Stopping Carnivore Doesn't Stop FBI Surveillance

WASHINGTON--The FBI has discontinued the use of Carnivore, its controversial and top-secret Internet monitoring program, but your Internet service provider probably has already taken its place as a gatherer of information.

Surprisingly, after all the controversy about the Carnivore program when word of its use first trickled out nearly five years ago, the FBI says it hasn't used the Carnivore program in the past 24 months. Instead, it substitutes commercially available programs that do the same thing--gather information, such as e-mail messages, from the PC of a person under investigation.

Created by the FBI, Carnivore began operating as a surveillance tool in 2000. At the time, members of Congress and privacy groups such as Electronic Privacy Information Center (EPIC) criticized the agency out of fear that the program could retrieve information about people who were not under investigation.

"When we developed [Carnivore], it was, at that time, the best product available," FBI spokesman Paul Bresson says. "We knew because of all the publicity there would be a lot [of software] commercially made available." The FBI did not, according to Bresson, officially stop using the program. The software simply became outdated.

Technology Improves

"What we've seen is the products that are available off the shelf [have] come a long way," says Bresson. The other software, which Bresson now uses in place of Carnivore, is used by the FBI only in the event that an ISP doesn't provide the federal agency with the information it needs.

In fact, according to documents obtained by EPIC through the Freedom of Information Act, the commercial software was used only five times during 2002 and eight times during 2003. FBI officials declined to name the commercially available programs that have replaced Carnivore.

"What this is showing," says Bresson, "is that the ISPs are increasingly performing the intercepts of their own networks." He also says that the ISPs "overwhelmingly have been cooperative" in giving the FBI information it needs.

The Lesser of Two Evils

Asked whether EPIC is worried that ISPs have free reign to monitor their customers' Internet traffic, David Sobel, the advocacy group's general counsel, says, "I think that's ultimately the reality anyway, whether the FBI is in the picture or not. The ISP obviously has access to everything that's on its own network." If outsiders' access is limited, "then at least we're not doing more harm than the status quo," he says.

Gathering information directly from the ISP without the use of FBI or other software, Sobel says, is the "least invasive approach.... The ISP in effect acts as the filter and presumably protects its subscribers who are not named in a court order." In this way, Sobel says, the FBI is prevented from having full access to a network.

"If it is now more feasible for the ISP itself to hand the FBI a CD that contains only the information that the court has authorized, that's obviously better then giving them full range of a network and its traffic."

History

In 2001, the Illinois Institute of Technology's Research Institute at Chicago-Kent College of Law conducted a review of the program, which led to several upgrades. One was a name change to Digital Collection System 1000, or DCS 1000, which the FBI hoped would combat some of the negative public opinion that grew up around the program.

According to the FBI's Bresson, when the program was utilized during the two years it was active, it was used sparingly. "At the end of the day," he said, "we're only interested in obtaining that one thing that helps us solve a crime or prevent a terrorist attack."

Subscribe to the Security Watch Newsletter

Comments