"The Justice Department wants to follow the rules for pen registers in using the device. Those rules are far less restrictive than the regulations governing wiretaps...." ������������������ New York Times December 5, 2000 Carnivore Privacy Concerns Remain By JOHN SCHWARTZ Despite winning a favorable review by an outside group, the F.B.I.'s Carnivore Internet wiretap system continues to raise strong concerns about privacy and the legal limits of government surveillance, a prominent panel of computer security experts said yesterday. The new report could mean further trouble for a system that has drawn criticism since its existence was first revealed in July. The new report responds to a review of Carnivore by the Illinois Institute of Technology's Research Institute, which released a draft report on Nov. 17. While lauding the Justice Department and the Illinois group for a good-faith effort to examine the Internet wiretap system, the computer experts said that that study was designed too narrowly to answer the most pressing questions. The "limited nature of the analysis described in the draft report simply cannot support a conclusion that Carnivore is correct, safe, or always consistent with legal limitations," the scientists wrote. The authors include some of the best-known names in computer security, including Steven M. Bellovin and Matt Blaze of AT&T Labs, David J. Farber of the University of Pennsylvania, Peter Neumann of SRI International and Eugene Spafford of the Center for Education and Research in Information Assurance and Security at Purdue University. Members of the informal group of computer scientists were initially contacted by the Justice Department to review the Carnivore system. "I honestly believe they didn't call us in to win us over," Mr. Blaze said in an interview yesterday, adding that the officials wanted "to actually hear what we wanted to say." Still, Mr. Blaze said, when the Illinois review was published, "we were disappointed by the limited scope of the report." The group concluded, "Serious technical questions remain about the ability of Carnivore to satisfy its requirements for security, safety and soundness." The Illinois review, the group said, should have included a thorough search for programming flaws, and should have more deeply explored whether the system provides the kind of precise records that wiretapping calls for � especially in systems that can be operated remotely, such as Carnivore. Carnivore is a modified version of a common piece of software known as a packet sniffer that is used by Internet service providers to maintain their networks. The Carnivore version is installed during criminal investigations at the office of the suspect's Internet service provider. The system has been used dozens of times in criminal and national security cases under federal wiretap authority. It is designed to be adjustable so that it can skim only some information from the flood of data that make up online communication; law enforcement officials assert that it provides a tool for the Internet similar to "pen register" and "trap and trace" devices, which capture the telephone numbers of criminal suspects and those who call them. What worries privacy advocates and lawmakers critical of Carnivore is that the Justice Department wants to follow the rules for pen registers in using the device. Those rules are far less restrictive than the regulations governing wiretaps. Justice Department officials confirmed that the system has been used, in most cases, under the less-restrictive rules. Since the system can be used to collect much more than Internet addresses, lawmakers and civil liberties advocates contend that the government should not be able to use the less-stringent standards of proof. Another review of the Illinois report from the Privacy Foundation, which is based in Denver, sounded similar notes of concern about auditing Carnivore's use and its place in the legal system. "Carnivore is, potentially, an appropriate law enforcement tool," said Philip L. Gordon, a Denver lawyer and a fellow of the foundation. "But there are technical deficiencies that have to be addressed," as well as legal questions. Henry H. Perritt Jr., dean of the Chicago-Kent College of Law and head of the panel that produced the Illinois report on Carnivore, said the panel of scientists was a "first-rate group." Mr. Perritt stood by his work but said he agreed with two of the criticisms: that the legal framework for wiretapping must be revised for the digital age, and that the system must undergo continuing review. "Software is a moving target," Mr. Perritt said, and a one-time review "doesn't tell you what you need to know about future versions." The final report of the Illinois group is due later this month. A spokesman for the Federal Bureau of Investigation, Paul Bresson, said officials had not yet seen the critical report and could not comment on it.
