Statement of Tom Perrine

Computer Security Office, San Diego Supercomputer Center

Subcommittee on the Constitution

Monday, July 24, 2000

Mr. Chairman, and Members of the Subcommittee. Thank you for inviting me to testify on this important subject.

From the beginning of my career in computer security, I have always been an advocate of personal privacy, unrestricted personal access to strong encryption, and less government oversight and intervention in the lives of law-abiding citizens. In the course of my career I have also designed and developed computer systems to protect classified government information, deployed nation-wide security systems to protect privacy and intellectual property and consulted on computer security to educational institutions, the Department of Defense and public and private organizations. Due to my work in detecting and analyzing computer intrusions, I also understand and support legitimate law enforcement access to Internet traffic.

Introduction

I believe that this current debate over the FBI's new digital wiretap tool, commonly known as "Carnivore", is really about the risks in naively attempting to simply translate the policies, law and practices of telephone wiretaps into the digital realm of the Internet. The Internet is fundamentally different from the telephone system. As we attempt to provide access to Internet traffic for the legitimate purposes of law enforcement, we must be exceptionally careful to avoid extending the scope and depth of current wiretap and surveillance access in new and unintended ways.

However, in order to get to the heart of the matter, it is necessary to describe the Carnivore system and describe its abilities to monitor the Internet. Additionally, I will describe how the Internet is different from the telephone system, and illuminate some problem areas that may open the door to extending the government's ability to monitor citizens in unintended and intrusive directions.

Privacy and Security at the San Diego Supercomputer Center

In my current duties, I wear two hats, one as a protector of privacy and the other as a security researcher.

As the security officer for the San Diego Supercomputer Center (SDSC) my primary and overriding mission is to protect the privacy and intellectual property of the users of the Center. SDSC is a national laboratory for computational science and engineering. With about 6000 users, several hundred computers and five supercomputers, including the world's 9th fastest supercomputer (Blue Horizon), terabytes of data and numerous high-speed network connections, we are under constant attack by would-be computer intruders. SDSC's users are performing basic research in fields as wide-ranging as astrophysics, engineering, life sciences, ecology and medicine. Premature publication, destruction, modification or theft of their data could have implications ranging from academic embarrassment through the theft of intellectual property worth millions (or possibly even billions) of dollars.

As a security researcher and the Principal Investigator of the Pacific Institute for Computer Security (PICS), I am constantly working to determine future threats to the computers attached to the public Internet, as well as threats to the actual Internet infrastructure itself. Researchers at PICS have in the past discovered software flaws in popular operating systems as well as vulnerabilities in the basic protocols of the Internet. I provided testimony on this topic to the President's Commission on Critical Infrastructure Protection.

The San Diego Supercomputer Center, the Pacific Institute for Computer Security and other security activities are sponsored in large part by U. S. Government activities. These include the National Science Foundation, the National Institutes of Health, the Department of Defense, the Institute for Defense Analyses, the National Security Agency and the FBI. PICS' involvement with the FBI has been limited to a small amount of technical assistance for the San Diego office. PICS and other SDSC staff have provided expert testimony in cases involving child pornography and computer intrusions.

It was as a PICS researcher, discussing critical infrastructure vulnerabilities with the FBI, that I became aware of and was afforded a chance to see the hardware and software product known as "Carnivore". The date was June 20th of this year, and the location was the FBI's Engineering Research Facility (ERF) in Quantico.

There are several important issues at play here, and the capabilities and purpose of Carnivore may be the least important. All of my observations concerning Carnivore itself must be considered in the context of my very limited access to Carnivore. I can only testify about what I was told and what I observed concerning Carnivore over a very short period of time.

What is Carnivore?

First of all, what is Carnivore? In technical terms, Carnivore is a high-speed packet "sniffer" with aggressive filtering capabilities. It examines all the data packets passing through a network, and filters out data that does not meet its filtering criteria. In layman's terms, Carnivore is a digital wiretap capable of discarding all information that is not to or from or concerning the subject of the wiretap order.

In fact, other than its fancy, easy to use graphical user interface, and its ability to monitor high-capacity networks, Carnivore is not very different from the various packet sniffer programs available to network managers, system administrators, home computer users and so-called "hackers".

By analogy, if the network is the cellular phone system, packet sniffers are radio scanners, capturing or listening to all data that goes by in the air or on the wire. Also by analogy, Carnivore is a "smarter" scanner, capable of detecting and recording only those phone calls to or from a specific person, or containing certain key words, and not listening to all the other users of the cellular system.

Carnivore's major technical novelty is its apparent aggressive intent to avoid capturing data concerning those that are not the subjects of a wiretap order. It is functionally very similar to software written by Dr. Andrew Gross (of the Kevin Mitnick case) while he was the Principal Investigator of PICS in 1997.

Physically, Carnivore is a personal computer with a network interface and a ZIP or Jaz removable disk drive, running a version of the Microsoft Windows operating system, with the Carnivore software loaded. In order to use Carnivore, it must be physically attached to the network to be monitored. The Carnivore software has a Graphical User Interface (GUI) which presents the user with an easy-to-use way to describe the filters that are to be used in accepting (and recording) or rejecting network data seen by the system. The user interface was designed to be used by a less-technical user, such as an FBI Special Agent in the field. The version of Carnivore I saw, as it was described to me, had few provisions for remote access to the gathered data, but did have the capability to be monitored itself from a remote site via telephone. As described to me, this was so that the technical support staff at the ERF could assist with technical problems, and so the assigned Special Agent could determine when the removable media needed to be changed. This remote access method would also allow a remote user to change the filtering criteria from a remote site via a telephone call.

As described to me, all gathered data was written to a ZIP or Jaz removable disk drive, and the data would be physically collected by a Special Agent visiting the site. There are issues involving the collection, storage, custody, and admissibility of digital evidence. I believe that this physical collection of the evidence is a conscious effort to move this "digital" evidence into the realm of physical evidence, which is well understood by and more comfortable to the legal system. Although the system is capable of transmitting some gathered data via the telephone connection, this is impractical given the relative bandwidth of the telephone and the high-speed networks being monitored.

What is Carnivore Not?

Carnivore does not appear (on its face) to be an ECHELON-like "monitoring infrastructure", capable of real-time monitoring of millions of phone calls and network connections. Based on my limited examination of Carnivore, and technical discussions with its developers, it appears to be a tool specifically designed to meet the rigid requirements of a Title III wiretap order. Such an order is supposed to be a narrowly drawn and rigidly interpreted permission from a judge to monitor the electronic activities of a specific person or persons.

Quite frankly, Carnivore appears to be the best available technology to try to implement the limited permissions to monitor granted by a judge. The device is capable of filtering out information concerning those not subject to the wiretap order.

However, Carnivore is just a tool, and its capabilities must be considered in the context of how it could be used, the potential for intentional and unintentional abuse, and the critical need to consider the privacy and constitutional rights of citizens.

Privacy is "Extrinsic" to technology

Carnivore is just a tool. It is a tool that appears to be designed to be able to allow the FBI to balance the rights of citizens against the permission to monitor granted by a judge in a wiretap order. However, it is how the tool is used that will actually determine whether or not the privacy of innocent and uninvolved people will be violated.

Carnivore has the ability to filter out all "un-allowed" information, but like any network sniffer, the actual data collected or rejected is a matter of the configuration of the device. It is obvious that there is nothing to stop a person from using Carnivore (or any other packet sniffing tool) to gather all the network information they can store.
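To make the point concrete, here is an added example (my own illustration, not the testimony's text and not FBI code): a toy packet filter in which the very same capture loop records a single subject or everyone on the segment, the only difference being the filter it is handed. It also includes the kind of audit check an outside reviewer would want: a count of recorded packets in which neither endpoint is an authorized subject. All addresses (RFC 5737 documentation ranges) and traffic are constructed for the example.

```python
# Added example (not from the testimony, not FBI code): a toy packet filter
# showing that the same sniffer records one subject or everyone depending only
# on its filter configuration, plus an audit over what it recorded.
# All addresses and traffic below are constructed for the example.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set


@dataclass(frozen=True)
class Packet:
    src: str      # source address (constructed, RFC 5737 documentation ranges)
    dst: str      # destination address
    payload: str  # stand-in for the packet contents


# Constructed sample traffic on a shared segment: one subject, several bystanders.
SUBJECT = "192.0.2.10"
SAMPLE_TRAFFIC = [
    Packet("192.0.2.10", "198.51.100.5", "subject: outbound mail"),
    Packet("198.51.100.5", "192.0.2.10", "reply to subject"),
    Packet("192.0.2.11", "198.51.100.7", "bystander: web request"),
    Packet("192.0.2.12", "198.51.100.5", "bystander: mail to the same server"),
    Packet("198.51.100.9", "192.0.2.11", "bystander: download"),
]


def subject_filter(subject: str) -> Callable[[Packet], bool]:
    """Narrow filter: accept only packets whose source or destination is the subject."""
    return lambda p: subject in (p.src, p.dst)


def capture_everything(_: Packet) -> bool:
    """Wide filter: the configuration that turns the same tool into mass monitoring."""
    return True


def run_capture(traffic: Iterable[Packet], accept: Callable[[Packet], bool]) -> List[Packet]:
    """Model of the sniffer: every packet on the wire is seen, only accepted ones are kept."""
    return [p for p in traffic if accept(p)]


def out_of_scope(captured: Iterable[Packet], authorized: Set[str]) -> List[Packet]:
    """Audit check: recorded packets in which neither endpoint is an authorized subject.

    The far end of a subject's own conversation is unavoidably recorded, so it
    is not flagged; a packet with no authorized subject at either end should
    never appear in a properly configured capture.
    """
    return [p for p in captured if p.src not in authorized and p.dst not in authorized]


if __name__ == "__main__":
    narrow = run_capture(SAMPLE_TRAFFIC, subject_filter(SUBJECT))
    wide = run_capture(SAMPLE_TRAFFIC, capture_everything)
    print(f"narrow filter kept {len(narrow)} of {len(SAMPLE_TRAFFIC)} packets, "
          f"{len(out_of_scope(narrow, {SUBJECT}))} out of scope")
    print(f"wide filter kept {len(wide)} of {len(SAMPLE_TRAFFIC)} packets, "
          f"{len(out_of_scope(wide, {SUBJECT}))} out of scope")
```

Nothing in `run_capture` knows whether it is serving a narrow order or mass monitoring; that knowledge lives entirely in the filter passed to it, which is why an audit has to look at the active configuration and the recorded data rather than at the tool.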

The fundamental issue really boils down to:

How do we balance the government's legitimate need to monitor suspects in ongoing criminal investigations without trampling the rights of other citizens who happen to share the Internet with them?

Carnivore appears to be an attempt to strike such a balance. However, it still may open too many possibilities for abuse, error and other unintended consequences.

Any technology, once created, can be abused. Automobiles enabled bank robbers to flee across state lines; pagers, cellular and portable telephones enable the illegal drug dealer. Packet sniffers are one tool of the "hacker", but are also needed by the network manager. These are all "dual-use" technologies, having both legitimate and non-legitimate uses. It is the use that determines intent and effect; the technology just enables the capabilities.

Of course, the ultimate concern of citizens should be the possibility of "mass monitoring" of all the users at an Internet Service Provider (ISP), a company, a University, or a state or a country. The technology already exists, it is simply a matter of time and money to deploy this technology on the scale required to achieve the goal.

The Internet is Different

The Internet is fundamentally different from the original analog telephone system. This is important to understand, because almost all of our legislation, legal precedent and practice in monitoring the Internet are derived from the old analog telephone system.

The telephone system is a collection of tightly integrated systems, operated by various companies, sharing a common switching technology. Without this underlying common technology, the various parts of the system would be unable to communicate with each other in order to provide a telephone connection between the callers. In the telephone world, a wiretap order is often implemented by the telephone service provider. In this case, the law enforcement agency delivers a directive to the operators of the subject's telephone service provider, and the service provider performs whatever action is needed to provide access to the subject's telephone calls. The calls are typically voice, not too frequent, and listened to in "real time" by people, in addition to any recordings that may be made. All of these factors provide a "gating" function that limits the scale and scope of any surveillance activities. It is simply infeasible for the government to implement wide-scale monitoring of large numbers of people, due to the need for cooperation from the telephone service providers and the labor-intensive nature of the surveillance. This is likely a major reason that the National Security Agency and other government agencies have long sponsored basic research in speech recognition.

However, the Internet is fundamentally different, and with Carnivore and other systems, the monitoring activity is different as well. It is apparent that the digital nature of the Internet allows a wider net to be cast, at a lower cost than in the telephone world. The Internet is a digital medium, and most of its data remains text-based. These two attributes combine to make it very easy to use computers to process large amounts of collected data. Textual data is much easier and cheaper to process than voice telephone, for example. Also, the government installs Carnivore with little or no participation from the Internet Service Provider (ISP). The ISP has no way of knowing what data is being gathered or who the target of the wiretap may be. As previously mentioned, the filtering done by Carnivore can be changed remotely, without the knowledge of the ISP, as well.

All of these factors combine to provide a capability that is broader and more scalable than in the analog telephone world, for which most of the wiretap statutes were written.

It is important to ensure that any digital wiretap capability and law does not allow what Dr. Steve Bellovin of AT&T calls "scaling up to oppression". It should remain relatively expensive for the government to monitor its citizens, so that this capability will be reserved for those exceptional cases that warrant electronic surveillance and discourage casting a wide net that will gather in information about unintended bystanders.

Any digital wiretap systems and law must provide the same protections, checks and balances that exist in the telephone world. It is not obvious that this is currently the case. It seems likely that the "law of unintended consequences" applies and that current digital wiretap capabilities and legal constraints do not provide the same protections as in the telephonic environment.

Control, Oversight and Accountability

If a "dual-use" technology such as Carnivore or other network monitoring tools exists, the only way to protect against misuse is to find ways to discourage or punish abuse.

This is explicitly embodied in current wiretap law, where there are consequences ranging from inadmissibility of evidence up to criminal prosecution for an improperly performed wiretap. But in order to impose these consequences, the improper activities must be discovered. Also, by the nature of a telephonic wiretap, the scope of the wiretap is limited to a small number of telephones and the people who use them. With a digital wiretap, such as Carnivore, only the FBI knows who is the subject of the wiretap, and whether or not data concerning other people is actually being gathered.

It would be trivial for the FBI to monitor ten or a hundred or a thousand (or more) people with a single Carnivore system, using a wiretap order which only authorized monitoring of a single subject. Essentially there is no way for any outside entity to know the configuration of the filters in a Carnivore system, or the true capabilities of the Carnivore system without examining the source code of the system during installation and during the monitoring itself.

Carnivore and Open Source

The ACLU and others have called for publication of or access to the source code of the Carnivore system. While interesting, this is unfortunately insufficient to determine the true capabilities of a particular Carnivore system as installed for any given wiretap order. The function of a Carnivore system is determined both by the program and by the filter configuration active at any moment in time.

A one-time publication or review of the source code would provide only a "snapshot" of Carnivore's capabilities, and it might be difficult to prove that the Carnivore program installed at an ISP was actually built from the sources reviewed. Since Carnivore is under constant development, the snapshot reviewed would be out-of-date within a few weeks. A review of the source code would not indicate the filters installed in a Carnivore system at any given time.

In the computer security and cryptography communities, no claims are accepted until programs or algorithms have undergone public scrutiny and peer review. Typically, security-relevant software then remains in the public purview, with many contributors making incremental improvements and continuing the review process. For our computers, and those at any site truly concerned with security, Open Source security tools are compiled from publicly available, peer-reviewed source code. These programs are widely trusted because it is believed that this public scrutiny would find and publicize most flaws and any "secret" functions. This affords a high level of confidence that these programs perform their stated functions properly and do not perform any inappropriate functions.

It may be that, to provide this level of confidence, the source code for Carnivore would need to become publicly available, and that ISPs be permitted to acquire, examine, compile and configure the Open Source Carnivore software. Interestingly, this is more analogous to the current telephonic wiretap (installed by the telephone service provider) than the current use of Carnivore.
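The two gaps identified above, that a source review is only a snapshot and that it says nothing about the filters in force, can both be made checkable if the audit record commits to what is actually running. The following is an added example (my own illustration, not the testimony's text and not FBI or ACLU code) of such a record: it hashes the installed program bytes together with a canonical form of the active filter configuration, compares the program against the hash of the reviewed source, and checks the filter against the subjects named in the order. The source text, hashes, configurations and addresses are constructed for the example. One assumption is worth stating: hashing the installed program against a source hash only works when the thing installed is the reviewed source itself (a script) or the build is reproducible; for an opaque compiled binary the comparison must be against a hash of a binary built from the reviewed sources under known conditions.

```python
# Added example (not from the testimony, not FBI code): an audit record that
# commits to both the program actually installed and the filter configuration
# active at that moment, with checks against the reviewed source and the order.
# Source text, hashes and configurations below are constructed for the example.
import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for source code that reviewers examined and approved.
REVIEWED_SOURCE = (
    b"def accept(packet, subjects):\n"
    b"    return packet.src in subjects or packet.dst in subjects\n"
)
REVIEWED_SOURCE_HASH = sha256_hex(REVIEWED_SOURCE)


def audit_record(installed_program: bytes, active_filter: Dict) -> Dict[str, str]:
    """Snapshot of what is running right now.

    The program hash alone says nothing about scope, so the filter configuration
    is hashed alongside it. The filter is serialised as canonical JSON (sorted
    keys, no whitespace) so that key order cannot change the digest.
    """
    canonical = json.dumps(active_filter, sort_keys=True, separators=(",", ":")).encode()
    return {
        "program_sha256": sha256_hex(installed_program),
        "filter_sha256": sha256_hex(canonical),
    }


def verify_installation(record: Dict[str, str], active_filter: Dict,
                        reviewed_hash: str, order_subjects: List[str]) -> List[str]:
    """Return a list of findings; empty means the installed program matches the
    reviewed source and the filter stays within the subjects named in the order."""
    findings = []
    if record["program_sha256"] != reviewed_hash:
        findings.append("installed program does not match the reviewed source")
    if active_filter.get("capture_all", False):
        findings.append("filter is configured to record all traffic")
    extra = sorted(set(active_filter.get("subjects", [])) - set(order_subjects))
    if extra:
        findings.append(f"filter names subjects not in the order: {extra}")
    return findings


def config_changed(before: Dict[str, str], after: Dict[str, str]) -> bool:
    """True when the filter changed between two records while the program did not,
    which is exactly what a remote reconfiguration after review would look like."""
    return (before["program_sha256"] == after["program_sha256"]
            and before["filter_sha256"] != after["filter_sha256"])


if __name__ == "__main__":
    order = ["192.0.2.10"]                       # constructed: the one subject named in the order
    at_install = {"subjects": ["192.0.2.10"], "capture_all": False}
    later = {"subjects": ["192.0.2.10", "192.0.2.11"], "capture_all": False}
    rec_install = audit_record(REVIEWED_SOURCE, at_install)
    rec_later = audit_record(REVIEWED_SOURCE, later)
    print("at install:", verify_installation(rec_install, at_install, REVIEWED_SOURCE_HASH, order) or "no findings")
    print("later:     ", verify_installation(rec_later, later, REVIEWED_SOURCE_HASH, order))
    print("filter changed with program unchanged:", config_changed(rec_install, rec_later))
```

Taking such a record at installation and again at intervals during the monitoring gives the outside party a way to notice both a program that differs from what was reviewed and a filter that has widened since the order was served, without needing to re-read the source each time.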

Conclusion

The issue of Carnivore is not really about technology. It is really about the attempts of the government to extend its lawful and appropriate access to electronic communications into the digital Internet realm. It seems that in the process of applying laws, policies and procedures to the digital realm, the privacy of citizens has been eroded in ways not intended or permitted under the original wiretap legislation, current practice or Supreme Court decisions.

The FBI will always have to live with the legacy of the Hoover era, just as the Congress will have to constantly compare itself with the McCarthy hearings, and the Executive Branch must always remember Watergate. These and other incidents from our country's history have contributed to an unfortunate general distrust of our public institutions when they concern themselves with the rights of our citizens.

I continue to have the utmost regard for the Special Agents it has been my good fortune to meet and work with. I understand and support their need for legal and proper access to the electronic communications of those subject to investigation for serious crimes. The challenge will be to provide the intended monitoring abilities that are reasonable and proper in the digital area.

Ladies and Gentlemen of the Subcommittee, thank you for your attention in the matter, and for the opportunity to provide this testimony.