrow the information retrieved to comply with the court order.
The ISP cannot receive sufficient information.
The FBI does not want to disclose information to the ISP, as in a sensitive national security investigation.

Executive Background
Full mode wiretap: the case agent consults with the Chief Division Counsel and a Technically Trained Agent.
Pen mode wiretap: the case agent writes up a request with a justification for necessity.
Executive Background
FBI shows a judge the relevance of the
information
FBI shows a judge why traditional
enforcement methods are insufficient
FBI submits a request with information
such as target ISP, e-mail address, etc.
FBI waits 4-6 months

Public Policy Background
Chart: Federal Title III Wiretaps (count, scale 0 to 700).

Public Policy Background
Wiretaps influenced by administrative policy choice
10,000 before Safe Streets Act (1968)
9,000 after Safe Streets Act
Could Carnivore have similar usage patterns?
Log secrecy
1850% increase from 1997 to 1999

Technical Background
Hardware
Software

Hardware Architecture
A one-way tap into an Ethernet data stream
A general purpose computer to filter and
collect data
One or more additional general purpose
computers to control the collection and
examine the data
A locked telephone link to connect the
computers

Hardware Architecture
Diagram, labelled components: The Internet, Ethernet Switch, Other Network Segments, Tap, Hub, Hub, Target, Bystander, Carnivore, Remote.

One Way Tap
The Century Tap
Produced by Shomiti Systems (3rd party)

Filtering/Collection Computer
Pentium-class PC
2 GB Jaz Drive
Generic 10/100 Mbps Ethernet adapter
A modem
Windows NT
pcAnywhere

Control/Examination Computer
Another regular computer with:
pcAnywhere
Dragonware

Secure?

Telephone Link
Electronic device that prevents phone line connection unless you have the key.

Software Architecture
Functionality
Filtering
Filter Precedence
Output
Analysis

Software Architecture

Software Architecture
Filtering
Fixed IP / Dynamic IP
Can choose a range of IP addresses.
If not in fixed IP mode, one can choose to include packets in either RADIUS or DHCP mode.
Protocol Filtering
One can choose to include packets from TCP, UDP, and/or ICMP in either Full mode, Pen mode, or none.
Text Filtering
One can include packets that contain arbitrary text.
Port Filtering
One can select particular ports to include (e.g. 25 (SMTP), 80 (HTTP), 110 (POP3)).
E-mail Address Filtering
One can select to include packets that contain a particular e-mail address in the To or From fields of an e-mail.
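As an added illustration (not Carnivore's code; the type and field names and the sample packet are constructed), a Go model of the filter criteria on this slide, including the per-protocol Full/Pen choice, which is where the minimization question lives:

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Mode is the per-protocol choice from the slides: None, Pen (addressing only) or Full (with content).
type Mode int

const (None Mode = iota; Pen; Full)

// Packet is a constructed, simplified view of one captured datagram.
type Packet struct { Proto string; SrcIP, DstIP net.IP; DstPort int; Payload string }

// Filter holds the criteria named on the slide; field names are my own, not Carnivore's.
type Filter struct {
	Range     *net.IPNet      // fixed-IP range (nil = any address)
	Ports     map[int]bool    // port filter (empty = any port)
	ProtoMode map[string]Mode // protocol filter: TCP/UDP/ICMP -> None, Pen or Full
	Text      string          // text filter ("" = off)
	Email     string          // e-mail address filter on To:/From: lines ("" = off)
}

// Record is one .output entry; Content stays empty in Pen mode.
type Record struct{ Src, Dst, Content string }

// Apply decides whether p is collected and how much of it is kept. The text and
// e-mail criteria read the payload even in Pen mode, where the record then omits it.
func (f Filter) Apply(p Packet) (Record, bool) {
	mode := f.ProtoMode[p.Proto] // unlisted protocol -> None
	inRange := f.Range == nil || f.Range.Contains(p.SrcIP) || f.Range.Contains(p.DstIP)
	portOK := len(f.Ports) == 0 || f.Ports[p.DstPort]
	textOK := f.Text == "" || strings.Contains(p.Payload, f.Text)
	emailOK := f.Email == "" || hasAddress(p.Payload, f.Email)
	if mode == None || !inRange || !portOK || !textOK || !emailOK {
		return Record{}, false
	}
	r := Record{Src: p.SrcIP.String(), Dst: p.DstIP.String()}
	if mode == Full { r.Content = p.Payload }
	return r, true
}

// hasAddress reports whether addr appears on a To: or From: line of an e-mail-like payload.
func hasAddress(payload, addr string) bool {
	addr = strings.ToLower(addr)
	for _, line := range strings.Split(strings.ToLower(payload), "\n") {
		if (strings.HasPrefix(line, "to:") || strings.HasPrefix(line, "from:")) && strings.Contains(line, addr) {
			return true
		}
	}
	return false
}

func main() {
	_, cidr, _ := net.ParseCIDR("10.1.2.0/24") // constructed target range
	f := Filter{Range: cidr, Ports: map[int]bool{25: true}, ProtoMode: map[string]Mode{"TCP": Pen}, Email: "target@example.invalid"}
	fmt.Println(f.Apply(Packet{"TCP", net.ParseIP("10.1.2.7"), net.ParseIP("192.0.2.10"), 25, "From: target@example.invalid\nTo: x@y.invalid\n\nhello"}))
}
```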

Software Architecture
Filter Precedence
Output
.vor
.output
.error

Analysis
Packeteer
CoolMiner

Software Architecture
TapNDIS (written in C) is a kernel-mode driver which captures Ethernet packets as they are received, and applies some filtering.
TapAPI.dll (written in C++) provides the API for accessing
the TapNDIS driver functionality from other applications.
Carnivore.dll (written in C++) provides functionality for
controlling the intercept of raw data.
Carnivore.exe (written in Visual Basic) is the GUI for
Carnivore.

Concerns

Legislative/Judicial Concerns
Pen mode collection
Not strictly defined.
Low standard for obtaining a court order for the
interception of this information.
Reporting of pen mode interceptions is
minimal.

Legislative/Judicial Concerns
Minimization of interception:
No formal definition of minimization of search
requirements.
The minimization process only has optional
judicial review.
No requirements on who conducts the
minimization.

Legislative/Judicial Concerns
FISA interceptions:
No notification requirement, unless information
from the intercept will be used in a criminal
trial.
Completely confidential, the only information
reported annually is the number of applications
and the number of orders granted.

Public/Executive Concerns

Trust
Ease of access
Loss of ISP control
Procedural

Trust
Carnivore is roughly equivalent to a wiretap capable of accessing the contents of the conversations of all of the phone company's customers, with the assurance that the FBI will record only conversations of the specified target.
Barry Steinhardt
Associate Director, ACLU

Trust
Should we trust the government?
Agents overlook, misplace or otherwise
mangle information
FBI still makes record-keeping mistakes
Blanton
Salvati
McVeigh

Ease of Access
I would rather have the government crawl under
barbed wire with a flashlight to install a listening
device in my basement than to have them click a
mouse in an office and gain access to my most
private conversations.
Phil Zimmermann
Inventor, PGP

Ease of Access
Allocation of resources
Self-selects more important wiretaps

Easier to make mistakes


No paper trail in digital age

Loss of ISP Control
The FBI is placing a black box inside the computer network of an ISP. Not even the FBI knows what that gizmo is doing.
James X. Dempsey
Senior Staff Counsel, CDT

Loss of ISP Control
Allows access to non-targets
Is such evidence legally obtained?
Minimization to communications of targets
Non-issues in traditional telephone wiretap

Procedural
The statutory suppression remedy available for illegal interception of other communications in Title III is not extended to electronic communications; the data gathered would not automatically be thrown out as evidence.
IITRI Review of Carnivore

Procedural
Supervisor auditing mechanism
No way to track which agent is responsible
for error

Public Concerns
Survey
117 responses
Average age: 32
Average time online per week: 13 hours

Survey
Chart: Heard of Carnivore? (Yes / No) against hours online per week (scale 10 to 20).
Survey
21% heard of Carnivore
Of those who heard of it, 68% view
Carnivore as a threat to their online privacy

Survey
Chart: Public Suspicion of FBI. Statements rated: "Will abuse email monitoring rights", "Currently monitors Internet activity", "Currently monitors email"; respondents split into Heard / Didn't hear of Carnivore; scale 2.50 to 3.30, where Somewhat = 3.0.

Survey
Chart: Should we allow government monitoring? Categories: Internet activity, Email, Phone conversations; respondents split into Heard / Didn't hear of Carnivore; scale 0.00 to 0.80.

Technical Concerns
Design Principles
Problems
Wrong goals
Bad implementation
Hidden functionality?

Design Principles
Oops:
No formal development process was followed for the development of Carnivore through version 1.3.4. The Carnivore program was a quick-reaction capability program developed to meet the needs of the FBI for operational cases. [...] This type of development is appropriate as a proof of concept, but it is not appropriate for operational systems. Because of this lack of development methodology, important considerations, such as accountability and audit, were missed.
Illinois Report

Design Principles
Goals were misplaced because of the perspective on the problem. What truths can we add?
1) Internet wiretapping is unlike other kinds of wiretapping
2) An Internet wiretapping device is a 'mission critical' device
3) Internet wiretapping devices are in a position to bear the brunt of public scrutiny
4) Internet wiretaps are not automatically more confidential just because they are automated.

Design Principles
Overarching lesson:
The technical realities of Internet
wiretapping strongly suggest that devices
used for such purposes be engineered with
extreme care, with special attention paid to
potential failures.

Technical Problems: Wrong Goals
No structured development process
No audit trails
Limited security of data

Technical Problems: Bad Implementation
Problems with high throughput
Standard Ethernet v. Full Duplex
Security of remote computer
Thwarted by crypto
RADIUS (analysis omitted from Illinois Report)

Hidden Functionality?
TapAPI provides 45 entry points callable
from Carnivore.dll, only 22 are used.
Commented out code: more sophisticated
filters, real-time viewer, case tracking

Proposals

Legislative/Judicial Proposals

Exclusionary rule
Minimization
Judicial review
Pen mode requirements
FISA amendments
Stored communications amendment

Legislative/Judicial Proposals
Exclusionary rule
Amend to include electronic communications.

Legislative/Judicial Proposals
Minimization
Judicial review of minimization prior to
admittance as evidence.
Minimization conducted by someone not
directly involved in the investigation.
Court orders for electronic surveillance
explicitly specify minimization techniques to be
employed.

Legislative/Judicial Proposals
Judicial Review
Require judicial review to verify that all
electronic surveillance has been conducted in
accordance with the applicable laws.

Legislative/Judicial Proposals
Pen mode requirements
Stricter definition of what pen mode
information may include.
For any technology where pen mode collection cannot be limited to this definition, no collection is authorized.
Court orders must be based on probable cause.
Reporting requirements must be increased to
the same level as full content intercepts.

Legislative/Judicial Proposals
FISA amendments
Increase reporting requirements for all FISA
interceptions.
Require notification of all US citizens who are
the subject of a FISA intercept just as for Title
III intercepts.

Legislative/Judicial Proposals
Stored communications amendment
Court order is necessary to access any
electronic communication stored for less than
one year at communications provider.
Court order is necessary to access any
electronic communication that has already been
accessed by the user but remains in storage at
the communications provider.

Public Policy Proposals

Trust
Ease of access
ISP control
Public awareness

Trust
Never trust a computer you can't throw out a window.
Steve Wozniak
Inventor, Apple Computer

Trust
Establish independent review board of
actual cases
Open source Carnivore code

Ease of Access
Because of [differences between the Internet and
the traditional telephone system], it is appropriate
to recognize a reasonable expectation of privacy in
[electronic] information and to establish a higher
evidentiary threshold to obtain a surveillance
order than currently exists.
Robert Corn-Revere
Counsel, Hogan & Hartson

Ease of Access
Require warrant even for pen register
traps
Require more evidence for Title III warrant
Carnivore should be last resort

ISP Control
ISPs are in the best position to understand
their own networks and the most effective
ways of complying with lawful orders.
Alan Davidson
Staff Counsel, CDT

ISP Control
Make Carnivore an available alternative for small ISPs
Let ISP technicians configure system and provide data to FBI
CALEA
A telecommunications carrier shall ensure that its equipment, facilities, or services are capable of expeditiously isolating and enabling the government to intercept, to the exclusion of other communications, ... all wire and electronic communications carried by the carrier within a service area to or from equipment ... [and] to access call-identifying information.

Public Awareness
Public sentiment is everything. With it,
nothing can fail. Without it, nothing can
succeed.
Abraham Lincoln
Ten people who speak make more noise than
ten thousand who are silent.
Napoleon Bonaparte

Public Awareness
Shed aura of secrecy
People less intimidated by what they understand
Publicize privacy-related issues
Write to Congress
Big scandal
Carnigate as Watergate of the 21st Century

Technical Proposals
Get goals right
Open source code
Tamper-proof the local data
Provide secure remote configuration
Auto-post logs to website

Get goals right
To protect citizens, not to make them paranoid
Treat as a mission critical system
Solidify parameters for device design in law

Open up the Code
The technical community has developed a method to improve trust in complex systems: open source review.
Alan Davidson
Staff Counsel, CDT

Open up the Code
What?
Release the source code to the public for review.
Make updates based on suggestions and bugs discovered.

Open up the Code
Open systems are based on keys
Almost all popular crypto algorithms are public knowledge & rely on computational intractability
Closed systems are based on secret processes
Closed systems fail: DVD-CSS, SDMI

Open up the Code
Pros:
Accountability: anchor for other protections
More eyes to contribute feedback
Fixing the code instead of the law (Lessig)
Most important if distributed beyond FBI
Cons:
Licensing, security issues require revamp (needed anyway)

Provide Secure Remote Configuration
What?
Judicial branch sets the configuration with court order
Why?
Eliminate ambiguity in court orders
No need to trust the FBI
One order = one search

Provide Secure Remote Configuration
Key exchange, as drawn across the slides:
FBI HQ keyring: {Kpub-judge[i]}Kpriv-fbihq (each judge's public key signed with the FBI HQ private key), x n judges.
FBI HQ loads the keyring onto the Carnivore box.
Remote user sends {Court Order}Kpriv-judge[i] (the court order signed with judge i's private key) to the Carnivore box.
(1) Carnivore box generates Kpriv-carn[i].
(2) Carnivore box sends Kpub-carn[i] to FBI HQ, where it is saved*.
(3) Carnivore box receives a symmetric key from FBI HQ.
(4) Carnivore box receives Kpub-fbihq from FBI HQ.
Verify: with Kpub-fbihq, check the keyring entry {Kpub-judge[i]}Kpriv-fbihq to recover Kpub-judge[i].
Verify: with Kpub-judge[i], check {Court Order}Kpriv-judge[i] to recover the Court Order.
Tamper-proof the Local Data
Diagram: FBI HQ holds Kpub-carn[i], saved* from the remote configuration exchange.

Tamper-proof the Local Data
What?
Private key generated with each order is used to sign output files.
Public key from remote Carnivore unit can be used to verify data stored.
Why?
Data unprotected on computer, attacker can alter, delete, etc.
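An added Go sketch (not the presenters' code) of the signature chain from the Provide Secure Remote Configuration slides together with the per-order output signing proposed here. It assumes Ed25519 signatures and SHA-256 file digests, which the slides do not specify, uses constructed sample data, and leaves out the symmetric key of step (3):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyringEntry is one keyring item from the slides: {Kpub-judge[i]}Kpriv-fbihq.
type KeyringEntry struct {
	JudgePub ed25519.PublicKey
	HQSig    []byte
}

// GenKey makes an Ed25519 pair, a stand-in for the slides' unspecified algorithm;
// the box calls it in step (1) to produce Kpriv-carn[i].
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// VerifyOrder is the box-side chain: Kpub-fbihq validates the keyring entry, yielding
// Kpub-judge[i], which then validates {Court Order}Kpriv-judge[i]. Either failure
// rejects the configuration, so only a judge endorsed by FBI HQ can set a filter.
func VerifyOrder(hqPub ed25519.PublicKey, e KeyringEntry, order, orderSig []byte) bool {
	if len(e.JudgePub) != ed25519.PublicKeySize || !ed25519.Verify(hqPub, e.JudgePub, e.HQSig) {
		return false // keyring entry not signed by FBI HQ
	}
	return ed25519.Verify(e.JudgePub, order, orderSig)
}

// SignOutput signs the SHA-256 digest of an output file with the per-order Kpriv-carn[i].
func SignOutput(priv ed25519.PrivateKey, file []byte) []byte {
	d := sha256.Sum256(file)
	return ed25519.Sign(priv, d[:])
}

// VerifyOutput is the later check at FBI HQ with the Kpub-carn[i] saved in step (2).
func VerifyOutput(pub ed25519.PublicKey, file, sig []byte) bool {
	d := sha256.Sum256(file)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	hqPub, hqPriv := GenKey()       // FBI HQ: Kpub-fbihq / Kpriv-fbihq
	judgePub, judgePriv := GenKey() // judge i
	entry := KeyringEntry{judgePub, ed25519.Sign(hqPriv, judgePub)}
	order := []byte("constructed order: pen mode, port 25, target@example.invalid")
	fmt.Println("order accepted:", VerifyOrder(hqPub, entry, order, ed25519.Sign(judgePriv, order)))
	carnPub, carnPriv := GenKey() // step (1); carnPub goes to HQ in step (2)
	out := []byte("constructed .output record")
	sig := SignOutput(carnPriv, out)
	out[0] ^= 1 // simulate alteration of the stored file after signing
	fmt.Println("altered output detected:", !VerifyOutput(carnPub, out, sig))
}
```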

Auto-post Logs to Website
Diagram: several Carnivore boxes report to FBI HQ, which posts to the web site.

Auto-post Logs to Website
Why?
Knowing the source does not tell you how it is used
Minimization
Time till reporting can be specified in court order
Central FBI server will be bottleneck for over-reporting

Conclusions

Legislative/Judicial

Exclusionary rule
Minimization
Judicial review
Pen mode requirements
FISA amendments
Stored communications amendment

Public Policy

Trust
Ease of access
ISP control
Public awareness

Technical
Get goals right
Open source code
Tamper-proof the local data
Provide secure remote configuration
Auto-post logs to website

Conclusion
If you're talking to someone in the next bathroom stall, the government shouldn't have to be able to listen in.
Robert Ellis Smith
Publisher, Privacy Journal
