This story appeared on Network World Fusion at

'Net Insider:

The threat of omnivore
By Scott Bradner
Network World, 08/07/00            

I would find it impossible to be a network industry columnist with some concern about Internet privacy and not write about the FBI's adroitly named Carnivore e-mail surveillance system. I think one of the basic problems with this system has been overlooked.

For the vegetarians among readers, Carnivore is the name the FBI gave to a traffic-monitoring system that it attaches to ISP networks, ostensibly to monitor e-mail traffic. According to the testimony of FBI Assistant Director Donald Kerr before a U.S. House subcommittee, the device is only installed when a court has authorized electronic surveillance. In his testimony, Kerr described Carnivore as "A very specialized network analyzer, or 'sniffer,' which runs as an application program on a normal personal computer under the Microsoft Windows operating system. It works by 'sniffing' the proper portions of network packets and copying and storing only those packets which match a finely defined filter set programmed in conformity with the court order."

In order to work, the Carnivore PC is connected to an ISP network where Carnivore can monitor the traffic to and from the subject of surveillance. Such a placement in some cases may cause difficulties because ISP networks are purposely designed to avoid having all customer traffic pass through any particular point. In the past, such network designs have been exploited by hackers to capture user logon names and passwords.

Although Carnivore has been portrayed in the press and even by some FBI spokespeople as an e-mail intercept device, Kerr's testimony reveals it to be a general-purpose intercept system that can be programmed to capture any type of traffic.

Clearly one of the big issues many people have with Carnivore is whether it's possible to be sure that the operators are only doing the intercept that the court has authorized. The FBI announced recently it suddenly has a "tamper-proof logging mechanism" so that the court can find out just what Carnivore has been used for. But the FBI refuses to open the system to public review, claiming if it did so, hackers could figure out a way around it. If the FBI's description of Carnivore is accurate, there are already plenty of ways to get around the device's filters.

My biggest worry is that Carnivore is a programmable device stuck in the middle of an ISP's network. Such a device is inherently a threat to the integrity of the ISP.

It is far from clear that it is possible to create a truly tamper-proof auditing system on such a device or to make the device itself hacker-proof. Even if there were no history of abuse of trust by law enforcement, Carnivore would be a worry. The law enforcement community does need ways to do legitimate intercept and monitoring, but Carnivore seems a blunt and inappropriate tool for the job.

Disclaimer: Harvard educates tool makers and managers, and I did not ask the university for this opinion.

All contents copyright 1995-2002 Network World, Inc.