
Encryption Could Starve Carnivore

Developers make server-level technology that could hamper law enforcement's e-mail surveillance.

Even as the FBI slowly releases details of its Carnivore e-mail wiretap technology, software developers are readying schemes to starve Carnivore of meaningful data.

ChainMail and Sigaba are among the companies promoting encryption technology designed to render any captured e-mail meaningless to third parties. Meanwhile, developers like Privada and Zero-Knowledge offer anonymity to both sender and recipient, so a third party has no idea whose e-mail it is reading. In most cases, you need to rely on your Internet service provider to implement this level of technology, which keeps your e-mail private--right down to its address.

Digital Bloodhound

Carnivore, so named for its capability to "get at the meat" of electronic communications, is a Windows-based "packet-sniffer" program that also runs on an ISP's systems. The FBI uses it to pick out e-mail communications from a party that is under investigation.

Carnivore is the online equivalent of a telephone wiretap, but its capability to snoop is much more pervasive, according to Stephen Satchell, a consultant on Internet performance and security issues. Because no discrete "e-mail line" corresponds to individuals on the Internet, Carnivore actually scans every data packet from every party that uses the ISP. Privacy advocates are concerned that law enforcement could easily abuse this system to spy on people who are not covered by the warrant. (See "ACLU Challenges FBI E-Mail Taps.")

The FBI claims that Carnivore looks only at address information on e-mail, not its content, until it finds correspondence from the party under investigation. Then, Carnivore copies the whole message. But critics doubt that Carnivore ignores content entirely.

"The only reason they could not look at content is because they chose not to look at content, not because they can't," says Richard Bliss, a Sigaba spokesperson.

ISPs Wary of Sharing Servers

Some ISPs seem to have similar regard for both the FBI and encryption vendors. America Online, for example, lets no one near its servers without a court warrant, according to Nicholas Graham, AOL spokesperson.

The FBI has not approached AOL about using Carnivore on its network. But if it did, "Carnivore would not be allowed on our system and would be against our goal and mission of protecting our members' privacy," Graham says. That policy similarly prohibits use of server-based encryption programs. Graham says AOL has not decided whether to offer its own encryption solution to members.

EarthLink takes a similar position and has spurned the advances of at least one encryption vendor, says Steve Dougherty, director of technology acquisition. Customers may use their own encryption or anonymity scheme, but he does not expect EarthLink will provide such services.

Subscribers don't seem interested, Dougherty adds, but that could change. "This is so new, it's too early to tell what anyone will be doing," he says.

That's what the software developers are banking on as they prepare their server-level tools to thwart Carnivore.
