"Carnivore's Challenge to Privacy and Security Online"

Testimony of

Alan B. Davidson

Staff Counsel

Center for Democracy and Technology

http://www.cdt.org

Before the

House Committee on the Judiciary

Subcommittee on the Constitution

July 24, 2000


Summary

Mr. Chairman and Subcommittee Members, thank you for calling this hearing and giving CDT the opportunity to testify on the FBI's "Carnivore" initiative and its implications for the Fourth Amendment. Carnivore is the latest in a series of wake-up calls about the future of personal privacy online. The deployment of Carnivore itself creates new threats to the privacy and security of Internet communications. More fundamentally, Carnivore raises broad issues about the need for greater privacy protections in the outdated statutory and constitutional framework that today governs surveillance and privacy online.

Among the specific points I would like to make about Carnivore:

Carnivore has access to much more information than it is legally entitled to collect. Yet there is little understanding of how monitoring is limited, and little chance for oversight. Such a situation is ripe for mistake or misuse. As a start, Carnivore should embrace an open source model allowing public scrutiny of its operations and design.

ISPs should control their own networks. Installing a closed Carnivore system outside of Internet Service Provider (ISP) control introduces new risks. And ISPs are in the best position to respond to law enforcement requests while protecting user privacy.

Carnivore's application of pen registers to the Internet raises privacy concerns. Pen registers are much more revealing on the Internet than on a telephone. Their use online should be limited, and the low legal standard authorizing their use should be raised.

More broadly, Carnivore shows how our traditional conceptions of wiretapping and the Fourth Amendment, developed in an era of central-switch telephone networks, do not neatly translate onto the packetized, decentralized Internet. For example, "wiretapping" the Internet may provide government with access to vast streams of information, requiring greater oversight and protection. Pen register orders applied to the Internet reveal far more than the "numbers dialed" they once provided for telephones.

In the future, access to a person's electronic data will likely provide a more complete window into their actions, relationships, and thoughts than any previous form of surveillance. The Internet is exploding the home. Sensitive papers and possessions once kept in a desk drawer are now finding their way out onto network servers, where they lack the Fourth Amendment protections given to items at home.

Our electronic surveillance laws, last reworked in 1986, are rapidly falling behind this changing world. Revisions to those laws are needed to provide heightened protections and staunch the growing erosion of personal privacy in the digital age. At the same time, the desire to translate every current offline surveillance capability into the online world - regardless of consequences - should not be allowed to create a new technical surveillance architecture with huge privacy and security risks.

The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include ensuring that the Constitution's protections extend to the Internet and other new media. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies, and associations working on information privacy and security issues.

1. Context: Privacy and Surveillance Online

The Internet is at once a new communications medium and a new locus for social organization on a global basis. Because of its decentralized, open, and interactive nature, the Internet holds out unprecedented promise to promote expression, spur economic opportunity, and reinvigorate civic discourse. Individuals and groups can create new communities for discussion and debate, grassroots activism and social organization, artistic expression and consumer protection. The Internet has become a necessity in most workplaces and a fixture in most schools and libraries. According to a December 1999 Harris poll, 56% of American adults are online, 6 times higher than 4 years ago.

Every day, Americans use the Internet to access and transfer vast amounts of private data. Financial statements, medical records, and information about children - once kept securely in a home or office - now travel through the network. Electronic mail, online publishing and shopping habits, business transactions and Web surfing profiles can reveal detailed blueprints of people's lives. And as more and more of our lives are conducted online and more and more personal information is transmitted and stored electronically, the result has been a massive increase in the amount of sensitive data available to government investigators.

While the Justice Department frequently emphasizes the ways in which digital technologies pose new challenges to law enforcement, the fact is that the digital revolution has been a boon to government surveillance and information collection as well. The FBI estimates that over the next decade, given planned improvements in the digital collection and analysis of communications, the number of wiretaps will increase 300 percent. Computer files are a rich source of evidence: In a single case last year, the FBI seized enough computer evidence to nearly fill the Library of Congress twice. As most people sense with growing unease, everywhere we go on the Internet we leave digital fingerprints, which can be tracked by marketers and government agencies alike. The FBI in its budget request for FY 2001 seeks additional funds to "data mine" these public and private sources of digital information for their intelligence value.

So while the changing electronic landscape has made some of law enforcement's traditional functions more difficult, it has also provided tremendous new opportunities for data collection. It is in this context that the FBI's Carnivore initiative must be viewed.

2. Privacy Concerns Raised by "Carnivore"

Recent press reports, along with testimony before this Subcommittee in April, have revealed the existence of the new FBI wiretapping device known as "Carnivore." Not much is known about this device, which appears to have been developed with little or no public oversight. What is known raises serious questions about the application of electronic surveillance laws and the Fourth Amendment on the Internet.

Carnivore reportedly serves at least two functions. Installed on the network of an ISP, it monitors communications on the network and records messages sent or received by a targeted user. This is presumably designed to respond to an electronic "wiretap" order served on an ISP. Because of the intrusive nature of wiretaps, a high legal standard must be met for their issuance, requiring a showing of probable cause and strict judicial oversight.

Carnivore can reportedly also provide the origin and destination of all communications to and from a particular ISP customer. This is presumably designed to satisfy what law enforcement claims is the Internet equivalent of "pen register" and "trap and trace" orders, which in the telephone context provide digits dialed and incoming phone numbers. (Note that there are fundamental questions about whether and how pen register and trap and trace orders apply in the Internet context, addressed below.) Since the digits dialed in a phone call are less revealing than the contents of communication, pen registers and trap and trace orders have traditionally been authorized under a significantly lower legal standard. Each year the government executes many more pen registers than wiretaps.

Both the "Internet wire tap" and "Internet pen register" functions of Carnivore raise important privacy and security concerns.

Carnivore Has Access to More Data Than it is Legally Entitled to Collect

According to published accounts, Carnivore operates by monitoring all traffic on the network link where it is installed. In theory, Carnivore examines traffic and only stores data appropriate to the order under which it operates - i.e., data relating to the target of an order, or even narrower information pertaining to pen register or trap and trace orders.

Does Carnivore reveal only the information that the government is legally entitled to collect under a particular wiretap or pen register order? Because Carnivore sits on a network link carrying many customers' traffic, it has the potential to capture the traffic of customers who are not the subjects of an order. It also has the potential to capture the content of communications even when a pen register order would limit collection to addressing information.

Isolating network traffic can be technically difficult, and it is not at all clear how the Carnivore device operates. For example, Internet Protocol (IP) addresses may be used to identify the communications of a target. But in many systems such addresses are dynamically allocated and changed over time, making it quite possible to either miss communications or monitor the wrong user. Moreover, identifying the source or destination of an email message or a web site query might require a detailed examination of the contents of a data packet. It is not clear that such an analysis is permitted under a narrow pen register order.

Such a system - with easy access to unauthorized data and no current potential for oversight - creates tremendous potential for misuse. Without a detailed understanding of Carnivore's operations, it is easy to believe Carnivore could be exceeding the legal authority of a particular order - quite possibly by mistake or error.
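The dynamic-address problem described above, as an added example that is not part of this testimony and does not describe Carnivore's actual filtering: a constructed address-assignment (lease) log and a constructed set of packets, with invented user names, private addresses and RFC 5737 documentation addresses standing in for remote servers. It shows how a filter fixed to one IP address at installation time both collects a bystander's traffic and misses the target's once the address is reassigned, and how checking each packet's endpoints against the lease log at the packet's timestamp avoids both errors.

```python
"""
Added example, not from the testimony and not Carnivore's code: a constructed
capture and a constructed DHCP-style lease log showing how a filter keyed on
an IP address both over-collects (a bystander who inherits the address) and
under-collects (the target after re-assignment), and how a lease-aware filter
avoids both. Names, addresses and timestamps are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    ip: str
    user: str
    start: float  # seconds; lease active for start <= t < end
    end: float


@dataclass(frozen=True)
class Packet:
    ts: float
    src_ip: str
    dst_ip: str
    note: str


# Constructed lease log: 10.0.0.7 belongs to the target until t=200, then to an
# unrelated subscriber; the target comes back online as 10.0.0.9.
LEASES = [
    Lease("10.0.0.7", "target", 0, 200),
    Lease("10.0.0.7", "bystander", 200, 10_000),
    Lease("10.0.0.9", "target", 200, 10_000),
]

# Constructed traffic on the monitored link (RFC 5737 documentation addresses
# stand in for the remote servers).
PACKETS = [
    Packet(100, "10.0.0.7", "198.51.100.25", "target sends mail"),
    Packet(150, "198.51.100.25", "10.0.0.7", "mail server replies to target"),
    Packet(250, "10.0.0.7", "203.0.113.80", "bystander browses the web"),
    Packet(300, "10.0.0.9", "198.51.100.25", "target sends mail from new address"),
]


def user_at(ip, ts):
    """Who held `ip` at time `ts` according to the lease log (None if nobody)."""
    for lease in LEASES:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.user
    return None


def static_ip_filter(packets, ip):
    """A 'collect everything to or from this address' rule, fixed at install time."""
    return [p for p in packets if ip in (p.src_ip, p.dst_ip)]


def lease_aware_filter(packets, user):
    """Resolve each packet's endpoints against the lease log before collecting."""
    return [p for p in packets
            if user in (user_at(p.src_ip, p.ts), user_at(p.dst_ip, p.ts))]


def audit(packets, ip, user):
    """Compare the two rules: what the static filter wrongly took and what it missed."""
    static = set(static_ip_filter(packets, ip))
    correct = set(lease_aware_filter(packets, user))
    return {
        "over_collected": sorted(p.note for p in static - correct),
        "missed": sorted(p.note for p in correct - static),
    }


if __name__ == "__main__":
    print(audit(PACKETS, "10.0.0.7", "target"))
```

The lease-aware filter is only as good as the lease log it consults, which lives in the ISP's systems, not in a device installed on the link; that is one concrete reason the ISP, not an external box, is best placed to execute a narrowly targeted order.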

The technical community has developed a method to improve trust in complex systems: open source review. Review of the source code and design specifications by a community of experts might reveal mistakes, bugs, or security holes unknown to the FBI. Such mistakes are quite common in the design of complex technical systems. More importantly, open source review of Carnivore's hardware, software, and technical design is essential to improving public understanding of what Carnivore does and does not do. And it is essential to ensuring that Carnivore does not exceed its legal authority.

Some will likely argue that revealing source code will compromise the effectiveness of Carnivore. If true, one must question the general security and usefulness of a system that can be so easily circumvented by anyone with knowledge of its operation.

Carnivore is not Controlled by ISPs

Even with open review of Carnivore's system, installation of a "black box" outside of an ISP's control creates new privacy and security risks.

Is Carnivore itself a secure system? Can it be compromised? Does it provide secure audit trails, and is it tamper resistant? Without a fuller understanding of how Carnivore works, it is difficult to answer these questions. But the risks are high: If Carnivore, an eavesdropping device with access to a vast stream of traffic independent of any ISP control, were itself somehow compromised, the damage could be tremendous.

Even with a more complete understanding of its operations, the parameters for how Carnivore is used once installed are likely to be extremely important. Such parameters could control who the targets are, how they are identified, and what information is collected about them. With Carnivore, ISPs appear to have no control over how the system operates. Such a system again provides no checks on its use, and is an invitation for misuse or mistake.

ISPs themselves are in the best position to comply with lawful orders for electronic surveillance. ISPs have a dual duty, to both produce information for law enforcement and to protect the privacy of their customers by only revealing such information where required by lawful order. Moreover, ISPs are in the best position to understand their own networks and the most effective ways of complying with lawful orders. They are also in the best position to understand potential implications or threats from installation of a Carnivore device.

Pen Registers do not Translate Neatly Onto the Internet

Carnivore's apparent attempt to extend "pen registers" and "trap and trace" orders for telephone surveillance into the Internet is not a simple matter. Capturing Internet origin and destination addresses instead of "numbers dialed" could create a much more intrusive form of surveillance that is not clearly supported by law, and is not justified given the current low standard for authorization.

The Electronic Communications Privacy Act of 1986 (ECPA) adopted the pen register and trap and trace statute, 18 USC § 3121 et seq., governing real-time interception of "the numbers dialed or otherwise transmitted on a telephone line." (A pen register collects the "electronic or other impulses" that identify "the numbers dialed" for outgoing calls and a trap and trace device collects "the originating number" for incoming calls. While the functions provided by these devices are different, for simplicity I refer mainly to pen register orders; analogous arguments hold for trap and trace orders.) To obtain such an order, the government need merely certify that "the information likely to be obtained is relevant to an ongoing criminal investigation." 18 USC §§ 3122-23.

Extending the use of pen registers in new telephone devices and services - such as pagers, or numbers dialed after a call is completed - has been the subject of great debate.(1) But Carnivore is indicative of a whole new and problematic expansion of the pen register to the Internet.

The origin and destination of a particular Internet message are not easily defined. In the packet-switched Internet, the literal "destination" of an intercepted packet is often just the far end of the link on which it is observed. Origin or destination depends on what layer of the Internet protocol stack one looks at. For a single email packet, the destination could be viewed as the Ethernet address in the frame header, which names only the next machine on the local network; the IP address of an ISP's mail server (also in the packet header); the To: line of an email message buried within the packet's body; or even other routing information within the email message ("Give this message to Harry," or instructions for a remailer). Finding the addressee of an email or the name of a web site being visited - if that is what law enforcement is seeking - will often require analysis of the content of packets, not just the header information.

For example, attached in Example 1 is a sample IP packet captured from CDT's network on its way to our ISP. The packet is an email message from me to Paul Taylor, a member of the Committee staff. The header of the message shows the IP addresses of the packet's origin (a computer at CDT) and destination (our ISP's mail server, which will next send the packet to the House mail server). To find out whom the email inside the packet is addressed to, one would need to read and analyze the contents of the packet. Example 2 shows a similar example for a visit to Chairman Canady's web page; finding the "destination" Uniform Resource Locator, or URL (the web site address, like http://www.cdt.org/), would require looking in the body of the packet. We have no idea if this is what Carnivore is doing, but to the extent that law enforcement seeks origin and destination addresses that are more than link IP addresses they will be forced to analyze the contents of packets.

Origin and destination on the Internet are also much more revealing pieces of information than "numbers dialed." In the case of someone visiting a website, the URL can disclose specific pages visited, books browsed, or items purchased. And as people move more of their lives online, a list of emails sent or web sites visited can provide a very detailed dossier of activities - all available without the heightened protections of a wiretap or even a standard Fourth Amendment warrant.

For example, attached in Example 3 is a sample IP packet showing a search for a book on the Barnes and Noble web site. Again, the IP address information is available in the header and finding the URL requires a search through the body of the message. In this case, the URL includes revealing information about what books the user is looking at - here, books on prostate cancer. Taken together, a collection of such "destination" information could generate a revealing dossier of a person's interests and activities.
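The layering point made above, together with the attached Examples 1 through 3, as an added example that is not part of the testimony and is not Carnivore's code. It is a small Python decoder for the Ethernet, IPv4 and TCP headers with a separate step that parses the payload, so that the two kinds of "destination" can be compared side by side. The two frames it builds are reconstructed from the addresses, ports and text printed in Examples 1 and 3 (checksums zeroed, sequence numbers omitted); they are not the captured bytes, and the function and field names are my own.

```python
"""
Added example; not part of the testimony and not Carnivore's code. A small
Ethernet/IPv4/TCP decoder that separates the header fields a link-level
"pen register" could report (MAC and IP addresses, ports) from the fields
that exist only inside the payload (the e-mail recipient, the full URL with
its query string). The two frames are reconstructed from the values printed
in Examples 1 and 3, with zeroed checksums; they are not the captured bytes.
"""
import socket
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
HTTP_METHODS = ("GET", "POST", "HEAD")


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Assemble a minimal Ethernet + IPv4 + TCP frame around `payload`."""
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), ETHERTYPE_IPV4)
    # IPv4: version/IHL, TOS, total length, id, DF flag, TTL, proto, checksum (zeroed), addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x6638, 0x4000, 255,
                     PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # TCP: ports, seq, ack, data offset 5 words, PSH|ACK, window 17520, checksum (zeroed), urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 17520, 0, 0)
    return eth + ip + tcp + payload


def pen_register_view(frame):
    """Decode only the link, IP and TCP headers; return them with the raw payload."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _cks, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[ETH_LEN:ETH_LEN + 20])
    if proto != PROTO_TCP:
        raise ValueError("not TCP")
    tcp_off = ETH_LEN + (vihl & 0x0F) * 4
    sport, dport, _seq, _ack, doff = struct.unpack("!HHIIB", frame[tcp_off:tcp_off + 13])
    payload = frame[tcp_off + (doff >> 4) * 4:ETH_LEN + total_len]
    headers = {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "src_port": sport, "dst_port": dport,
    }
    return headers, payload


def _fields(lines):
    """Split 'Name: value' lines (HTTP or RFC 822 style) into a lower-cased dict."""
    out = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out


def content_view(frame):
    """Parse the payload as well: the step a header-only order does not authorize."""
    headers, payload = pen_register_view(frame)
    head = payload.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    request = lines[0].split(" ")
    result = dict(headers)
    if request[0] in HTTP_METHODS and len(request) >= 2:
        fields = _fields(lines[1:])
        if "host" in fields:          # HTTP/1.0 request target plus Host header
            result["url"] = "http://" + fields["host"] + request[1]
    else:                             # treat the payload as RFC 822 message headers
        fields = _fields(lines)
        if "to" in fields:
            result["mail_to"] = fields["to"]
    return result


# Constructed payloads carrying the values shown in Examples 3 and 1.
HTTP_FRAME = build_frame(
    "00:80:19:42:21:68", "00:d0:58:a9:30:52", "207.226.3.43", "208.158.245.141", 1559, 80,
    b"GET /booksearch/results.asp?WRD=prostate+cancer&userid=4MOT3F70ED HTTP/1.0\r\n"
    b"Referer: http://www.bn.com/\r\nHost: shop.barnesandnoble.com\r\n\r\n")
MAIL_FRAME = build_frame(
    "00:80:19:42:21:68", "00:d0:58:a9:30:52", "207.226.3.43", "216.32.69.186", 2064, 25,
    b"Date: Fri, 21 Jul 2000 17:27:27 -0400\r\nTo: paul.taylor@mail.house.gov\r\n"
    b"From: Alan Davidson <abd@cdt.org>\r\nSubject: Thanks for your help\r\n\r\nPaul,\r\n")

if __name__ == "__main__":
    for frame in (HTTP_FRAME, MAIL_FRAME):
        print("headers only:", pen_register_view(frame)[0])
        print("with payload: ", content_view(frame))
```

pen_register_view returns nothing beyond what appears on lines 2 through 6 of the tcpshow output; the query string revealing the book search and the e-mail's To: line appear only from content_view. Two caveats a real decoder must handle: the recipient the mail server actually delivers to is the SMTP RCPT TO envelope address, sent in an earlier packet of the same connection, and an HTTP keep-alive connection carries many requests, so in both cases the eavesdropper has to reassemble the whole TCP stream rather than inspect a single packet.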

All of this raises Fourth Amendment questions for pen registers online. Courts have found that consumers have no "expectation of privacy" in the digits they dial on a telephone.(2) It may very well be that, given the revealing nature of Internet transactional information, users do have a reasonable expectation of privacy in the URLs of web sites they visit and the email addresses of those with whom they communicate.

At the very least, Congress should raise the standards for use of pen registers in the Internet context. Under the current standards, a judge "shall" approve any request signed by a prosecutor certifying that "the information likely to be obtained is relevant to an ongoing criminal investigation." 18 USC §§ 3122-23. This is a low standard of proof, similar to that for a subpoena, and judges are given little discretion in the granting of orders. Investigators have broad leeway to seek orders without, for example, any indication that the targets have been involved in criminal wrongdoing themselves, and without the probable cause required for searches under Fourth Amendment standards.

A large number of pen registers are executed each year with little public oversight. Unlike wiretaps, there are no national reporting requirements on the use of pen registers. The Justice Department reports on its own use, but this does not include numerous federal, state and local uses. Congress should extend the wiretap reporting requirements to pen registers.

3. Reinvigorating the Fourth Amendment in Cyberspace

Electronic privacy and surveillance are today governed by a complex statutory and constitutional framework that has slowly eroded in the face of technological change. (For a complete review of this framework and its evolution, please see CDT's Testimony before the Subcommittee in April 2000.) Remarkably, ECPA was the last significant update to the privacy standards of the electronic surveillance laws. Astonishing and unanticipated changes have occurred since then, including --

the development of the Internet and the World Wide Web as mass media;

the convergence of voice, data, video, and fax over wire, cable and wireless systems;

the proliferation of service providers in a decentralized, competitive communications market;

the movement of information out of people's homes or offices and onto networks controlled by third parties; and

the increasing power of hand-held computers and other mobile devices that access the Internet and data stored on networks.

These changes have left gaps and ambiguities in the surveillance law framework. Most fundamentally, as a result of these changes personal data is moving out of the desk drawer and off of the desktop computer and out onto the Internet. More and more, this means that information is being held and communicated in configurations where it is in the hands of third parties and not afforded the full protections of the Fourth Amendment under current doctrine. The government argues that this is a choice people make - you can keep the data in your own home and you can stay off the Internet if you care about privacy. But in a world where the Internet is increasingly essential for access to commerce, community, and government services, personal privacy should not be the price of living online. Rather, it is necessary to adopt legislative protections that map Fourth Amendment principles onto the new technology.

To update the privacy laws, Congress could start with the following issues:

Increase the standard for pen registers.

Define and limit what personal information is disclosed to the government under a pen register or trap and trace order served on Internet service providers.

Add electronic communications to the Title III exclusionary rule in 18 USC §2515 and add a similar rule to the section 2703 authority. This would prohibit the government from using improperly obtained information about electronic communications.

Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage.

Improve the notice requirement under ECPA to ensure that consumers receive notice whenever the government obtains information about their Internet transactions.

Require statistical reports for §2703 disclosures, similar to those required by Title III.

Make it clear that Internet queries are content, which cannot be disclosed without consent or a probable cause order.

Provide enhanced protection for information on networks: probable cause for seizure without prior notice, and a meaningful opportunity to object for subpoena access.

The recent White House announcement(3) on privacy and surveillance helpfully adopts many of these proposals. Extension of the wiretapping exclusionary protections to electronic interceptions is a particularly welcome step. Increasing the standard for pen registers is an improvement, but will not be sufficient if such orders are applied broadly (i.e., include URLs) to the Internet. On the other hand, expansion of the Computer Fraud and Abuse Act is an unwelcome criminalization of an unnecessarily broad range of activities online. And the proposal fails to address the need for heightened protections for private data held in the hands of third parties. CDT is prepared to work with Congress and the Justice Department to continue to flesh out the needed privacy enhancements, and to convene DPSWG as a forum for discussion and consensus building on these issues.

4. Conclusion

The Carnivore system demands greater public oversight and attention. More broadly, it speaks to the need for modernization of our surveillance laws and greater privacy protections to counteract the real threats to privacy online.

Protecting national security and public safety in this new digital age is a major challenge and priority for our country. These new technologies are likely to make law enforcement's job harder in some ways, and it appears likely that some of the traditional methods of surveillance and information gathering will have to change in this new medium. On balance, however, we believe that the new sources of data and new tools available will prove to be a boon to government surveillance and law enforcement.

Carnivore demonstrates a real danger: The attempt to literally translate all current surveillance capabilities directly onto the Internet may not be possible or desirable in all cases, or may require new privacy protections. The demand that every current offline capability be directly implemented online should not become an excuse for creating a massive technical architecture for surveillance that, given the nature of the Internet, could be far more invasive than anything we have seen to date.

House Rule XI, Clause 2(g)(4) Disclosure: Neither Alan Davidson nor CDT has received any federal grant, contract, or subcontract in the current or preceding two fiscal years.

Example 1 - Sample IP Packet - Email Message(4)

1 TIME: 17:25:32.394378 (0.314456)
2 LINK: 00:80:19:42:21:68 -> 00:D0:58:A9:30:52 type=IP
3 IP: 207.226.3.43 -> 216.32.69.186.25 hlen=20 TOS=00 dgramlen=472 id=3DC2
4 MF/DF=0/1 frag=0 TTL=255 proto=TCP cksum=4B75
5 TCP: port 2064 -> smtp seq=0122753662 ack=4082691367
6 hlen=20 (data=432) UAPRSF=011000 wnd=17520 cksum=C20C urg=0
7 DATA: X-Sender: aaron@mail.cdtmail.org.
8 Message-Id: <p0432041ab59e704b5ca9@[207.226.3.43]>.
9 Date: Fri, 21 Jul 2000 17:27:27 -0400.
10 To: paul.taylor@mail.house.gov.
11 From: Alan Davidson <abd@cdt.org>.
12 Subject: Thanks for your help.
13 Content-Type: text/plain; charset="us-ascii" ; format="flowe
14 d".
15 .
16 Paul,.
17 .
18 Thanks for your help in locating a projector for Monday's he
19 aring. I .
20 will be forwarding my testimony shortly..
21 .
22 Alan Davidson.
23 ..

This data packet was collected from CDT's network while a computer on the network sent an e-mail message from me to Paul Taylor, a member of the committee staff.

The header of the packet includes the source and destination IP addresses (line 3). In this case the source 207.226.3.43 is a computer at CDT and the destination 216.32.69.186 is our ISP's mail server (the trailing ".25" on line 3 is the SMTP port number, shown again as "smtp" on line 5, not part of the address). Nothing in the IP or TCP header says where the message will go next; the mail server decides that from the recipient address carried inside the message, and then relays it to the House mail server. The header of the packet also contains local Ethernet source and destination information (line 2).

This packet is an example of how the "payload" or contents of the packet would have to be analyzed in order to retrieve the address of the email recipient. The e-mail's addressing information is contained in this data section (line 10), which also contains the subject of the message and the actual message text. Even this is not the whole story: the recipient that the mail server actually delivers to is given by the SMTP "RCPT TO" command, which travels in an earlier packet of the same connection, so an eavesdropper seeking the recipient must follow the entire connection, not just this packet.

Example 2 - Sample Web Packet (Chairman Canady's Web Site) (5)

1 TIME: 15:12:13.326012 (0.722398)
2 LINK: 00:80:19:42:21:68 -> 00:D0:58:A9:30:52 type=IP
3 IP: 207.226.3.43 -> 143.231.86.196 hlen=20 TOS=00 dgramlen=372 id=3216
4 MF/DF=0/1 frag=0 TTL=255 proto=TCP cksum=8EB4
5 TCP: port symplex -> http seq=0914855425 ack=1136120663
6 hlen=20 (data=332) UAPRSF=011000 wnd=17520 cksum=7838 urg=0
7 DATA: GET /canady/p74.jpg HTTP/1.0.
8 Referer: http://www.house.gov/canady/.
9 Connection: Keep-Alive.
10 User-Agent: Mozilla/4.72 (Macintosh; U; PPC).
11 Pragma: no-cache.
12 Host: www.house.gov.
13 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
14 image/png.
15 Accept-Encoding: gzip.
16 Accept-Language: en.
17 Accept-Charset: iso-8859-1,*,utf-8.
18 .

This data packet was collected from CDT's network while a computer on the network was viewing a page on Chairman Canady's web site.

The header of the packet includes the source and destination IP addresses (line 3). In this case the source 207.226.3.43 is a computer at CDT and the destination 143.231.86.196 is a House of Representative web server. The header of the packet also contains local Ethernet source and destination information.

This packet is an example of how the "payload" or contents of the packet would have to be analyzed in order to retrieve the web address being viewed. In this case the URL of the item being viewed, an image on Chairman Canady's web site, must be assembled from two places in the contents of the packet: the request line (line 7, giving the path /canady/p74.jpg) and the Host header (line 12, giving www.house.gov), yielding www.house.gov/canady/p74.jpg.

Example 3 - Sample Web Packet (Barnes & Noble.com Web Site) (6)

1 TIME: 15:02:27.439225 (0.111930)
2 LINK: 00:80:19:42:21:68 -> 00:D0:58:A9:30:52 type=IP
3 IP: 207.226.3.43 -> 208.158.245.141 hlen=20 TOS=00 dgramlen=695 id=6638
4 MF/DF=0/1 frag=0 TTL=255 proto=TCP cksum=79CE
5 TCP: port 1559 -> http seq=3306680833 ack=0184661700
6 hlen=20 (data=655) UAPRSF=011000 wnd=17520 cksum=C1DE urg=0
7 DATA: GET /booksearch/results.asp?WRD=prostate+cancer&userid=4MOT3
8 F70ED HTTP/1.0.
9 Referer: http://www.bn.com/.
10 Connection: Keep-Alive.
11 User-Agent: Mozilla/4.72 (Macintosh; U; PPC).
12 Host: shop.barnesandnoble.com.
13 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
14 image/png, */*.
15 Accept-Encoding: gzip.
16 Accept-Language: en.
17 Accept-Charset: iso-8859-1,*,utf-8.
18 Cookie: SITESERVER=ID=3b671bc4c04048950bc8a20a61c31d96; brow
19 serid=BITS=0&OS=4&VERSION=4%2E72&AOLVER=0&BROWSER=1; Shopper
20 Manager%2FBNShop=SHOPPERMANAGER%2FBNSHOP=2D9DNPCEB6S92MJ1001
21 PQUW93SAR9582; userid=2NW5T2ANM7; SalesURL=Rwww%2Ebn%2Ecom%2
22 F; ASPSESSIONIDQGQGQQCD=NACHKFKCMBPBEANEEODHLDAI.

This data packet was collected from CDT's network while a computer on CDT's network was searching the Barnes & Noble web site for books relating to "prostate cancer."

The header of the packet includes the source and destination IP addresses (line 3). In this case the source 207.226.3.43 is a computer at CDT and the destination 208.158.245.141 is a web server affiliated with Barnes & Noble.com. The header of the packet also contains local Ethernet source and destination information.

The information about the specific web page that the CDT computer viewed is contained in the packet's data section. The URL shown here:

http://shop.barnesandnoble.com/booksearch/results.asp?WRD=prostate+cancer&userid=4MOT3F70ED

also provides information about what books are being viewed - in this case, books about prostate cancer.

(1) See, e.g., Brown v. Waddell, 50 F.3d 285, 290-91 (4th Cir. 1995) (refusing to classify a digital display pager clone as a pen register).

(2) See Smith v. Maryland, 442 U.S. 735 (1979). The Court's reasoning relied in part on its understanding that "pen registers do not acquire the contents of communications."

(3) See Ted Bredis, Updating of Wiretap Law for E-Mail Age is Urged by the Clinton Administration, Wall St. J., July 18, 2000, at A3.

(4) The tools used in the packet collection are freeware tools available for UNIX operating systems. The packet sniffing was done by tcpdump, written by Van Jacobson, Craig Leres and Steven McCanne of the Lawrence Berkeley National Laboratory. The formatting of the packets into text was done by tcpshow, written by Mike Ryan. In tcpshow's output each non-printable byte of the data section (here the line-ending characters) is printed as a period.

(5) Same tools as note 4.

(6) Same tools as note 4.