2004, Volume 2, Number 2
Carnivore:
National Security Versus Personal PrivacyOverview
In the honorable name of pursuing increased national security and deterring criminal communication through cyberspace, the FBI has developed a software package dubiously named Carnivore. The subject of no small amount of controversy, Carnivore is a network surveillance tool that is designed to "sniff" out and analyze transmitted information that originates from or is destined to a specific target. Much like telephone wiretapping, the Carnivore system gives the Government the ability to identify and gather evidence on suspects for whom the appropriate warrant has been issued.
Evolution of a Carnivore
It is widely thought that the FBI initially used EtherPeek network analysis software for investigative work over computer networks. This, undoubtedly with some FBI modification, is what most likely became Omnivore in 1997, a predecessor to Carnivore. Omnivore ran on Sun Microsystems hardware, using their Solaris operating system.
Carnivore was developed on the Windows NT platform with the purpose of being able to achieve 100% surveillance of the network onto which it is attached. To achieve its goal, Carnivore itself is accompanied by the Packeteer and Coolminer utilities [2], developed to aid Carnivore in processing network data. These are the "workhorse" programs, as the real problem is not merely attaching and listening to traffic, but more so being able to pick out specific suspicious or incriminating messages. The Carnivore package made its debut in June 1999.
The existence of Carnivore was revealed to the public in 2000; the collective reaction was considerably negative. In February of 2001, Carnivore underwent a name change (one that obviously didn't quite stick), to the less menacing title DCS1000. This name change was plainly an effort to improve public opinion of Carnivore, but experienced little success. (With an original name like "Carnivore", it would be a PR feat indeed to make such a surveillance system seem benign!)
The latest installment in the Carnivore package (initially called Dragon Net), claims to also have the ability to monitor wireless communication in much the same way that the Internet and telephone systems are monitored.
Preferred Diet
The Carnivore system, in theory, is one that is heavily regulated and dependent on authorization from U.S. courts. No surveillance can be performed unless a court finds that there is due process and probable cause, and then issues a warrant. Furthermore, the warrant issued specifies one of varying degrees of surveillance: pen-register, recording the destination of outgoing communications; trap-and-trace, logging the source of incoming communications; and finally content-wiretap, listening to all communication details.
The problem, according to many critics, is that Carnivore has the potential to violate the privacy of unintended targets of the system [1]. This fear can be partially attributed to the fact that the FBI will not release the source code to the program, thus the public does not truly and definitively know exactly what limitations and guidelines the system abides by.
However, Carnivore itself is not government-mandated, as some seem to believe. When surveillance is authorized, a court orders that the ISP in question provide some mechanism for adequate surveillance, at the ISP's discretion (so long as it meets the FBI's functional requirements). The FBI provides Carnivore for those ISPs who do not purchase or develop their own surveillance packages, or are otherwise "unwilling or unable to discriminate communications to identify a particular subject's message to the exclusion of others" [1]. In the case of Earthlink, it was felt that the installation of Carnivore was a threat to privacy and availability on their network, and so refused to have it installed, preferring to use alternative software.
Thought Police
Some take paranoia a step further, and claim that Carnivore is attached to major network backbones and is scanning all Internet traffic that it can, searching for suspicious keywords. This is most likely not the case, as Carnivore itself is not an entity present throughout the Internet, but instead a rather unsophisticated computer that attaches to the network of ISPs only when a surveillance warrant has been issued.
Another fabled surveillance system, known as Echelon, is said to match this description better than Carnivore. Echelon is a co-op between the United States, Canada, Australia, and the UK, about which little is known [3]. The U.S. has scarcely admitted its existence, but other countries have made references to it. If Echelon does indeed exist, it clearly represents a serious violation of privacy.
Many other countries have their own Internet surveillance systems in place: In 1998, the People's Republic of China started a special Internet police agency that is responsible for several "cyber-surveillance initiatives," with plans for more sophisticated systems on the way; France is rumored to have created a French version of Echelon (which they claim has stolen secrets from them).
The United States has more than Carnivore, though, to keep track of a plethora of private information. In 2003, the TIA (Terrorism Information Awareness) program began [5]. (Curiously, prior to 9/11 TIA stood for Total Information Awareness.) TIA, like the Carnivore project, specializes in detection and deciphering of communications. This project, led by DARPA (Defense Advanced Research Projects Agency) [5] seems to have more imposing privacy implications than Carnivore.
Quelling the Beast
Unfortunately, it may be that Carnivore is best at snooping on innocent bystanders' transmissions rather than those of the real criminals. Presumably, any sort of major organized crime or terrorist organization by this time uses some form of data encryption or other method of defeating surveillance. Circumventing Carnivore is disappointingly easy to do, and there are many ways to do it:
*Perhaps the most intuitive way of defeating Carnivore is to use data encryption. Carnivore, as any other unauthorized onlooker, will not be able to decode your message (easily) without knowing the appropriate cipher keys. It is almost unbelievable that any major criminal or terrorist organization transmits sensitive information without data encryption
*Proxies/Anonymizers are services that are run by a foreign host that act as a middleman to your connection from point A to point B. Some (here called Anonymizers) actually remove the "source" information from your request, so that it may be untraceable.
*Simply avoid sending traffic through networks/mediums that may be running Carnivore. To this end, dial-up connections with modern compression technology are very difficult to spy on, so criminal organizations may be likely to use direct modem connections.
In March 2000, there was a case where the Carnivore system didn't even need to be circumvented -- it malfunctioned while making crucial interceptions [1]. The actual software malfunction only made the system gather additional data on unintended targets, which was in violation of federal wiretap law, but still provided effective surveillance on the target. However when the privacy violation was discovered, the "FBI technical person was apparently so upset that he destroyed all the E-Mail take, including the take on [the authorized target]" [1]. This case has since gained in notoriety, as the target of the lost surveillance was revealed in 2002 to be the mastermind of the September 11, 2001 attacks.
Alternatives
Now, there exist alternatives to Carnivore. Altivore, developed by Network ICE [4], is an implementation of the Carnivore specification that is open source. Another, more unique and interesting alternative, is CarnivorePE developed by RSG (Radical Software Group) [6].
Network ICE developed Altivore for the purpose of making available an alternative to the public so that any organization that didn't want Carnivore on their networks could turn to Altivore. The main appeal of this package is that it is open-source: the source code used to create the program is publicly available for scrutiny, so that its functionality and integrity can be verified.
CarnivorePE by RSG appeals to a different crowd: it is not only a network surveillance and analysis tool, but also a form of artistic expression. In addition to sniffing network packets, CarnivorePE provides a flexible interface that allows client programs to be created that interpret the intercepted data (usually by counting "keywords") in interesting and creative ways, ranging from creating geometric patterns and visual effects to driving RC cars [6]. This package is decidedly more for statistical use than for eavesdropping on suspected criminals as the FBI's Carnivore.
A Necessary Evil
Carnivore represents the fundamental sacrifice of privacy for better security, and with modern encryption technology, the practicality of Carnivore for intercepting high-profile communication is coming into question. However, as communication gets ever easier and the world relies more upon it, the need for effective cyber-surveillance is heightened. Carnivore and surveillance in general may incur a violation of privacy, but inevitably sacrifices must be made, for they are among the only available tools to help ensure security in our cyber-world.
EDITOR'S NOTE: This is a research paper that was written for Computer Science 494, Computer Security.
References
[1] Electronic Privacy Information Center. http://www.epic.org/privacy/ carnivore/
[2] Carnivore FAQ. Robert Graham. http://www.robertgraham.com/ pubs/carnivore-faq.html
[3] Echelon Watch / ACLU. http://www.echelonwatch.org/
[4] Altivore. Network ICE. http://www.robertgraham.com/altivore/
[5] Defense Advanced Research Projects Agency. http://www.darpa.mil/ body/tia/tia_report_page.htm
[6] CarnivorePE. http://www.rhizome.org/carnivore/