Carnivore raises new concerns

New documents and the release of an independent panel's report raise suspicions about the FBI surveillance system

Newly released documents and a report from a highly criticised review panel have privacy experts once again questioning the FBI's motives in developing its Carnivore Internet surveillance system.

The Electronic Privacy Information Center (EPIC) has warned that new documents released by the FBI under the Freedom of Information Act (FOIA) showed Carnivore could monitor all Internet traffic -- including email, Web surfing, and file transfers -- something the FBI had previously denied.

"One of the most worrisome things is that [the FBI] constantly keeps seeming to move the goalpost," Wayne Madsen, a senior research fellow with Washington-based EPIC, said Friday. "The assistant director told Congress that they didn't have the ability to store unfiltered data, but now they have a successful test of saving raw, unfiltered data on the hard drive."

"They seem to be understating the capabilities of Carnivore," Madsen added. "It has a lot more capabilities than they have advertised."

But an FBI spokesman said a full test of the program, without limiting filters, was needed to gauge Carnivore's performance.

The new controversy surfaced after EPIC received a second batch of FOIA documents -- about 360 pages. In total, the FBI has reviewed more than 1,000 pages and released about 800 -- although far fewer have survived a censor's black marker.

One document -- a memo dated 5 June -- outlined the results of a performance test conducted by the FBI's Cyber Technology Section in early May on Version 1.3.4 SP1 of Carnivore. The most controversial test -- called a "real world test" in the memo -- gauged the system's compatibility with the two other components of the DragonWare Suite, an integrated package of three snooping applications developed by the FBI.

On a 300MHz Pentium II PC running Windows NT, Carnivore "could reliably capture and archive all unfiltered traffic to the internal hard drive", stated the memo.

The FBI has previously denied that such capabilities exist, according to EPIC.

In comments before the Senate Judiciary Committee, Donald Kerr, assistant director of the FBI's laboratory division told senators that "it's critically important to understand that all of those... other communications are instantaneously vaporized after [they're identified as extraneous]. They are totally destroyed; they are not collected, saved, or stored."

"Why did they test something that they said was not a capability?" asked Madsen, of EPIC.

"It's like a car," explained FBI spokesman Steve Barry. "We revved it up to its full parameters without the filter on, which we should, just to see how well it works." Barry called EPIC's questions of the FBI's intentions "really off-base".

"The test showed that we could grab data without the filter, but we can't do it in the real world," Barry said. "That would be illegal." The controversy may heighten when a report analysing Carnivore's capabilities hits the Web next week.

On Friday, the Department of Justice received a draft analysis of Carnivore from a panel of experts at the Illinois Institute of Technology's Research Institute. The DoJ is expected to release the report, minus any sensitive information, Tuesday.

Although he wouldn't discuss the details of the report, Harold Krent, professor of the Chicago Kent College of Law and a member of the Carnivore review team, said the analysis was comprehensive.

"It not only looks at the mechanics and capabilities [of Carnivore], but also at the gaps that may exist in the system's deployment," he said, referring to EPIC allegations that Carnivore had broader abilities than disclosed by the FBI.

After a public review of the report, the review team will produce a final version, said Krent.

Krent and his team may have quite an earful from the public and several members of Congress.

Last month, House majority leader Dick Armey (Republican, Texas) slammed the Justice Department and the Clinton Administration for inadvertently releasing the names of the review committee -- including Krent's -- then turned around and criticised the agencies for apparent favouritism in their choices.

"This Department of Justice proposal has confirmed my fears," he said in a statement. "This important issue deserves a truly independent review, not a whitewash." Several universities -- including the Massachusetts Institute of Technology and Purdue University -- reportedly declined to submit applications to review Carnivore because they feared the process would not be open.

The Department of Justice required all applicants to agree to let the agency edit the final report on Carnivore and not to release the source code to the program.

They can see you... Read about how and why in Surveillance, a ZDNet News Special

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.