The U.S. Department of Justice Tuesday night released an edited version of an independent review of the FBI's Carnivore e-mail surveillance system, and the document confirmed the concerns of some privacy advocates that the controversial tool could be used to collect information about people who aren't the targets of criminal investigations.
However, the report prepared by a team of researchers affiliated with the Chicago-based Illinois Institute of Technology (IIT) also said Carnivore is not powerful enough to monitor "almost everyone with an e-mail account" or to follow individual Internet users as they surf the Web.
Carnivore is a software program that monitors packets of data passing through an Internet service provider's network. Officials at the FBI and the DOJ have said the surveillance system can only be legally deployed to monitor allegedly criminal activity under a court order, similar to the regulations that govern the use of telephone wiretaps.
However, privacy groups have charged that Carnivore could be used to do widespread monitoring of e-mail messages on Internet service provider networks. Those complaints prompted the DOJ to issue a request for proposals from universities interested in examining the technology, in hopes that the independent review would head off calls for the FBI to release the still-secret source code underlying Carnivore.
In September, the IIT Research Institute (IITRI) was chosen to do the review. In its report, IITRI said Carnivore "provides investigators with no more information than is permitted by a given court order" when it is used correctly. The report also indicates that Carnivore poses no operational or security risk to service providers and "can be more effective in protecting privacy and enabling lawful surveillance than can alternatives."
The concern for privacy advocates, however, is the potential for broad-sweeping data collection if the software isn't configured properly. And the IITRI report does say that Carnivore "can record any traffic it monitors" if it has been incorrectly configured by investigators. According to the report, Carnivore will collect all e-mails in a packet delivered to an Internet service provider if its filters aren't set properly.
The Electronic Privacy Information Center (EPIC), a Washington-based privacy group that's seeking the release of all the FBI's Carnivore-related documents through a Freedom of Information Act request, yesterday issued a statement charging that the IITRI report "raises more questions than it answers."
"If it's that easy for the FBI to accidentally collect too much data, imagine how simple it would be for agents to do so intentionally," said David Sobel, EPIC's general counsel. "This supports our belief that Carnivore raises extremely serious privacy concerns."
IITRI's report also said Carnivore's filter settings may be difficult to configure properly and added that the FBI doesn't have adequate provisions to monitor how the system is used. However, other safeguards are in place that should provide privacy protections, the report said.
"Multiple approvals are currently required before a court order that might involve a Carnivore deployment is requested," the report reads. "Significant post-collection organizational and judicial controls exist as well." For example, IITRI said, a supervising judge can "independently verify that traffic collected is only what was legally authorized."