Internet pioneer Vint Cerf weighed in on the controversial US FBI e-mail surveillance tool known as Carnivore at a Senate hearing on Wednesday, saying that it is not "technically abusive" and describing it as similar to other surveillance tools used by law enforcement.
"I would argue that, technically speaking, Carnivore has been conceived well," Cerf told the Senate Judiciary Committee. "The FBI's implementation of Carnivore attempts, in my estimation, to limit the amount of information that is being captured, and it is very, very hard to do that successfully."
Cerf, who co-developed TCP/IP (Transmission Control Protocol/Internet Protocol) in the early 1970s and is now senior vice president for Internet Architecture and Technology at WorldCom Inc. and a trustee of the Internet Society, said he was invited a few weeks ago by the FBI to a demonstration of Carnivore at the FBI's facility in Quantico, Virginia.
The FBI has been on the defensive about Carnivore since press reports about the system were published earlier this year. Civil libertarians and privacy advocates have criticized it because they believe its use falls outside the bounds of traditional wiretap laws that establish under what circumstances and how law enforcement officials can listen to a suspect's telephone conversations.
The House of Representatives has already held a hearing on Carnivore in which some members expressed grave concerns about the potential for privacy violations, and skepticism that Carnivore's operations are as confined as the FBI says they are.
Wednesday's Senate hearing was less contentious. Although Cerf stopped short of giving Carnivore a ringing endorsement, he said the creators of Carnivore went to considerable lengths to build in mechanisms to restrict the capture of traffic to that which is allowed under a court order.
"I don't believe that what the FBI has done is technologically abusive," Cerf said after the hearing.
Although the system must open packets of information belonging to people who have nothing to do with an investigation, the system is designed to discard any irrelevant information that it views, making it unavailable to the FBI, Cerf added.
Nevertheless, he said Carnivore could be abused if used wrongly. Concerns have been raised by opponents of Carnivore about what the standards should be for the capture of information on the Internet for law enforcement purposes, and Congress should make an effort to set those standards, he said.
Carnivore uses a desktop-like Windows-based PC and software that the FBI attaches to an Internet service provider's network, either to provide investigators with the names of people with whom a suspect is communicating, or to provide investigators with the ability to read the full content of a suspect's e-mail. In cases in which investigators want to read e-mail content, investigators must meet the higher legal standard of "probable cause," which means they must have a strong reason to believe criminal activity is ongoing. However, if investigators only want to know who a suspect is communicating with, a lower legal standard is applied.
Despite the system's aggressive-sounding name, Kevin DiGregory, deputy assistant attorney general of the Department of Justice's criminal division, said Carnivore was designed to preserve the privacy of ordinary Internet users when law enforcement officials are investigating major crimes, such as terrorism, child pornography and fraud.
"We must have an investigatory tool that helps us investigate online the same way as in the physical world, and enables us to obtain only the information we are authorized to obtain through a court order," DiGregory told the committee.
But James Dempsey, a lawyer with the Center for Democracy and Technology (CDT), argued that Carnivore, which has to scan the messages of numerous people not involved in a criminal investigation in order to work, "is not consistent with the way that electronic surveillance was conducted in the past." The CDT, along with the American Civil Liberties Union, is fighting to force the FBI to release more detailed information about Carnivore and how it works, including the program's source code.
Dempsey reiterated calls from privacy advocates that Carnivore should immediately stop being installed outside of the controls of ISPs, and that the FBI should provide a better understanding of how it works.
"Is it good enough that Vint Cerf has looked at Carnivore and has come away relatively satisfied?" Dempsey asked. "I really don't think we have had the kind of review of Carnivore that would really satisfy this committee and satisfy the public."
The DOJ is searching for a university that would review the system, and Attorney General Janet Reno has said she will decide on a university by Sept. 15.
Another witness, Michael O'Neill, a professor at George Mason University Law School in Fairfax, Virginia, made 10 recommendations to the committee. Among them were suggestions that Congress determine the statutory authorisation of Carnivore and that Congress require statistics on the use of the system be maintained by the DOJ. Those statistics about Carnivore's use should routinely be provided for legislative oversight, O'Neill suggested.
Senate Judiciary Committee Chairman Orrin Hatch, a Republican from Utah, described the professor's recommendations as "pretty good," and he asked the FBI and CDT officials to submit comment on them.
The FBI can be reached at http://www.fbi.gov/.