[Senate Hearing 106-1057]
[From the U.S. Government Publishing Office]
S. Hrg. 106-1057
THE ``CARNIVORE'' CONTROVERSY: ELECTRONIC SURVEILLANCE AND PRIVACY IN
THE DIGITAL AGE
=======================================================================
HEARING
before the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 6, 2000
__________
Serial No. J-106-105
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
74-729 WASHINGTON : 2001
----------------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
COMMITTEE ON THE JUDICIARY
ORRIN G. HATCH, Utah, Chairman
STROM THURMOND, South Carolina PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire
Manus Cooney, Chief Counsel and Staff Director
Bruce A. Cohen, Minority Chief Counsel
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Page
Hatch, Hon. Orrin G., a U.S. Senator from the State of Utah...... 1
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont. 3
WITNESSES
Cerf, Vinton G., Internet Trustee, Internet Society, Reston, VA.. 29
Dempsey, James X., Senior Staff Counsel, Center for Democracy and
Technology, Washington, DC..................................... 42
Di Gregory, Kevin V., Deputy Assistant Attorney General, Criminal
Division, U.S. Department of Justice, Washington, DC;
accompanied by Martha Stansell-Gamm, Chief, Computer Crimes and
Intellectual Property Section, U.S. Department of Justice,
Washington, DC................................................. 21
Kerr, Donald M., Assistant Director, Federal Bureau of
Investigation, Washington, DC; accompanied by Larry R.
Parkinson, General Counsel, Federal Bureau of Investigation,
Washington, DC................................................. 9
O'Neill, Michael, Assistant Professor of Law, George Mason
University Law School, Fairfax, VA............................. 36
Rosen, Jeffrey, Associate Professor of Law, George Washington
University Law School, Washington, DC.......................... 62
QUESTIONS AND ANSWERS
Responses of Donald M. Kerr to Questions from:
Senator Hatch................................................ 81
Senator Thurmond............................................. 83
Senator Leahy................................................ 87
THE ``CARNIVORE'' CONTROVERSY: ELECTRONIC SURVEILLANCE AND PRIVACY IN
THE DIGITAL AGE
----------
WEDNESDAY, SEPTEMBER 6, 2000
U.S. Senate,
Committee on the Judiciary,
Washington, DC.
The committee met, pursuant to notice, at 10:08 a.m., in
room SD-226, Dirksen Senate Office Building, Hon. Orrin G.
Hatch, (chairman of the committee) presiding.
Also present: Senators Specter and Leahy.
OPENING STATEMENT OF HON. ORRIN G. HATCH, A U.S. SENATOR FROM
THE STATE OF UTAH
The Chairman. We are happy to welcome all of you out to
today's hearing. The purpose of our hearing today is to examine
the effect that new surveillance technologies, such as the
FBI's now too famous Carnivore, is having on the important
public policy balance between personal privacy rights and law
enforcement in the digital age.
That the context of this hearing is important goes without
saying. The Internet is rapidly becoming a dominant means by
which Americans transact business, receive news and
information, communicate with their families, and even have
fun. A recent report states that over 40 million Americans are
currently using the Internet, and that the rate of increase is
nearly 55,000 new users every day. Over three million Web pages
were created every day in 1999.
Clearly, the Internet is becoming a pervasive feature of
daily life, and the technology on the horizon promises to make
it even more so. Additionally, the Internet's ability to allow
anyone, regardless of wealth or status or political clout, to
share opinions with the world, makes it the ultimate first
amendment-enabling technology.
But as with many great technological developments and
achievements, the Internet's greatest strength is also its most
vulnerable weakness. The huge amounts of data speeding through
the Internet, including phone numbers, addresses, credit card
numbers and bank account information, have facilitated an
online crime wave. And the same ease of use that has motivated
so many people to rely on the Internet has also given rise to a
new breed of swindlers, vandals and terrorists who are short-
circuiting the Internet's benefits by waging denial of service
attacks, or who are turning the Internet into a weapon by
spreading computer viruses.
Only last week, a 24-year-old California man was charged
with securities fraud after a fake news release posted on a
Website claimed that the Emulex Company had lost its CEO and
would restate its last quarter's earnings to show a loss
instead of a profit. The hoax caused a $2 billion loss in the
value of this company.
Unfortunately, this is only one of the myriad types of
crime committed via the Internet. The use of e-mail has been a
boon to criminals engaged in spreading child pornography,
coordinating illegal drug rings, stealing intellectual
property, and much more. America's Internet users are
legitimately concerned that surfing the Internet is like
walking in a big city at night: the enjoyment is tempered by a
fear of what is lurking unnoticed in the dark alleys. Even
short of illegal activity, Americans are concerned about the
ability of businesses and other Web site hosts to collect and
share personal information, and to track individuals'
interests, purchases, and other data.
On the other side of the debate is an equally important
concern that the Government should not intrude unduly into
commerce and personal lives. Unlike many other governments in
the world, the United States does not permit its law
enforcement agencies easy access to phone lines, the mail, and
other sources of private information.
The computer geniuses who are innovating with new
technology and creating e-commerce companies are understandably
wary of opening up their hard drives and servers to government
data traffic control. And individuals who use the Internet for
personal communications, purchases and hobbies are justifiably
reluctant to allow an ``Orwellian Big Brother'' to monitor
which Web sites they visit or what messages they send through
cyberspace.
In short, America's Internet users want a balanced approach
to Internet integrity that guarantees protection of personal
privacy, but that allows limited and constitutionally-
sanctioned access to law enforcement when necessary for the
protection of law-abiding citizens.
Some believe these goals are in hopeless conflict. I
personally do not. I firmly believe that properly calibrated
laws can simultaneously protect the Internet from criminals and
terrorists, respect the privacy interests of all Americans, and
allow the Internet to flourish free from burdensome regulation.
In fact, I recently introduced a bill, the Internet Integrity
and Critical Infrastructure Protection Act of 2000, that
strives to do that in certain circumstances.
Although no law could prevent bad actors from misusing the
Internet, my bill will provide much needed resources and
investigative tools to law enforcement and will update our
computer abuse laws to help deter and prevent such activities.
So it is within the context of this debate that we are
holding today's hearing to examine the constitutional and
policy implications of new surveillance technologies, in
general, and the FBI's Carnivore system in particular. I hope
we get a better understanding of what Carnivore is and how it
operates today. As I understand it, it permits law enforcement
agencies to gather specific electronic-mail information,
presumably circumscribed by court order, relevant to the
commission of a crime.
There has been a lot of controversy surrounding this
system, perhaps justified, perhaps not. Much of the controversy
and confusion is due to differences in opinion on the degree of
protection against improper searches by the Government that the
fourth amendment of our Constitution provides each citizen, and
whether current laws--which were written before the Internet
became the revolutionary force in communications that it has
become--need updating in this new digital age. It is this
constitutional challenge created by technological advancement
that we are here to examine today.
Now, before we hear from today's witnesses, I want to note
that the technical questions about Carnivore are to be
addressed by a DOJ-commissioned independent technical review.
These technical questions include whether the Carnivore system
could interfere with the proper functioning of Internet service
providers, whether the system might provide investigators with
more information than is authorized by a court order, or
whether the system's capabilities could give rise to a risk of
misuse, leading to improper invasions of privacy. I think this
is a very important study which likely will affect some of our
policy decisions, and we will examine the report's findings
once it is conducted in a future hearing.
With that background, I will introduce our distinguished
witnesses as soon as the ranking member makes his comments.
STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE
STATE OF VERMONT
Senator Leahy. Thank you, Mr. Chairman. We talk about ISP's
and URL's and all this new language of the Internet age that
Mr. Cerf and others gave us. And I thank you most of the time,
Mr. Cerf. There are days when connections are slow when I
don't, but that is not your fault.
What we are doing here actually is carrying on a 200-year
conversation about how we assure the rights of the American
people, the rights of all of you, the rights of me and the
chairman and everybody else to be secure in their persons, in
their houses, in their papers, and their effects, secure
against unreasonable searches and seizures. That obviously goes
back to the Constitution's Fourth Amendment.
Back at the time of the Framers, you gained access to a
person's private effects by being there. You were going to find
out what was in somebody's desk drawer by walking in the house
and opening the desk. You were going to find out what papers
they had in their inside pocket by searching them and searching
their inside pocket. It is a lot different today. You can be a
mile away or 10,000 miles away and search information about
most families, certainly those who have computers and are on
the Net.
This is really the concern that I have. On the one hand, I
ask the question, are we dealing with a legitimate surveillance
tool in a cyber age when we know that criminals can move
billions of dollars electronically; when terrorists can plan
damage from a point on another continent to a residence or a
warehouse in the United States; when a kidnaper can deal with
somebody in a different State, or where a child abuser can seek
out a victim hundreds of miles away. But on the other hand, is
this surveillance something that goes way beyond what we the
American people want?
It is legitimate to ask the FBI, which has come up with
this unfortunately named device--and I suspect nobody has
claimed credit as the author of the name, but we should not
allow ourselves to be distracted simply by the name. Call it
anything you want. The question we have to ask, and
legitimately, is has the FBI given themselves a tool which
allows them to go way beyond what the American people would
allow, what the stated mandate of the FBI would allow, and
certainly what the Congress or anyone else would accept.
I think these are the kinds of questions that we have to
ask because new communications technologies both have benefits
and pose challenges to privacy and law enforcement. The
Congress has, I think, worked successfully, in a bipartisan
fashion, to mediate this tension with a combination of very
stringent procedures for law enforcement access to our
communications, but also legal protections to maintain privacy
and confidentiality, whether it is in person, over the
telephone, fax, computer, or elsewhere.
In fact, in 1968 the Congress passed comprehensive
legislation authorizing Government interception of voice
communications over telephones, and so on. We returned to this
in 1986, when we passed the Electronic Communications Privacy
Act, which I sponsored. That law established procedures for law
enforcement access to electronic mail systems, to remote data
processing systems, and had privacy safeguards for computer
uses. It talked about the way we get pen registers and traps,
and so on. These pen register and trap and trace orders,
though, were not to be used to identify or record the contents
of the communications.
Now, we have this new surveillance tool and we have to find
out where it fits in the mix. I understand Carnivore is a
surveillance tool, a software program developed by the FBI,
installed by the FBI at the physical premise of an Internet
service provider, to intercept Internet communications
following a court order.
The order may authorize capture of an entire communication
or it may be limited to addressing information, sort of like a
pen register. This program, though, is versatile enough that
the FBI can use the same program to accommodate variations in
court order authorizations. So I want to hear more about how it
works, the precise kind of information the program produces to
the FBI, and what controls the FBI has in place when Carnivore
is used to ensure the program is operated only as authorized by
the court order.
This is keeping in mind the fact that usually the court
orders are going to be designed exactly the way the Government
wants them to be. But notwithstanding that--and I am sorry some
of the courts may take offense at that, but that is a fact. And
notwithstanding that, I want to make sure it still doesn't go
beyond it.
Carnivore is not ``freeware'' available for download and
public scrutiny. So somewhere, somebody has got to be able to
scrutinize it. I commend the Attorney General for her efforts
to address this concern and hiring an independent contractor to
conduct a technical review of the surveillance program. It is a
constructive step that moves beyond the hypothetical
discussions of Carnivore.
Now, there is no dispute that the stringent legal
requirements governing wiretaps apply to Carnivore when it is
used to capture the content of e-mails or other computer
transmissions. I think all of us here on the Judiciary
Committee would agree with that.
There is also no dispute that both the text and the subject
line of an e-mail message are content which law enforcement may
intercept only under a wiretap order. But we still want to know
whether the legal standards for its use are adequate and
exactly what it does.
Telephone companies regularly comply with wiretap and other
legitimate surveillance orders, as do Internet service
providers. But if the Internet service provider doesn't have
the capability or willingness to do it, to execute court
orders, fine; I will accept the fact that law enforcement can
step in. I think Carnivore is for that. But, again, is it
limited, and will it limit itself to what a willing ISP would
give if they were willing to carry out the order themselves?
Second, Carnivore works by sifting through the Internet
traffic of a particular ISP to capture the particular
information or communication authorized by a court order. I
think privacy advocates are rightly concerned about whether
Carnivore accesses too much, not only too much information
about Internet users, but also too much information about the
communications that are the subject of the court order.
We know that the Internet breaks down communications into
separatepackets that are reassembled at the destination point.
The FBI will say that Carnivore is able to find the different packets
that make up a suspected Internet criminal's message only by sifting
through all the traffic. Technically, that is correct, but that might
not be a great comfort to all the other Internet users who are not
subject to the court-ordered surveillance but have their messages being
looked at.
It comes down to this: Carnivore is like a car. It can be
very useful or it can be abused. You can drive back and forth
to take your kids to school or you could have a drunk driver
come down the road and wipe out a family. What counts is the
rules of the road, but also what counts is what license we give
the driver, and I am interested in the license and hearing from
the witnesses today whether surveillance rules we developed for
the analog telephone environment and for the pre-Internet
computer environment are adequate to protect our current
expectations of privacy when we go online.
And I must say in that regard, Mr. Chairman, that we have
the CALEA Act, which we all worked on very closely and worked
closely with the FBI. And in many ways, the FBI has tried to
push the envelope way beyond what I as one of the authors of
that bill intended and what many of the others did. Because of
that, I take a little more careful view of what they might say
and whether the FBI now is going to push beyond the envelope of
what they are allowed.
In closing, I am a strong proponent of the Internet. I
don't know of anybody in the Senate who is a stronger
proponent. But I am a defender of our constitutional right to
speak freely, and also I have the typical Vermonter's view of
privacy that we should keep private our confidential affairs
from either private sector snoops or unreasonable government
searches. These principles can and must be respected when law
enforcement agencies use surveillance tools to uncover and hold
accountable criminal wrongdoers.
So, Mr. Chairman, I think you have an excellent hearing. I
think it is a wise one to have. I would put my whole statement
in the record so we can hear from the witnesses.
The Chairman. Well, thank you, Senator, and we will put all
statements in the record at this point.
[The prepared statement of Senator Leahy follows:]
Prepared Statement of Senator Patrick J. Leahy
We will talk today about ISPs and URLs and other new language of
the Internet age, but fundamentally we are continuing a 20-year-old
conversation about how we assure the right of American people to be
secure in their persons, houses, papers and effects, against
unreasonable searches and seizures. This is both the promise and the
mandate of our Constitution's Fourth Amendment.
The means by which law enforcement authorities may gain access to a
person's private ``effects'' is no longer limited by physical
proximity, as it was in the time of the Framers. New communications
methods and surveillance devices have dramatically expended the
opportunities for surreptitous law enforcement access to private
messages and records from remote locations.
In short, new communications technologies pose both benefits and
challenges to privacy and law enforcement. The Congress has worked
successfully in the past to mediate this tension with a combination of
stringent procedures for law enforcement access to our communications
and legal protections to maintain their privacy and confidentiality,
whether they occur in person or over the telephone, fax machine or
computer. In 1968, the Congress passed comprehensive legislation
authorizing government interception, under carefully defined
circumstances, of voice communications over telephones or in person in
Title III of the Omnibus Crime Control and Safe Streets Act.
We returned to this important area in 1986, when we passed the
Electronic Communications Privacy Act (ECPA), which I was proud to
sponsor, that outlined procedures for law enforcement access to
electronic mail systems and remote data processing systems, and that
provided important privacy safeguards for computer users. ECPA also set
forth the procedures for use, application and issuance of orders for
pen registers and trap and trace devices that were to be used to
identify the numbers dialed from a particular telephone line or the
originating number of an incoming telephone call, respectively. As the
Committee's report on ECPA makes clear, these pen register and trap and
trace orders were not to be used ``to identify or record the contents
of the communication.'' [Senate Comm. On the Judiciary, ``Electronic
Communications Privacy Act of 1986'', S. Rep. No. 99-541, 99th Cong.,
2d Sess. at p. 46 (1986).]
This hearing will explore where the FBI's use of the new
surveillance tool called ``Carnivore'' fits into that mix.
As I understand this surveillance tool, Carnivore is a software
program developed by the FBI and installed by the FBI at the physical
premise of an Internet Service Provider to intercept Internet
communications, in accordance with a court order. This court order may
authorize capture of an entire communication, or it can be limited only
to addressing information, akin to a pen register order for a telephone
line. Carnivore is sufficiently versatile that the FBI can use the same
program to accommodate variations in court order authorizations. I want
to hear more about how the Carnivore program works, the precise kind of
information the program produces to the FBI, and what controls the FBI
has in place when Carnivore is used to insure the program is operated
only as authorized by the applicable court order.
Certainly, some of the concern over the FBI's use of Carnivore
stems from the fact that the Carnivore program is not ``freeware''
available for download and public scrutiny. I commend the Attorney
General for her efforts to address this concern and for moving forward
to hire an independent contractor to conduct a technical review of the
surveillance program. This is constructive step to move beyond
hypothetical discussions of Carnivore's theoretical capabilities to
focus on the facts.
At the outset, let us be clear where there is no dispute. There is
no dispute that the stringent legal requirements governing wiretaps
apply to Carnivore when it is used to capture the content of e-mails or
other computer transmissions. There is also no dispute that both the
text and the subject line of an e-mail message are ``content'' which
law enforcement may intercept only under a wiretap order. But
fundamental questions remain about when the FBI chooses to use
Carnivore, how the program works, and whether the legal standards that
apply to its use are adequate. First, telephone companies regularly
comply with wiretap and other legitimate surveillance orders, as do
Internet Service Providers. But if the trail of a criminal
investigation leads to evidence in the custody of an Internet Service
Provider that lacks the capability or willingness to conduct the
interception as required in a court order, most of us agree that law
enforcement authorities should not be stymied but should have the
authority to pursue the trail. Indeed, it has been a long-standing
tenet codified in the wiretap and pen register laws that providers of
telephone services must furnish law enforcement officials with ``all
information, facilities and technical assistance necessary to
accomplish'' the interception or installation of the pen register
device unobtrusively and with a minimum of interference with the
service being provided to the person whose communications are to be
intercepted.'' [18 U.S.C. Sec. 2518(4) and3124(a).] Carnivore was
apparently created for use in just this circumstantce--where the ISP is
unable to assist directly in execution of the court-ordered
surveillance.
We want to hear today about whether use of Carnivore is limited to
only that circumstance and what effect, if any, this use has on the
integrity and function of the ISP.
As the principal Senate sponsor of the Communications Assistance
for Law Enforcement Act (CALEA), I should note that we passed this law
in 1994 to require telephone companies to be able to execute court
orders for surveillance. That law was passed with the concurrence of
the telecommunications industry, which wanted all participants to share
the responsibilities and expenses of complying with such court orders.
This law exempts ``information services'', however, including most
ISPs. Consequently, the FBI has developed its own program to fill the
gap if a particular ISP is unable or unwilling to assist in execution
of a court order for surveillance. This is preferable, in my view, to
legislation requiring ISPs to ramp up to execute court orders.
Second, Carnivore apparently works by sifting through the Internet
traffic of a particular ISP to capture the particular information or
communication authorized by a court order. Privacy advocates are
rightly concerned about whether Carnivore accesses too much--not only
too much information about Internet users whose communications are not
the subject of the court order, but also too much information about the
communications that are the subject of the court order.
The Internet works by breaking communications down into separate
packets that are reassembled at the destination point. The FBI says
that, as a technical matter, Carnivore is able to find the different
packets that make up a suspected criminal's Internet message only by
sifting through all the traffic. This is cold comfort to all the other
Internet users, who are not the subject of any court ordered
surveillance but nonetheless are having their Internet messages
automatically screened by the FBI's Carnivore program.
The FBI says that Carnivore can be used as the functional
equivalent for the Internet of a pen register or trap and trace devices
that provide information about the source or destination of a telephone
call. Yet the addressing, or header, information on an Internet message
may provide far more detail about the interests of the person sending
the message than a dialed telephone number does. This prompts the
question whether the same legal standard and procedure should apply to
capturing Internet addressing information that applies to capturing
telephone numbers.
Finally, Carnivore is a like a car. It can be useful, or it can be
abused. What counts are the rules of the road and the license we give
the driver. I am interested in hearing from the witnesses today whether
the surveillance rules we developed for the analogue telephone
environment and for the pre-Internet computer environment are adequate
to protect our current expectations of privacy when we go online.
I, for one, do not believe our current laws are adequate. That is
why over a year ago I introduced the E-RIGHTS Act, S. 854, to update
our laws and provide additional privacy protections for our online
communications and records, including law enforcement access procedures
and standards that are more in keeping with our current privacy
expectations.
For example, a critical privacy issue confronting us today is the
procedure by which law enforcement authorities obtain pen register and
trap and trace orders. The controversy over Carnivore puts the
shortcomings of that procedure in stark relief. Under current law,
federal judges are no more than rubber stamps who are required to issue
pen register or trap and trace orders whenever a prosecutor asks for
them. Federal judges have no authority to ask ``why'' and to make sure
that requested surveillance is necessary and justified. The E-RIGHTS
Act proposes a procedure that would permit judges to ask for and get
reasons for the surveillance. The Administration has recently
transmitted proposed legislation that would modify this procedure in a
fashion similar to the one I originally proposed.
I am a strong proponent of the Internet and a defender of our
constitutional rights to speak freely and to keep private our
confidential affairs from either private sector snoops or unreasonable
government searches. These principles can and must be respected when
law enforcement agencies use surveillance tools to uncover and hold
accountable criminal wrongdoers. I look forward to hearing from the
witnesses today about whether Carnivore oversteps these bounds.
The Chairman. We have a distinguished group of witnesses
here today. First, we will hear from Dr. Donald M. Kerr, who is
the Assistant Director of the Federal Bureau of Investigation.
Mr. Kerr heads the FBI lab that developed Carnivore and will be
able to provide us with valuable insight from the Bureau.
Our next witness is Kevin V. Di Gregory, Deputy Assistant
Attorney General of the Criminal Division, which includes the
Computer Crimes and Intellectual Property Section at the
Department of Justice.
After first hearing from these two witnesses, we will then
hear from distinguished experts who will help guide us through
the complex legal and technical issues involved in balancing
the needs of law enforcement with the privacy rights of
individuals.
So we will hear, after the first two, from Mr. Vinton G.
Cerf of the Internet Society, a non-profit educational and
research institution devoted to the continual evolution of the
Internet. Mr. Cerf is also a senior vice president at WorldCom,
where he is responsible for Internet architecture and
technology. In 1997, Mr. Cerf was awarded the National Medal of
Technology for his role in the invention and implementation of
the Internet.
We are very fortunate to have you here today and we look
forward to taking your testimony.
Our next witness, Michael O'Neill, is an assistant
professor of law at the George Mason University School of Law
in Fairfax, VA. Professor O'Neill, who is a former Supreme
Court clerk and current Commissioner on the U.S. Sentencing
Commission, specializes in criminal law, criminal procedure,
and constitutional law.
Mr. O'Neill, we are very happy to have you back before the
committee.
Next, we welcome James X. Dempsey, Senior Staff Counsel
with the Center for Democracy and Technology, located here in
Washington, DC. Mr. Dempsey is a respected leader in the
privacy community. He has been a friend of the committee and
has testified here before, so we are really happy to have you
back and we look forward to hearing your testimony.
Our final witness is Professor Jeffrey Rosen, associate
professor at the George Washington University Law School,
located here in Washington. Professor Rosen teaches
constitutional law, criminal procedure, and the law of privacy.
He is also the legal affairs editor of the New Republic and has
authored a book analyzing privacy issues.
I wouldn't mind having one of the books if you could send
it, OK?
Mr. Rosen. I will provide it for you Senator.
The Chairman. Good. I hope you autograph it.
Mr. Rosen. Absolutely.
The Chairman. We are fortunate to have each of you here
today and we want to welcome you to our hearing on ``The
Carnivore Controversy: Electronic Surveillance and Privacy in
the Digital Age.'' This is a very, very important hearing and
we look forward to hearing from each and every one of you.
So we will turn to you, Mr. Kerr, and go from there.
PANEL CONSISTING OF DONALD M. KERR, ASSISTANT DIRECTOR, FEDERAL
BUREAU OF INVESTIGATION, WASHINGTON, DC, ACCOMPANIED BY LARRY
R. PARKINSON, GENERAL COUNSEL, FEDERAL BUREAU OF INVESTIGATION,
WASHINGTON, DC; KEVIN V. DI GREGORY, DEPUTY ASSISTANT ATTORNEY
GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE,
WASHINGTON, DC, ACCOMPANIED BY MARTHA STANSELL-GAMM, CHIEF,
COMPUTER CRIMES AND INTELLECTUAL PROPERTY SECTION, U.S.
DEPARTMENT OF JUSTICE, WASHINGTON, DC; VINTON G. CERF, INTERNET
TRUSTEE, INTERNET SOCIETY, RESTON, VA; MICHAEL O'NEILL,
ASSISTANT PROFESSOR OF LAW, GEORGE MASON UNIVERSITY LAW SCHOOL,
FAIRFAX, VA; JAMES X. DEMPSEY, SENIOR STAFF COUNSEL, CENTER FOR
DEMOCRACY AND TECHNOLOGY, WASHINGTON, DC; AND JEFFREY ROSEN,
ASSOCIATE PROFESSOR OF LAW, GEORGE WASHINGTON UNIVERSITY LAW
SCHOOL, WASHINGTON, DC
STATEMENT OF DONALD M. KERR
Mr. Kerr. Good morning, Mr. Chairman, members of the
committee. I am grateful for the opportunity to discuss the
Internet and data interception capabilities developed by the
FBI in response to the increased exploitation of computers,
networks, and databases by terrorists, spies, and dangerous
criminals to commit crimes and to harm the safety, security and
privacy of others.
I have provided a rather long statement for the record
which I will spare you.
The Chairman. We will put all statements in the record as
though they were fully delivered. We hope you can summarize.
Mr. Kerr. Thank you, Mr. Chairman, and I will simply
briefly try to address some of the major issues covered in that
statement.
The context for our development and use of the Carnivore e-
mail intercept system and other similar tools is the
significant increase in terrorist and criminal acts. For
example, terrorist groups are increasingly using new
information technology and the Internet to formulate plans,
raise funds, spread propaganda, and to communicate relatively
securely.
An early instance of the use of secured information was the
convicted terrorist Ramzi Yousef, who was the mastermind of the
World Trade Center bombing, who, in fact, had encrypted files
on his laptop for blowing up U.S. airplanes in various parts of
the world.
Serious fraud, such as the one mentioned earlier in your
opening statement, recently dramatized by a case in New York,
in March, where 19 people were charged in an insider trading
scheme--the commission of that fraud rested on theability to
enter chat rooms, in effect recruit people to provide information on
two major brokerage firms' customers and, of course, share in the
profits from the use of that illicitly obtained information.
You are well aware of our Innocent Images program dealing
with child pornography and sexual exploitation of children
where, since 1995, the FBI has investigated nearly 800 cases
involving adults traveling interstate to meet minors for the
purpose of illegal sexual relationships, and more than 1,800
cases involving persons trading child pornography over the
Internet.
As mentioned, the FBI only conducts electronic surveillance
pursuant to Federal law, and in particular acts pursuant to
court order. The Federal electronics surveillance law has
carefully balanced the constitutional and privacy rights of
individuals, legitimate search and seizure needs of law
enforcement, and the obligations placed upon communications and
information service providers to cooperate.
In enacting the Federal electronic surveillance laws,
including title III and the ECPA-based transactional record and
pen register trap and trace regimes, Congress specified
appropriately strict procedures for law enforcement's
interception of communications content, and also its access to
communications transactional, addressing, and dialing
information.
Also, by law, the investigators must specify the steps that
will be taken to minimize the acquisition of any non-criminal
communications. A title III application must be approved by a
Federal district court judge who, after authorizing the order,
carefully monitors the progress of the surveillance by
reviewing reports brought to the court usually every 7 to 10
days by the U.S. Attorney's Office. The U.S. Attorney's Office
oversees the surveillance on a daily basis, and at the end of
the surveillance the judge directs notice be given to those
whose communications were intercepted.
Under titles II and III of ECPA, law enforcement acquires
transactional addressing and dialing type information pursuant
to court orders based upon relevancy to an ongoing criminal
investigation. These acquisitions, which include no
communications content, can be obtained through approval by a
Federal magistrate pursuant to applications from the U.S.
Attorney's Office.
Acquisitions under the pen register trap and trace regime
last for 60 days, since they only pertain to the transactional
addressing and dialing information. While the law requires no
notice be given to the criminals or others concerning whom
service provider communications transactional records are
obtained, many service providers advise their subscribers after
the investigation is concluded.
Those who have raised concerns regarding Carnivore have
principally asserted that through the use of Carnivore, the FBI
is collecting more information than a given pen register or
trap and trace court order permits. I want to speak to the
safeguards we have in place, the techniques by which we deploy
Carnivore, and in particular I think the great protections we
offer for both personal privacy and the business interests of
the Interest service providers.
First of all, as you have correctly mentioned, Carnivore is
both software and hardware. And because it is software in part,
it can be configured to specifically comply with each court
order. In doing that, we provide an audit trail. And, of
course, you are well aware of the sanctions for misuse, both
criminal and civil.
It is a PC-based system. We maximize the use of commercial
software to reduce risk and cost. It is installed by a team
comprising a senior supervisory FBI special agent, typically an
electronics technician, and one or more members of the Internet
service provider's staff to be sure that we don't do something
that would interfere with their system. But I would point out
the case agent is not the one installing the system. People who
are specifically trained in its use and the legal constraints
on its use are the ones who do that.
It is important to understand that it filters the Internet
traffic. It is looking for the addressing information, and at
the first stage it is looking for the Internet addresses that
are covered in the court order and it picks off the packets
that meet that test. It then goes through the subsequent
filtering stage. If full content is allowed, it, of course,
captures all of the packets relating to that message and
records them in their digital form. If only the addressing
information, the ``to'' and ``from'' lines, subject again to
the court order, are captured, those are recorded.
Once the recordings are made, there is no other information
available to the FBI. We capture and record no other
information, and those pieces of data are not available to us
at any subsequent time. There is no real-time review of text
because, in fact, we are dealing with systems where the
information is transiting at rates, for instance, of 40
megabits a second. We have no one who can read 0s and 1s at 40
megabits a second and translate that into content. In fact, we
only restore the message when content is authorized after
recovering the recorded bits and bringing it back to our
laboratory to recover the actual content of the message.
We produce a record of all settings, and that becomes part
of the evidentiary chain that we create. The system, in fact,
is secured within the Internet service provider's spaces to
provide physical chain of custody as well. In fact, in the
newest version that we are intending to bring into use, we will
provide the same authentication of the message information that
we capture, as well as the settings, so that we will be able to
testify later in court as to what the settings were, who set
them up, and were any subsequent changes or alterations made.
Carnivore does not adversely affect the business interests
of the Internet service provider. I mentioned we safeguard
their interests in part by collaborating with their technical
staff. We always use the smallest segment of traffic through
their system because, in fact, what we are after is just the
message traffic of the subject of the court order. So if that
can be delivered and the ISP can do it with their equipment, we
accept that from them and, in fact, we reimburse them for
providing that service.
When the ISP does not have the equipment or the capability
to meet the terms of the court order, we, in fact, use
Carnivore, installed under the conditions that I mentioned. But
recall there may be 15,000 ISP's in this country. Some of them
are well capitalized and well equipped. Others are very small
operations and would not have the capital to have in place an
infrequently usedcapability or perhaps a never used capability.
The Chairman. How many ISP's did you say are in the
country?
Mr. Kerr. I think approximately 15,000, but I think there
are others at the table who know better.
Mr. Cerf. Mr. Chairman, I can respond to that. I think
probably that is a global number, as opposed to the number in
the United States. So presumably your focus of attention is the
number in the United States, but that still could be on the
order of 8,000. So you are in the same order of magnitude.
The Chairman. OK; sorry to interrupt you.
Mr. Kerr. Not a problem. It is very helpful.
Carnivore is a passive system and, in fact, it is isolated
from the Internet service provider's network by a commercial
device that allows for information to flow to Carnivore, but
for no signals to flow from Carnivore into the system. And, of
course, like all communications intercept equipment, it is
removed as soon as the court order has expired.
Overall, we think that the public should have trust and
confidence in the FBI conduct of electronic surveillance under
the legal guidance that we have. We first exhaust other means
to get timely information. We always try to minimize the
intrusiveness of our intercept, whether it be for e-mail or for
telephones.
We attempt to avoid undesirable consequences for
telecommunications providers or Internet service providers. We
cannot activate our capabilities without an appropriate order.
There are sanctions in place that deter misuse. Broad search
and surveillance is prohibited, and we seek specific evidence
of criminal behavior, not broad information content.
With that, Mr. Chairman, I will conclude my remarks and
look forward to your questions.
[The prepared statement of Mr. Kerr follows:]
Prepared Statement of Donald M. Kerr
Good morning, Mr. Chairman and Members of the Committee. I am
grateful for this opportunity to discuss with you the FBI's Carnivore
system--a system specially designed for effectively enforcing the law
while at the same time fully complying with the law. Carnivore is a
system which we are counting on to help us in critical ways in
combating acts of terrorism, espionage, information warfare, hacking,
and other serious and violent crimes occurring over the Internet, acts
which threaten the security of our Nation and the safety of our people.
In my statement, I will touch upon five points; why we need a system
like Carnivore; why the public should have confidence that the FBI is
lawfully Carnivore; how Carnivore, as a special purpose electronic
surveillance tool, works; why computer network service providers, with
whom the FBI always work closely, should not be fearful about
Carnivore's use with their networks; and, as an overarching matter, why
the public should have trust in the FBI's conduct of electronic
surveillance and in its use of the Carnivore system. In addressing
these important points, we hope to set the record straight and allay
any legal, privacy, network security, and trustworthiness concerns.
Why does the FBI need a system like Carnivore?
By now, it has become common knowledge that terrorists, spies,
hackers, and dangerous criminals are increasingly using computers and
computer networks, including the Internet, to carry our their heinous
acts. In response to their serious threats to our Nation, to the safety
of the American people, to the security of our communications
infrastructure, and to the important commercial and private
potentialities of a safe, secure, and vibrant Internet, the FBI has
responded by concentrating its effort, including its technological
efforts, and resources, to fight a broad array of Cyber-crimes.
While the FBI has always, as a first instinct, sought to work
cooperatively and closely with computer network service providers,
software and equipment manufactures, and many others to fight these
crimes, it also become obvious that the FBI needed its own tools to
fight this battle, especially where legal, evidentiary, and
investigative imperatives required special purpose tools. One such tool
is Carnivore, which I will discuss at length today. However, before
discussing Carnivore, it is important to identify and briefly discuss
some of the types of Cyber-crime threats which we in law enforcement
have been encountering, and will encounter in the future, and
concerning which Carnivore, and tools such as Carnivore, are of
critical importance to the FBI.
Terrorism
Terrorist groups are increasingly using new information technology
(IT) and the Internet to formulate plans, raise funds, spread
propaganda, and communicate securely. In his statement on the worldwide
threat in the year 2000, Director of Central Intelligence George Tenet
testified that terrorist groups, ``including Hezbollah, HAMAS, the Abu
Nidal organization, and Bin Laden's al Qa'ida organization are using
computerized files, E-mail, and encryption to support their
operations.'' As one example, convicted terrorist Ramzi Yousef, the
mastermind of the World Trade Center bombing, stored detailed plans to
destroy United States airliners on encrypted files on his laptop
computer.
Other terrorist groups, such as the Internet Black Tigers (who are
reportedly affiliated with the Tamil Tigers), engaged in attacks on
foreign government websites and E-mail servers. ``Cyber terrorism''--
the use of Cyber tools to shut down critical national infrastructures
(such as energy,telecommunications, transportation, or government
operations) for the purpose of coercing or intimidating a government or
civilian population--is emerging as a very real threat.
Recently, the FBI uncovered a plot to break into National Guard
armories and to steal the armaments and explosives necessary to
simultaneously destroy multiple power transmission facilities in the
Southern United States. After introducing a cooperating witness into
the inner circle of this domestic terrorist group, it became clear that
many of the communications of the group were occurring via E-mail. As
the investigation closed, computer evidence disclosed that the group
was downloading information about Ricin, the third most deadly toxin in
the world. Without the fortunate ability to place a person in this
group, the need and technological capability to intercept their E-mail
communications' content and addressing information would have been
imperative, if the FBI were to be able to detect and prevent these acts
and successfully prosecute.
Espionage
Not surprisingly, foreign intelligence services have adapted to
using Cyber tools as part of their espionage trade craft. Even as far
back as 1986, before the worldwide surge in Internet use, the KGB
employed German hackers to access Department of Defense systems in the
well-known ``Cuckoo's Egg'' case. It should not surprise anyone to hear
that foreign intelligence services increasingly view the Internet and
computer intrusions as useful tools for acquiring sensitive U.S.
government and private sector information.
Information Warfare
The prospect of ``information warfare'' by foreign militaries
against our Nation's critical infrastructures is perhaps the greatest
potential Cyber threat to our national security. We know that several
foreign nations are developing information warfare doctrine, programs,
and capabilities for use against the United States or other nations.
Knowing that they cannot match our military might with conventional
weapons, nations see Cyber attacks on our critical infrastructures or
military operations as a way to hit what they perceive as America's
Achilles heel--our growing dependence on information technology in
government and commercial operations. Two Chinese military officers
recently published a book that called for the use of unconventional
measures, including the propagation of computer viruses, to
counterbalance the military power of the United States. And a Russian
official has also commented that an attack on a national infrastructure
could, ``by virtue of its catastrophic consequences, completely overlap
with the use of [weapons] of mass destruction.''
Child Pornography and Sexual Exploitation of Children
Through the FBI's ``Innocent Images'' case, and others, it has
become abundantly clear that certain adults are using computers and the
Internet widely to disseminate child pornography and to entice young
children into illegal and often violent sexual activity. Such sexual
predators find the Internet to be a well-suited medium to trap unwary
children. Since 1995, the FBI has investigated nearly 800 cases
involving adults traveling interstate to meet minors for the purpose of
illegal sexual relationships, and more than 1850 cases involving
persons trading child pornography--almost all of these involve the
exchange of child pornography over the Internet.
Serious Fraud
One of the most serious criminal threats facing the Nation is the
use of the Internet for fraudulent purposes. For example, securities
offered over the Internet have added an entirely new dimension to
securities fraud investigations. The North American Securities
Administrators Association has estimated that Internet-related stock
fraud results in a loss to investors of approximately $10 billion per
year (or nearly $1 million per hour). In one case, on March 5, 2000,
nineteen people were charged in a multimillion-dollar insider trading
scheme. At the core of the scheme, the central ``insider'' figure went
online and found others in ISP chat rooms. He soon was passing inside
information on clients of several brokerage firms to two other
individuals in exchange for a percentage of any profits they earned by
acting on it. For 2\1/2\ years, this person passed inside information,
communicating almost solely through online chats and instant messages,
with the insider receiving $170,000 in kickbacks while his partners
made $500,000.
Why should the public have confidence in the FBI's lawful use of
Carnivore?
There are a number of reasons why the public should have confidence
in the FBI's lawful use of Carnivore. First of all, since 1986, with
the enactment of the Electronic Communications Privacy Act of 1986
(ECPA), which amended Title III of the Omnibus Crime Control and Safe
Streets Act of 1968 (Title III), Congress created statutory legal
protection for all types of wire and electronic communications'
content, including computer and Internet-based communications' content,
consistent with the Constitution. The ECPA also created statutory
privacy protection for ``transactional records'' pertaining to an
electronic communications provider's provision of services to a
customer or subscriber consistent with the Constitution. The term
``transactional records,'' as used here, includes addressing (e.g., in
the context of E-mail communications, the ``to'' and ``from'' lines--
but not the ``subject'' or ``re'' lines) routing, billing, or other
information maintained or generated by the service provider.
``Transactional records'' do not include the content (substance,
purport or meaning) of E-mails or other communications.
Correspondingly, in the ECPA, Congress regulated all governmental
electronic surveillance interceptions of communications' content and
all acquisitions of communications addressing and transactional record
information consistent with the Constitution. Under the ECPA, all such
electronic surveillance efforts require some form of court order,
either a full Title III (probable cause-based) court order for
obtaining communications' content or an ECPA-created court order based
upon relevancy for communications' addressing and transactional record
information. Of course, there are ``emergency'' provisions whereby
surveillance is permitted to proceed immediately, when high-level
Department of Justice authorization is obtained, so long as a court
order is filed within 48 hours.
Under Title III, applications for electronic surveillance must
demonstrate probable cause and state with particularly and specificity:
the offenses being committed, the communications facility regarding
which the subject's communications are to be intercepted, a description
of the types of conversations to be intercepted, and the identities of
the persons committing the offenses and anticipated to be intercepted.
Clearly, the criminal electronic surveillance laws focus on gathering
hard evidence--not intelligence. Under this law, the FBI cannot, and
does not, ``snoop.''
In obedience of the law, the FBI obtains judicial authorization, in
terms of always obtaining the appropriate court order required when
intercepting wire and electronic communications' content or when
acquiring addressing information and transactional record information,
or lawful consent, regardless of whether they are occurring over a
computer or telecommunications network. The FBI's use of the Carnivore
system--approximately 25 times in the last two years--has in every case
and at all times been pursuant to such a judicially-granted court order
or lawful consent. In every case, we only deploy Carnivore after
serving a court order on an ISP (or after obtaining lawful consent of a
party to the communication) and then only after working closely with
the ISP technicians or engineers in installing it. Parenthetically,
were the ISP is equipped to fully and properly implement the court
order or consensual authorization, the FBI leaves the interception to
the ISP and does not rely upon Carnivore. Moreover, if an FBI employee
were to attempt to acquire such content or information using Carnivore
without obtaining a court order or appropriate consent, it would be a
serious violation of the law--a federal felony, thereby subjecting
theemployee to criminal prosecution, civil liability, and termination.
Finally, FBI employees fully understand that the unlawful interception
of the content of private communications will lead to the suppression
of any and all tainted evidence and any evidence of fruits derived
therefrom. In short, the penalties for violating the electronic
surveillance laws are so severe as to dissuade any such unlawful
behavior, even if someone were so inclined.
Those who have raised legal concerns regarding Carnivore have
principally asserted that (1) through its use of Carnivore, the FBI is
collecting more information than a given pen register or trap and trace
court order permits, or (2) while using Carnivore, the FBI is acquiring
more information under such order than that order should lawfully
permit.
As to the first assertion (as will be explained in detail below),
in many investigative situations (principally those involving pen
register or trap and tract court orders), Carnivore--far better than
any commercially-available sniffer--is configurable so as to filter
with precision certain electronic computer traffic (i.e., the binary
computer code, the fast-flowing streams of O's and 1's) such that, in
each case, FBI personnel only receive and see the specified
communications addressing information associated with a particular
criminal subject's service, concerning which a particular ECPA court
order has been authorized. Further, to our knowledge, there are few, if
any, electronic surveillance tools that perform like Carnivore, in
terms of its being able to be tailored to comply with different court
orders, owing to its ability to filter with precision computer code
traffic.
In fact, the genesis for some of the technological functionality of
Carnivore was the result of the FBI's decision, made in light of
privacy and investigative concerns, that prudent practice, with regard
to computer network-based electronic surveillance, dictated that the
communications' addressing information gleaned through technical
equipment the FBI would be using should, to the fullest extent
possible, correspond to that information authorized for acquisition and
use under law. In this regard, prior to our development of Carnivore,
the FBI, consistent with the Constitution and the legal mandate found
in 18 U.S.C. 3121, was using ``technology reasonably available to it''
which permitted the acquisition of communications' addressing
information, but which necessitated minimization. However, while the
technology then available (principally commercial sniffers) worked as
well as could be expected, as discussed in greater detail below, such
equipment had never been designed as a law enforcement electronic
surveillance tool, and hence had shortcomings. Not knowing if, or when,
market forces would lead to the development of a law enforcement
electronic surveillance too, the FBI took the initiative.
In this context, we want to make sure that both the Congress and
the public understand that, in using Carnivore, there is no broad-brush
acquisition by either Carnivore or by FBI personnel of the ``contents
of the wire or electronic communications'' of all ISP users--such as to
constitute an unauthorized Title III ``intercept.'' Carnivore only
intercepts the communications of that particular criminal subject for
which a Title III order has been obtained. Similarly, we want everyone
to understand that, in using Carnivore, there is no broad brush
collection, storage, or review, by either Carnivore or by FBI
personnel, of the addressing or transactional information regarding any
ISP user beyond that pertaining to the criminal subject's service for
which an ECPA court order under 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d)
has been obtained.
As to the second assertion, some have stated that, in their
opinion, the FBI is acquiring more information when it uses Carnivore
to acquire communications addressing and transactional record
information than it should be entitled to under the Constitution or
under the ECPA statutory regimes found in Chapters 206 and 121 of Title
18 of the United States Code, and, in particular, under the court order
authorities within 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d). By way of
response, and more to the point, it appears that much, if not most, of
this contention regarding governmental access to communications
addressing and transactional information emanates from concerns about
the use of electronic surveillance generally, as opposed to the FBI's
use of Carnivore in particular. However, there is little or nothing in
law or Federal jurisprudence to support the contention that has been
asserted in this regard.
In 1979, the U.S. Supreme Court ruled that, because there was no
justifiable or reasonable expectation of privacy in the electronic
impulses dialed and transmitted over the telephone lines of a service
provider to initiate a telephone call, no Fourth Amendment search or
seizure was implicated, and, accordingly, that no legal right or
protection regarding governmental acquisition of such information was
cognizable or afforded under the Constitution (see, Smith v. Maryland,
442 U.S. 735 (1979). Similarly, the U.S. Supreme Court had earlier
found no Constitutional right or protection against the Government's
warrantless acquisition of banking information that had been disclosed
by a customer to a third party financial institution (see, United
States v. Miller, 425 U.S. 435, 442-444 (1976)). Hence, then, at least
as a matter of Constitutional law, the Supreme Court has found no
Constitutional requirement for a probable cause-based warrant in order
to acquire transactional records or information that a customer conveys
or transmits to third parties such as banks and telephone service
providers.
In 1986, in enacting the ECPA's Title II and Title III provisions,
the Congress was aware of the foregoing Supreme Court rulings and
sought to ``create'' new privacy protection in statute to protect a
subscriber's communications addressing and transactional record
information. Also, just as it intended to afford statutory privacy
protection for such information, Congress also created appropriate and
commensurate court order authorities for lawful governmental use in
acquiring such information. In doing so, Congress made very reasonable,
considered, and balanced determinations as to the level of privacy
protection that was appropriate for each type of information at issue.
Now, although it is true that there have been great changes in computer
technology since 1986, the core statutory privacy principles and fault
lines applicable to protecting computer-based communications content,
on the one hand, and communications addressing information, on the
other, as well as to their lawful interception or acquisition, have
remained quite stable.
Since 1986, and long before the advent and use of Carnivore, the
FBI and many other Federal, State, and local governmental authorities
having been lawfully acquiring computer network-based addressing and
transactional information from both telecommunications carriers and
Internet Service Providers (ISPs) under court order as anticipated by
Congress within the ECPA., i.e., the court order authorities set forth
within 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d). Governmental
surveillance in this area has proceeded based upon the rightful premise
that, with the appropriate ECPA court order(s), each and every type of
communications addressing and transactional record information found
within telecommunications and computer networks could be lawfully
acquired. Since the ECPA was enacted, federal courts throughout the
country have consistently authorized ECPA-based court orders applied
for by the Department of Justice and the United States Attorneys'
Offices, under the authorities set forth within 18 U.S.C. 3123 and 18
U.S.C. 2703(c)(d), with regard to the types of governmental access to
and acquisition of computer network addressing information currently
being complained of, without finding Constitutional or statutory
impediment.
Finally, with specific reference to Carnivore, in the approximately
25 instances wherein its use has occurred, the courts have approved the
applications, in terms of what was lawfully obtainable through the
federal statutory regimes(s) and/or court orders cited above, and in
terms ofthe information which Carnivore, through its filtering, enables
FBI personnel to lawfully receive or see under these regimes. In the
only case challenging Carnivore's intended use (in a case involving the
acquisition of E-mail addressing information under the court order
authorities set forth within 18 U.S.C. 2703(c)(d) and 18 U.S.C. 3123),
the court sided with the Government, finding that the addressing
information to be acquired through the Government's use of Carnivore
was no more intrusive than the information acquired through a
conventional pen register under 18 U.S.C. 3123.
How does Carnivore work, and why the FBI believes Carnivore is superior
from a legal, privacy, investigative, evidentiary and
technological perspective to commercial sniffers
Carnivore is very effective and discriminating special purpose
electronic surveillance system. Carnivore is a filtering tool which the
FBI has developed to carefully, precisely, and lawfully conduct
electronic surveillance of electronic communications occurring over
computer networks. In particular, it enables the FBI, in compliance
with the Constitution and the Federal electronic surveillance laws, to
properly conduct both full communications' content interceptions and
pen register and trap and trace investigations to acquire addressing
information.
For many electronic surveillance purposes, Carnivore is superior to
any commercially available ``sniffer'' tool which ISP network
administrators typically might use for network oversight, management,
and trouble-shooting. In the ISP world such sniffers are the closest
thing to what would be considered an electronic surveillance
interception device. Such sniffers, however, were never designed or
intended to be a special purpose electronic surveillance tool, and
therefore they are not best suited to protect the privacy rights
afforded by the Constitution or by statute.
It's important to describe the context of when and how Carnivore is
used and the way Carnivore works. It's most critical to clearly
understand what Carnivore discloses and, more importantly, what it does
not disclose to the FBI personnel who use it.
First of all, as emphasized above, Carnivore is only employed when
the FBI has a court order (or lawful consent) authorizing a particular
type of interception or acquisition regarding a particular criminal
subject user, user address, or account number. Second, when an ISP can
completely, properly, and securely comply with the court order on its
own, the FBI does not need to deploy Carnivore.\1\ Third, if a decision
is made to use Carnivore, the FBI never deploys it without the
cooperation and technical assistance of the ISP technicians and/or
engineers. Fourth, through working with the ISP, Carnivore is
positioned and isolated in the network so as to focus exclusively upon
just that small segment of the network traffic where the subject's
communications can be funneled. This is roughly analogous to using an
electronic surveillance device only within in a single trunk or cable
within a telephone network. Stated differently, and contrary to the
statements of some critics, Carnivore is not positioned to filter or
access ``in a Big Brother mode, all subscriber traffic throughout an
ISP network.''
---------------------------------------------------------------------------
\1\ In many instances, ISPs, particularly the larger ones, maintain
certain technical capabilities which allow them to comply, or partially
comply, with court orders. For example, certain ISPs have the
capability to intercept or ``clone'' the E-mail transmitted to and from
a particular criminal subject's account. In many instances, such
capabilities are satisfactory and allow full compliance with a court
order. However, as noted in the main text, in most cases, ISPs do not
have such capabilities or cannot employ them in a secure manner. Also,
most ``off the shelf'' sniffers or internal systems designed ad hoc to
effect an electronic surveillance effort frequently lack the ability to
properly discriminate between messages in a fashion that satisfies the
court order. Further, many court orders go beyond E-mail, authorizing
the acquisition of other messages or protocols, such as instant
messaging. In these cases, obviously, a cloned mailbox would not be
sufficient to comply with the order of the court.
---------------------------------------------------------------------------
In illustrating its functionality, it is important to understand
that Carnivore's filtering operates in stages. Carnivore's first action
is to filter a portion of an ISP's high speed network traffic.
Specifically, it filters binary code--streams of 0's and 1's that flow
through an ISP network, for example, at 40 mega-bits per second, and
often at much higher speeds. Carnivore operates real time with these
speeds. To visualize this, imagine a huge screen containing 40 million
0's and 1's flashing by on this screen for one second, and for one
second only. Carnivore's first effort--entirely within the Carnivore
box--is to identify within those 40 million 0's and 1's whether the
particular identifying information of the criminal subject (for which a
court order has been authorized) is there.
If the subject's identifying information is detected, the packets
of the subject's communication associated with the identifying
information that was detected, and those alone, are segregated for
additional filtering or storage. However, it's critically important to
understand that all of those 40 million 0's and 1's associated with
other communications are instantaneously vaporized after that one
second. They are totally destroyed; they are not collected, saved, or
stored. Hence, FBI personnel never see any of these 40 million 0's and
1's, not even for that one second. Continuing the illustration, if the
subject's identifying information is not in that screen, then the next
screen of 40 million 0's and 1's flashes by at the same rate, and the
process described above is repeated in identical fashion until the
subject's identifying information is detected.\2\
---------------------------------------------------------------------------
\2\ Parenthetically, some might argue that although the FBI does
not collect, save, or store all of those 40 million bits per second,
that it could if it chose to. In fact, that is simply not the case. The
reason is that, even with substantial gigabit level storage, the hard
drive storage would fill up in a matters of a few minutes, requiring
constant replacement of the hard drives or alternatively the front end
acquisition of large amounts of equipment space within an ISP's access
space. Neither one of these scenarios is in any way realistic.
But, for the sake of argument, even if such massive collection and
storage could be marshaled, an equally gigantic effort would be
required to process all of the O's and 1's to produce intelligible
English text. Then finally, there would have to be a huge dedication of
FBI human resources to sift through the information--and for no
discernable reason. The fact of the matter is that the FBI, focused
upon the identified criminals/accounts under investigation, is normally
``swamped'' with evidence. The FBI simply has no interest in rummaging
(``snooping'') through the immense number of communications of those
ISP users that through mere happenstance traverse the same part of the
network as the traffic of the criminal subject. As noted above, any
such unauthorized rummaging would be a violation of law, subjecting FBI
personnel to criminal prosecution, civil liability, and immediate
termination of employment.
---------------------------------------------------------------------------
After exclusively segregating the subject's information for further
machine processing, then a second stage of filtering is employed. At
this point, and again all within the Carnivore box, Carnivore checks
its programming to see what it should filter and collect for
processing. In other words, it determines, as required by the specific
wording of the court order, if it's supposed to comprehensively collect
communications content--in a full title III or FISA mode--or,
alternatively, whether it's only to collect pen register or trap and
trace transactional and addressing information. Only information
specified in the court order is being collected by Carnivore.
Importantly, this is where some of Carnivore's key legal,
evidentiary, and privacy-enhancing features really kick in. To address
the particular concerns that have been raised regarding what is
filtered and processed, and what FBI personnel see and don't see, its
useful to illustrate how Carnivore operates, for example, in a pen
register or trap and trace transactional and addressing information
mode, pursuant to authorities set forth within 18 U.S.C. 3123 and 18
U.S.C. 2703(c)(d). Under these circumstances, Carnivore only collects
transactional and addressing information. It is programmed to filter
out all content, including subject line and ``re'' information.
For example, certain pen register or trap and trace orders will
authorize collection of simply ``source,'' ``destination,'' date, time,
and duration of the message. Others will authorize collection of
``source,'' ``destination,'' ``user account address,'' date, time, and
duration. Again, each collection, and the filters being employed, are
tailored to a particular court order's authorization.
At this point, an explanation on a more technological and
functional level is warranted as to why, with regard to pen register
and trap and trace transactional and addressing information usage,
Carnivore's use was necessitated by certain privacy, evidentiary, and
investigative concerns. Commercially-available sniffers do a very good
job in many circumstances of filtering and segregating ISP information,
especially in title III interceptions. However, in other cases, where
more stringent legal, evidentiary, and law enforcement investigative
requirements exist, manysniffers would collect either too much
information, such as collecting all of the information regarding a
given criminal subject's account, or , alternatively fail to collect
the authorized information at all.
For example, because of differences and vagaries in network
protocols and header addressing information and their implementations
by ISPs, collections with these commercial sniffers often do not cut
off the header addressing information at the precise point. This can
lead to a small amount of a communications' content being included
(such as the ``subject line'') which then must be minimized by human
review. Hence, resort to commercial sniffers alone under certain
circumstances raises privacy concerns and interferes with the FBI's
investigative resources. While such sniffer capabilities might suffice
for non-law enforcement administration purposes, it is less than
perfect for a law enforcement point of view. Carnivore's development
was driven by a need to address such issues.
In another area with significant legal, evidentiary, and
investigative ramifications, Carnivore is superior to commercial
sniffer. Commercial sniffers are typically designed to work only with
fixed IP addresses. Unfortunately, dynamic addressing within ISPs
occurs probably in 98-99% of the cases. Hence, the use of commercial
sniffers, without more, would be ineffective in 98-99% of court
authorized collections. Carnivore was specifically designed to
interface with ISP networks so that when dynamic addressing occurs it
can immediately respond to it. Finally, while it is true that other
efforts with ISPs can address this problem, this problem is effectively
and efficiently resolved technically by Carnivore.
In still another area with significant legal, evidentiary, and
investigative ramifications, Carnivore has the ability to filter and
collect Simple Mail Transport Protocol (SMTP) traffic sent to or from a
specific user. Most, if not all, commercial sniffers would collect all
E-mails and then require a human visual search to find the targeted E-
mail. This obviously is wanting from a privacy and operational
perspective. Carnivore, on the other hand, has the ability to conduct
very surgical acquisitions of only a targeted criminal subject's E-
mail.
To repeat, during all the filtering/processing noted above, no FBI
personnel are seeing information--all of the information filtering/
processing, and purely in a machine-readable format, is occurring
exclusively ``within the box.''
Now, at the end of all the filtering and processing, there, of
course, is information that ultimately is collected and stored for
human review. Hence, what finally reaches the hands of FBI personnel in
every case is simply and only that particular lawfully authorized by
the court order--and no more.
Finally, Carnivore includes another piece of important
functionality. For evidentiary purposes, and as an audit history,
Carnivore was also designed to append to an event file for each
collection the filter configuration that was used in that collection.
This information tells the FBI personnel--and indeed it tells the
world, including a court, defense counsel, and a jury--what mode the
device was operating in (what it was programmed to collect), so as to
allay any suspicion that more information was being passed along to FBI
personnel.
As you know, Rule 901 of the Federal Rules of Evidence requires the
authentication of evidence as a precondition for its admissibility. The
use of the Carnivore system by the FBI to intercept and store
communications establishes, with much less human interaction and
without the potential for human error, a trustworthy machine-based
memorialization of the evidence. It also establishes a reliable first
link in an undisturbed chain of custody, and it facilitates the ease
and accuracy of a witness' testimony by permitting the witness to
testify as to the retrieval of the evidence and as to the purely
technological method by which the evidence was acquired and recorded.
Finally, Carnivore is being upgraded by adding an integrity feature
which will further demonstrate the authenticity of the information, by
imprinting on the evidence the collection mode being used. It thus
helps prove authenticity, by demonstrating that no alteration has been
made to the filter settings employed or to the information obtained. As
an evidentiary matter, such features strengthen showings of ``chain of
custody,'' authenticity, and non-alteration.
Why computer network service providers should not be fearful about
Carnivore's use with their networks
Notwithstanding assertions to the contrary, the Carnivore system is
safe to operate with IP networks. As noted above, Carnivore is only
installed in that small segment of the computer network through which
the criminal subject's communications traffic will pass. The Carnivore
system is connected with the network by a bridging device that
physically prevents Carnivore from transmitting into the network. Thus,
as a technological certainty, there is absolutely no way it could
possibly have any ability to transmit any information or thing into the
network.
Importantly, Carnivore is only attached to the network after
consultation with, and after obtaining the agreement and assistance of,
technical personnel form the ISP. It is worth noting that, to date, the
FBI has never installed Carnivore with an ISP's network without first
obtaining the assistance of the ISP's technical personnel. The Internet
is highly complex and heterogeneous environment in which to conduct
electronic surveillance, and I can assure you that without the
technical knowledge of the ISP's personnel, it would be very difficult,
and in some instances impossible for law enforcement agencies to act
unilaterally and successfully in implementing such a technical effort.
Moreover, the FBI particularly depends upon the ISP personnel to
understand the protocols and architecture of their particular networks.
Some critics have also asserted that the use of the Carnivore
system introduces significant new vulnerabilities for hacking access.
But such assertions miss the mark. With regard to hacking, and
considering the hacking methodologies most commonly employed, there
would be absolutely no greater qualitative value in trying to use the
Carnivore system as an access point than any other access point or node
in the Internet, concerning which there are literally millions. Indeed,
recognizing that Carnivore is a law enforcement surveillance tool, a
hacker's attempted use of it as an access path would be particularly
foolish inasmuch as access to Carnivore, as noted above, would never
create an actual transmission path into the network.
Lastly, there has been the suggestion, in prior Congressional
testimony, that the Carnivore system had caused a network crash or
other problems in the network of a particular ISP. Let me emphasize
that such a suggestion is simply factually incorrect. In the instance
cited, the cause of the network problem (there was no crash)--it was in
the nature of a network slowdown--was programming steps undertaken
exclusively by the ISP's technicians, and entirely on their own.
Why should the public have trust in the FBI's conduct of electronic
surveillance, and, in particular, in its use of the Carnivore
system
We believe that the American public should have trust in the FBI's
conduct of electronic surveillance, principally because it has an
outstanding record of lawfully complying with the Federal electronic
surveillance laws which the Congress first enacted over thirty years
ago, in 1968. Although the assertion of widespread 'illegal FBI
wiretapping' is frequently made, and is an article of faith for some,
the facts in no way support it. Any careful review of the dockets of
the Federal courts offers no support to the assertion of FBI electronic
surveillance abuse during these years. Indeed, all FBI electronic
surveillance is authorized and carefully supervised by many different
``outside'' entities.
To begin with, in every FBI investigation involving electronic
surveillance, all surveillance efforts are approved, monitored, and
overseen at each step of the way by both the local United States
Attorneys Office and the appropriate U.S. District Court Judge (for
Title IIIs) or Magistrate (for ECPA court orders). In surveillance
conducted under the Foreign Intelligence Surveillance Act (FISA), FBI
surveillance efforts are approved, monitored, and overseen by the
Department of Justice's Office of Intelligence Policy and Review, and
by the Foreign Intelligence Surveillance Court, respectively. Moreover,
before any full-blown Title III or FISA electronic surveillance
involving the interception of communications' content is approved,
lengthy, multi-layered, and thorough reviews occur both within the FBI
and within the Department of Justice, and, as a statutory mandate,
high-level Department of Justice approval is required for all such
surveillance.
For more than three decades now, FBI electronic surveillance has
been closely supervised and monitored by the Department of Justice.
There has been no indication of FBI abuse. Indeed, the Department of
Justice typically points to the FBI as an agency model with regard to
how to carefully and lawfully conduct electronic surveillance.
Aside from Executive and Judicial Branch review of FBI electronic
surveillance efforts, the Congress itself exercises frequent and
ongoing oversight over the FBI's conduct of electronic surveillance in
a number of ways. Year in and year out, numerous Congressional
Committees (and their staff) involved in authorizations and
appropriations scrutinize FBI expenditures, programs, and even
equipment. Committees on the Judiciary and Intelligence frequently hold
hearings, such as this, and submit written questions to be addressed by
the FBI. Further, since Title III's enactment in 1968, the Congress has
revisited the Federal electronic surveillance laws on a number of
occasions: in 1978 (FISA), in 1986 (ECPA), and in 1994 (CALEA). And, as
the Committee is well aware, each time the Federal electronic
surveillance laws are updated there is a substantial subtext to the
legislative initiative wherein the Congress considers and reconsiders
whether such laws are working well and whether there is any significant
indication of abuse such as to warrant the laws' curtailment or
modification. However, with each of these pieces of legislation, the
Congress has never found or suggested that the law enforcement
community, in general, or the FBI, as an agency, in particular, was
abusing the electronic surveillance authorities.
Further, in recent years, it has become somewhat commonplace for
members of the Congress to request a visit to the FBI's Engineering
Research Facility (ERF) to permit themselves and/or their staff to
understand FBI surveillance methodologies, etc., better. Beyond these,
every year the Administrative Office of the United States Courts sends
to the Congress the yearly "Wiretap Report" which specifies Federal,
State, and local law enforcement's Title III electronic surveillance
activities. Likewise, and also pursuant to Federal statute, every year
the Department of Justice submits to the Congress a report regarding
the use of pen register and traps and traces conducted by law
enforcement agency components within the Department. Further, several
years ago, as a part of the Anti-terrorism and Effective Death Penalty
Act of 1996, the Congress requested a Report from the Department of
Justice which was to specifically include a review of any abuse in law
enforcement's conduct of electronic surveillance. In the Report
submitted by the Department of Justice, it was pointed out that law
enforcement errancy in this area was rare, and did not suggest any
significant problem. In particular, there was no citation as to abuse
by the FBI.
At this point, it may be useful to briefly discuss another vital
component in the overall electronic surveillance/Carnivore mix: the FBI
personnel who use it.
In this regard, the Committee would truly be missing a significant
part of the story if we failed to point out the quality of the FBI
personnel involved and the ways in which they perform their tasks. To
begin with, to become and FBI employee requires a substantial showing
of trustworthiness, lawfulness, and personal and professional
intergrity--all of which must be demonstrated through the conduct of an
extensive and very thorough national security-level background
investigation. To be sure, the structure of the FBI would quickly
collapse if the agency and all of its onboard employees could not trust
without reservation its new employees. And the FBI certainly does not
recruit honest and law-abiding people only to turn around and employ
them in corrupt and dishonest ways. Indeed, in contrast with the
requirements placed upon many of the personnel employed by
telecommunications and computer network service providers (who may have
some role in implementing electronic surveillance orders), all FBI
employees are specifically sworn to uphold the Constitution, obey the
law, and to faithfully execute the laws of the land.
Of course, and as noted above, it is emphasized to all FBI
employees that any type of illegal electronic surveillance would be a
serious violation of the law--a federal felony, thereby subjecting the
employee to criminal prosecution, civil liability, and termination.
Further, FBI employees are made to fully understand that any unlawful
surveillance will likely lead to the suppression of any and all tainted
evidence and any evidence or fruits derived therefrom. In short, it is
made clear that any such unlawful behavior will not be tolerated.
All FBI personnel involved in conducting electronic surveillance
are thoroughly and specifically trained about the Federal electronic
surveillance laws. This is particularly so for the FBI Technically
Trained Agents (TTAs) who receive specialized training in the conduct
of electronic surveillance, including legal instruction, at the FBI's
Engineering Research Facility (ERF) in Quantico, Virginia. This
training weds together the black letter law with the ``hands on''
technical level implementations of electronic surveillance. Moreover,
FBI personnel involved in electronic surveillance are involved in
ongoing consultation with attorneys from the FBI's Office ofthe General
Counsel, the FBI Field Office's Chief Division Counsel, the Department
of Justice, and the Offices of United States Attorneys.
Access to and the use of FBI electronic surveillance equipment is
controlled administratively, and usually requires a trained specialist
to operate it. Hence, the large pool of FBI Special Agents and support
employees never have access to, or competency in the use of, such
highly-specialized pieces of surveillance equipment.
In sum, over the last 32 years, the FBI's record of properly
conducting court authorized electronic surveillance is a very good
one--one that we believe should command the trust of the public and the
Congress.
With regard to Carnivore, it is a relatively new electronic
surveillance tool, and has only been used within the last two years.
Trust in the FBI's use of Carnivore, we believe, should at least in
part rest upon the FBI's openness and willingness to discuss this
device. Indeed, perhaps the most telling fact about Carnivore, as an
electronic surveillance tool, is that in an unprecedented fashion, the
FBI has shared with numerous entities in the public Carnivore's (and/or
some of its technical counterparts') purpose and basic functionality--
long before any concerns were raised and before any Congressional
hearings were scheduled.
Ironically, the most central fact and aspect of the entire matter
has gotten lost: that the FBI has spent a considerable amount of time,
money, and energy in developing an electronic surveillance tool with
the exclusively laudable purposes of better satisfying the
Constitutional standard of particularity, the Title III and ECPA
precepts of minimization, as well as the legal, privacy-based, and
societal concerns associated with careful, precise, and lawful
surveillance efforts.
As the Committee may be aware, the FBI has briefed a wide-ranging
variety of entities: governmental attorneys, leading ISPs, leading
Information Technology (IT) companies, leading telecommunications
service providers, academic labs, and software manufacturers as to the
functionality of the Carnivore system. Hence, if, for the sake of
argument, the FBI had ever possessed any untoward intentions, in terms
of using Carnivore in a stealthy, illegal, or abusive way, it certainly
went about pursuing them in the wrong way. In fact, the FBI's openness
with regard to Carnivore should, in and of itself, properly and
reasonably instill public confidence and trust, notwithstanding that
some of its detractors may disagree with some aspect of Carnivore.
Of course, with regard to Carnivore, the same strict personnel,
legal, training, and security practices apply. Further, given that
relatively few of these devices are even available throughout the
entire FBI, those in existence are under the custody and control of but
a few FBI technically-trained personnel.
Finally, the FBI, in concert with the Department, has welcomed a
review of the Carnivore system. The FBI believes that when all is said
and done the FBI and the Carnivore device will receive a clean bill of
health, and thereby hopefully more fully instill public confidence and
trust in this important and critically needed investigative tool.
Conclusion
In conclusion, I would like to say that over the last ten years or
more, we have witnessed a continuing, steady growth in computer and
Internet-related crimes, including extremely serious acts in
furtherance of terrorism, espionage, infrastructure attack, as well as
the more conventional serious and violent crimes, to include child
pornography and exploitation. These activities which have been planned
or carried out, in part, using computers and the Internet pose
challenges to the U.S. law enforcement community that we dare not fail
to meet. In turn, the ability of the law enforcement community to
effectively investigate and prevent these serious crimes is, in part,
dependent upon our ability to lawfully and effectively intercept and
acquire vital evidence of these crimes, and our ability to promptly
respond to these harms that so threaten the American public. As the
Internet becomes more complex, so too do the challenges placed upon us
to keep pace. Without the continued cooperation of our industry
partners and important technological innovations such as the Carnivore
system, such a task would be futile.
I look forward to working with the Committee staff to provide more
information and welcome your suggestions on this important issue. I
will be happy to answer any questions that you may have. Thank You.
The Chairman. Thank you so much.
Mr. Di Gregory, we will turn to you.
STATEMENT OF KEVIN V. DI GREGORY
Mr. Di Gregory. Thank you, Mr. Chairman. Thank you for
allowing me the opportunity to testify about electronic
surveillance and privacy in the digital age.
We have seen, as you have already noted, the Internet
flourish over the last 10 years. In that relatively short
period of time, it has created vast benefits for citizens,
businesses and governments, and appears to hold boundless
promise. The Internet has spurred a new economy, and many
businesses have been built and people employed through Internet
sales of products and services.
Others have assisted in building, maintaining and improving
the Internet itself. The Internet has given people jobs,
supported families and communities, and created new
opportunities for commerce for America and the world. The
Internet has touched our working lives, our social lives, and
our family lives.
As we have seen throughout history, however, there are
those who would use powerful tools like the Internet to inflict
harm on others. The Internet has not escaped this historical
truth. Even in the Internet's relatively short existence, we
have seen a wide range of criminal use of this technology. It
has been used to commit traditional crimes against an ever
widening number of victims. There are also those criminals
intent on attacking and disrupting computers, computer
networks, and the Internet itself.
In short, although the Internet provides an unparalleled
opportunity for Americans to freely express ideas and conduct
business and government, it also provides a very effective
means for ill-motivated persons to breach the privacy and
security of others.
Many of the crimes that we confront everyday in the
physical world are beginning to appear in the online world.
Crimes like death threats, extortion, fraud, and child
pornography are migrating to the Internet at a startling pace.
The fourth amendment and laws addressing privacy and public
safety serve as a framework for law enforcement to respond to
this new forum for criminal activity.
If law enforcement fails properly to respect individual
privacy in its investigative techniques, the public's
confidence in government will be eroded, evidence will be
suppressed, and criminals will elude successful prosecution. If
law enforcement is too timid in responding to cyber crime,
however, we will, in effect, render cyberspace a safe haven for
criminals and terrorists to communicate and carry out crime
without fear of authorized government surveillance.
If we fail to make the Internet safe, people's confidence
in using the Internet and in e-commerce will decline,
endangering those very benefits brought about by the
information age. Proper balance is the key. Despite the fervor
over the unfortunately named Carnivore, the truth of the matter
is that Carnivore was created to provide us with a tool to help
us enforce the laws and preserve the privacy of our citizens.
To satisfy our obligations to the public to enforce the
laws and preserve public safety, we use the same sorts of
investigatory techniques and methods online as we do in the
physical world, with the same careful attention to the strict
constitutional and legal limits which apply. We must have an
investigatory tool that helps us to investigate online in the
same way as in the physical world, and enables us to obtain
only the information we are authorized to obtain through a
court order.
For example, if a man is suspected of luring children for
sex, law enforcement must determine with whom the suspect is
communicating. In the recent past, such communications would
have been carried out exclusively by telephone. To find out who
the suspect is communicating with, law enforcement would obtain
an order from a court authorizing the installation of a trap
and trace and a pen register device, and either the telephone
company or law enforcement would have installed the device to
comply with the court's order.
Thereafter, the source and destination of the calls would
have been recorded. This is information that the Supreme Court
has held in Smith v. Maryland is not subject to any reasonable
expectation of privacy. Given the personal nature of the
information, however, Congress required the Government to
obtain an order under these circumstances. In this way, privacy
is protected and law enforcement is able to conduct its
investigation in its efforts to protect the public.
Nowadays, that same suspect is more likely to operate
through e-mail or other kinds of online communications. In
attempting to investigate the criminal activity, law
enforcement can apply to a court for an order to obtain in real
time the e-mail addresses of those persons with whom the
suspect is communicating through or by e-mail.
Law enforcement needs to be able to quickly identify the
source and destination of such e-mails to fulfill its
obligations to the victims, in particular, and to the public
generally. In the event that the investigation requires viewing
the content of the e-mail, even just the subject line, then law
enforcement must comply with the strict internal FBI and
Department guidelines and the provisions of Title III of the
Omnibus Crime Control and Safe Streets Act of 1968.
When law enforcement uses a trap and trace, pen register,
or a title III order in the online context, however, we have
found that at times the Internet service provider has been able
or even unwilling to supply the information we need. It is for
that narrow set of circumstances that the FBI needs effective
online investigative tools.
Law enforcement cannot abdicate its responsibility to
protect public safety simply because technology has changed.
Rather, we believe the public rightfully expects that law
enforcement will continue to be effective as criminal activity
migrates to the Internet. Where the service provider cannot or
will not comply with a court order to reveal addressing
information or content of electronic communications, law
enforcement must have some mechanism to obtain that
information. It must have a tool that can obtain the
information authorized by the court order, and I say again only
that information authorized by the court order.
The tool should be configurable so that, for example, it
can be set to gather only the e-mail addresses of those persons
with whom the suspect is communicating without any human being
either from law enforcement or the service provider viewing the
private information that is outside of the scope of the court
order. Such a tool automatically reduces the data collected to
only that permitted by the court, thus allowing law enforcement
strictly to comply withthe order and safeguarding the privacy
of information outside the order.
The FBI created Carnivore to be such a tool. We have
numerous mechanisms in place to prevent possible misuse of
electronic surveillance tools. The fourth amendment, of course,
restricts what law enforcement can do with the software, as do
the statutory requirements of title III and the Electronic
Communications Privacy Act. And, further, implementing orders
of the courts will restrict us and will prevent possible misuse
of electronic surveillance tools.
For Federal title III applications, as you know, the
Justice Department imposes its own guidelines on top of the
privacy protections provided by the Constitution, statutes, and
the courts. For example, before Carnivore can be used to
intercept wire or electronic communications, with the limited
exception of digital display pagers, the requesting
investigative agency must obtain approval for the title III
application from the Department of Justice.
Specifically, the Office of Enforcement Operations in the
Criminal Division of the Department reviews each proposed title
III application to ensure that the interception satisfies
fourth amendment requirements and is in compliance with
applicable statutes and regulations. If the proposal clears the
Office of Enforcement Operations, approval must generally be
given then by a Deputy Assistant Attorney General in the
Criminal Division. Typically, investigative agencies such as
the FBI have similar but separate internal approval
requirements.
If the investigative agency and the Department of Justice
approve a Federal title III request, it still must, of course,
be approved by the proper court using familiar but exacting
standards. By statute and internal departmental regulation, the
interception may last no longer than 30 days without an
extension by the court. Courts, as I alluded to earlier, often
impose their own additional requirements.
In addition, the remedies for violating title III or ECPA
by improperly intercepting electronic communications include
criminal sanctions and civil suits. For violations of the
fourth amendment, of course, the remedy of suppression is also
available.
We recognize that notwithstanding the limited use of the
software and the many protections in place, concerns remain
about the computer program Carnivore. To address those
concerns, the Attorney General has asked, as you have noted,
Mr. Chairman, for an independent technical review of Carnivore
to evaluate whether it performs the functions it was designed
to perform, and does so without any greater threat to privacy
or to the smooth operation of private service providers than
would be posed by any other system that allows compliance with
the law related to court-ordered interceptions.
The technical reviewers will have whatever access they need
to discharge their responsibilities, and their report will be
made public to the maximum extent that is consistent with
otherwise applicable law or contractual obligations and with
preserving the continued effectiveness of the software.
The report will also be reviewed by a high-level Department
panel, chaired by the Assistant Attorney General for the
Justice Management Division, Mr. Stephen Colgate, and including
the Attorney General's chief science and technology officer;
the Department's chief privacy officer; the Assistant Director
of the FBI in charge of the Bureau's laboratory Division, Dr.
Kerr; and a representative of the Department's Criminal
Division. That panel will consider the positions of interested
parties, such as industry and privacy groups, concerning the
technical review and will report to the Attorney General.
Mr. Chairman, thank you again for allowing me this
opportunity to address our efforts to fight crime on the
Internet and preserve the privacy rights conferred by the
fourth amendment and statutes. The need to protect the privacy
of our citizens from criminals, as well as the Government, is
the paramount consideration in all our activities. The public
is undoubtedly concerned about their online privacy and the
potential for criminals, private industry and the Government to
infringe upon it.
The public is also deeply concerned, we believe, about
their safety and security when exploring and using the ever-
expanding reaches of the Internet. By deterring and punishing
those criminals who violate individual privacy, ensuring the
ability of law enforcement to fight cyber crime both promotes
safety and security of Internet users and enhances user
privacy. The Department of Justice stands ready to work with
the members of this committee and others to achieve these
important goals.
Mr. Chairman, that concludes my prepared statement. We have
provided the committee with my full written statement, and
thank you very much. Hopefully, later, we will be able to
answer any questions you or Senator Leahy may have.
[The prepared statement of Mr. Di Gregory follows:]
Prepared Statement of Kevin V. Di Gregory
Mr. Chairman and Members of the Committee, I appreciate your
providing me with this opportunity to testify about the computer
program ``Carnivore.'' This Committee has previously heard from Deputy
Attorney General Eric Holder and Assistant Attorney General for the
Criminal Division James K. Robinson and concerning cybercrime issues.
We are pleased to continue to participate in this very important
dialogue today, and to address the imperative of protecting individual
privacy on the Internet from unwarranted governmental intrusion, and
the critical role the Department plays to ensure that the Internet is a
safe and secure place for our citizens.
Privacy and the Obligation to Provide Public Safety
Our obligation to the public to enforce the laws is not limited to
activities in the physical world; our responsibilities to the citizens
to preserve their safety continues where illegal conduct is committed
on-line or facilitated by the Internet. The public rightfully expects,
for example, that law enforcement will investigate and prosecute child
molesters who prey on children using electronic mail or other Internet
communications tools.
Similarly, of course, the duty of law enforcement to preserve
privacy does not end where the Internet begins. The Fourth Amendment
protects the rights of our citizens as we go on-line to work, learn and
explore the Internet, just as the Fourth Amendment protects rights in
the physical world. The goal of the Department is long-honored and
noble: we must preserve the privacy of our citizens while protecting
their safety. History has taught us, and our founding fathers
recognized, that our citizens' liberty cannot thrive unless we can
investigate, apprehend and prosecute those who engage in criminal
conduct. At the same time, however, our founding fathers abhorred the
disregard and abuse of privacy by the government in England. Privacy
and public safety can be at odds in certain circumstances. The founders
of this nation adopted the Fourth Amendment to address those
situations. Under the Fourth Amendment, the government must demonstrate
probable cause to a neutral magistrate before obtaining a warrant for a
search, arrest, or other significant intrusion on privacy.
Congress and the courts have also recognized that less intrusive
investigate steps should be permitted under a less exacting threshold.
The Electronic Communications Privacy Act establishes a three-tier
system by which the government can obtain stored information from
electronic communication service providers. In general, the government
needs a search warrant to obtain the content of unretrieved
communications (like e-mail), a court order to obtain transactional
records, and a subpoena to obtain information identifying the
subscriber. See Sec. Sec. 18 U.S.C. 2701-11.
In addition, to obtain information identifying who is sending or
receiving communications to or from a particular suspect, the
government must obtain a ``trap and trace'' or ``pen register'' court
order authorizing the recording of such information. See 18 U.S. 3121
et seq.
Because of the privacy values it protects, the wiretap statute, 18
U.S.C. Sec. Sec. 2510-22, commonly known as Title III, places a higher
burden on the real-time interception of oral, wire and electronic
communications than even the Fourth Amendment requires. To listen to or
record communications as they are happening, law enforcement must
obtain a court order unless one of the specified statutory exceptions
applies. To obtain such an order, the government must show that normal
investigative techniques for obtaining the information have or are
likely to fail are too dangerous, and that any interception will be
conducted so as to ensure that the intrusion is minimized. The Fourth
Amendment and statutory restrictions on government access to
information do not prevent effective law enforcement. Rather, they
provide boundaries for law enforcement, clarifying what is acceptable
evidence gathering and what is not.
Often, our obligations to enforce the law and our goal to preserve
privacy are in complete harmony, such as when we apprehend and
prosecute a criminal who has hacked into a computer containing the
confidential records of others. In those instances where there is
tension, we must find a proper balance. Law enforcement has a critical
role to play in preserving privacy against intrusions by others.
Although the primary mission of the Department of Justice is law
enforcement, Attorney General Reno and the entire Department understand
and share the legitimate concerns of all Americans with regard to
personal privacy. If the Internet is to thrive and citizens' confidence
in the Internet is to remain high, we can abandon neither the goal of
on-line privacy nor the goal of public safety.
The Department has been and will remain committed to protecting the
privacy rights of individuals. We look forward to working with Congress
and other concerned individuals to address these important matters in
the months ahead.
Keeping the Peace in Cyberspace
Although the Fourth Amendment is over two centuries old, the
Internet as we know it is stillin its infancy. The huge advances in
communications technology over the past decade have forever altered the
landscape of society worldwide. The Internet provides a new forum in
which citizens can communicate, transfer information, engage in
commerce, play and expand their educational opportunities. These are
but a few of the wonderful benefits of this rapidly evolving
technology. As has happened to every major technological advance,
however, we are seeing individuals and groups use the Internet to
commit crimes. As the Department has noted in the past, this nation's
vulnerability to computer crime is astonishingly high and threatens not
only economic prosperity, but the privacy of our citizens and our
country's critical infrastructure.
Many of the crimes that we confront everyday in the physical world
are migrating to the on-line world. Crimes like death threats,
extortion, fraud and child pornography have migrated with startling
speed to the Internet. The Fourth Amendment and laws addressing privacy
and public safety serve as the framework for law enforcement to respond
to this new forum for criminal activity. If law enforcement fails
properly to respect individual privacy in its investigate techniques,
the public's confidence in government will be eroded, evidence will be
suppressed, and criminals will elude successful prosecution. If law
enforcement is too timid in responding to cybercrime, however, we will,
in effect, render cyberspace a safe haven for criminals and terrorists
to communicate and carry out crime, without fear of authorized
government surveillance. If we fail to make the Internet safe, people's
confidence in using the Internet and e-commerce will decline,
endangering the very benefits brought by the Information Age. Proper
balance is the key.
To meet our responsibilities to the public to enforce the laws and
preserve the safety, we use the same sorts of investigative techniques
and methods on-line as we do in the physical world, with the same
careful attention to the strict constitutional, statutory, internal and
court-ordered boundaries.
For example, if a man is suspected of luring children for sex, law
enforcement must determine with whom the suspect is communicating. In
the recent past, such communications would have been carried out
exclusively by telephone. To find out who the suspect is communicating
with, law enforcement would obtain an order from a court authorizing
the installation of a ``trap and trace'' and a ``pen register'' device,
and either the telephone companyor law enforcement would have installed
these devices to comply with the court's order. Thereafter, the source
and destination of calls would have been recorded. This is information
that the Supreme Court has held is not subject to any reasonable
expectation of privacy. Given the personal nature of this information,
however, the law requires government to obtain an order under these
circumstances. In this way, privacy is protected and law enforcement is
able to investigate to protect the public.
Now, that same suspect is more likely to operate through e-mail or
other kinds of online communications. In attempting to investigate the
criminal activity, law enforcement can apply to a court for an order to
obtain in real time the e-mail addresses of those persons with whom the
suspect is communicating through or by e-mail. Law enforcement needs to
be able to quickly identify the source and destination of such e-mails
to fulfill its obligations to the victims in particular and the public
generally. In the event that the investigation requires viewing the
content of the e-mail--even just the subject line--then law enforcement
must comply with strict internal FBI and Department guidelines, and the
provisions of Title III of the Omnibus Crime Control and Safe Streets
Act of 1968, 18 U.S.C. Sec. Sec. 2510-2521.
At times, Internet service providers may be unable to use their own
technology to comply with court orders directing them to supply source
and destination information or the content of communications. Law
enforcement cannot abdicate its responsibility to protect public safety
simply because technology has changed. Rather, the public rightfully
expects that law enforcement will continue to be effective as criminal
activity migrates to the Internet.
It is for such narrow set of circumstances that the FBI designed
``Carnivore.'' When a criminal uses e-mail to send a kidnaping demand,
to buy and sell illegal drugs or to distribute child pornography, law
enforcement needs to know to whom he is sending messages and from whom
he receives them. To get this information, we obtain a court order,
which we serve on the appropriate service provider. Because of the
nature of Internet communications, the addressing information (as
opposed to the content of the communication itself) is often mixed in
with other non-content data that we have no desire to gather. If the
service provider can comply with the order and provide us with only the
addressing information required by court order, it will do so and we
will not employ any investigative tool.
Where the service provider cannot or will not comply with a court
order to reveal addressing information or content of electronic
communications, law enforcement must have some mechanism to obtain the
information. It must have a tool that can obtain the information
authorized by court order, and only that information. The tool should
be configurable such that, for example, it can be set to gather only
the e-mail addresses of those persons with whom the kidnapper is
communicating, without allowing any human being, either from law
enforcement or the service provider, to view private information
outside of the scope of the court's order. Such a tool automatically
reduces the data collected to only that permitted by the court, thus
allowing law enforcement strictly to comply with the order, and
safeguarding the privacy of information outside the order. The FBI
created Carnivore to be such a tool.
We have numerous mechanisms in place to prevent possible misuse of
electronic surveillance tools. The Fourth Amendment, of course,
restricts what law enforcement can do with the software, as do the
statutory requirements of Title III and the Electronic Communications
Privacy Act, and the implementing orders of the courts.
For federal Title III applications, the Department of Justice
imposes its own guidelines on top of the privacy protections provided
by the Constitution, statutes and the courts. For example, before
Carnivore may be used to intercept the content of communications, the
requesting investigative agency must obtain approval from the
Department of Justice asking a court for a Title III order. The Office
of Enforcement Operations in the Criminal Division of the Department
reviews each proposed Title III application to ensure that the
interception satisfies the protections of the Fourth Amendment and
complies with applicable statutes and regulations. Even if the proposal
clears the OEO, the application cannot go to to a court without
approval by a Deputy Assistant Attorney General or higher-level
official in the Department. Although this requirement of high-level
review is required by Title III only with regard to proposed intercepts
of wire and oral communications, the Department voluntarily imposes the
same level of review for proposed interceptions of electronic
communications (except digital-display pagers). Typically,
investigative agencies such as the Federal Bureau of Investigation have
similar internal requirements, separate and apart from Constitutional,
statutory or Department of Justice requirements.
If the investigative agency and the Department of Justice approve a
federal Title III request, it still must, of course, be submitted to
and approved by a court of proper jurisdiction. The court will evaluate
the application under the Fourth Amendment and using the familiar
standards of Title III. By statute, for example, the application to the
court must show, through sworn affidavit, why the intercept is
necessary as opposed to other less-intrusive investigative techniques.
The application must also provide additional detail, including whether
there have been previous interceptions of communications of the target,
the identity of the target (if known), the nature and location of the
communications facilities, and a description of the type of
communications sought and the offenses to which the communications
relate. By statute and internal Department regulation, the interception
may last no longer than 30 days without an extension by the court.
Courts also often impose their own requirements. For example, many
federal courts require that the investigators provide periodic reports
setting forth information such as the number of communications
intercepted, steps taken to minimize irrelevant traffic, and whether
the interceptions have been fruitful. The court may, of course
terminate the interception at any time.
The remedies for violating Title II or ECPA by improperly
intercepting electronic communications can include criminal sanctions,
civil suit, and for law enforcement agents, adverse employment action.
For violations of the Fourth Amendment, of course, the remedy of
suppression is also available.
The Justice Department and law enforcement across this nation are
committed to continuing to work together and with their counterparts in
other countries to develop and implement investigative strategies to
successfully track, apprehend, and prosecute individuals who conduct
criminal activity on the Internet. In so doing, the same privacy
standards that apply in the physical world remain effective online.
As the Committee is aware, the Administration recently transmitted
to Congress a legislative proposal addressing various issues relating
to cyber-security. Two portions of the bill relate directly to today's
discussion. First, the Administration supports raising the statutory
standards for intercepting the content of electronic communications so
they are the same as those for intercepting telephone calls: high-level
approval, use only in cases involving certain predicate offenses that
are specified by statute, and statutory suppression of evidence derived
from improper intercepts. Second, the Administration bill requires
federal judges to confirm that the appropriate statutory predicates
have been satisfied before issuing a pen register or trap-and-trace
order. Those changes would apply to the use of Carnivore, and in
important respects wouldsimply confirm by statute the policies and
procedures already followed by the Department of Justice. The
Administration supports a balanced updating of laws to enhance
protection of both privacy and public safety, and the bill contains
important provisions that would be most helpful in the ongoing fight
against cyber-crime.
We recognize that, notwithstanding the limited use of the software
and the many protections in place, concerns remain about the computer
program. To address those concerns, the Attorney General has asked for
an independent technical review of Carnivore to evaluate whether it
performs the functions it was designed to perform, and does so without
any greater threat to privacy or to the smooth operation of private
service providers then would be posed by any other system that allows
compliance with the law relating to court-ordered interceptions. The
technical reviewers will have whatever access they need to discharge
their responsibilities, and their report will be made public to the
maximum extent that is consistent with otherwise applicable law or
contractual obligations and with preserving the continued effectiveness
of the software as a law-enforcement tool. The report will also be
reviewed by a high-level Departmental panel, chaired by the Assistant
Attorney General for the Justice Management Division and including the
Attorney General's Chief Science & technology Advisory, the
Department's Chief Privacy Officer, the Assistant Director of the FBI
in charge of the Bureau's Laboratory Division, and me. That panel will
consider the positions of interested parties, such as industry and
privacy groups, concerning the technical review, and will report to the
Attorney General.
Mr. Chairman, the Department of Justice takes privacy concerns
seriously and takes a proactive leadership role in making cyberspace
safer for all Americans. The cornerstone of our cybercrime prosecutor
program is the Criminal Division's Computer Crime and Intellectual
Property Section, known as CCIPS. Founded in 1991 as the Computer Crime
Unit, CCIPS became a Section in 1996. CCIPS has grown from five
attorneys in 1996 to nineteen today, and we need more to keep pace with
the demand for their expertise. The attorneys in CCIPS work closely on
computer crime cases with Assistant United States Attorneys known as
``Computer and Telecommunications Coordinators,'' or CTC's, in U.S.
Attorney's Offices around the nation. Each CTC receives special
training and equipment and serves as the district's expert on computer
crime cases. CCIPS and the CTC's work together in prosecuting cases,
spearheading training for local, state and federal law enforcement,
working with international counterparts to address difficult
international challenges, and providing legal and technical instruction
to assist in the protection of this nation's critical infrastructes.
CCIPS also provides its expertise to the public through its Internet
website, www.cybercrime.gov. We are very proud of the work these people
do and we will continue to work diligently to help stop criminals from
victimizing people online.
I also note that public education is an important component of the
Attorney General's strategy on combating computer crime. As she often
notes, the same children who recognize that it is wrong to steal a
neighbor's mail or shoplift do not seem to understand that it is
equally wrong to steal a neighbor's e-mail or copy a proprietary
software or music file without paying for it. To remedy this problem,
the Department of Justice, together with the Information Technology
Association of America (ITAA), has embarked upon a national campaign to
educate and raise awareness of computer responsibility and to provide
resources to empower concerned citizens. The ``Cybercitizen Awareness
Program'' seeks to engage children, young adults, and others on the
basics of critical information protection and security and on the
limits of acceptable online behavior. The objectives of the program are
to give children an understanding of cyberspace benefits and
responsibilities, an awareness of consequences resulting from the
misuse of the medium and an understanding of the personal dangers that
exist on the Internet and techniques to avoid being harmed.
Conclusion
Mr. Chairman, thank you again for allowing me this opportunity to
address our efforts to fight crime on the Internet and preserve the
privacy rights conferred by the Fourth Amendment and statute. The need
to protect the privacy of our citizens from criminals as well as the
government, is a paramount consideration in all our activities. The
public is undoubtedly concerned about their on-line privacy, and the
potential for criminals, private industry, and the government to
infringe upon it. The public is also deeply concerned about their
safety and security when exploring and using the ever-expanding reaches
of the Internet. By deterring and punishing those criminals who violate
individual privacy, ensuring the ability of law enforcement to fight
cyber-crime both promotes the safety and security of Internet users and
enhances user privacy. The Department of Justice stands ready to work
with the Members of this Committee and others to achieve these
important goals.
Mr. Chairman, that concludes my prepared statement. I would be
pleased to answer you questions
The Chairman. Thank you so much.
Mr. Cerf, we will take your testimony at this time.
STATEMENT OF VINTON G. CERF
Mr. Cerf. Thank you very much, Mr. Chairman. It is a
pleasure to be here. Good morning, Senator Leahy. It is a
pleasure to see you again as well.
I am here representing the Internet Society, although for
purposes of identification, the chairman is quite correct, I
also serve as senior vice president at WorldCom for Internet
Architecture and Technology.
For many, many years I worked on the Internet, and for a
long time many of you know that getting the Internet protocol
out there was an important goal. So I even had a T-shirt made
to commemorative. It reads ``IP on everything,'' and that is
what I have been doing for a long time.
However, the FBI is now confronted with a serious problem
because now that the Internet protocol is going everywhere,
everyone wants to put all new applications on top of it. So, as
a result, we have Internet telephony and television and radio
and e-mail and World Wide Web. So now I have another T-shirt
that says ``Everything on IP,'' although one could read this
``IP Under Everything,'' which is another way of thinking about
it.
That is the problem confronting the FBI today, is that
these communications----
Senator Leahy. You have made sure this will be the one
thing that we will remember from this hearing. [Laughter.]
The Chairman. If you had any guts, you would have worn
those T-shirts.
Senator Leahy. Don't encourage him, Mr. Chairman.
[Laughter.]
Mr. Cerf. I don't know if I want to go there any further.
Thank you, Mr. Chairman.
The Chairman. But I have met a lot of your associates in
this business and they wear T-shirts.
Mr. Cerf. My purpose today is entirely technical. I am not
prepared to, and I don't even consider myself competent to
speak to the policy side of these questions. But I do want to
make some attempt to explain how difficult it is to achieve
what the Carnivore system tries to do, so let me remind you a
little bit about the Internet.
First of all, think of the packets that flow through it as
if they are postcards. Postcards don't necessarily stay in
order as they go through the Postal Service. This is true on
the Internet as well. They get lost. In fact, in the Internet
world sometimes we have to duplicate them in order to get
reliable delivery to the far end.
The other thing which is characteristic of the Internet is
that it works with computers with a lot of software in them and
the software is structured in layers. So the lowest layer is
the Internet protocol layer, but there are layers on top of
that, each one depending on the ones below it for performing
the functions that achieve reliability or implement things like
electronic mail.
So as an example of what happens when someone is sending e-
mail from place to place on the Net, let me start with an
example. This is a simple little e-mail from Tom Bell to Vinton
Cerf, and we will pretend like this is the original message
that--for people back there, there you are. That is the
original message that is prepared by the sender. But by the
time the FBI gets a chance to look at it through the Carnivore
System, what they will see is, in fact, not this message, but
rather a series of envelopes which I have numbered 1, 2, 3 and
4.
They may not see them in this order. They may see them in
the order 1, 3, 2 and 4, depending on where the Carnivore
system is actually located in the network. If it is close to
the source of the messages, then it may actually see them in
order. But because of retransmissions and other things, you may
still see them out of order.
What is more interesting is that when you open up one of
these Internet packets to see what is in inside, what you
discover is only a piece of the e-mail that started out as one
whole message. And, in fact, you may not be able to tell from
looking inside who it is from or where it is going because not
all of the message is there. All of the header information that
says ``to Vint Cerf'' and ``from Tom Bell'' may not be visible
in the particular packet that you happen to have detected.
So it is a big challenge for the Carnivore system to have
its parameters set to filter out only those packets that have
information in them that is useful to the surveillance. In
fact, because of the way this system has been implemented, it
is looking at each packet one at a time. It doesn't assemble
them together and then look at them. It sees each one as if it
were through a keyhole.
As a result, if you don't see enough information in here,
you will have discard it because you won't, in fact, be able to
identify it as useful to the surveillance. So they actually
lose quite a bit of information. They don't see as much as they
would if they were trying to assemble everything. The result is
that they will see, for example, a subset of all the messages I
may send and receive to someone as e-mail.
If, on the other hand, they are permitted to record all of
the information because the court order says they can see
everything, then after they have captured these packets, you
can put them back together and examine the complete messages
and extract from them the part of the information that you are
permitted to extract.
Now, in order to do that properly, you are going to
actually see everything in the message and you will have to
filter out the part that says ``to'' and ``from'' because the
physical way in which you pull these things together allows you
to see the entire thing if you are permitted to see all of the
traffic. If you are only permitted to see the packets, then you
will just see those messages that happen to have in them enough
information to identify this as an e-mail from Vint Cerf to a
particular target.
So I would argue that, technically speaking, the Carnivore
system sees less than would be absolutely allowed in the case
that they are only permitted to see the ``to'' and ``from''
addresses. If, however, they are permitted to see everything,
they can, in fact, see everything and then have to filter that
out and discard the portion of the traffic which is not
relevant.
Then the other thing that I want to point out, then, is
that the placement of the Carnivore system is pretty crucial to
all of this. I would like to make an analogy, if I could.
Let's imagine for the sake of argument that our postal
services are done with post office boxes, that we have no home
addresses, we have no home delivery of postal mail. We all have
to go to our post office boxes in order to retrieve our
messages. The Internet behaves a lot like that because the mail
systems are like post offices that contain postoffice boxes.
The FBI's problem is that if they were trying to observe
the traffic going from one party to another, from one post box
to another, the only thing that they can see is traffic going
between post offices, not post office boxes. All they get to
see in the Internet packet is something that says this is the
Annandale post office and this is the Springfield post office,
and that is all the traffic they can see. You have to open it
up and look deeper to figure out from which post office box it
is going.
That is why there is such concern that you may be seeing
more than you are allowed to see. But my understanding of the
way the Carnivore configuration is set up is it is very limited
in its ability to capture packets with respect to the ``to''
and ``from'' addresses or the equivalent post office box
addresses.
So the last thing I would like to point out in this
discussion is that the technology that allows people to protect
privacy makes life even harder for the FBI in the course of
doing this surveillance because if you use what is called end-
to-end cryptography--and there is plenty of that now available
both domestically and internationally--the object that they had
to look at that was inside this packet to figure out the ``to''
and ``from'' addresses of the mail could be encrypted. As a
result, the target may not be visible. So this makes the job of
the FBI even more difficult in the event that end-to-end
cryptography is used.
I see that I have overstayed my welcome, but let me stop
there and say that the FBI's implementation of Carnivore
attempts, in my estimation, to limit the amount of information
that is being captured, but it is very, very hard to do that
successfully, and the cryptography makes their job even more
difficult.
I would be happy to answer any questions that may come
about as a consequence of further discussion at this point.
Thank you very much.
[The prepared statement of Mr. Cerf follows:]
Prepared Statement of Dr. Vinton G. Cerf
Mr. Chairman, my name is Vinton Cerf. I am present on behalf of the
Internet Society; a non-profit educational and research institution
devoted to the continued evolution and spread of the Internet on a
global basis. For purposes of identification only, I am also senior
vice present at WorldCom where I am responsible for Internet
Architecture and Technology, but my testimony today is on behalf of the
Internet Society where I serve as a trustee. I served a the founding
president of the Society from 1992 to 1995 and have served on its board
of trustees since 1992. In 1997, President Clinton awarded the National
Medal of Technology to me and to Dr. Robert E. Kahn for our roles in
the invention and implementation of the Internet.
The purpose of my testimony today is technical. I hope to provide
you, Mr. Chairman and the other members of the committee with a sense
for how the Internet works and how the FBI Carnivore system operates
within the architectural framework of the Internet. I thank you for
this opportunity to share these technical ideas with you and I hope
that they will prove to be useful as the committee considers the policy
implications of the Carnivore technology.
Let me begin by offering a simple analogy that has proven to be
helpful in the past to explain some basic principles by which the
Internet functions. To begin with, the Internet is not a single network
but, rather a network of networks interlinked on a global scale. The
precise figure is not known but there are probably on the order of
300,000 networks, worldwide, interconnected to form the Internet. There
are an estimated 100 million service computers on the Internet and
approximately 330 million users. These figures do not include laptops,
desktops, mobile telephones and Internet-enabled appliances that are on
the Internet on a sporadic basis. The technology used by the Internet
to switch data among the computers on the network is called ``packet
switching'' and is quite different from the technology used to support
conventional voice telephony services.
In the traditional voice telephone network, the end devices
(telephones and fax machines, typically) ``dial'' each other up and the
network forms end-to-end electronic circuits the pair of communicating
devices. The connection remains in place until one or the other device
``hangs up'' or, as occasionally happens, the telephone system
accidentally disconnects the parties. As far back as 1961, it was
recognized by a few individuals that a very different mode of operation
would be appropriate to link networks of communicating computers. That
technology eventually became known as ``packet switching.''
In principle, computers communicate with each other in a ``bursty''
fashion. That is, they compute for a while and then emit a burst of
information, then go back to computing. This is particularly true in
time-shared machines that serve many users concurrently. Each user
feels as if he or she has the computer resource all to himself or
herself, but in fact the computer is so much faster than the user, it
is possible to appear to be a dedicated resource when, in fact, the
machine serves each user in turn. The service rate is fast enough that,
most of the time, the sharing is not noticed by users. Of course, if
the resources of the serving computer are over-subscribed, users may in
fact find themselves waiting for service.
A ``packet'' is a brief computer message of perhaps a few thousands
bits (up to a thousand or so characters) containing some indication of
the source of the message and the destination in addition to the
content. The best analogy that I have been able to come up with so far
is to compare a packets to ordinary post cards.
Each postcard has a ``from:'' address and a ``to:'' address. So
does each Internet packet, but the packet addresses are Internet
addresses that are something like telephone numbers. A postcard has a
finite amount of content, and so does an Internet packet. When you put
a postcard into the postal system, it is picked up from the postbox and
transported to the destination, passing through one or more post
offices and carried by truck, plane, train, boat or even on foot on its
way to the destination. Similarly, an Internet packet may be carried
over optical fiber, telephone twisted pair copper lines, coaxial
television cables, point to point radio or satellite.
When you put a postcard into the postal system, there is no
guarantee that it will come out! The same is true of an Internet
packet! When you put two postcards into the postal system there is not
guarantee that they will come out in the same order they went in, even
if addressed to the same destination. The same is true of Internet
packets. The Internet does one other thing that the Post Office does
not do. Occasionally it will deliver duplicate packets to the
destination--that's not a feature of the U.S. Postal Service, as far as
I am aware.
As postcards are routed through the postal service, they are
forwarded from one post office to another until they reach the
destination post office after which they are delivered to the target
address. Devices called ``routers'' serve the same function in the
Internet as post offices in the sense that they take in packets
andforward them from router to router until the destination is reached.
The Internet uses what is called the Internet Protocol to forward
packets between computers in what is, effectively, a kind of computer
post card service. A ``protocol'' is simply a set of conventions and
formats used to achieve communications. The postal service dictates
that addresses take a certain format and occupy certain places in a
postcard--Internet packets have their own format and procedures for
being injected into and taken out of the Internet. The standards and
procedures used by the Internet are essentially developed by a body
called the Internet Engineering Task Force and the architecture of the
Internet is looked after by the Internet Architecture Board. These two
groups operate under the auspices of the Internet Society.
There is more, however, to Internet than the basic Internet
Protocol (the electronic postcard system). The Internet architecture is
called a ``layered'' system because there are actually several layers
of procedures. Each higher level procedure or protocol relies on the
lower level protocol(s) to perform basic functions. One sometimes hears
or reads the expression ``TCP/IP'' in association with the Internet.
TCP stands for Transmission Control Protocol and IP stands for Internet
Protocol. These are the two basic protocols that Bob Kahn and I began
working on in 1973 and they form the basis of the Internet as we know
it today. The Internet Protocol was designed to operate on top of
virtually any digital transmission and switching system and, in fact, I
have had a T-shirt made to emphasize this notion. The T-shirt reads
``IP on Everything''!
The Internet Protocol, as you should now realize, does not
guarantee the reliability of the packets it transports, nor does it
assure ordering, or the path over which the packets are transported.
But there are a great many applications that require these features,
and more, to function successfully. The Transmission Control Protocol
(TCP) was designed to make up for the deficiencies of the Internet
Protocol by keeping things in sequence, recovering from loss and
filtering out duplicates.
To see how TCP does this, another analogy is useful. Let us suppose
that Senator Hatch wants to send a book to Senator Leahy by means of a
postal service that can only carry postcards. How would he set about
accomplishing this task? He would first have to remove pages of the
book and cut them up to fit on post cards. Then he would notice that
not every postcard had a page number so Senator Leahy might have
difficulty piecing the post cards back in the right order, so he would
decide to number each page. Then he would remember that not all the
postcards would necessarily reach Senator Leahy, so he would keep
copies of them in case duplicates had to be sent. Then he would wonder
how he would know when to send duplicates. Senator Leahy might then
think of a good idea: he would occasionally send a postcard back to
Senator Hatch to say that he'd gotten every postcard up to, say, number
402. But then Senator Leahy would remember that his postcard might not
reach Senator Hatch. At this point, both Senators would conclude that
Senator Hatch will have to have some kind of time-out, after which he
would begin sending copies of postcards that had not been acknowledged,
until he receives confirming postcards from Senator Leahy. Finally,
Senator Leahy would remind Senator Hatch that his mailbox can hold only
a finite number of postcards. If the book Senator Hatch wants to send
turns into 1000 postcards but Senator Leahy's mailbox can only hold 200
at a time, both Senators might conclude that if by a miracle, the US
Post Office actually delivered all 1000 postcards at the same time,
some of them might get lost if they didn't fit into Senator Leahy's
mailbox. This would lead them to conclude that they should agree that
Senator Hatch won't send more than 200 postcards at a time and would
not have more than that ``outstanding'' until Senator Leahy has
confirmed their receipt.
Well, in principle, that is the way the TCP protocol turns the
simpler Internet Protocol into a reliable, sequenced and flow-
controlled service. This isn't quite the way in which Bob Kahn and I
developed the TCP but it isn't very far away from the basic reasoning!
At this point, it is possible to explain how the FBI`s Carnivore
observation system makes use of the Internet and to outline the
limitations of its operation. In this brief exposition, I will assume
that the Senate Judiciary Committee members are well-acquainted with
the legal basis on which the FBI occasionally is granted permission to
intercept domestic communications in the course of enforcing the laws
of the United States. As I understand the law, such surveillance is
carried out only after the conduct of judicial proceedings intended to
assure that any such surveillance is documented and justified. In the
past, such surveillance has been associated with the interception of
telephone-based communications but just like the rest of the citizens
of the United States, law-breakers are making increasing use of
electronic mail and other kinds of Internet-based communication,
including such things as chat rooms, in the conduct of their
activities.
The FBI, in recognition of this trend, has developed new methods of
observing computer-based communications and one such system has been
named ``Carnivore.''
To understand what Carnivore is and how it works, we need to take
one more foray into the world of analogies. I mentioned earlier that
the Internet architecture is ``layered''--that is, it consists of a
number of different protocols each one layered on top of the other and
each layer relying on the one below it for certain functions. For
example, the Internet Protocol layer that performs the forwarding of
packets relies on the lower levels to actually transport the bits of
information that make up each packet. The TCP layer relies on the
Internet Protocol to deliver packets, and TCP makes sure they are put
back in order and retransmitted if any are lost. The electronic mail
service has its own protocol (called Simple Mail Transport Protocol or
SMTP) and that service makes use of TCP. It turns email messages into
TCP streams of data that are broken up into Internet packets and sent
by varying paths toward the destination where the packets are
reassembled first into a sequenced stream of information by TCP and
parsed into messages again by the SMTP.
The layered architecture is mirrored in the implementation of the
software that uses the protocols. The email client software that is
used to compose email produces the text of messages that look something
like:
Date: Tue, 05 Sep 2000 19:27:05 +0100
From:
Subject: Thank you
To:
Dear Sir,
I would like to thank you for the very useful information that you
included in reply to my request.
Sharon Bell
This text is to be sent to the electronic mail box of user
Vinton.G.Cerf on the computer on the Internet that has the ``domain
name'' wcom.com (``To: [email protected]''). However, the email
composition program knows that the TCP service does not know where
computer ``wcom.com'' is on the Internet. So it ``looks up'' the name
of this computer in a distributed directory called the Domain Name
System, and discovers that the Internet address of this computer is:
204.176.69.71. You can think of this as a kind of Internet telephone
number forpurposes of this exercise.
The email composition program creates a kind of envelope that it
addresses to 204.176.69.71, puts a return address of the Internet
address of the computer that is sending the email, say 170.127.34.16,
and places the email message in the envelope. In spirit, the envelope
looks something like:
From: 170.127.34.16
To: 204.176.69.71
(Attention: For the SMTP service via the TCP program)
The TCP program takes this envelope and cuts it into pieces
(including the contents!!) and sends the pieces in smaller envelopes
that are addressed, again by analogy:
From: 170.127.34.16
To: 204.176.69.71
(Attention: for the TCP Program via the Internet Protocol)
These smaller envelopes function like the Internet Postcards that
were introduced in the earlier part of this testimony. They are sent
through the series of computers we call ``routers'' that serve in the
same fashion as post offices, to forward the traffic by potentially
different paths to the destination.
At the destination computer (``wcom.com''), the process is reversed
and the small Internet Protocol envelopes are opened, the contents
reassembled by the TCP program into a message and the result is handled
to the SMTP receiving program. That program puts the received message
away in the mailbox associated with Vinton.G.Cerf on the wcom.com
computer. Later, when user Vinton.G.Cerf runs the email reading and
composition program he will be able to see the message and to respond
to it.
The important concept to take away from these preliminary remarks
are:
1. The concept of packets (``postcards'');
2. The idea that packets do not always stay in order, may be
lost, and may even travel on distinct paths through the
Internet;
3. The understanding that there are tens of thousands of
Internet Service Providers around the world operating hundreds
of thousands of networks that make up the Internet and that
traffic may flow through a number of such networks as it flows
from source to destination; and
4. The concept of layering and the notion that each layer
``envelopes'' the information generated by the layer above and
that anyone observing traffic on a particular circuit that
carries Internet packets will actually be observing pieces of
messages (or files or bits of digitized sound) carried in the
small Internet Protocol envelopes.
The Carnivore system is a computer that tries to observe the
traffic (Internet packets) flowing on a circuit within the Internet.
Its objective is to try to find only those packets that may be relevant
to an ongoing investigation and to ignore theirs (both for legal
reasons and simply to deal with the potentially enormous flow of
traffic that may require filtering). It's a bit like trying to find a
particular shrimp in the intake of a baleen whale!
The physical location of the Carnivore computer is important. If it
is observing traffic somewhere in the middle of the Internet, it may
not even see all the packets that correspond to a particular exchange
between computers or even a complete transmission from one computer to
another. One could try to place Carnivore computers at different
locations in the Internet, hoping to catch all the requisite traffic
but in fact, the only way to achieve reasonable success is to locate
the Carnivore computer so it can observe all the traffic going to and
from the computer under observation. That may mean locating the
Carnivore computer where it can see everything going into and out of
the location of the subject of surveillance, watching all traffic going
to and from the subject's laptop or desktop, or locating the Carnivore
computer at the Internet Service Provider who serves that subject and
placing it in such a way that the traffic going to and from the
subject's email server computer can be observed.
Furthermove, since the Carnivore looks at each individual Internet
packet and does not perform reassembly of the packets in real time,
there are some limits to what the software can do to recognize relevant
traffic. It can plainly see the ``to:'' and ``from'' Internet address
of the Internet packets (e.g., 170.127.34.16). It may not be able to
see the ``To: [email protected]'' in every packet because this is
NOT contained in every Internet packet. One has to reassemble the
massage at the SMTP level of protocol (two layers above the Internet
Protocol) to be assured of seeing this. But this may require that all
the packets or most of the Internet packers carrying the email be
intercepted and this may or may not be assured, depending on the rate
at which these Internet packets must be examined by Carnivore and
whether most of the packets are actually present on the circuit being
monitored.
The Carnivore operators have the ability to be very precise about
which Internet addresses are of interest and can ignore all other
traffic. They can tell which protocols are being carried in these
Internet packets (TCP, among others, including steaming protocols based
on the so-called User Datagram Protocol). If the contents of the IP
packers are NOT encrypted they will be able to see for what layer of
protocol above TCP or UDP the traffic is intended so they could
distinguish email (SMTP) from file transfer (FTP) from World Wide Web
traffic (HTTP).
If the contents of the TCP traffic is encrypted, as it often is
with the World Wide Web for financial transactions, it is not possible
in real time for the Carnivore system to see any deeper into the
traffic than to know that it is World Wide Web traffic. The encryption
is often quite robust, using up to 128 bit keys and strong
cryptographic codes.
Some of the more recent standards for security for the Internet
even introduce cryptography at the level of the Internet Packet so that
it contents are encrypted end to end. Both the current version 4 IP
protocol and the more recent version 6IP protocol have provisions for
such encryption using the so-called IPSEC standard.
The Carnivore system has been configured so that it is possible to
limit the amount of information retrieved from any particular packet so
that, for example, the only information that might be collected is the
source or designation address of the Internet packet and none of the
content. It is may understanding that the Carnivore implements have
gone to considerable length to build in mechanisms to restrict traffic
capture to conform to the limitations that any particular court-
approved surveillance may impose.
In summary, the Carnivore system is fairly basic system that must
do itswork by observing single packets of traffic at a time and attempt
to determine based on a limited set of parameters whether this packet
is relevant to the desired surveillance. It is not a system that is
capable of observing all the traffic flowing through the Internet at
once nor even all the traffic flowing through any one reasonably-sized
Internet Service Provider's system.
It is also important to note that this system is not unlike
commercially available tools that help network operators debug problems
in the network by analyzing the protocols that are in use and observing
the states that these protocols go through in the course of an
interaction. These protocol analyzers generally do not capture packet
contents but rather work their way up through the ``envelopes'' to
understand the sequences of events that may be causing a problem for
the users or operators of a particular ISP or a collection of them.
Readers of this testimony should remember that reasoning by analogy
can sometimes lead to incorrect conclusions. I hope the use of analogy
has been educational and not misleading, but precision answers about
Carnivore should be sought from the engineers who have designed it, and
not drawn solely on the basis of the analogies I have tried to use to
explain the concepts behind its operation.
Thank you.
The Chairman. Thank you, Mr. Cerf.
Professor O'Neill, we will turn to you.
STATEMENT OF MICHAEL O'NEILL
Mr. O'Neill. Chairman Hatch, Senator Leahy, I welcome this
opportunity to testify regarding a topic that should obviously
be of great interest to us all, and that is, namely, the
appropriate way in which law enforcement interests should be
balanced against what Justice Douglas once called our
fundamental right to be left alone.
I think I would also like to just take a second and just
thank Mr. Cerf, as well, for helping to design something that
has helped break the grip that TV formerly held on my life.
I do not wish to belabor points that have already been
made, nor am I here to make claims that Carnivore is going to
eat the Constitution or that if we fail to deploy it that crime
will somehow run rampant. I think it is safe to say that none
of us in this room likely wishes to live in a police state, nor
do we particularly wish to live in a state of anarchy either.
We live now in a time of profound technological change, and
the communications revolution has been a part of that change.
Change, however, is not without its costs. Privacy, one of the
fundamental rights underpinning our society, is presently under
assault as perhaps never before, and not only by the
government, but also by business interests.
On the other side of the equation, however, criminal
enterprises have been increasingly willing to utilize
technological innovations to achieve their own ends and thereby
threaten our personal security. While we may stand at the brink
of a new world in terms of information, however, we still have
old rules, rules that have served to guide us well for over 200
years and that will continue to serve as a guide for us for our
understanding and ultimately controlling the many technological
transformations surrounding us.
With that in mind, I would like to address two fundamental
issues. One, is Carnivore, at least as I understand the
software to operate, compatible with the requirements of the
Fourth Amendment? And, two, what role should Congress play in
ensuring that both significant privacy and security interests
are addressed?
Our Constitution presupposes that, as citizens, we enjoy a
sphere of action free from governmental interference. To this
end, the Drafters of the Bill of Rights had the foresight to
include as a fundamental guarantee to protect the right of the
people in their persons, houses, papers and effects against
unreasonable searches and seizures. The term ``unreasonable''
is really key here. We are protected, at least from the
government, only against those searches that are per se
unreasonable.
The fourth amendment's reasonableness requirement has an
important application to today's debate; namely, after all,
what is deemed unreasonable is entirely and ultimately a social
construct. It is, at the end of the day, for the people to
decide what is and is not a reasonable intrusion into their
private affairs.
The difficulty I have in coming before you today is that I
am not at all confident that I know what is reasonable in this
particular context. If polled, most individuals, I suspect,
would assume and likely prefer that their e-mails be every bit
as secure, if not more so, than standard snail mail.
The evolution of the privacy/security struggle has been
well defined in the development of fourth amendment law. In
Olmstead v. United States, a 1928 case that was sort of the
harbinger of the wiretap and ultimately the electronic
surveillance revolution, the Supreme Court considered whether
warrantless wiretapping violated the fourth amendment. The
Court found ultimately no constitutional violation because
surveillance was accomplished without intruding upon the
defendant's physical property.
Justice Brandeis, however, penned a thoughtful dissent in
which he observed that constitutional principles were
undermined to the extent that the Court focused exclusively on
the means of communication. He reasoned that the Constitution
must be interpreted with technological advancements in mind to
preserve fundamental rights and liberties.
Foreshadowing those advancements, he warned that, quote,
``Discovery and invention have made it possible for the
Government, by means far more effective than stretching upon
the rack, to obtain disclosure in court of what is whispered at
in the closet.''
Now, the Court ultimately adopted Justice Brandeis' view
toward wiretapping. In Katz v. United States, it declared that
the Fourth Amendment protects people, not places, and held
wiretapping permissible only after the issuance of a valid
warrant. This decision expressly overruled Olmstead, replacing
the previous focus on the means of the communication with an
appreciation for the fact that the communication itself was the
source of the constitutional right.
The Court subsequently revisited this area in Maryland v.
Smith, a 1979 case that you have heard the executive branch
relied upon to justify its claim that there is no expectation
of privacy in an Internet address. In Smith, however, the Court
reasoned that there is no legitimate expectation of privacy in
a number being dialed on a telephone.
It is important to understand, however, that the Court
found that individuals do not have this expectation of privacy
because pen registers themselves do not acquire the contents of
communications. The technology in question was limited to this
single function. This neat categorization, however, may not
apply to technologies such as Carnivore which may have far
greater information-gathering abilities.
A URL, for example, can disclose specific pages visited,
sites visited, or even items that have been purchased or
browsed on the Internet. And as people move more of their lives
online, a list of e-mails sent or Web sites visited can provide
a very detailed dossier of activities, all available without
the heightened standards of a wiretap or even a regular fourth
amendment warrant. This is far more akin to walking into
somebody's office and snooping around in their file cabinet
than it is to standing on the street corner and writing down
their physical address.
Given the wealth of information obtainable by means of an
Internet address, perhaps it is time to rethink our privacy
expectations online. Indeed, I think it is increasingly
difficult to say that you don't have an expectation of privacy
in information that is in the hands of a third party. If the
vision of an open, PC-less Internet world is to come to pass,
it will be the case that much of our lives will be in the hands
of third parties.
Indeed, currently I do all of my banking and manage my
meager stock portfolio all on the Internet. All of this
information is contained online. To simply treat the ``to'' and
``from'' lines in e-mails as though they were the phone numbers
that you dial out on just doesn't make sense anymore.
Moreover, the physical ease with which information is
obtained becomes important. Ordinarily, a search is limited by
a number of physical properties. You have to be on site, you
have certain time limitations. Internet searches, however, make
the retrieval of vital data, even otherwise public data, far
more routine. For example, while property tax assessment
records are public, people generally had to take the time and
hassle to schlep on down to the court house to retrieve them.
In a matter of minutes, however, just the other night I was
able to retrieve fairly easily Chairman Hatch's property tax
records. And basically now I know what the value of his current
assessed land is. I know how many bedrooms he has in his house.
The Chairman. I wouldn't mind knowing that myself.
[Laughter.]
Mr. O'Neill. Well, sir, I would be happy afterwards--I
won't submit this for the record, but I will be happy to give
it to you after we have finished.
Now, again, that is public information, information that is
always obtainable at the court house. But the mere fact that
late last night, in a process of about, I don't know, maybe
half a dozen keystrokes and a matter of about five minutes or
so I could obtain all this information, should give us at least
some cause for pause about what we are getting ourselves into.
Mr. Cerf. You are not making a threat, are you?
Mr. O'Neill. Oh, not at all.
Mr. Cerf. OK; I am just checking.
Mr. O'Neill. I used to work for him, so I felt it was okay.
Mr. Cerf. OK.
Mr. O'Neill. But I did the same thing for Senator Leahy as
well.
Senator Leahy. I was thinking. I mentioned to the chairman
that he must have paid you too much if you have got a stock
portfolio.
Mr. O'Neill. Senator, I was smart; I married a doctor.
The Chairman. That is a typical Democrat comment--failing
to recognize the importance of the Internet and all of these
other great programs that we have.
Senator Leahy. We Democrats try to keep down the cost of
Government. That is why.
The Chairman. We hadn't noticed that. [Laughter.]
Mr. O'Neill. I will try to remain silent on that issue.
Similarly, I think another problem that we have to address
is we don't even know how certain Fourth Amendment doctrines
will apply in this field and to a device like Carnivore which,
although it may have physical limitations and may, in fact, be
limited in its application, may be configured or updated in
ways that we are not necessarily aware of. It may have the
potential of reading e-mail or looking at other addresses that
people visit.
The plain view doctrine, for example, permits, among other
things, law enforcement officers to seize items in their plain
view when they are executing a warrant. Well, if we allow law
enforcement to filter nonspecific pieces of mail, does that
mean that they can seize anything else that they may happen to
find of a criminal nature which is not necessarily contained
within the plain language of the warrant? These are among the
fundamental issues that we will ultimately need to address as
the law struggles to cope with technological advancements.
Now, I don't want to go too far over the red light here,
but I have ten fairly specific recommendations that I would
consider that perhaps Congress ought to consider in terms of
deciding and securing our privacy online. I will actually
submit those for the record and I won't belabor those points
now.
But I think that this hearing is an important first step in
looking at these important privacy issues as they come before
us, and one simple suggestion that I might make is that
government, specifically the Congress of the United States,
should set itself up as the primary protector of people's
liberty and security interests. And it is not a bad idea at
all, I think, either to place within the Intelligence Committee
or perhaps one of the other committees of jurisdiction careful
congressional oversight of precisely the types of information
and the sources of information that the Department of Justice
is seeking to obtain when it does things such as Carnivore to
search out people's private information.
But, again, I will submit those and the remainder of my
remarks for the record. I again thank you for this opportunity
to testify and look forward to answering any questions you may
have later.
The Chairman. Well, thank you, professor. I think the FBI
and Justice are going to want to look at your ten suggestions
those fairly carefully because there are some very interesting
suggestions there.
[The prepared statement of Mr. O'Neill follows:]
Prepared Statement of Michael O'Neill
Chairman Hatch, Senator Leahy, and members of the Committee, I
welcome this opportunity to testify regarding a topic that should be of
great interest to us all, namely the appropriate way in which law
enforcement interests should be balanced against what Justice Douglas
once called our fundamental right ``to left alone.'' [U.S. v. Davis,
328 U.S. 582 (1946).
I do not wish to belabor points that have already been made. Nor am
I here to make claims that Carnivore will eat the Constitution, or that
if we fail to deploy it, crime will run rampant. I think it is safe to
say that none of us in this room likely wishes to live in a police
state, nor, however, do we desire to live in a state of anarchy.
We live in a time of profound technological change, and the
communications revolution has been a vital part of that change. Change,
however, is not without its costs. Privacy, one of the fundamental
rights underpinning our society, is presently under assault as perhaps
never before. On the other side of the equation, however, criminal
enterprises have been increasingly willing to utilize technological
innovations to achieve their own ends and thereby threaten our personal
security.
While we may stand at the brink of a new world in terms of
information, however, we still have old rules, rules that have served
us well for over 200 years, and that continue to serve as a guide to
understanding, and controlling, the transformations surrounding us.
With that in mind, I would like to address two fundamental issues:
(1) is Carnivore, at least as I understand the software to operate,
compatible with the Fourth Amendment? And (2) What role should Congress
play in ensuring that both significant privacy and security concerns
are addressed?
Our constitution presupposes that as citizens, we enjoy a sphere of
action free from governmental interference. to this end, Drafters of
theBill of Rights had the foresight to include as a fundamental
guarantee to protect ``the right of the people * * * in their persons,
houses, papers, and effects, against unreasonable, searches and
seizures.'' The term ``unreasonable'' is the key here * * * we are only
protected against those searches that are unreasonable. The Fourth
Amendment's reasonableness requirement has an important application to
today's debate. After all, what is deemed ``unreasonable'' is
ultimately a social construct * * * it is at the end of the day for the
people to decide what is and is not a reasonable intrusion into their
private affairs.
The difficulty I have in coming before you today is that I am not
at all confident that I know what is ``reasonable'' in this particular
context. If polled, most individuals, I suspect, would assume, and
likely prefer, that their e-mails be every bit as secure, if not more
so, than their snail mail.
The evolution of the privacy/security struggle has been well-
defined in the development of Fourth Amendment law. In Olmstead v.
United States (1928), the Supreme Court considered whether warrantless
wiretapping violated the Fourth Amendment. The Court found no
constitutional violation because the surveillance was accomplished
without intruding on the defendant's physical property. Justice
Brandeis, however, penned a thoughtful dissent in which he observed
that constitutional principles were undermined to the extent the Court
focused exclusively on the means of communication. He reasoned that the
Constitution must be interpreted with technological advancements in
mind to preserve fundamental rights. Foreshadowing those advancements,
he warned that: ``Discovery and invention have made it possible for the
Government, by means far more effective than stretching upon the rack,
to obtain disclosure in court of what is whispered in the closet.''
The Court ultimately adopted Justice Brandeis' view toward
wiretapping. In Katz v. United States, it declared that the Fourth
Amendment ``protects people, not places'' and held wiretapping
permissible only after the issuance of a valid warrant. This decision
expressly overruled Olmstead, replacing the previous focus on the means
of communication with an appreciation of the fact of communication as
the source of the constitutional right.
The Court subsequently revisited this area in Maryland v. Smith
(1979), a case the executive branch has often relied upon to justify
its claim that there is no expectation of privacy in an internet
address. In Smith, the Court reasoned that there is no legitimate
expectation of privacy in a number being dialed on the phone. It is
important to understand, however, that the Court found that individuals
do not have a reasonable expectation of privacy in such information
because ``pen registers do not acquire the contents of communications.
Smith v. Maryland, 442 U.S. 735, 742 (1979). The technology in question
was limited to this single function. This neat categorization may not
apply to technologies such as Carnivore, however, which may have far
greater information gathering abilities.
An URL, for example, can disclose specific pages visited, sites
visited, or even items purchased or browsed. And as people move more of
their lives online, a list of e-mails sent or web sites visited can
provide a very detailed dossier of activities--all available without
the heightened protections of a wiretap or even a standard Fourth
Amendment warrant. This is much more akin to walking into someone's
office and snooping around in their file cabinet than it is to standing
on the street corner and writing down their address. Given the wealth
of information obtainable by means of an internet address, perhaps it
is time to re-think our privacy expectations on-line. Indeed, I think
it is increasingly difficult to say that you don't have an expectation
of privacy in information that is in the hands of a third party. If the
vision of an open, pc-less internet world is to come to pass, it will
be the case that our entire lives will be in the hands of third
parties. To treat the ``To'' and ``From'' lines in e-mails as though
they were just the same as the phone numbers that you dial makes little
sense.
Moreover, the physical ease with which information is obtained
becomes more important. Ordinarily, a search is limited by a number of
physical properties. Internet ``searches,'' however, make the retrieval
of vital data, even otherwise public data, far more routine. For
example, while property tax assessment records are public, people
generally had to take the time, and hassle, to go to a court house to
retrieve them. In a matter of minutes, however, I was able to easily
retrieve [hold up records] Chairman Hatch's property tax data. Don't
worry, I won't disclose it * * * but I do know how many bedrooms,
bathrooms, and fireplaces you have in your home * * *!
Similarly, we don't know exactly how certain Fourth Amendment
doctrines will apply to a device, such as Carnivore, that has the
potential of reading personal e-mail, as well as, via the internet
address, entering the individual's hard drive and scoping it out. The
plain view doctrine, for example, permits (among other things) law
enforcement officers to seize items in their ``plain view'' when they
are executing a warrant. Well, if we allow law enforcement to filter
non-specific pieces of mail, does that mean they can seize anything
they happen to find? These are among the fundamental issues that will
need to be addressed as the law struggles to cope with technological
advancements.
what questions ought congress be asking?
Law enforcement has pointed out that the law must be changed to
preserve its mission to prevent and punish crime, while the civil
liberties community has warned of grave dangers to personal privacy and
the Fourth Amendment. Although each group may emphasize different
aspects of the problem, each agrees that the law must be updated to
keep pace with technological change. Remarkably, the 1986 Electronic
Communications Privacy Act was the last significant update to the
privacy standards of the electronic surveillance laws. Significant
changes have occurred since then, including--the development of the
Internet; data convergence; the creation of wireless systems; and the
movement of information out of people's homes and offices onto networks
controlled by third parties. As a result of these developments, more
information is being held and communicated in configurations where it
is in the hands of third parties and not afforded the full protections
of the Fourth Amendment.
The following steps might therefore be in order.
(1) With respect to Carnivore itself, Congress ought to obtain
briefings, classified, if necessary, to get a better understanding of
what Carnivore is designed to do and how it does it, and whether there
exists potential for abuse.
(2) Congress ought to determine what the statutory authorization
for Carnivore is and whether law enforcement has the authority to
insist that a service provider install Carnivore.
(3) If implemented in some fashion, Congress should require that
statistics be maintained by the Justice Department, and that these so-
called ``audit trails'' be routinely provided for legislative
oversight.
(4) Congress should seek to learn whether Carnivore can easily be
defeated by encryption software or E.A. Poe type purloined letter
schemes.
More broadly,
(5) Hearings out to be conducted to determine whether all internet
trap and trace orders should be issued only on the basis of a judicial
finding that reasonable cause exists to believe that a target has or is
about to commit a crime;
(6) The executive branch ought to be required to provide consumers
with notice whenever the government obtains information about their
Internet transactions;
(7) Specific statistical reports for Internet trap orders similar
to the reports required under Title III ought to be require;
(8) Congress should explicitly provide that Internet queries, e-
mail subject lines, URL's of sites visited and other information which
provides more than the equivalent of a dialed number cannot be
disclosed without a probably cause order.
(9) Congress should consider requiring notice and an opportunity
for defendants to object when civil subpoenas seek personal information
about Internet usage.
(10) Finally, Congress ought to provide enhanced protection for
information on networks: including the establishment of probably cause
for seizure without prior notice, and providing a meaningful
opportunity to object to subpoena access.
At bottom, I would urge a cautious, thoughtful approach when it
comes to expanding surveillance capabilities. The conflict between
increased security and enhanced privacy protection is not easily
resolvable, nor will it likely ever be. But Congress ought to seize the
moment to ensure that robust debate occurs before law enforcement's
powers are enhanced, and regardless of how the balance is struck.
The Chairman. Mr. Dempsey, we will turn to you.
STATEMENT OF JAMES X. DEMPSEY
Mr. Dempsey. Mr. Chairman, Senator Leahy, good morning.
Thank you again for holding this hearing and for giving me the
opportunity to testify. I am at a certain point, I think, going
to use just one overhead, if I could, but in order not to delay
things I will talk while they are setting up the projector.
I think I wanted to start out by responding to one of the
points that the FBI and the Justice Department make which they
regularly make and I think which needs to be regularly rebutted
or balanced, and that is the point about the use of the
Internet by criminals.
Undoubtedly, criminals do use the Internet, but I think if
you look at the facts over the past two or three years, it is
clear that the Justice Department and the FBI have been
extremely successful in using the new technology to track
criminals online and to make cases, including some cases that
they probably couldn't have made in the offline environment.
Online surveillance and tracking led to the arrest of the
Phonemasters, who were stealing and selling credit card numbers
worldwide; Solar Sunrise culprits, one of whom was tracked down
to Israel; an intruder on NASA computers who was arrested and
prosecuted in Canada; the thieves who broke into the Citibank
computers and who were tracked and arrested in Russia; Ardita,
who was tracked down electronically to Argentina; the creator
of the Melissa virus. All of these people were tracked online
using this very technology.
Innocent Images is another example of where FBI agents are
able to pretend online to be young girls or to be pedophiles
and to legally entrap people. In the Emulex case that you
referred to, Mr. Chairman, investigators said that they learned
within hours of the stock's plunge where the computer was
located that the perpetrator had used, and they obviously have
arrested that person.
Back in August, two Kazhaks were arrested in a cyber
extortion case. Their communications went from Kazhakstan to
London and to the target in New York, which was Bloomberg. Yet,
they were traced back using this very technology, and in
response to that Bloomberg pointed out these arrests show that
our law enforcement agencies can find, catch, and bring
criminals to justice online. Criminals believe that they have a
totally anonymous presence on the Internet. They believe that
they can intimidate companies. This operation shows that they
do not have that kind of anonymity.
So I think we need to recognize--and Professor O'Neill in
his online search showed us how easy it is to find so much
information. And I think, if anything, what we need to do is to
not abandon the traditional rules that we have had to protect
privacy but, in fact, to strengthen those rules in the face of
the surveillance and investigative power of this new
technology.
Now, turning specifically to Carnivore, the first problem
that we have with Carnivore is that we don't know really what
it is and how it works. It is something that is now totally
controlled by the FBI. It is a black box. They have refused to
share publicly the details of that, and they have put out a
request for proposal to conduct an independent review, which is
a good idea even if it were conducted outside of the public
light.
But the FBI and the Justice Department have set out for
this independent review so many restrictions and they have put
such burdens on anybody who would sign up to do that, such
secrecy burdens, that a lot of the good people are backing out
of that, are backing out, it seems, from competing for that.
And it does call into question, with the kinds of restrictions
the FBI has set, whether they will be able to get the best
people to do that review.
Today, in USA Today Online, there is a story by Will Roger
in which he states that MIT, Purdue University, Dartmouth, the
University of Michigan, and the Super Computer Center at the
University of California at San Diego have all indicated their
reluctance to participate in that review, given the constraints
that the FBI has posed in terms of pre-review, and so on.
The second issue I would like to emphasize is that
Carnivore is fundamentally inconsistent with the way that
wiretaps have been done in the past, and fundamentally
inconsistent with the understandings of this committee
repeatedly over the years.
Traditionally, we have not allowed the FBI into the
networks, into the switching systems and into the property of
ISP's. A major, major problem with Carnivore, and I think a lot
of the source for the concern about it, is that it is a black
box that the FBI imposes on the ISP.
Now, this committee in 1986, when it was adopting ECPA--and
Senator Leahy was the prime author of that legislation in the
Senate--this committee in its report on ECPA emphasized
telephone company customers have a reasonable expectation,
traditionally enhanced by telephone company practice and
policies, that their company will not become, in effect, a
branch of government law enforcement.
The committee went on to say that they understand that the
practice has been that the telephone company premises are not
used for wiretap activity. And the committee actually
directed--I don't know if it happened--the Justice Department
in its wiretap manual to state that there would be a statement
there in the manual that U.S. attorneys should not attempt to
compel any company to make its premises available for wiretap
activity.
And the committee in 1986 asked for notification if there
was a change in that policy and if the Justice Department did
decide to try to compel carriers to make their premises
available and what is Carnivore to basically latch this
software and hardware into the network.
Again, in CALEA, in 1994, this committee reemphasized that,
and there is section 105 in CALEA which specifically says that
telephone companies--CALEA does not apply to the ISP's, but it
is the principle here that the committee cared about quite
strongly. CALEA says that a telecommunications service provider
shall design its system so that a wiretap is activated within
the switching premises and controlled by telephone company
personnel, not by law enforcement personnel, precisely because
this committee was concerned about the problem of remote FBI
access to the actual guts of the network of a service provider.
I think a lot of the concerns that people have with
Carnivore would be mitigated if the software and the ability to
control the software were placed in the hands of the service
providers rather than held and controlled by the FBI.
Now, I wanted to talk a little bit about the way----
The Chairman. How can you trust the service providersany
more than you trust the FBI?
Mr. Dempsey. Well, I think what we have to do is we have to
have a system of checks and balances; that is, we have to have
some buffer or barrier between the customer and the Government.
The Chairman. It is one thing for the telephone companies
to have control over how the transmission is made. It is
another thing to have the ISP's--who have tremendous software
capabilities themselves in control of the transmissions.
Mr. Dempsey. Well, many of the ISP's already perform and
comply with court orders, as Dr. Kerr made clear. Many ISP's do
not need Carnivore, do not accept Carnivore, and do comply on
their own with the court orders.
Mr. Cerf. May I? I have just two comments to make. One
observation is that the Carnivore equipment is a passive
device. In other words, it doesn't actively enter into the
control stream or anything like that. It simply taps
information. In fact, as was pointed out by the FBI, it is
prohibited technically from transmitting anything into the Net.
So in that sense, that is helpful because it is passive.
I would certainly debate the advisability of having the ISP
personnel setting the parameters and managing the capture of e-
mail-related information. In fact, I would be more concerned
about----
The Chairman. I think it is a different situation than
phone companies.
Mr. Cerf. Sir?
The Chairman. I think it is a different situation than
phone companies--much broader.
Mr. Cerf. Well, even going and setting parameters, let
alone inventing software, the side effect of having the ISP
personnel do that is that you may not get protection of the
evidence in the evidentiary chain. You may get exposures of
information that are not legal. The FBI operators are well
aware of those restrictions, but the ISP operators are probably
not.
So I am not sure that I would be as comfortable as you
sound like.
Mr. Dempsey. We have headed pretty far down the road in
allowing ISP's who can perform to do so. Of course, the FBI can
go back and say you didn't give us everything that we wanted,
and that process can go forward.
In the telephone realm, the way we are heading in CALEA is
that it will be an intercept function that is activated by
carrier, pursuant to an order----
The Chairman. Yes, but collected by the FBI.
Mr. Dempsey [continuing]. To isolate and identify what is
the stream of communications. In the Internet, it is harder
because we do not have a circuit-switched system.
Mr. Cerf. You actually have to work your way up in those
layers of protocol in order to see what is going on. In fact,
the simple analogy here, these little letters, is that if you
watch a stream going from a customer's personal computer going
into or coming from the Internet, it could contain a variety of
information all at the same time. There could be some voice
communication, there could be video, there could be e-mail,
there could be a World Wide Web exchange, all of this happening
at once. And the stream of packets going by in these little
envelopes have to be opened up and examined in order to figure
out which one is it.
The Chairman. One of the questions I am going to have is
how does the FBI protect this information from the ISP
collecting it? That is a question that I think----
Senator Leahy. But the ISP could look at it any time they
wanted anyway.
The Chairman. Yes, but they may not know what they are
looking for, where the FBI knows what they are looking for.
Mr. Cerf. In order for the ISP to perform the same function
that the Carnivore system does, they would have to essentially
build the same kind of software that the FBI is using and
configure it to capture the portion of the stream that is of
interest. In a sense, they would have to reproduce all of the
technology that goes into Carnivore.
There are systems like that. They are called sniffers, but
they are not as sophisticated, in fact, at restricting the
information that is captured. Moreover, there are none of the
safeguards that the Carnivore system has for keeping track of
who did what.
Senator Leahy. Well, are you saying by that then that no
ISP system today, whether they have sniffers or not, can match
Carnivore? And if so, does that mean the FBI are going to have
to say, well, we have always got to use our own system because
you are not good enough?
Mr. Cerf. What I am saying is that the devices that are
available that are used to help debug problems on the network
that will allow you to crawl up and down in the so-called
layers can capture everything. The problem is that that is not
what the FBI wants to do. What it wants to do is to capture
only that part that is----
Senator Leahy. But that goes, then, to my particular point.
Are you saying that nobody today can duplicate what the FBI is
doing? Thus, the FBI whenever they have one of these court
orders is going to have to use their own?
I see Ms. Stansell-Gamm shaking her head no, but I just----
Mr. Cerf. What I am trying to say is that the technology
exists to capture information off the Net. An ISP has that
capability because these are off-the-shelf devices. The
implementation of Carnivore is intended to constrain the way
that capture is done and the ISP doesn't have the particular
motivation to go and do that, to invest in all that.
The Chairman. They don't have the same interests as the
FBI. They are not going to be doing that.
Mr. Cerf. That is correct.
The Chairman. Well, let me finish with Mr. Dempsey and then
go to Professor Rosen.
Mr. Cerf. I am sorry I interrupted you.
Mr. Dempsey. If I could, to round out this dialog, I think
that there is an answer to the dilemma here, and that is to
take the Carnivore software and make it available to the ISP's
so that they know what it is, know how it works. They can
configure it, they can set the parameters as ordered by the
court order. And then you do have that protection in the middle
that you don't have the FBI, in essence, taking control of a
part of a network or inserting itself into the network. I think
that a lot of the concerns about Carnivore would be mitigated
if this software technology were disclosed and made available
to ISPs.
The Chairman. Well, let's go to Professor Rosen, but I have
a lot of problems with that because then you have a nonlaw
enforcement agency--a private company--being able to do
whatever they want to do with people's knowledge andpeople's
information.
You have made some interesting suggestions. I want to
really look at those because I don't know what the answer is
here. All I can say is that I don't want to have 1984 in 2004,
but we are already there. With nanotechnology coming up now--if
you read Kurtzweil's book--it is enough to scare the living
daylights out of every one of us. And if you read Bill Joy's
article, I mean, my gosh, it is mind-boggling.
Senator Leahy. But, Orrin, they can do this now.
The Chairman. Yes, I know.
Senator Leahy. The ISP's can do this now anyway.
The Chairman. They can do it now anyway.
Senator Leahy. They can step through and get most of this
now. They might have a different reason, a different purpose,
but they can do it.
The Chairman. But they don't need to have the assistance of
the FBI to do it.
Mr. Dempsey. If I could, Mr. Chairman, just before you go
to Professor Rosen--and we can go back to this later in the
questions--I just wanted to lay out two other areas that I
think merit discussion here, one of which is the question of
whether Carnivore constitutes a search for fourth amendment
purposes and an interception for title III purposes. I believe
that, at least as the FBI has explained it on their Website,
Carnivore does constitute a search and seizure for
constitutional purposes and an interception for title III
purposes.
Finally, I would just like to say that once again we are
back to the question of how do you translate the wiretap laws
to the Internet. And Professor O'Neill, I think, referred to
this quite well, but by developing Carnivore and by controlling
and programming Carnivore and putting it out there, the FBI has
basically decided that question technologically by saying that
Carnivore can collect, under a pen register order, e-mail
``to'' and ``from'' addresses and other Internet addressing and
routing information without ever finishing a debate which we
started back here, I think, in May before this committee, which
is the question of what should be the legal standards for
application of pen registers to this very different medium of
the Internet.
So with that, I will conclude. Thank you, Mr. Chairman.
[The prepared statement and attachments of Mr. Dempsey
follow:]
Prepared Statement of James X. Dempsey
Mr. Chairman, and members of the Committee, thank you for calling
this hearing and giving CDT* the opportunity to testify on the FBI's
``Carnivore'' initiative and its implications for Fourth Amendment
privacy protections in the digital age.
---------------------------------------------------------------------------
* The Center for Democracy and Technology is a non-profit, public
interest organization dedicated to promoting civil liberties and
democratic value on the Internet. Our core goals include ensuring that
the Constitution's protections extend to the Internet and other new
media. CDT also coordinates the Digital Privacy and Security Working
Group (DPSWG) a forum for more than 50 computer, communications, and
public interest organizations, companies, and associations working on
information privacy and security issue.
---------------------------------------------------------------------------
Summary
We can all appreciate that new communications technologies pose
challenges to law enforcement agencies carrying out important duties.
But as a black box controlled by the FBI and inserted into the network
of an Internet service provider to search through thousands or millions
of messages, including those of innocent people, Carnivore is not the
right solution. It is not consistent with the way that electronic
surveillance was conducted in the past. It is not consistent with the
Fourth Amendment nor with the Supreme Court's image in the Katz and
Berger decisions of how electronic surveillance could permissibly be
conducted. It is not consistent with the federal wiretap statute, Title
III. And it is not consistent with CALEA. The FBI has to find a better
way to conduct surveillance of Internet communications, one that does
not entail taking control of a portion of the network of a service
provider and that does not entail a general search through the
communications of innocent persons.
In order to moot the serious questions about Carnivore's legality,
the FBI should immediately cease insisting that it be installed outside
the control of Internet service providers (ISPs). Instead, the FBI
should immediately begin making the technology of Carnivore available--
including the source code and the right to modify it--to any ISP that
needs it to comply with a surveillance order. (Most ISPs don't need
it.) If any ISP needs to adopt Carnivore or something like it, the ISP
should control its own network, isolating and delivering to the
government only what the government is entitled to intercept, and thus
serving as a buffer between the government and the communications of
their innocent customers. This would reinstitute the kind of checks and
balances we depend on to preserve our rights.
Looking more broadly, Carnivore is the latest in a series of wake-
up calls about the perils facing personal privacy in the digital age.
Carnivore illustrates the extend to which the FBI claims the authority
to actually control the design or functioning of communications
networks.\1\ Yet the deployment of Carnivore and other design or
functional mandates for surveillance creates new and largely
unappreciated threats to the security of communications. Moreover, even
apart from FBI efforts to control the technology, it is clear that,
despite the ways in which the newer digital technologies are harder to
tap, on balance the government is acquiring far more surveillance
powers as a result of the digital revolution: Market-driven changes in
the technology and the ways we use it mean that we are generating more
electronic information than ever before about our lives and making it
available on networks and computers where it can be readily obtained by
the government. Law enforcement agencies are not loosing ground--they
are gaining surveillance and tracking capabilities by leaps and bounds.
For all of these reasons, Carnivore highlights the need for Congress to
enact greater privacy protections in the outdated statutory framework.
---------------------------------------------------------------------------
\1\ For other examples, see Neil King Jr. and David S. Cloud, Hang-
Ups: Global Phone Deals Face Scrutiny from New Source: the FBI, Wall
Street Journal, August 24, 2000, at A1. The implementation of CALEA has
been one long struggle over the FBI's insistence on dictating very
precise surveillance features to the telephone industry. See United
States Telecomm Assoc. v. FCC, No. 99-1442 (D.C. Cir Aug. 15, 2000).
---------------------------------------------------------------------------
Among the specific points we would like to make about Carnivore:
The first problem with Carnivore is that we do not know
how it works. There is little understanding of how Carnivore searches
are limited, and little chance for judicial or public oversight. Such a
situation is ripe for mistake or misuse. The government should embrace
an open source model allowing public scrutiny of Carnivore's design.
Unfortunately, the ``independent review'' promised by the Justice
Department at this point is so circumscribed and under such control of
the FBI and the Department that it holds little promise of giving
Congress, industry or the public reliable answers.
So long as Carnivore is a black box owned and controlled
by the government, its forced installation in the network of an ISP
means that, in essence, the government takes control of part of the
ISP's network. ISPs should control their own networks. Installing a
closed Carnivore system outside of ISP control introduces new risks to
the security of these networks. ISPs are in the best position to
respond to court orders in a fashion that protects user privacy.
As far as we can tell, Carnivore searches more information
than the government is legally entitled to search. Indeed, based on
current description. Carnivore, when controlled by the FBI, has to be
characterized as an unconstitutional governal search and an
interception in violation of Title III. If Carnivore is used as a pen
register under the pen register statute as currently interpreted by the
DOJ, it is likely that it searches (and intercepts, in Title III terms)
content of the target. Even worse, whether used under the pen register
order or a Title III probable cause order, it searches and intercepts
the communications of innocent persons outside the scope of any
properly issued Title III order.
Carnivore's use as a pen registers has pre-judged--in fact
has surrendered to Executive Branch discretion and ex parte legal
proceedings--the important public policy question of what data should
the government collect about Internet transactions under the weak
privacy standard of the pen register statute. Without explicit
statutory language, the Justice Department is asserting that it can use
the rubber-stamp pen register authority to collect information from the
Internet that is much more revealing than the information collected by
pen registers from telephone lines. There seems to be a growing
consensus that the low legal standard authorizing their use should be
raised for plain old telephones. But if the government is to collect on
the Internet transactional information more personally revealing than
that collected on telephone lines, then it would seem that an
intermediate standard must be developed for Internet transactional
data.
Context: Privacy and Surveillance in the Internet Age
The Internet has already demonstrated its potential to promote
democracy, spur economic growth, and enhance human development.
Individuals, civil society, businesses and governments are all rushing
to use the Internet for work, activism, education, social services,
human contact, artistic expression and consumerism. The Internet has
become a necessity in most workplaces and a fixture in most schools and
libraries. Soon, it may converge with the television and wireless
phones, and thereby become nearly ubiquitous.
Every day, Americans use the Internet to access and transfer vast
amounts of private data. Financial statements, medical records, and
information about our children--once kept on paper and secure in a home
or office--now travel through the network. Electronic mail, online
reading and shopping habits, business transactions and Web surfing can
reveal detailed profiles of people's lives. And as more and more of our
lives are conducted online and more and more personal information is
transmitted and stored electronically, the result has been a massive
increase in the amount of sensitive data available to government
investigators.
While the Justice Department frequently emphasizes the ways in
which digital technologies pose new challenges to law enforcement, the
fact is that the digital revolution has been a boon to government
surveillance and information collection. The FBI estimates that over
the next decade, given planned improvements in the digital collection
and analysis of communications, the number of wiretaps will increase
300 percent. Computer files are a rich source of evidence: In a single
case last year, the FBI seized enough computer evidence to nearly fill
the Library of Congress twice. As most people sense with growing
unease, everywhere we go on the Internet we leave digital fingerprints,
which can be tracked by marketers and government agencies alike. The
FBI in its budget request for FY 2001 sought additional funds to ``data
mine'' these public and private sources of digital information for
their intelligence value.
Wiretapping the Internet
Our legal framework for electronic surveillance was developed in an
era of circuit-switched telephone networks, where it was relatively
easy to isolate the communications of a particular target to the
exclusion of the communications of innocent persons, and where it was
relatively easy to distinguish between transactional data, which was
limited and not very revealing, and Constitutionally-protected content.
Even at the time CALEA (the Communications Assistance for Law
Enforcement Act) was adopted in 1994, the telephone system, while going
digital, was still largely based on a circuit-switched architecture,
and CALEA assumed that central telephone company switches, if loaded
with special software, would provide ready access to the communications
and call-identifying information of surveillance subjects. This
Committee, in drafting CALEA, wisely excluded the Internet from CALEA
specifically because those technical assumptions did not apply to the
packetized, decentralized Internet.
By design, the Internet's architecture is not like that of the
phone system. It is not centralized. It does not dedicate a channel or
circuit to one conversation. It does not have permanent addresses. But
surely these technological differences do not mean that we can abandon
the principles of the fourth Amendment. As the D.C. Circuit recently
made clear in the CALEA appeal, the mere fact that government agencies
are encountering a new technology does not give them the authority to
redefine the rules of interception, even where the government promises
it will not record or use the information it is not entitled to.
Instead, we must find ways to ensure that the fundamental distinctions
of the law are maintained, and where they cannot be, the government
must meet the higher, not the lower, legal standard. ``Wiretapping''
the Internet may require greater oversight and protection. If pen
registers on the Internet reveal more than the ``numbers dialed'' they
once provided for telephones, then the standard must be higher than the
standard for telephone pen registers. And we must recognize that the
government's desire to translate every current telephone surveillance
capability into the Internet world (with a kind of 100% guaranteed
success rate never really available with traditional telephone
surveillance) would require a new technical architecture for the
Internet with huge security risks.
It is in this context that the FBI's Carnivore initiative must be
viewed.
Questions about Carnivore
Carnivore reportedly serves at least two functions. Installed at an
ISP, it monitors communications on the ISP network and records messages
sent or received by a targeted user. This is presumably designed to
effectuate an electronic ``wiretap'' order served on an ISP. Carnivore
can reportedly also isolate the origin and destination of all
communications to and from a particular ISP customer. This is
presumably designed to satisfy what law enforcement claims is the
Internet equivalent of ``pen register'' and ``trap and trace'' orders,
which in the telephone context provide digits dialed and incoming phone
numbers. (Note that there are fundamental questions about what
information pen register and trap and trace orders should collect in
the Internet context.)
There are many unanswered questions about Carnivore:
How does Carnivore isolate and record only the information that the
government is legally entitled to collect under a particular wiretap or
pen register order? Carnivore has the potential to capture the content
of communications even when a pen register order would limit collection
to addressing information. Indeed, as we explain below, getting the
addressing information the government claims it is entitled to often
requires capturing and analyzing content. Does Carnivore avoid that?
Moreover, since Carnivore operates on a network link, it has the
potential to capture the traffic of customers who are not the subjects
of an order. For example, Internet Protocol (IP) addresses may be used
to identify the communications of a target. But in many systems such
addresses are dynamically allocated (meaning that the same address will
be assigned to many users sequentially, and a given user will not have
the same address from day to day or hour to hour), making it quite easy
to monitor the wrong user.
Is Carnivore itself a secure system? Can it be compromised? Does it
provide secure audit trails, and is it tamper resistant? Is it true
that Carnivore installed on an ISP's system can be remotely accessed
and reprogrammed by the FBI? If Carnivore, an eavesdropping device with
access to a vast stream of traffic independent of any ISP control, were
itself somehow compromised, the damage to privacy and security could be
tremendous.
The technical community has developed a method to improve trust in
complex systems: Open source review. Review of the source code and
design specifications by a community of experts might reveal mistakes,
bugs, or security holes unknown to the FBI. Such mistakes are quite
common in the design of complex technical systems. Open source review
of Carnivore's hardware, software, and technical design is essential to
ensuring that Carnivore does not exceed its legal authority. It would
also seem necessary for defense lawyers and judges to test in the
adversarial process the reliability of evidence it generates.
Undoubtedly, the FBI will initially argue that revealing source
code will compromise the effectiveness of Carnivore. If true, one must
question the general security and usefulness of a system that can be so
easily circumvented by anyone with knowledge of its operation.
The Department of Justice has promised to contract for an
``independent review'' of Carnivore. Unfortunately, the review has been
wrapped in conditions and controls that undermine its credibility and
seem to be discouraging the best experts from participating.Two in
particular are especially troubling: (1) The contract documents for the
review specify that the government will retain control over what
portions of the reviewers' comments are released to the public. The
government says that it will release as much as possible, consistent
with contractual obligations and ``preserving the effectiveness of
Carnivore.'' This would seem to preclude release of conclusions about
the vulnerability or effectiveness of Carnivore. Since the FBI has
claimed that its contractual obligations preclude it from disclosing
even the name of the company that built Carnivore, that could be
another huge justification for censoring the contractor's report. (2)
The implications of this are compounded by the blanket non-disclosure
agreement that contractor personnel would be required to sign, in which
they would promise not to disclose to anyone anything they learned in
the course of their review without FBI permission. Under the agreement,
sensitive information is defined as ``any and all information received
from the FBI'' and ``any and all other information associated with the
Carnivore device and system.'' This gag order would mean that persons
who now can talk about Carnivore based on their general understanding
of it would be permanently silence if they participated in the review.
In a Departure from Tradition and Best Practice, Carnivore Is Not
Controlled by ISPs
Even were there open review of Carnivore's system, installation of
a ``black box'' out of an ISP's control creates new privacy and
security risks. The parameters for how Carnivore is used once installed
are likely to be extremely important. Such parameters could control who
the targets are, how they are identified, and what information is
collected about them. Yet with Carnivore, ISPs appear to have no
control over how the system operates. Such a system provides no checks
on its use, and is an invitation for misuse or mistake. Indeed, we
understand that the FBI retains the sole right to alter how Carnivore
operates when it is in place, and that the FBI can do so remotely,
without the knowledge or cooperation of the service provider.
Carnivore is a radical departure from the way interceptions have
traditionally been performed. In the world of telephone wiretaps, phone
companies are extremely reluctant to allow law enforcement officials
into their switching facilities. In the past, and up through the
present time, telephone companies have been adamant that the would
activate any interception from within their central offices. (Companies
would allow law enforcement agents to activate intercepts from access
points on their outside plant, like neighborhood or apartment building
junction boxes, but that type of access is disappearing.) The reasons
were both privacy and security.
In 1994, Congress confirmed that this principle was an important
additional check on abuse. So section 105 of CALEA expressly provides
that wiretaps shall be activated and controlled by telephone company
personnnel:
A telecommunications service provided shall ensure that any
interception of communications or access to call-identifying
information effected within its switching premises can be
activated only in accordance with a court order or other lawful
authorization and with the affirmative intervention of an
individual officer or employee of the carrier * * * 47 U.S.C.
1004, Pub. L. 103-414, section 105.
CALEA does not apply to ISPs (and should not be extended to ISPs), but
Carnivore is a radical departure from the principle that service
providers must keep government agents out of their systems.
ISPs themselves are in the best position to comply with lawful
orders for electronic surveillance. ISPs have a dual duty, to both
produce information for law enforcement and to protect the privacy of
their customers by only revealing such information where required by
lawful order. Moreover, ISPs are in the best position to understand
their own networks and the most effective ways of complying with lawful
orders. They are also in the best position to understand potential
implications or threats from installation of a Carnivore device.
Carnivore Performs an Unconstitutional General Search and an Illegal
Intercept Under Title III
Carnivore operates very differently from an ordinary wiretap or pen
register. In the telephone world, it has always been possible to
isolate a pair of wires or a channel or circuit that is dedicated to a
targeted individual's communication. The Supreme Court's approval of
wiretapping under the Fourth Amendment was based on the understanding
that the government would be accessing only the communications on a
particularly identified line (the ``facility,'' in Title III terms).
All of the Court's concern about ensuring that on that particularly
identified line the government only intercepted communications that
involved specified criminal conduct would be rendered absurd if the
government could search the lines of many subscribers. See Berger v.
New York, 388 U.S. 41, 58-60 (1967); Katz v. United States, 389 U.S.
347, 355-56 (1967).
According to published accounts, including information on the FBI's
Web site, http://www.fbi.gov/programs/carnivore/carnlrgmap.htm,
Carnivore operates by monitoring (according to the FBI's description,
redirecting and copying) all traffic on the network link where it is
installed. Carnivore searches through all this traffic. (A copy of the
FBI's description is attached to this testimony.) In theory, Carnivore
then only records data appropriate to the order under which it
operates--i.e., data relating to the target of an order, or even
narrower information pertaining to pen register or trap and trace
orders.
Nevertheless, in Fourth Amendment terms, Carnivore, as it has been
described, is conducting a ``search'' of all the communications on the
network segment to which it is attached, including the traffic of
innocent persons. That is, even if Carnivore functions as promised and
only records the traffic of the target, it is searching through the
email of many innocent persons--it is conducting an unconstitutional
general search. The ISP redirects to Carnivore a stream of packets from
many different customers. Carnivore filters those packets. That is a
search. The fact that Carnivore is automated and that no human ever
reads innocent messages does not make it any less of a search. The use
of machines to carry out searches does not make them any less a search
for Constitutional purposes.
In Title III terms, it also seems clear that what Carnivore does is
an ``intercept.'' As the Second Circuit states, ``It seems clear that
when the contents of a wire communication are captured or redirected in
any way, an interception occurs at that time. * * * Redirection
presupposes interception.'' United States v. Rodriguez, 968 F.2d 130
(2nd Cir. 1992), cert. denied, 113 S.Ct 139, 140, 663 (19992). See also
United States v. Denman, 100 F.3d 399, 403 (5th Cir. 1996), cert
denied, 117 S. Ct 1256 (1997); United States v. Tavarex, 40 F.3d 1136
(10th Cir. 1994); United States v. Nelson, 837 F.2d 1519, 1527 (11th
Cir. 1988), reh'g denied en banc, 845 F.2d 1032 (1988), cert denied,
488 U.S. (1988). Thus, use of Carnivore under control of the FBI is an
illegal interception of the redirected communications of innocent
subscribers.
Pen Registers Do Not Translate Neatly Onto the Internet
A pen register collects the ``electronic or other impulses'' that
identify ``the numbers dialed'' for outgoing calls and a trap and trace
device collects ``the orginiating number'' for incoming calls. 18
U.S.C. Sec. 3121 et seq. The Supreme Court has held that the numbers
collected by a pen register on a telephone line reveal so little about
a person's communication that they are not constitutionally protected.
Smith v. Maryland, 442 U.S. 735 (1979). The Court has stated, ``Neither
the surpost of any communication between the callerand the recipient of
the call, their identities, nor whether the call was even completed is
disclosed by pen registers.'' United States v. New York Tel. Co., 434
U.S. 159, 167 (1977). (While the information is not constitutionally
protected, it is sensitive, and as CDT and others have noted, the
standard for pen registers in the telephone world is now too low, since
even phone numbers dialed can draw a profile of a person's life.)
Carnivore's apparent attempt to extend ``pen registers'' and ``trap
and trace'' orders to the Internet is not a simple matter. Access to
Internet transactional data is not clearly supported by the pen
register statute, which refers to the collection only of ``numbers
dialed'' on the ``telephone line'' to which the device is attached.
Moreover, Internet origin and destination addresses can be far more
revealing than the Supreme Court contemplated in Smith v. Maryland and
New York Tel. Co.
Extending the use of pen registers to new telephone devices and
services--such as pagers, or numbers dialed after a call is completed--
has been the subject of debate \2\ and was one of the issues in the
CALEA lawsuit where the Court of Appeals reversed the FCC. \3\ But
Carnivore is indicative of a whole new and problematic expansion of the
pen register to the Internet. See CDT memo dated April 4, 2000,
``Amending the Pen Register and Trap and Trace Statute in response to
Recent Internet Denial of Service Attacks, and to Establish Meaningful
Privacy Protections,'' http://www.cdt.org/security/
000404amending.shtml.
---------------------------------------------------------------------------
\2\ See,. e.g., Brown v. Waddell, 50 F.3d 285, 290-91 (4th Cir.
1995) (refusing to classify a digital display pager clone as a pen
register).
\3\ See United States Telecomm Assoc. v. FCC, No. 99-1442 (D.C. Cir
Aug. 15, 2000).
---------------------------------------------------------------------------
The first question is what Internet transactional data may be
collected and under what standard. It is one thing if the FBI were
using the pen register authority only to collect IP addresses
(provided, of course, that the isolation were done by the service
provider rather than by an FBI-controlled Carnivore). In the packet-
switched Internet, the literal ``destination'' of an intercepted
message is often the Internet Protocol (IP) address of the link on
which it is observed. This information is found in the header of a
packet. So is the Ethernet address it is being sent to on a local
network. If the government is seeking just IP or Ethernet address
information, it can find it in the header of a packet, which is easily
separated form the content.
But if by destination the government means the ``To:'' line of an
e-mail message, that is often within the packet's content payload, and
as the DC Circuit recently made clear, intercepting addressing
information that is commingled with content requires authority to
intercept content. United States Telecomm Assoc. v. FCC (Aug., 12,
2000).
In an effort to illustrate this point, I have attached some packets
we ``sniffed'' off our own DCT network. Example 1 shows a packet for a
visit to Chairman Hatch's web page. The header of the packet includes
the source the destination IP addresses. In this case, the source IP
address 207.2263.15 is a computer at CDT and the destination
199.95.76.12 is the U.S. Senate web server. (If you type 199.95.76.12
into your browser after http://, it takes you to the Senate home page
just as if you had typed www.senate.gov.) So the header, which can be
easily separated from the content payload, would provide information
that might be similar to the information that a pen register would
provide on a person at CDT who called 224-3121, the Senate switchboard.
However, if the FBI wanted to know what precise page I was viewing,
they would need to reach into the content (TCP data) portion of the
packet. There they would find that I had asked for (``Get'') a copy of
/-hatch/greeting.ram. Anybody typing that into a browser would find
that I had downloaded the video greeting on the Chairman's web page.
Thus, they would know the precise content of my Web viewing.
In other cases, where law enforcement is apparently seeking origin
and destination addresses that are more than link IP addresses, they
will be forced to analyze the contents of packets. For example,
attached in Example 2 are three sample IP packet ``sniffed'' as they
went from CDT's network to our ISP. The packets are part of an e-mail
message from me to Makan Delrahim, a member of the Committee staff. The
header of each packet shows the IP addresses of the packet's origin (a
computer at CDT) and destination (our ISP's mail server, which will
next send the packet to the Senate mail server). To find out to whom
the e-mail is addressed to, one would need to read and analyze the
contents of specific packets. Is Carnivore able to pick out only the
one packet that contains only the ``To:'' information and the one
packet that contains only the ``From:'' information? It would be nice
to have some assurance other than the FBI's say-so.
The e-mail addresses in the To and From lines are much more
revealing than ``numbers dialed'' in that they are associated with
specific persons. In the case of a Web site, the URL can disclose
specific pages visited, books browsed, or items purchases. And as
people move more of their lives online, a list of e-mail recipients by
name or web sites visited can provide a very detailed dossier of
activities--all available without the heightened protections of a
wiretap or even a standard Fourth Amendment warrant. For example,
attached in Example 3 is a sample IP packet showing a search for a book
on the Barnes and Noble web site. Again, the IP address information is
available in the header; the URL in the body of the message reveals
information about what books the user is looking at--here, books on
prostate cancer. (A subsequent URL might indicate that the person
actually bought the book.) Taken together, a collection of such
``destination'' information could generate a revealing list of a
person's interests and activities. In this way, Internet transactional
information is more revealing than telephone transactional data.
CDT has long urged, and there seems to be a consensus, that
Congress should raise the standards for use of pen registers across the
board. Under the current standards, a judge ``shall'' approve any
request signed by a prosecutor certifying that ``the information likely
to be obtained is relevant to an ongoing criminal investigation.'' 18
U.S.C.Sec. Sec. 3122-23. This is low standard of proof, similar to that
for a subpoena, and judges are given no discretion in the granting of
orders. Pen registers are executed with neither public nor judicial
oversight: in contrast to wiretap orders, there is no requirement that
the government ever report back to the authorizing judge on the results
of a pen register and no requirement of notice to the targets of pen
registers. Unlike wiretaps, there are no national reporting reqirements
on the use of pen registers. The Justice Department reports on its own
use, but this does not include numerous federal, state and local use.
The Carnivore debate raises Fourth Amendment questions for pen
registers online. Courts have found that consumers have no
``expectation of privacy'' in the digits they dial on a telephone.\4\
Given the revealing nature of Internet transactional information, it
would seem that users do have a reasonable expectation of privacy in
the URLs of Web sites they visit and the email addresses of those with
whom they communicate, such that an intermediate standard is necessary
for collecting certain Internet transactional data. See 18 U.S.C.
2703(d) and H.R. 5018, the ``Electronic Communications Privacy Act of
2000,'' introduced by Reps. Canady and Hutchinson.
---------------------------------------------------------------------------
\4\See Smith v. Maryland, 442 U.S. 735 (1979). The Court's
reasoning relied in part on its understanding that ``pen registers do
not acquire the contents of communications.''
---------------------------------------------------------------------------
Reinvigorating the Fourth Amendment in Cyberspace
On May 25, 2000, I testified before this Committee about the ways
in which the statutory and constitutional framework governing
electronic surveillance has been outpaced by technological change.
http://www.senate.gov/-judiciary/52520jxd.htm.
To update the privacy laws, and respond specifically to Carnivore,
Congress could start with the following issues:
Increase the standard for pen registers across the board.
Define and limit what Internet transactional information
can be disclosed to the government and under what standard.
Add electronic communications to the Title III
exclusionary rule in 18 USC Sec. 2515 and add a similar rule to the
section 2703 authority. This would prohibit the government from using
improperly obtained information about electronic communications.
Require notice and an opportunity to object when civil
subpoenas seek personal information about Internet usage.
Improve the notice requirement under ECPA to ensure that
consumers receive notice whenever the government obtains information
about their Internet transactions.
Require statistical reports for Sec. 2703 disclosures,
similar to those required by Title III.
Make it clear that Internet queries are content, which
cannot be disclosed without consent or a probable cause order.
Provide enhanced protection for information on networks:
probable cause for seizure without prior notice, and a meaningful
opportunity to object for subpoena access.
The recent White House announcement \5\ on privacy and surveillance
adopts some of these proposals. Extension of the wiretapping
exclusionary protections to electronic interceptions is a particularly
welcome step. Increasing the standard for pen registers is an
improvement, but will not be sufficient if such orders are applied
broadly (i.e., include URLs) to the Internet. On the other hand, the
proposed expansion of the Computer Fraud and Abuse Act criminalizes an
unnecessarily broad range of activities online. The proposal fails to
address the need for heightened protections for private data held in
the hands of third parties. And there are other changes buried in the
proposal that we are still analyzing. CDT is prepared to work with
Congress and the Justice Department to continue to flesh out the needed
privacy enhancements, and to convene DPSWG as a forum for discussion
and consensus building on these issues.
---------------------------------------------------------------------------
\5\ See Ted Bridis, Updating of Wiretap Law for E-Mail Age is Urged
by the Clinton Administration, Wall Street Journal., July 18, 2000, at
A3.
---------------------------------------------------------------------------
Conclusion
The Carnivore system requires greater public scrutiny. It should be
controlled by the ISPs. More broadly, it speaks to the need for
modernization of our surveillance laws and greater privacy protections
to counteract the real threats to privacy online.
Protecting national security and public safety in this new digital
age is a major challenge and priority for our country. On balance,
however, the new sources of data and new tools available are proving to
be a boon to government surveillance and law enforcement. We do not
need to ignore traditional standards in order to respond to the new
technologies. The attempt to literally translate all current
surveillance capabilities directly onto the Internet may not be
possible or desirable in all cases, or may require new privacy
protections.*ERR03*
[GRAPHIC] [TIFF OMITTED] T4729A.001
[GRAPHIC] [TIFF OMITTED] T4729A.002
[GRAPHIC] [TIFF OMITTED] T4729A.003
[GRAPHIC] [TIFF OMITTED] T4729A.004
[GRAPHIC] [TIFF OMITTED] T4729A.005
[GRAPHIC] [TIFF OMITTED] T4729A.006
[GRAPHIC] [TIFF OMITTED] T4729A.007
The Chairman. Professor Rosen, we will conclude with you.
We would like to have some questions here before we finish.
STATEMENT OF JEFFREY ROSEN
Mr. Rosen. Thank you so much, Senator. It is an honor to be
here. I just want to talk very briefly at the end of this
hearing about uncertainty, and in particular about the cost of
the uncertainty that results from covert monitoring on the
Internet, and this is the uncertainty of innocent citizens who
can't be sure whether or not their intimate communications are
being intercepted by State officials or by ISP's.
It strikes me that even at the end of this fascinating and
informative hearing, there is a great deal of uncertainty that
continues to be associated with Carnivore. I was interested and
encouraged to hear Dr. Kerr testify that Carnivore is only made
available to ISP's if they are unwilling or unable to conduct
the search themselves, and that it is removed as soon as the
court order expires. Surely, this procedural regulation should
be codified to reduce the uncertainty of innocent citizens who
may fear that their Government has technical access to their
messages without their knowledge or consent.
There are, as you began by saying, Senator Hatch, other
uncertainties associated with Carnivore. The FBI is legally
forbidden from monitoring the communications of citizens who
are not targets, but the mere knowledge that Government agents
have the technical capacity to read e-mail messages will
greatly increase the uncertainty of innocent citizens at a time
of widespread concern over privacy over the Internet.
It is also true that one of the safeguards of the system,
the audit trail records that record precisely which
communications are intercepted, is made available to targets
only if a prosecution actually results. So innocent citizens
who are not targets have no notice when they are being
monitored and no confidence that they are not being monitored.
Senator Hatch, I would be delighted to give you a copy of
my book. It is called ``The Unwanted Gaze: The Destruction of
Privacy in America,'' available everywhere from Random House.
And I will take this opportunity to note that the title, ``The
Unwanted Gaze,'' actually describes the consequences when
people are not certain about whether or not they are being
observed.
It comes from a beautiful passage actually in Jewish law
that describes the anxiety and inhibition that results when
citizens are being watched without their knowledge. There is a
body of doctrine called hezzek re'iyyah, which means the injury
caused by seeing or the injury caused by being seen. So when
your neighbor puts up a window, observing you in a common
courtyard, you are entitled not only to prohibit the neighbor
from observing you, but also actually to require that the
window be taken down because medieval authorities recognized
that it was not only the surveillance itself, but uncertainty
about whether or not surveillance is taking place, that forces
us to lead more constricted lives and inhibits us from speaking
and acting freely in private places.
So, understandably, the consensus among these medieval
jurists was that the window had to come down even if the
individual whose privacy was violated failed to protest because
there was this uncertainty that made everyone act in a more
inhibited way in spaces that should be considered private.
I am concerned particularly at this moment of uncertainty
about the Internet that the Carnivore System, even if it were
administered scrupulously, would increase the anxiety about
monitoring on the Internet at precisely the moment when many
citizens are afraid to use e-mail because of concerns about
privacy.
There are several surveys of the health effects of
monitoring in the workplace that suggest that electronically-
monitored workers express higher levels of depression, tension
and anxiety, and lower levels of productivity than those who
are not monitored.
Now, let me briefly address the constitutional issue which
has been touched on, but seems to me a very hard one, and this
is the question does Carnivore violate the fourth amendment. It
seems to me that one could make a strong argument on either
side. Is this the quintessential example of an unreasonable
search or is it the precisely tailored example of the perfectly
reasonable search?
Carnivore operates very much like an ingenious and
hypothetical search that was discussed in a fascinating article
in the Yale Law Journal recently, and this is a program called
the worm. So the worm is a form of computer software that the
Government can dispatch to enter your computer without notice.
It scans your hard drive for illegal software or specified
words or images, pornographic pictures or any other evidence
that the Government is looking for. If the worm finds what it
is looking for, it can alert the FBI. And if not, it destroys
itself, leaving no trace of its presence.
So in some respects, the worm seems very much like
Carnivore, and it looks precisely like the general warrants
that the Framers of the fourth amendment meant to prohibit.
Both Carnivore and the worm can monitor millions of computer
users without probable cause to believe that a crime has been
committed, and they search broadly without particularized
suspicion of people or places.
But in other respects, the worm, like Carnivore, avoids all
of the spillover effects that led the Framers of the fourth
amendment to condemn general warrants in the first place.
Rather than exposing innocent as well as illegal material, it
focuses on the illegal material with greater precision.
So, Senator Leahy, you began by noting that in the 18th
century if you wanted to read someone's diary, you had to break
into their house and rifle through their desk drawer, and then
you would see a lot of innocent information in the course of
searching for guilty information. Carnivore, if properly
administered, might be said to avoid all of those effects and
only reveal the guilty information. So I don't think we should
be alarmist or hyperbolic about this difficult question of
constitutional translation.
Senator Leahy. Are there people who are being alarmist or
hyperbolic here?
Mr. Rosen. Are people being hyperbolic? I should say that I
have a hyperbolic instinct when I hear about Carnivore because
my fourth amendment knee jerks. But when we think about this
responsibly, it seems to me a hard constitutional question.
Senator, let's remind ourselves, too, how far we have moved
from the world of searches of private diaries in desk drawers.
In the 18th century, the search of a private diary was
considered the quintessential example of an unreasonable
search. We have the story of John Wilkes, the famousEnglish
patriot whose diary was searched by King George, sued in trespass and
won ruinous damages. It is only recently that private diaries have lost
their constitutional protection, we learned from the case of Senator
Packwood.
It is also true that in the famous article about the right
to privacy written by the future Justice Brandeis, he noted
that if a man wrote in a letter to his wife that he hadn't
dined with his son that day, not only the content of the letter
but also a general list of its subject matter would be
protected from public exposure because it wasn't the
information itself, but the domestic occurrence.
We have fallen very far from there to a world where the
list of the subject matters of e-mails are available on a
general standard of relevancy. And one of the things you might
consider, Senator, because I know both of you have been so
important in thinking about pen registers, is whether a higher
standard for the subject matter of e-mails, some more like
reasonable cause, might be appropriate.
I will conclude by echoing Michael O'Neill's notion that
the search of this subject matter information seems far more
invasive than a pen register because they reveal so much more
identity, both the names of the recipient and the sender, and
in the case of URL's the bookstores that you have searched and
the actual search terms themselves. So this is why a reasonable
cause standard might be appropriate.
It seems to me that none of the FBI's testimony at previous
hearings suggests compelling reasons why e-mail interception
should depart from traditional statutory models for regulating
wiretaps. I agree with James Dempsey that Internet service
providers rather than the FBI should at least have the first
opportunity of producing relevant communications specified by a
court order, and Carnivore should not be imposed but made
available to those who can't afford to undertake this search.
You might also think about other possibilities, keeping
audit logs for all communications monitored by Carnivore, not
simply those that result in prosecution, and increasing
procedural protections for innocent communications to reduce
the uncertainty of citizens who have no notice about whether or
not monitoring has occurred.
But my big point is just the costs of uncertainty are
great. This is an anxious time for the Internet. At the very
least, innocent citizens need to be reassured that their
Government is not observing their intimate messages without
their knowledge or consent.
Thank you.
The Chairman. Mr. Cerf, let me just turn to you first, and
perhaps I should express the gratitude of the Vice President
for your assistance in helping him to invent the Internet.
[Laughter.]
I just couldn't resist.
I notice you had some differences, or at least you looked
like you had some differences with Professor Rosen. I will give
you a chance to respond.
Mr. Cerf. Senator, I am sorry. I am having trouble hearing
you. I am hearing-impaired and my hearing aids are not picking
you up.
The Chairman. That is fine. I do have a soft voice, too
soft--my wife says.
I noticed you had some difficulties with what Professor
Rosen was saying.
Mr. Cerf. I had some reactions.
The Chairman. I would like to see what you have to say.
Mr. Cerf. I would like to suggest two things to our
panelists. One suggestion about putting the Carnivore software,
or the equivalent thereof, in the hands of the ISPs for
purposes of having them perform these searches strikes me as
alarming, frankly.
If I were a member of the public wondering who is managing
that software and doing things with it, I would be more
concerned if it were available to and generally in use by ISP
personnel, who need not necessarily understand or follow all
the restrictions and constraints that the FBI would follow. So
it seems to proliferate that strikes me as being excessive
compared to what the FBI proposes, as I understand it, which is
to place the equipment there only during the period of time
that surveillance is required and then remove it again.
Have I misunderstood that?
Mr. Kerr. No. That is correct.
Mr. Cerf. So in some sense, the proposition puts the
facility at broader spread than it would otherwise. That is one
point.
You wanted to respond to that?
Mr. Dempsey. Well, I was just going to say that this use of
Carnivore or unauthorized access to electronic communications
is equally a crime. The sanctions are the same and the
definition of the offense is the same----
Mr. Cerf. No debate there.
Mr. Dempsey [continuing]. Whether it is done by Government
officials or by ISP's.
Mr. Cerf. But I have the feeling that the ISP geeks may be
less familiar with the penalties and with the restraints than
the gentlemen from the FBI. So I would propose that that is not
the best idea in the whole world.
The other reaction that I had, Mr. Chairman, was any
comparison of the Carnivore system with the worm is technically
ill considered. The worm is a very different kind of beast. It
is a mobile piece of software. That is not the way the
Carnivore system functions.
I did have the opportunity to go down to Quantico and have
a pretty thorough briefing and to see the Carnivore system in
operation. I regret that other members of the technical
community appear to have felt unable to do that or are
reluctant to do so. It was a helpful briefing, and I feel as
though I have a much more firm understanding of what it can and
cannot do.
I still have concerns about it, as you could tell, I hope,
from my comments on how much you have to look at in order to
filter appropriate content. But I think the comparison with the
worm is not well considered and I think should be rethought,
Mr. Rosen.
Mr. Rosen. I should suggest I was not making a technical
comparison between Carnivore and the worm, but simply in the
nature of the focused search. Limited to that particular
aspect, it seems to me they are exactly analogous in the sense
that it only reveals the information it is looking for and
doesn't reveal to any human agent information it is not looking
for. That was the limit ofthe comparison.
Mr. Cerf. OK, then you are not proposing that the Carnivore
is a mobile piece of software that moves around and jumps into
millions of machines, which it does not do?
Mr. Rosen. I am a lawyer, not a technician, sir. I will
defer to you on----
Mr. Cerf. I will forgive you for that.
Mr. O'Neill. If I could just make a point, sort of a means
of follow-up, I think one of the difficulties and what perhaps
concerns people is the idea that there is software and also
hardware, because Carnivore apparently is both, and it is
unclear precisely what it does or what its capabilities either
currently are or can be.
I mean, we all know--and I am not a technician particularly
either, but we all know that software is not only dependent
upon what it is, but how it is updatable, how it is modifiable,
and how in any individual case it can be configured.
Now, I happen to be not in the camp of those who would like
to see the Carnivore source code released to the public. I
think that would, in part, defeat its purpose. But I do think
that it is important for this body to have oversight to make
sure that at least someone is watching the watchers. And it
seems to me that that is the important role that Congress can
play in this whole decisionmaking process.
The Chairman. Go ahead.
Mr. Cerf. Well, I am thinking that the existing
surveillance mechanisms are in place now and we must have
someone watching the watchers, I hope. I mean, I would assume
that that is true. So wouldn't the same watchers who currently
oversee this----
Senator Leahy. Don't always assume that, Mr. Cerf.
The Chairman. No, you can't always assume that.
Mr. Cerf. I am sorry?
Senator Leahy. I said don't always assume that.
Mr. Cerf. Well, all right. If I am incorrect, then we have
a bigger problem than just Carnivore.
The Chairman. It is a big problem. We want you to know it
is a big problem.
Professor O'Neill, you gave us 10 reasons that you didn't
define, but let me just go through those. No. 1, you say with
respect to Carnivore itself, Congress ought to obtain
briefings, classified if necessary, to get a better
understanding of what Carnivore is designed to do, how it does
it, and whether there exists potential for abuse.
No. 2, Congress ought to determine what the statutory
authorization for Carnivore is and whether law enforcement has
the authority to insist that a service provider install
Carnivore.
No. 3, if implemented in some fashion, Congress should
require that statistics be maintained by the Justice Department
and that these so-called, ``audit trails,'' be routinely
provided for legislative oversight.
No. 4, Congress should seek to learn whether Carnivore can
easily be defeated by encryption software or E.A. Poe-type
purloined letter schemes.
More broadly, No. 5, hearings ought to be conducted to
determine whether all Internet trap and trace orders should be
issued only on the basis of the judicial finding that
reasonable cause exists to believe that a target has or is
about to commit a crime.
No. 6, the executive branch ought to be required to provide
consumers with notice whenever the Government obtains
information about their Internet transactions.
No. 7, specific statistical reports for pen register or
trap orders for Internet communications similar to the reports
required under title III ought to be required.
No. 8, Congress should explicitly provide that Internet
queries, e-mail subject lines, URL's of sites visited, and
other information which provides more than the equivalent of a
dialed number cannot be disclosed without a probable cause
order.
No. 9, Congress should consider requiring notice and
opportunity for defendants to object when civil subpoenas seek
personal information about Internet usage.
And, No. 10, provide enhance protection for information on
networks, probable cause for seizure without prior notice, and
a meaningful opportunity to object for subpoena access.
Then you say, ``At bottom, I would urge a cautious,
thoughtful approach when it comes to expanding surveillance
capabilities. The conflict between increased security and
enhanced privacy protection is not easily resolvable, nor will
it likely ever be. But Congress ought to seize the moment to
ensure that robust debate occurs before law enforcement's
powers are enhanced and regardless of how the balance is
struck.''
I thought those were pretty good suggestions, to be honest
with you. I don't know how the FBI feels, but having heard
them, what do you think, Mr. Kerr.
Mr. Kerr. Well, I must say that I have just heard them for
the first time, as you have read them off.
But if you would permit me, Mr. Chairman, there were some
questions and suggestions raised about our interactions with
the Internet service providers and I think I can help you on
that.
The Chairman. Well, let me add to that because it was
raised here in this article in USA Today, which I have read--it
appears to cast doubt on whether any university is willing to
take the study of Carnivore under the restrictions that have
been placed on such a study by the FBI, or at least the
restrictions they think are placed by the FBI. In fact, Mr.
Dempsey has pointed that out, I think, fairly strongly, and I
would just like you to comment about that in your overall
comments.
Mr. Kerr. All right. The first point I should make
absolutely clear is that the FBI is not soliciting this review.
It is being done by the Department of Justice, and in
particular under the auspices of Steve Colgate, the Assistant
Attorney General, head of the Justice Management Division.
While I will be part of reviewing the report once it is
prepared, I will have nothing to do with determining the scope
of that study or the acceptability of the outcome. We did it
precisely to avoid having the FBI funding a look at its own
equipment and capabilities.
Senator Leahy. Does the FBI support the study, though?
Mr. Kerr. Yes, absolutely.
Senator Leahy. Thank you.
The Chairman. Have you set the restrictions on the study,
though, or has the Justice Department set the restrictions?
Mr. Kerr. The Justice Department.
The Chairman. Mr. Di Gregory, is that right?
Mr. Di Gregory. That is correct, Senator.
The Chairman. Why have restrictions?
Mr. Di Gregory. Well, there are certain restrictions that
we believe are necessary. The one restriction, for example, is
the restriction on the release of the source code. We don't
believe that the source code should be released publicly
because that could hamper law enforcement efforts.
The Chairman. I can understand that.
Mr. Di Gregory. And a general restriction with respect to
the scope and the nature of the review is that the review is a
technical review. The review was never intended to be a legal
review, but a technical review to determine whether or not
Carnivore does the things it claims it does.
The Chairman. Then why are these universities having such a
difficult time taking on that review?
Mr. Di Gregory. I don't know. That is probably a question
you would have to ask the particular universities involved, and
I can't comment any further on the procurement process.
The Chairman. But am I correct in inferring that all the
universities approached thus far have refused to take on the
review?
Mr. Di Gregory. First of all, I don't know the answer to
that, and even if I did know, I wouldn't comment on it because
there are restrictions with respect to commenting on the
procurement process that I am not completely familiar with, but
am familiar enough with to know that I don't want to get in
trouble. So if you wouldn't mind my----
The Chairman. Well, you don't want to get in trouble with
us either, do you?
Mr. Di Gregory. I don't, Senator. [Laughter.]
The Chairman. I understand.
Mr. O'Neill. One thing I would add to that, Senator, is it
is interesting, though, that--and I think the Department of
Justice ought to be commended for taking these steps, but I
think it is interesting that it seems to be--if you sort of
follow the time line, at least, it is in large part because
Congress chose to take oversight of this because this
information was leaked to the press that the Department of
Justice then sought this outside independent review, which is
entirely the appropriate and proper thing to do, and it is, of
course, the role that Congress ought to be playing here.
The Chairman. Well, your ten suggestions are very broadly
written. I would like you and Mr. Rosen and others, and
especially you, Mr. Cerf and Mr. Dempsey, to look at these and
see if you can improve upon them and make suggestions for us
and for the Justice Department and for the FBI as to how we
might do this.
Look, this is something that is really terrifying a lot of
people around the country. Are we going to have an Orwellian
type of investigative Government now that we are in this
Orwellian type of a world which is doubling now in capacities
in revolutionary ways?
This is scary stuff. We have people who don't want anything
to be done in this area. And, of course, we have people that
are terrified that if we keep allowing the Internet to be used
as a source for crime and criminal activity, this society is
going to be very badly damaged. So I would like you all to
spend some time on that.
Mr. Cerf, go ahead, and then I will go to Mr. Kerr.
Mr. Cerf. There is a book that was published recently by a
gentleman named Amitai Etzione. The title, if I remember
correctly, is something like ``The Limits to Privacy.''
The Chairman. Right.
Mr. Cerf. In that book is what I thought was a fairly
reasoned and balanced discourse about the protection of
personal privacy.
The Chairman. And you think Etzione's discourse would apply
in this case, in this digital world?
Mr. Cerf. You say it would not apply?
The Chairman. No. Do you think it would apply?
Mr. Cerf. I believe that it would because his premise is
that there is a balance to be reached, as I think several
panelists have said, between the protection of personal privacy
and personal information, and the need to protect the general
public's well-being from people who don't mean it well,
criminal elements.
And what Etzione argues in this book is that it is possible
that we have gone too far in one direction or another. It is a
worthwhile book to read, if only to be provoked into thinking
about what the balance could be or should be.
The Chairman. Mr. Kerr.
Mr. Kerr. Two points that I would like to make very
briefly, Mr. Chairman. First, the suggestion that in any way
information about Carnivore was leaked to the press and has led
to hearings and press coverage is absolutely wrong. We have
been briefing on Carnivore for about 18 months. It has been
reviewed substantially within the Department of Justice. It has
been briefed to many companies, many trade associations.
We have offered two ISP's complete access for them to
review the product and its performance, and in no way have we
attempted to conceal its existence or its intended purpose. And
so I find it rather surprising at this juncture that that is
still the view. We have briefed many members of the
congressional staff as well.
With respect to the concern about ISP's and their access,
the thing we safeguard is the integrity of the evidence. The
box where we record the information is locked and accessible
only to an FBI agent. Also, the PC on which the system is based
has its keyboard and monitor removed so that, in fact, a
passer-by can't make a change either maliciously or
inadvertently. And we don't allow them to use the remote dial-
up access which we employ and log, but that is what tells us
when the memory is full and an agent needs to go and remove the
disk.
So we have tried to design it not only with great
specificity to respond to the court orders, but, in fact, with
a view toward maintaining the integrity and authenticity of the
evidence we collect, and to be able to testify after the fact
in court that we did so, who had access, when they had access,
and what the settings of the device were.
I hope that clarifies the point.
The Chairman. Well, it helps, except for one thing. As I
understand your testimony, you indicated that Carnivore has
been used in some 25 cases so far. Is that correct?
Mr. Kerr. Yes, sir. It is now between 25 and 30. That is
correct.
The Chairman. There are reports that the Attorney General
was not aware of it--according to press reports, was not aware
of Carnivore. And I hear from constituents that their concern
with Government surveillance is not their objection to
authorized uses of it, but the potential uses without the
proper checks and balances on Government search and seizure
that our country and Constitution are based on.
What concerns most citizens and concerns me deeply are
reports that the FBI developed and deployed the Carnivore
system without even the knowledge of the Attorney General
herself. That may be par for the course for this Justice
Department, but you cannot take this lightly, given the
fundamental civil liberties that are implicated here.
Now, my sense is that much of the controversy surrounding
Carnivore is due to the apparent perception, rightly or
wrongly--and I would like you to clarify this--that there is no
check on its use by the FBI. Now, I would like, Mr. Kerr, you
and Mr. Di Gregory to explain to us to what extent the
development and deployment of new surveillance technologies by
Federal law enforcement have to be authorized by Congress.
In other words, under what delegated authorities are new
technologies, in general--and Carnivore in particular--
developed, and was there specific authorization by Congress or
the Attorney General to develop and use Carnivore or other
similar systems?
Are these press reports right that the Attorney General
didn't even know about it until recently? And answer the
question as far as what rights do you have to go ahead with it.
Mr. Kerr. Mr. Di Gregory is going to give the first part of
the answer and I will give the second.
The Chairman. Okay, that will be great.
Mr. Di Gregory. From what I understand, Senator, without
knowing of the name ``Carnivore'' or without knowing of the
specific program--this is my understanding--the Attorney
General was aware of the FBI's capacity to do this kind of
surveillance. I think Ms. Stansell-Gamm may have some more
detail about that.
The Chairman. But the Attorney General was unaware of the
actual software that was being developed or has been developed?
Ms. Stansell-Gamm. I simply don't know at what point the
Attorney General became aware of this specific tool or the name
of the tool.
The Chairman. Then answer the second question. What
authority do you have to do this and to have used it in 25
cases? Has Congress given you any authority?
Mr. Kerr. Well, in fact, Congress appropriated the money,
pursuant to our budget request, within which there is a
specific line related to electronic surveillance, and
particularly the development of tools for access to data
networks, the Internet, and the like. It has been in our budget
for a number of years. It is part of our continuing response to
be able to carry out our mission to lawfully intercept
communications as technology evolves.
The Chairman. We are happy to have Mr. Parkinson and Ms.
Stansell-Gamm here with us today.
Ms. Stansell-Gamm. I would like to answer your question
another way, if I could. It has been at least 3 years ago since
the Attorney General made a press announcement about the case
called Ardita, which Mr. Dempsey referred to, kindly, as one of
our law enforcement success stories. And she briefed that case
in great detail to the press, and the core of that story was
what we were able to do and how we were able to do it.
It involved an electronic wiretap at a network at Harvard
University that this hacker, who turned out to be in Argentina,
was using as a platform for attacking DOD systems all over the
world. The investigative problem that we had was how to find
the needle in the haystack, how to find Mr. Ardita's
communications in the haystack of legitimate traffic.
The Attorney General understood how we were able to do
that, which was supervised very closely by a court in Boston. I
think there were two separate title III orders. And because the
tool that we were using to do that was a tool that was not as
sophisticated as Carnivore but, as Mr. Cerf has pointed out,
captured a great deal more hay than the needle, the minimizing
process was far more exacting, required several steps and, in
fact, required an agent to look at some text strings.
The irony of all of this is that while----
Senator Leahy. Instead of carnivore, was that omnivore?
Mr. Stansell-Gamm. No, that was not omnivore. In fact, it
was a tool developed by the Navy called NIDS, Network Intrusion
Defense System. The Air Force has one that they call Sniffy.
You know, they all have their different names, but these tools
have been used by law enforcement in a variety of agencies for
some time, under the strict supervision of courts.
As I say, the irony of all of this is that the tool
Carnivore is the most selective, the most discreet, the most
controllable, the one that is most likely to be able to reach
in and pull out only the needle, although, as you say, it is a
very hard problem.
The Chairman. Maybe bits of needles.
Ms. Stansell-Gamm. Bits of needles, exactly, while the
haystack is moving by.
The Chairman. Right.
Ms. Stansell-Gamm. It is a very difficult technological
challenge. So this represents, in my view, quite a good-faith
attempt on the part of the FBI engineers to respond to the
challenge of collecting information on the Internet in ways
that comply strictly with our legal authorities, and to do it
in very discreet, controlled ways that create records. That is
what this tool does.
The Chairman. Let me turn to Senator Leahy. I have taken
long enough.
Senator Leahy. You know, it is interesting as we examine
these issues to look back at lost opportunities. A few years
ago, I suggested some better procedures for applying for
warrants on pen registers, and so forth, and the FBI has always
been reluctant to talk about that.
Now, I find, since Carnivore came out, some of my
colleagues in the House have proposed that we change not just
the procedures, but also the standard for pen registers and
traps and traces to an extent that I think that probably
Justice and the FBI would wish that they had paid more
attention to the suggestions that Imade. But I assume from the
fact that they haven't expressed any change of heart about my prior
proposal that, they reject that and would prefer that I support the
legislation, for example, of Representatives Canady and Hutchinson,
H.R. 5018, which proposes a more stringent standard for pen registers,
trap and trace, and similar devices that would identify e-mail
addresses, like Carnivore.
That legislation would require specific and articulable
facts reasonably indicating that a crime has been or is being
or will be committed, plus a showing of relevance of the
information sought to the investigation of that crime. Another
bill introduced by Representatives Barr and Emerson, H.R. 4987,
would apply that same greater standard to all pen registers and
traps and traces, whether or not they would identify e-mail
addresses.
Since the source and destination information about e-mail
may have content in a way that a dialed telephone does not,
should we change the standard for pen registers and traps and
traces, or do my earlier suggestions now suddenly sound better
to you?
Mr. Di Gregory. As you may know, Senator, the
administration has put forth a proposal which would elevate the
standard required for trap and trace or pen register
information, though not quite the same standard that is put
forth by Barr and Canady. Our standard would require the
prosecutor--the one that is proposed would require the
prosecutor to submit a factual statement rather than merely a
certification, and that that factual statement would be viewed
by a court and a court would determine whether or not the
factual statement was sufficient to establish that the
information to be obtained from pen register or trap and trace
was information relevant to an ongoing criminal investigation.
Senator Leahy. Does that mean you don't like their
legislation?
Mr. Di Gregory. There are problems with their legislation.
The one that comes to mind initially is that the legislation
submitted by specifically Representative Canady is e-mail-
specific. It is not even Internet-specific, but it is e-mail-
specific, and that creates a problem.
As we have said in other contexts and have said before
Chairman Canady's subcommittee, we believe that any legislation
that is developed with respect to the substantive criminal law,
or even the procedural criminal law as it relates to the
Internet should be as much as possible technology-neutral. We
don't think that there should be a different standard for the
interception of e-mails versus the interception of telephones--
excuse me; I used the word ``interception''--for a pen register
or a trap and trace for e-mails as opposed to a pen register or
trap and trace for telephones.
Senator Leahy. Dr. Kerr, do you feel the same way?
Mr. Kerr. I will take the easy-out, sir. As you know, I am
a physicist and I don't normally opine on matters of the law.
Senator Leahy. Thank you. There is nothing wrong with that
answer.
We got a letter from the FBI last month that described the
operation of Carnivore. It said, ``It does not snoop through e-
mail traveling through an ISP network by searching for key
words or reading the subject line or any other content.''
But the nature of how the Internet works, as I see it
anyway, is that the specific communications or addressing
information of a suspected criminal, one who has been targeted
under a court order, are mixed all up like a stew with all the
other packets of different Internet users carried by the ISP.
Somehow, Carnivore has to snoop through all these other
different packets to find the right one, the needle in the
haystack. Is that correct?
Mr. Kerr. Let me start to answer and certainly welcome any
assistance Mr. Cerf would like to give, but go back to his
envelopes for a minute. What we are looking at in the first
instance is the address on the outside of the envelope. With
the address matching the one we are authorized to capture, we
collect the envelope and we subsequently go and we only take
from that envelope the information we are authorized to take.
But we use the addressing properties of the Internet
itself, the Internet protocols, to select out just those
packets. We don't read them at that point. The machine is doing
it. There is no content being viewed by any human. And, in
fact, those packets that contain information we are not
authorized to obtain disappear at that point. We don't control
them.
Senator Leahy. But to use the envelope thing, it is like
getting a big bag of envelopes and you are looking just for the
one addressed to Dr. Kerr, but there is also an envelope in
there to Mr. Parkinson, Mr. Di Gregory, and on and on. I mean,
you have got to go down through all those envelopes at some
point.
Mr. Kerr. Well, think of it better perhaps, you are
standing at the post office and all the envelopes are going by
you on a conveyor belt. And we are just picking off those
envelopes that have the right address on them. The others go
away; they are not in our life anymore.
Senator Leahy. Mr. Cerf.
Mr. Cerf. If I could interject, the problem here is a
language and terminology problem. The term ``address''
unfortunately is overused for a variety of different purposes
even in the Internet. And so we speak, for example, of Internet
addresses, by which we sometimes mean 170.127.34.16, which is a
numeric indicator of where a computer is in the Internet. It is
sort of like a telephone number.
On the other hand, we also say what is your Internet
address, and by this we often mean what is your e-mail address,
which in my case would be [email protected]. Those are different,
and so the way the Carnivore works is it starts with the
lowest-level physical numeric addresses of the source and
destinations that are under observation. And it only selects
out--the conveyer belt model is a good one--it only selects out
those ones that happen to contain those physical addresses.
Now, we can argue separately about whether you have got the
right addresses. I mean, there are some issues about the
stability of IP address assignment and whether or not a
particular computer has the same IP address forever and ever or
whether it changes from time to time. I am sure that the
members of this committee don't want to know all the details
right here on the spot, though I am prepared to provide them if
needed.
But after you have selected the set of envelopes thatmay
contain information of interest, only then do you then look inside. And
if I have any concerns at all--and I want the FBI folks here to know I
do have concerns--you do have to see quite a bit; you have to suck into
the Carnivore machine quite a bit before you can find that part which
you are interested in after you have determined that this envelope
might contain something of interest.
The point that the Carnivore programmers make is that the
software is intended to look at the collection of material that
makes up an e-mail message like this one, that amount of which
happens to be in one packet, and only if it finds, for example,
a ``to'' and ``from'' e-mail does it capture that packet. If it
can't find that, if it can't parse the contents, it throws it
away. That is the design, that is the intent, and that is the
way it is used. So it is true that the machine pulls in more
than is needed, but it then is programmed to throw away that
part which doesn't match their search criteria.
Senator Leahy. And what you are saying, Dr. Kerr, is you
can't go back to the machine and find out what was thrown away?
Mr. Kerr. That is correct.
Mr. Cerf. Except in the case, of course, where you have
been authorized to obtain and capture content as well. I don't
know whether you are ever allowed to do that.
Mr. Kerr. The answer I was giving was that packets that we
have discarded aren't available to us at all.
Mr. Cerf. They are not. They have disappeared on the
conveyor belt and have gone away. So it is a multilevel filter
that is being applied, and at each stage in the filtering
process less and less information is retained.
Senator Leahy. Mr. Dempsey, you wanted to add something to
that.
Mr. Dempsey. Yes, Senator. I have two comments, one of
which addresses the question which is, is it good enough that
Vint Cerf has looked at Carnivore and has come away relatively
satisfied with it. And I have to say that----
Mr. Cerf. I won't take any offense if you say that it isn't
because I would agree with you.
Mr. Dempsey. That it isn't good enough?
Mr. Cerf. That is right.
Mr. Dempsey. And so we have to somehow get beyond the fact
that one person has been in, or that several people have been
in. I really don't think we have had the kind of review of
Carnivore that would really satisfy this committee and satisfy
the public, and I do agree with the chairman that somehow the
FBI needs to work and the Justice Department needs to work on
that independent review.
I would note in response to Dr. Kerr's comments it is a
Justice Department review, but this nondisclosure agreement
which Vint Cerf signed but which other people are rather
reluctant to sign--the nondisclosure agreement is between the
contract personnel and the FBI. You are signing an agreement
with the FBI and you are responsible to the FBI as to what you
can say and not say.
I also think that I am a little bit reminded of the----
Senator Leahy. Responsible to the FBI, even though the
review is that of the Justice Department, or did I miss the
point?
Mr. Dempsey. Well, the question was who is controlling
the----
Senator Leahy. You are talking about when it goes in.
Mr. Dempsey. Controlling the review.
Senator Leahy. Yes, OK.
Mr. Dempsey. Who is controlling the review, and Dr. Kerr
made the point, well, people needn't worry; it is a Justice
Department-controlled review. And I am making the point that
the nondisclosure--people are going to be bound to the FBI.
Mr. Cerf. May I just interject that I agreed to sign the
nondisclosure on the principle that when you are dealing with
surveillance, just as you would with other intelligence
situations, sources and methods are always a sensitive issue.
Mr. Dempsey. But the concern on the part of people, as I
understand it, is that this agreement is so broadly drafted
that it will prohibit people from talking more broadly or more
generally. Now, you feel comfortable coming here today and
speaking, but other people are worried, particularly if they
would be critical as opposed to moderately supportive, that
they would then be accused that they had--particularly if they
talk about ways in which Carnivore may be vulnerable, may be
subject to abuse, may be avoidable or evadable, that they
would--the point is we need to get beyond one person knowing.
Mr. Cerf. Absolutely, and I believe that the FBI has, in
fact, introduced this system to more than one person.
But I just want to emphasize two things. First of all, I am
conscious of the concern over methods of collection and I
recognize the need to keep those reasonably under control.
However, I do agree with Mr. Dempsey that one person is not
enough and that you need a broader substantiation that this
system does what it, in fact, claims to do. So I would
certainly agree with what I think Mr. Dempsey is suggesting, is
that there be a broader review of this system and some
confirmation coming back to this committee that it does as it
is advertised.
Senator Leahy. I would like that.
And let me ask you--I think this would probably be for the
FBI or DOJ--the D.C. Circuit Court of Appeals had a recent
decision on the FCC's implementation of CALEA and it raised
some interesting questions both about the legality of
Carnivore, but also I think the liability of ISP's. The court
agreed with the FCC that a standard adopted by
telecommunications carriers could provide both packet headers
and the content or payload to law enforcement.
The carriers argued, though, that they couldn't technically
separate the two, while the FBI said, that is OK, we have got
equipment that could, ``distinguish between a packet's header
and its communications payload, and make only the relevant
header information available for recording or decoding.''
Now, I assume the FBI was referring to its Carnivore
equipment when it made that representation to the court. It
actually made the same representation to the FCC. The reason I
say this is the representation was critical, since both the FCC
and the court noted that, ``privacy concerns could be
implicated if carriers were to give to law enforcement packets
containing both the addressing information and the content,
when only the former''--that is, the addressing information--
``was authorized.''
Now, both the FCC and the court noted that CALEA imposes an
affirmative duty on carriers to protect the privacy and
security of communications not authorized to be intercepted. It
also requires that they do not give lawenforcement access to
any communications or addressing information not covered by a court
order.
I put all that as a basis to this question: do you believe
that the way in which Carnivore operates gives law enforcement
access to more than just the communications or addressing
information covered in a court order? And if so, could it put
the ISP in jeopardy of violating its duty under CALEA of
protecting the privacy and security of communications not
authorized to be intercepted?
Mr. Kerr. The very simple answer to your question is that
CALEA covers telecommunications carriers. The Internet service
providers are not covered under CALEA. We have only used
Carnivore in conjunction with the networks of Internet service
providers.
We did, in fact, brief the standards committee for the
companies and others involved in CALEA on the technology used
in Carnivore in order that they would be aware of it as they
develop a CALEA-based standard for telecommunications carriers
using packet-switched networks. But there is no carryover
between CALEA and what we have been talking about with
Carnivore.
Senator Leahy. Then what did the FBI mean, after the
carriers had argued they couldn't separate packet headers and
content--I am talking about telecommunications carriers when
they argued that before the court, and the FBI said, well, that
is OK, we have got equipment that could distinguish between
packet headers and communications payload. Were they referring
to Carnivore?
Mr. Kerr. I think they were likely referring to Carnivore,
but as a demonstration of a technical approach. To repeat, we
have not used and don't expect to use Carnivore in a CALEA-
covered intercept.
Senator Leahy. Mr. Di Gregory, is that your understanding,
too?
Mr. Di Gregory. My understanding of what the FBI intends to
use?
Senator Leahy. Yes.
Mr. Di Gregory. As I understand it, the FBI only intends to
use Carnivore when the ISP is unable to provide the information
or not willing to do so.
Senator Leahy. Mr. Dempsey.
Mr. Dempsey. Well, Senator, Dr. Kerr is 100-percent correct
when he says that CALEA does not apply to ISP's. And I have to
say that was one of the smartest decisions that was made in the
course of CALEA because implementing CALEA for the telephone
companies has been a nightmare. It would be even worse trying
to apply CALEA to the Internet and to ISP's.
But I think what the court and----
Senator Leahy. It is a matter that we thought of at the
time, as you recall. You were involved in some of that debate
at that time.
Mr. Dempsey. Yes, I was, Senator. I take responsibility for
all the mistakes we made there.
Senator Leahy. No, no, no.
Mr. Dempsey. But keeping the Internet out was your and
Congressman Edwards' decision, and it was a wise one, it turns
out.
I think what the FBI was referring to was not Carnivore,
per se, but this notion that we will let the technology make
this distinction, this constitutionally-based distinction
between content and something other than content.
We have a huge issue on the Internet about what about this
transactional information? It is not just numbers dialed, and
what should be the standard? Professor O'Neill referred to
that. But assuming that you can distinguish between content and
noncontent, the FBI said in the CALEA debate if the carriers
can't separate it, give it all to us. Even under a pen register
order, give us the whole packets and we, the FBI, will sort it
out, and we will only keep what we are authorized to keep. We
won't look at or keep what we are not authorized to keep. And
if it is a pen register, content, we are not authorized to keep
content. We have a machine, we have a capability to disregard
that.
And what the court of appeals said, I think, is that is not
good enough. The technology, the FBI, the Commission, the
industry cannot modify the constitutionally-based rules for
interception of content, and that in order to obtain and grab
and look at and analyze and redirect content, you need a full
probable cause-based order. And the FBI is using Carnivore
under the pen register authority on the ``trust us'' standard
that our technology will solve the problem of what is the
distinction.
Now, Mr. Cerf has said it is very hard to distinguish
between what is content and what is, ``addressing
information.''
Mr. Cerf. No, I didn't say it was hard to distinguish
between the two. What I said is that you have to capture a lot
before you can filter out the part which is considered header.
Yes, you must capture it. Because of the structuring of the
protocols, you have to capture essentially a lot of this piece
of text before you can then find the part that you want to
capture.
Mr. Dempsey. That poses huge constitutional problems.
Mr. Cerf. Hang on, folks.
Senator Leahy. Just a minute. To make sure I understand it,
part of the problem is the ``just trust us'' standard, but it
actually even goes beyond that, the fact that it is even being
collected to begin with. Is that what you are saying, Mr.
Dempsey?
Mr. Dempsey. Yes.
Mr. O'Neill. If I may interject, this is part of the
difficulty, I think, that Congress has to deal with. The fact
that the Department of Justice--and I was very proud to have
worked for the Department of Justice, and frankly in a lot of
circumstances I much prefer the Department of Justice having
any personal or private information about me than I do some
industry groups or whether the ISP does. I mean, that is sort
of my general default.
Part of the difficulty, though, is that the Department of
Justice perceives its mission, and rightly so, as making sure
that we are secure in our homes, preventing and stopping crime.
In an effort to do that, what the Department has done, and
rightly so, is to make sure that it stays technically relevant.
The Internet is a big change over the way people
communicated in the past. In order for the FBI to be able to
fight and deal with the perceived threat and the actual threat,
whether it is crime or international terrorism or what have
you, it then develops software and it develops new and
innovative approaches to collect information to continue doing
what it has done in the past.
The difficulty and I think the challenge for Congress is to
make sure that all of this technological innovation,all of
these changes in the way that the FBI or Federal law enforcement
assembles information-- that someone is watching it. Judges frankly are
in a very poor position to monitor this because judges frankly don't
have the information available. They are only trained as lawyers. They
are not in a situation like the U.S. Congress is to have people who are
expert in these very complicated, and as we have seen from the
discussion here today, very esoteric parts of technology.
Congress frankly is in the best position to be able to do
that, and I think it is in Congress where the American people's
trust has to reside to make sure that this just doesn't happen
with nobody watching it, to make sure the Department of Justice
isn't too good in fulfilling its mission, and that there is a
public watchdog, namely the Congress, making sure that the
appropriate balance between personal security and personal
privacy is maintained.
Senator Leahy. Well, I would agree there. I am happy we are
having this hearing. Whether Congress is going to be adequate
in this kind of oversight--I mean, we can be if we want to be.
It is whether we set that as a priority, and you have worked up
here and you know that there are a million things coming
through at any given time, some substantive and some symbolic,
and we tend to spend a lot of time on one or the other
depending on what we are doing.
But the Sunday afternoon emergency court order is not going
to be--the oversight is not going to be in the Congress, but it
is going to be at the Department of Justice.
Mr. O'Neill. But Congress should be setting the baselines.
Senator Leahy. I agree.
Mr. O'Neill. And once the baselines are set, then judges
and the FBI and law enforcement can properly administer those
baselines when they are out there in the field.
Mr. Rosen. Can I just make a point on that?
Senator Leahy. Well, Mr. Cerf had been trying to respond.
Mr. Cerf. Only to support Mr. O'Neill's argument. It seems
to me that it is inescapable that this technology will
proliferate, not the Carnivore technology, the Internet
technology, and that it will become the basis for most of our
communications. Even if the other systems survive and persist,
the Internet will carry television and telephony and radio, and
so on.
So we need to learn how to deal with that. We need to deal
with it in the context of the problems that the Justice
Department and the FBI have, and other law enforcement people
do, at the same time trying to protect individual rights to
privacy. That balance has to be struck, and the terms and
conditions for it surely lie squarely with our Congress.
Senator Leahy. Mr. Rosen.
Mr. Rosen. I wonder if I could make a concrete suggestion
about striking that balance, to pick up on the suggestion. We
have been focusing on the different standards for different
forms of technology, for pen registers, for content, for header
information. There is another approach that Congress took in
the title III area which is really a model for protecting
privacy and striking the balance that we are thinking about
here, and that is limiting the most intrusive searches to the
most serious crimes. A search of a diary, for example, might be
reasonable in the context of the Unabomber, but not for a
relatively trivial civil suit.
Now, there is a tendency, as you know, for the list of
these crimes to expand exponentially. So originally the title
III list was limited to really serious and violent crimes, and
now it includes all felonies. But for searches of e-mail and
for any content-based searches, you have the ability and the
opportunity right now to really create a very limited number of
crimes that can justify these searches.
And I think that citizens would just feel much more
comfortable about having intimate information revealed when
they know that there are violent and serious criminals involved
than when they think that any of them may be caught up in a
relatively trivial offense.
Senator Leahy. What you are saying is the constitutional
threshold remains the same, no matter what the crime is, but we
will just simply say that constitutional threshold or not, you
can only do these searches for certain types of crimes.
Mr. Rosen. I guess the notion is the constitutional
threshold is reasonableness, and a search is more likely to be
reasonable if a serious crime is involved than if it is not. So
in trying to substantiate that constitutional standard, just
make sure that the list is limited when the searches are
intrusive.
Senator Leahy. Mr. Cerf, there is something I have always
meant to ask you. Are you relation to the late Vincent Cerf?
Mr. Cerf. To whom?
Senator Leahy. The late Vincent Cerf.
Mr. Cerf. Are you thinking of the late Bennett Cerf,
perhaps?
Senator Leahy. Well, there is also a Vincent Cerf.
Mr. Cerf. There is a Vincent?
Senator Leahy. Yes.
Mr. Cerf. Gee, no, not that I am aware of. I am related to
Bennett Cerf, both of them. One of them is my son and the other
one, of course, is the former publisher at Random House. But I
do not know Vincent Cerf.
Senator Leahy. Bennett Cerf has the ability to come up with
some of the wildest puns, as you probably know.
Mr. Cerf. It is a genetic defect and it runs in the family.
Senator Leahy. I have been accused of using some from years
back.
Obviously, you are an acknowledged pioneer of the Internet,
and you were kind enough to help out the Internet Caucus, and
so on. You worked on ARPANet, which is the precursor to the
Internet. You were there when the Internet was first discussed
and began being developed into what it is today. I suspect that
neither you nor anybody else could have envisioned just how
quickly it has gone so far. You may have known that it would go
like this, but the fact that it has moved so quickly.
But Congress also played an essential role. We funded not
only ARPANet, but also the NSPNet and the backbone that led to
the Internet. The reason I ask this is that some--I wouldn't
suggest anybody on this committee, but some have poked fun at
Al Gore on this issue. But I think they fail to acknowledge his
role in Congress when he pushed fordevelopment and saw the
potential of the Internet years ago when a lot of others didn't.
I remember back in the 1980's--and I remember this because
his office was down the hall from mine--that then Senator Gore
chaired a hearing that had the first ever live computer
demonstration exhibiting the possibilities of a high-speed
computer network. I know of nobody else who had done it up to
that point.
So would you at least agree with me that the Vice President
played a significant role in pushing for funding and
development of what became the Internet, and may deserve some
praise for his vision in that regard?
Mr. Cerf. I would have to agree with that, Senator. The
Vice President while he was Senator, in fact, was one of the
first in this august body to realize that there might be
something important about super computers and optical fiber and
computer networking. He held a number of hearings, some of
which had a direct impact and influence on legislation that
supported the research that has led to the continued evolution
of the Internet.
He has been a strong supporter, as I am sure you are aware,
both in his senatorial role and as Vice President. And so I
think it is quite proper for him to receive some credit for
that interest and that support. I regret, as I suspect he does,
the slip of the tongue that led him to characterize his role
more broadly than I think it deserves.
Senator Leahy. More broadly than he intended, too, I think.
Mr. Cerf. I believe that is correct. On the other hand, I
feel very strongly that he does deserve considerable credit for
his consistent support for the Internet and related
technologies.
Senator Leahy. One of the national news media gave me what
I thought was too flattering, but I am not going to ask for a
retraction, profile referring to me as the Cyber Senator. I
have got to admit that a lot of that interest came from then
Senator Gore. When we were coming back from votes, he would
start pounding my ear and then would grab me into office and
keep on going until I agree that, yes, I would learn more about
it, and then he would turn me loose.
Thank you. Thank you, Mr. Chairman.
The Chairman. Well, I want to thank all of you for being
here today. This has been an excellent hearing. We have raised
a lot of issues that are important. Naturally, all of us want
to support law enforcement, it seems to me, in legitimate
pursuit of those who are breaking the laws. I certainly do. On
the other hand, we certainly want to be concerned about the
privacy aspects of individual citizens in our society.
There are no easy answers to all of these very significant
questions, but we are hopeful that you can continue to help us
to understand this. So we will keep the record open for a week
for any additional comments or statements anybody cares to make
and any additional materials you would want to submit to us.
Senator Leahy. Mr. Chairman, could I emphasize regarding
submitting anything further, if you have further thoughts on
that court of appeals case, I think it would be very helpful to
both the chairman and myself if any of you would like to add to
it. I mean, that is not a trick question in any way whatsoever,
as you know. I am trying to figure out where it goes. So if you
want to add something, if you want to ask your own question and
answer it, please feel free to do so.
The Chairman. We will keep the record open for that.
We want to thank each and every one of you. You have been
great here today, and this has helped us to understand this
much better.
So with that, we will recess until further notice.
[Whereupon, at 12:31 p.m., the committee was adjourned.]
----------
Questions and Answers
Responses of Donald M. Kerr to Questions From Senator Hatch
Question 1. Is Carnivore set up to intercept all of the
communications of all of the ISP Subscribers Within an ISP's Computer
Network?
Answer 1. No. First of all, the FBI intentionally works closely
with the computer network Administrator to decide on the best and most
appropriate interception access point. This access point is determined
with the specific purpose of finding the smallest segment within that
ISP's computer network into which the criminal subject's communications
traffic can be funneled, so as to minimize the amount of network
traffic involved. Technically speaking, most ISPs can and do identify
such a limited segment within the overall ISP network which contains
the criminal subject's communications traffic. Second, the FBI uses a
commercial device to attach Carnivore to, yet isolate it from, the
network.
More to the point, the FBI has absolutely no intention of being put
into a situation where Carnivore would have to interface with an entire
ISP network. If someone had the erroneous idea that the FBI might
desire to ``capture'' all such ISP network traffic--which it certainly
does not want to and will not do--the Carnivore system could very
quickly be overwhelmed with traffic. That is, Carnivore software is
deployed on a standard PC and the largest hard drive that has been
deployed is 18Gb. With the total traffic of many ISPs running at
thousands of Mbps, even if this hard drive was storing only 100Mbps of
network traffic, the Carnivore system would fill up in about three
minutes.
The only exception to the aforementioned rule would be with regard
to very small ISPs where all subscribers' communications traffic was
traversing the same segment of the network as the criminal subject's
traffic. Of course, under this unusual circumstances, Carnivore would,
as it always does, filter out all of the traffic other than that of the
criminal subject.
Question 2. Does the use of the Carnivore System legitimately raise
the concern of Carnivore broadly conducting illegal searches as to
other innocent, non-criminal subject subscribers' communications
addressing information or communications content?
Answer 2. No. It is important to understand that Carnivore's
filtering operates in stages--and that all filtering occurs exclusively
within the ``Carnivore box.'' Carnivore's first operation is
exclusively to detect the criminal subject's identifying information.
The first stage of filtering in the Carnivore system is to match (in
purely binary computer code) the ``pattern'' of ``1's'' and ``0's'' in
the computer bit stream that matches the subject's ``pattern,'' based
upon the criminal subject's identifying information, as set forth in
the court order. So, in a very simplified example, with the filter
exclusively set to detect the criminal subject's computer bit pattern
``1100,'' if the first bit in the compute bit stream was an ``0,''
Carnivore would automatically conclude that since ``0'' and ``1'' are
not a match, that this circumstances does not meet the filter pattern
criteria, and it would quickly move on to conduct the next pattern
match effort. If the first digit is a match, Carnivore would then go to
the next digit in the computer bit stream, and repeat the process,
until an exact, complete match is arrived at.
Importantly, nothing happens at all, by way of any interception of
communications content or acquisition of communications addressing
information, unless and until the criminal subject's unique identifying
information has been matched. Then, and only then, does Carnivore move
on to the second stage of filtering, in terms of applying the
appropriate filters required to filter either for communications
addressing information acquisition or for full communications content
interception, depending upon the particular authorization found within
the court's order.
Finally, FBI personnel only receive and ``see'' the communications
addressing information or communications content of the criminal
subject, as appropriate--based upon the court's order--after all of the
Carnivore filtering has been completed exclusively within the Carnivore
box.
In short, Carnivore never conducts a search of the communications
addressing information or communications content of any innocent, non-
criminal subject at all. Indeed, even with the criminal's subject's
communications traffic, Carnivore filters the criminal subject's
``machine readable only'' binary code exclusively within the box; and
FBI personnel only obtain, in a humanly intelligible format--and
``outside of the box''--the criminal evidence sought after Carnivore
has completely concluded its programmed filtering efforts within the
box.
Question 3. Does the FBI ``view'' computer network traffic as it
passes through the Carnivore System?
Answer 3. No. First of all, Carnivore's filtering program renders
Carnivore effectively blind to any network traffic other than that of
the criminal subject, concerning whom a court has issued an order
authorizing the acquisition of communications addressing and
transactional information or the interception of communications
content, all based upon identifying information unique to the criminal
subject. Only such information about or communications content of the
criminal subject is collected by Carnivore. Second, the computer
network traffic passes through the Carnivore system at a speed far
beyond human comprehension. The network traffic consists solely of a
series of ``machine readable only'' 0's and 1's, flashing through
Carnivore at a rate of 40 million ``0''s/``1''s per second (and often
at much higher speeds). Whenever any network traffic is stored on the
Carnivore system, it remains in the same format of 0's and 1's; and,
importantly, it is not turned into a format intelligible to humans
until after it is transferred from the Carnivore system. Again, it
bears repeating that Carnivore is a configurable system that will
provide FBI personnel only that information that it has been programmed
to deliver through its filtering--information that equates with the
information authorized for interception/acquisition in the court's
order.
Question 4. If the FBI were to conduct a pen register type
investigation, wherein Carnivore would be programmed to only acquire
the criminal subject's addressing information, and if the subject
visited different web sites, would the carnivore system acquire
information such as URL subdirectories? For example, if the subject
went to Amazon.com to buy a book, would the FBI be able to tell what
book he/she bought?
Answer 4. No. URL subdirectories are not acquired. The IP address
and port number for Amazon.com alone would be acquired. Hence, the FBI
would only know that the subject went to Amazon.com, and whether or not
the subject established a ``secure'' connection (i.e., secure socket
layer (SSL)).
Question 5. Can the FBI use Carnivore to intercept computer network
communications other than e-mail?
Answer 5. Yes. Carnivore can be configured to intercept various
types of computer network communications which match its filters. It
has been used to intercept several protocols in the TCP/IP protocol
suite (e.g., Telnet, FTP, IRC, and HTTP). Of course, in all instances,
the appropriate legal process under Title III, FISA, or the ECPA would
first have been obtained. If the electronic surveillance is for
communications ``content,'' a full Title III court order (probable
cause showings and more) would be required.
Question 6. Does Carnivore interfere with the service or operations
of an ISP computer network?
Answer 6. No. By design, Carnivore does not interfere with an ISP
network.
First, the FBI works closely with the ISP computer network
Administrator to decide on the appropriate interception access point.
This access point is determined with the specific purpose of finding
the smallest segment within that ISP's computer network into which the
criminal subject's communications traffic can be funneled, so as to
minimize the amount of network traffic involved. Then, importantly, a
commercial device is used to attach Carnivore to, yet isolate it from,
the network, such that, as a technological matter, it physically cannot
and will not transmit anything whatsoever into the network or otherwise
intrude into the network.
Second, by design, Carnivore's attachment to a network will not
crash or interrupt network service. Recent comments reported in the
media suggesting that Carnivore had interrupted or ``crashed'' the
service or operations of a major ISP are completely false. In reality,
a small loss of bandwidth did occur with the ISP in question, within
only one segment of that ISP's network, when technicians from the ISP
chose on their own to alter their software code to facilitate
interception access. In fact, Carnivore was not even attached to the
ISP network at the time when this ISP network problem arose.
Question 7. Does the Carnivore System use trojan horses or viruses
to collect a criminal subject's communications content or addressing
information?
Answer 7. No. The Carnivore system is totally passive. No software
is added to a subject's computer.
Question 8. Once Carnivore has been deployed, can the filters be
accessed and changed remotely?
Answer 8. Yes. Carnivore can be accessed remotely and the filters
may be changed--but, (1) only a select few technical persons specially
dedicated to the Carnivore program, (2) only when those few persons are
privy to the specific dial-up access number, (3) only when those
persons possess a hardware security device that is specifically
required for remote access, and (4) only when such persons have the
necessary two-tiered password access authority required.
Currently, within the FBI there are only a limited number of
technically-trained personnel who implement the Carnivore program. As
noted, the dial-up access is secured by both hardware and software
protections, and any access, or attempted access, automatically
generates a series of recorded logs which disclose precisely who, if
anyone, has ever accessed Carnivore remotely and/or changed the filters
in any given case. Importantly, any filter changes would be based upon
some significant reason, such as a change in the legal process (e.g.,
moving from a pen register or trap and trace investigation to a full
Title III, pursuant to obtaining a Title III court order), the
termination of the surveillance period and Carnivore's attendant
``shutdown,'' or for technical ``trouble-shooting,'' if some technical
problem or glitch arose.
Although investigative personnel have limited remote access
capabilities for investigative purposes only--that is, to access the
raw data that subsequently, through later processing, will constitute
the evidence in the investigation--they are never given the second tier
password required to access or change the Carnivore filter sets.
______
Responses of Donald M. Kerr to Questions From Senator Thurmond
Question 1. Dr. Kerr, please explain the obstacles that law
enforcement faces in getting information on electronic communications,
especially with less encryption controls and with the increased use of
digital messages.
Answer. As your question correctly suggests, technological
obstacles to electronic surveillance are arising in the environment of
electronic communications. These obstacles are varied and pose
significant challenges to the law enforcement community's lawful
conduct of court-ordered electronic surveillance.
In working with the vast array of large, medium, and small size
Internet Service Providers (ISPs), we have encountered some unusual
network-based obstacles. For example, even though the FBI always works
very closely with such ISPs (both by desire and necessity) before we
ever undertake an electronic surveillance effort, we have nonetheless
encountered some unusual, non-standardized, and proprietary network
protocols and other network controls within such ISP networks; and
these complicate electronic surveillance efforts. Indeed, somewhat
remarkably, we have found, in some instances, that a given ISP's most
expert technical personnel themselves may not always be fully aware of,
or conversant with, the protocols being utilized within their network
and/or how they have been implemented. Such a situation can adversely
impact upon the smooth effectuation of certain electronic surveillance
orders.
In another vein, certain very high-speed electronic communications
can likewise challenge, or threaten to undermine, the ability of law
enforcement to fully and properly execute electronic surveillance court
orders.
Finally, the use of encryption by criminal subjects (absent some
lawful and efficacious law enforcement decryption capability), can
threaten to undermine Federal District court electronic surveillance
orders and the ability of law enforcement agencies to investigate and
prevent serious acts of terrorism, espionage, and violent criminality.
As to the foregoing challenges and many others, the FBI
historically has worked (and continues to work) closely with various
business and technological components within the electronic
communications industry. and, by necessity, the FBI also steps in and
develops its own tools, as necessary, when commercial tools are not
available which fully meet legal, evidentiary, investigative, and
operational requirements placed upon law enforcement's lawful conduct
of electronic surveillance.
Question 2. Dr. Kerr, there has been considerable concern about the
F.B.I. possibly using Carnivore to search randomly through all e-mails
or other electronic communications that contain specific words or
phrases like ``bombs'' or ``drugs''. Does the F.B.I. have the authority
to gather intelligence on non-specific targets in this manner?
Answer 2. First of all, the FBI's Carnivore system simply does not
work, as suggested by some, in a fashion of randomly searching through
all E-mails or other communications that contain specific words or
phrases like ``bombs'' or ``drugs,'' etc. To the contrary, Carnivore is
a ``filtering'' tool which the FBI has developed to carefully,
precisely, and lawfully conduct electronic surveillance of electronic
communications regarding a specific criminal subject--based upon that
criminal subject's identifying information (e.g., his/her IP address)--
occurring over a particular computer network, in complicance with the
Constitution and the Federal electronic surveillance laws.
Whenever Carnivore is used, the FBI never deploys it without the
cooperation and technical assistance of the ISP network technicians
and/or engineers. Further, through working with the ISP, Carnivore is
positioned and isolated in the network so as to focus exclusively upon
just that small segment of the network traffic where the criminal
subject's communications can be funneled. This is roughly analogous to
using an electronic surveillance device only within in a single trunk
or cable within a telephone network. Stated differently, and contrary
to the assertions of some critics, Carnivore does not access `in a big
Brother mode, all subscriber communications throughout an ISP network.'
Carnivore's filtering operates in stages. Carnivore's first action
is to filter only within a small portion of an ISP's network.
Specifically, Carnivore filters binary code--streams of 0's and 1's
that flow through an ISP network, for example, at 40 mega-bits per
second, and often at much higher speeds. To visualize this, imagine a
huge screen containing 40 million 0's and 1's flashing by on this
screen for one screen for one second, and for one second only.
Carnivore's first effort--entirely within the Carnivore box--is to
identify within those 40 million 0's and 1's whether the particular
identifying information of the criminal subject, such as his/her IP
address, (for which a court order has been authorized) is there. If the
subject's identifying information is detected, the packets of that
criminal subject's communication associated with the identifying
information that was detected, and those alone, are segregated for
additional filtering or storage. However, it's very important to
understand that all of those 40 million 0's and 1's associated with
other communications are instantaneously vaporized after that one
second. They are totally destroyed; they are not collected, saved, or
stored. Hence, FBI personnel never see any of these 40 million 0's and
1's, not even for that one second.
After exclusively segregating the criminal subject's information
for further machine processing, then a second stage of filtlering is
employed. At this point, and again all within the Carnivore box,
Carnivore checks its programming to see what it should filter and
collect for processing. In other words, it determines, as required by
the specific wording of the court order, if it's supposed to
comprehensively collect communications content--in a full Title III or
FISA mode--or, alternatively, whether it's only to collect pen register
or trap and trace transactional and addressing information. Only that
information specified in the court order is being collected and passed
on to FBI personnel by Carnivore.
As to the second part of the question, the FBI does not have the
authority to--certainly does not--gather intelligence on non-criminal
targets in some broad brush manner. FBI electronic surveillance under
title III and the ECPA focuses on gathering hard evidence about
particular criminal subjects with regard to particular facilities being
used by such criminal subjects and with reference to particular crimes
and criminal communications, and with reference to identified co-
conspirators.
Question 3. Dr. Kerr, what controls exist on the F.B.I. to insure
that Carnivore is not misused for a fishing expedition or to obtain
electronic communications that lie outside of the scope of a court
order?
Answer 3. There are numerous legal, technological, and
administrative controls that prevent the misuse of Carnivore for a
fishing expedition or for intercepting communications outside the scope
of the court order.
Legal Controls: First of all, the law itself is a powerful control
to ensure that only properly authorized, lawful electronic surveillance
occurs. The FBI certainly is of this opinion. As such, the FBI only
conducts electronic surveillance--whether conducted through the use of
Carnivore or otherwise--pursuant to a lawful court order or lawful
voluntary consent of a party to the communication. This has been the
case since 1968, when the first Federal electronic surveillance laws
were enacted in the Title III legislation. Importantly, the FBI has an
outstanding record of compliance with the electronic surveillance laws
since their enactment over 30 years ago. In addition, it is very
noteworthy that the electronic surveillance laws contain stringent
deterrents to unauthorized (illegal) electronic surveillance, including
criminal (felony) and civil sanctions for any individual who violates
the law. Further, under the Constitution, suppression of illegally
obtained evidence (and fruits thereof) may be applied by Federal courts
if electronic communications content is unlawfully intercepted.
Technological Controls: The Carnivore system, by design and
functionality, is set up to establish an ``audit record'' for
evidentiary purposes. Of course, a secondary aspect and value of this
design and functionality would be to aid in the prevention of any
potential infringement of privacy rights. Moreover, as you may be
aware, Carnivore, by design, is a device which only functions to filter
out. In its first filtering action, carnivore filters out anything not
associated with the unique and specific identifier associated with a
particular criminal subject's service, as identified in a given court
order. Stated differently, Carnivore ``ignores'' and is ``blind to''
anything not associated with a criminal subject's unique identifier
that relates to the specific authorization set forth in the court's
order. In its second filtering action, Carnivore filters out content
when the order is only for communications addressing and transactional
information. Thus, as a special purpose electronic surveillance tool,
Carnivore fundamentally and purposely works as a ``filter.'' By
contrast, Carnivore fundamentally and purposely does not work,
descriptively speaking, as a ``vacuum cleaner'' which, by design, would
purposely acquire electronic communications broadly and
indiscriminately from all network users, including those of innocent
subscribers. Hence, Carnivore's design does serve as an effective check
against any potentiality of infringing upon privacy rights.
Adminstrative Controls: There are numerous administrative and
criminal justice system-based controls which preclude the errant use of
Carnivore, both in terms of internal and external oversight to control
how Carnivore is being used at any point in time. To begin with, it
should be emphasized that the FBI does not deploy or use Carnivore or
any other non-consensual electronic surveillance tool in a vacuum. With
regard to applications for pen registers or trap and trace devices,
section 3121 of Title 18 of the United States Code prohibits
Carnivore's use, as such a device, without a court order. In order to
acquire a court order, the FBI may not act alone, but must seek the
approval of an appropriate official within the Department of Justice.
Section 3122 mandates that an ``attorney for the government'' be the
applicant for a pen register or trap and trace device. Typically, this
requires the approval of the Office of United States Attorney for the
district in which the device is to be used. Of course, more stringent
requirements, mandating high-level Department of Justice approval, are
found in Title III/FISA provisions and practices controlling the
interception of electronic communications.
Within the FBI itself, there are also a number of administrative,
technological, and physical access controls which prevent the
unauthorized use of any electronic surveillance tool, including
Carnivore. First, as a general matter, all covert electronic
surveillance equipment is carefully controlled and overseen within the
FBI by FBI Headquarters program managers and by each field officer's
Technical Advisor (TA). Second, with regard to Carnivore specifically,
there are only a few Carnivore devices and only a limited number of FBI
personnel who are trained to operate this special purpose tool, under
FBI Headquarter's overnight. Third, to use Carnivore in any given case,
such personnel must be privy to the specific access number for a
targeted account number. Fourth, such personnel can use Carnivore only
when they possess a hardware security device that is specifically
required for access. And fifth, such personnel can use Carnivore only
when they have the necessary two-tiered password access authority
required.
Finally, if any FBI employee ever were to conduct such unlawful
activity, he/she would be terminated from employment with the FBI.
There is ``zero tolerance'' for any such illegal conduct within the
FBI.
In sum, Carnivore has many legal, technological, and administrative
controls. Such controls effectively act to prevent any ``fishing
expedition'' or infringement of privacy rights when using Carnivore.
Question 4. Dr. Kerr, is Carnivore used in routine criminal
investigations or is it limited to rare cases when the information
cannot be obtained through the Internet Service Provider or another
manner?
Answer 4. Carnivore has been used in important ECPA-based criminal
investigations and in important FISA-based national security
investigations. As noted in our testimony, we have used Carnivore when
the interception of electronic communications content or the
acquisition of electronic communications addressing information could
not be fully or properly effectuated by the Internet Service Provider
(ISP) (with reference to legal, evidentiary, investigative, and
operational requirements which need to be met) or when the ISP has
indicated that it is ill-equipped to effect the interception or that it
would be more efficient for the FBI to effectuate the order using
Carnivore.
Question 5. Dr. Kerr, some have called upon the F.B.I. to release
the source code for Carnivore. What impact would this have on the
ability of Carnivore to operate?
Answer 5. To begin with, in enacting the first comprehensive U.S.
electronic surveillance laws, Title III of the Omnibus Crime Control
and Safe Streets Act of 1968 (Title III), 18 U.S.C. 2510-2522, as
amended, the Congress instituted a balanced regime which both affords
clear statutory authority and Constitutionally-compliant procedures to
enable law enforcement to lawfully conduct electronic surveillance
pursuant to court order and which criminalizes the unauthorized conduct
of electronic surveillance in order to underscore the Congress'
intention of preventing unlawful searches and seizures and of
preserving communications privacy. To advance both of these principles,
the Congress also crafted Title III provisions to prevent the
proliferation of surreptitious electronic surveillance interception
devices. See 18 U.S.C. 2512 (Manufacture, distribution, possession, and
advertising of wire, oral, and electronic communication intercepting
devices prohibited). The only two categories of users exempted under
Section 2512 are providers of wire or electronic communication service,
with regard to equipment utilized by them in the normal course of
providing their service, and governmental officials, with regard to
equipment utilized by them in the normal course of carrying out
governmental activities.
Similarly, there are statutory and regulatory U.S. export control
regimes which govern the export of electronic surveillance-related
equipment (e.g., the Arms Export Control Act, as implemented by the
International Traffic in Arms Regulations, and the Export Control Act,
as implemented by the Export Administration Regulations). Depending
upon the type of electronic surveillance equipment involved, one or
both of these regimes will likely govern the export of electronic
surveillance equipment.
In short, electronic surveillance equipment generally, and that
used by the FBI in particular (at least that electronic surveillance
equipment used in covert, non-consensual efforts--i.e. surreptitious
electronic surveillance devices) is treated as sensitive, at a minimum.
In many cases, such equipment may also be classified. Hence, in light
of the above, and as a starting point, the FBI is concerned about the
legal and policy constraints associated with the disclosure of such
electronic surveillance equipment, including its software.
With regard to Carnivore, and again in light of the above laws,
controls, and constraints, we believe that it would be improper to
disclose to the public generally the source code of Carnivore. The
source code, after all, is for a special purpose surreptitious
electronic surveillance system which should be treated with
circumspection. Public disclosure of the source code could lead to the
unintended and harmful effect of facilitating unauthorized, and hence
unlawful, electronic surveillance. Further, it may be that disclosure
could inform the criminal community about aspects of Carnivore that
might suggest some potential for circumvention.
However, as you may be aware, the FBI will disclose the Carnivore
source code to the independent, outside review team which the Attorney
General has called for (the Illinois Institute of Technology and
Research Institute (IITRI)) in a controlled environment and under
controlled circumstances, in order to give assurance to the public that
Carnivore operates properly and lawfully, as the FBI claims it does.
Question 6. Dr. Kerr, do you think the name Carnivore has
contributed to public perceptions about the program being extremely
intrusive?
Answer 6. It's probably fair to say that the name ``Carnivore'' has
unintendedly and unhappily lent itself to some negative comments by
those who have not understood Carnivore's actual use, functionality,
and core purpose in making electronic surveillance efforts more--not
less--surgical and precise. As noted in our testimony, in a number of
regards, Carnivore is superior, as an electronic surveillance tool, to
the ``sniffers'' that are sold commercially and often used by ISPs for
network trouble-shooting and management (such sniffers were never
intended for use as a law enforcement electronic surveillance tool).
Indeed, in the furor, the public appears to have lost sight of the core
fact that the FBI has spent considerable time, money, and energy in
trying to develop an electronic surveillance tool which better meets
the dictates of the Constitution and the Federal electronic
surveillance laws.
Responses of Donald M. Kerr to Questions From Senator Leahy
Question 1. By letter dated August 16, 2000, the FBI informed me
that ``Carnivore is only used in those small number of instances when
an ISP cannot on its own deliver what the court order instructs,''
suggesting that Carnivore is an investigative tool of last resort.
Others have expressed the view that Carnivore should be a tool of first
resort because the responsibility for executing court orders for
electronic surveillance and protecting privacy rights is best
discharged by the Department of Justice, not private ISPs. What is your
view?
Answer 1. In the past, the FBI's decision to use Carnivore or to
permit an ISP to implement a court-authorized electronic surveillance
order for either the full interception of electronic communications
content or for the acquisition of electronic communications addressing
and transactional information within an ISP's network has been decided
on a case-by-case basis. Given the complexities and the great number of
variables related to any given court-authorized electronic surveillance
technical effort within an ISP network, the FBI has always viewed such
electronic surveillance efforts from a tactical and effectiveness
perspective. Central factors considered by the FBI in making
determinations have been the ISP's ability to implement a particular
order fully, properly, securely and in a timely manner. If the ISP can
meet these requirements, we would normally let the ISP implement the
order.
Further, it is important to remember that both as a technological
and practical matter, the FBI's conduct of electronic surveillance
within such ISP's computer network always requires a cooperative and
collaborative effort between the ISP and the FBI. This is so because an
ISP's network administrators and engineers are really the only ones
possessing the knowledge required as to their network to identify
within it the transmission pathway(s) of a particular criminal subject,
the best access vantage point(s), the protocols being used, etc.--all
of which are required to effectively execute a surveillance order.
Hence, the FBI believes the best approach will continue to be a
case-by-case approach, based upon considerations such as those outlined
above.
Question 2. The FBI has testified that Carnivore has been used, as
of September 6, 2000, in approximately 25 instances and that ``in many
instances, ISPs, particularly the larger ones, maintain certain
technical capabilities which allow them to comply, or partially comply,
with court order.''
A. Is it fair to say the majority of court orders for electronic
surveillance of Internet communications or source and destination
information of Internet communications are executed by ISPs without the
use of Carnivore?
B. Since the FBI employs Carnivore only on rare occasions when its
use is necessary, should the FBI retain the right to use Carnivore in
all cases?
C. Should the government be required to make a showing that use of
Carnivore is necessary and obtain court permission before using this
tool?
D. Would concern about abuse of Carnivore be allayed if its use
were limited to circumstances when a court has granted explicit
permission for the electronic surveillance order to be executed by law
enforcement on the ISP's premises?
Answer 2 A and B. Again, owing to a number of factors and
variables, as outlined above in Answer #1, and their interrelationship,
we cannot give an unqualified answer. Generally speaking, certain very
large ISPs do tend to have greater electronic surveillance capabilities
than the small ISPs. For example, if the electronic surveillance order
were for the interception of E-mail content, certain ISPs could
``clone'' the E-mail and accomplish, or very substantially accomplish,
such an interception effort. When the ISP can meet electronic
surveillance requirements, we have permitted the ISP to effect the
surveillance effort. However, since most ISPs have developed with
little emphasis being placed on conducting electronic surveillance for
law enforcement, and since the ``tools'' that they might typically
resort to in order to effect such efforts (e.g., ``commercial
sniffers'') were never designed for such a law enforcement electronic
surveillance purpose, surveillance shortfalls can occur. By comparison,
the FBI's Carnivore system was specially designed to effect such
surveillances. In this regard, it bears noting that, when an ISP does
lack the capability to implement a court order fully, properly,
securely, and in a timely manner, the ISP usually is the first to
recognize that it is more effective for the FBI to use its electronic
surveillance tools.
Given the different and sometimes unique factors and variables that
arise from case to case, as noted above, we believe that the FBI must
retain the right to use its electronic surveillance equipment in order
to ensure that electronic surveillance orders can be implemented fully,
properly, securely and in a timely manner. However, in the rare
instances where a dispute may arise between the government and the ISP,
as with any matter in contention, resolution of such matter is through
the courts, with a judge or magistrate resolving it. Resolution is
never dictated unilaterally by the government, much less by the FBI.
Answer 2 C and D. We believe, based upon different factors and
variables, as outlined above, as well as our past experience in this
area, that the best course is one where the ISP and the FBI work
closely together in a consultative, cooperative, and collaborative
fashion to implement a particular electronic surveillance order in the
best way possible, so that the court's order is properly implemented
and not frustrated. The technical and administrative staff of an ISP is
best positioned, in concert with law enforcement, to make complex
technological judgments, which often arise only after the court issues
its order. Relatedly, the FBI does not have the resources that would be
required to initiate in-depth discussions with all the ISPs (some in
industry estimate the number of ISPs to be in the thousands) that
conceivably could be involved in a potential future court-ordered
electronic surveillance interception (with an eye to pre-determining
what technological approach might be best) prior to the time when an
actual and specific order may in fact be issued by a particular court.
Further, and as indicated above, suchpre-determination could, at best,
only be general and tentative in nature since, as noted, many different
technological variables and factors come into play, and, importantly,
they change over time as the ISPs' networks change over time. Thus,
especially in fast-paced investigations where time is of the essence,
such as in computer hacker cases, to require in advance a specialized
demonstration of need to a court in order to utilize Carnivore, as
suggested, would impose very problematic procedural delays. Neither FBI
nor ISP engineers would be in a position to make a final determination
until after a particular order authorizing interception or acquisition
of particular information had been issued at a particular juncture in
time with reference to the then technological state of the given ISP's
network.
As to the issue of concern about abuse, as noted in our hearing
testimony, Carnivore has a built-in audit record. This audit record
feature was designed into Carnivore for the purpose of making a
permanent record as to the particular filter settings that have been
used in each case with Carnivore--and hence what information has been
acquired by Carnivore--at any point in time. Thus, this Carnivore
feature creates a record to afford assurance to any interested party
(FBI managers, Offices of the United States Attorney, U.S. District
Courts, juries, criminal defendants, and defense counsel) as to
precisely what Carnivore is or is not acquiring at any point of time in
each investigation. Also, as with any type of electronic surveillance
within any service provider network (wire or electronic), the criminal
and civil penalties within our electronic surveillance laws, along with
close DOJ and FBI administrative oversight, prevent misuse of
electronic surveillance. Indeed, the FBI has an outstanding record of
compliance with the electronic surveillance laws since their enactment
over 30 years ago.
Question 3. The FBI and Department of Justice have asserted that
Carnivore is the functional equivalent of pen register and trap-and-
trace devices used on telephone lines. The Supreme Court held in Smith
v. Maryland, 442 U.S. 735 (1979), that telephone callers do not have an
expectation of privacy in dialed numbers used in placing a call since
such numbers are necessarily divulged to a telephone company, which
makes a permanent record for purposes of billing operations and
maintenance of the service. The Court specifically distinguished such
dialed numbers from ``content,'' which are protected by the Fourth
Amendment.
A. An Internet user may go to a particular URL that specifies not
only the computer on the Internet on which a particular document can be
found, but also the directory in which the document is located, the
file name of the document and the page within the document that the
user seeks and retrieves. Does such a URL or ``Internet address''
contain more or less information about the subject of a communication
than a dialed telephone number?
B. Is Carnivore capable of intercepting information about a
specific URL searched by an Internet user who is the subject of a pen
register order? If so, at what point in the searching, or addressing,
information would the Justice Department believe that the line has been
crossed into ``content''?
C. Is Carnivore capable of intercepting information about all the
URLs visited by an Internet user who is the subject of a pen register
order during a particular session?
Answer 3 A, B, and C. To clarify, a Uniform Resource Locator (URL)
is simply an electronic Internet Protocol (IP) domain name address
(e.g., xyzcorp.com). Further, also riding underneath the alphabetic URL
address is a numeric address associated with the server that is
supporting the contacted URL. Accordingly, when, pursuant to a pen
register court order, the FBI uses Carnivore and acquires URL address
information that is all that is being acquired--i.e., the fact that a
criminal subject has electronically connected to a given URL address.
As such, the URL address information does not include any subdirectory
or any other information about the site. In such a case, the FBI would
only know that the criminal subject had contacted the xyzcorp.com site
and whether or not his/her computer had established a ``secure''
connection (i.e., secure socket layer (SSL))--no more. Hence, in light
of the foregoing, we believe that such URL information is essentially
identical to a telephone number within a telephone network that a
criminal subject may dial. Thus, it is worth noting that a Carnivore-
based pen register would provide the FBI with virtually the same
information as a telephone pen register would, i.e., the telephone
number dialed by the criminal subject reflecting that a communication
to XYZ Corp. had occurred. No ``content'' information (substance,
purport or meaning) is gleaned from either type of pen register as to
the nature of the call.
Question 4. Under current law, a judge must issue a pen register
order upon a prosecutor's certification that the information likely to
be obtained is relevant to an ongoing investigation. I have proposed in
the E-RIGHTS Act, S. 854, that the law be changed to authorize a judge
to issue such an order upon finding that the prosecutor has shown that
the information is likely to be relevant. The Administration has
proposed a similar change in current law. By contrast, Professor
O'Neill suggested at the hearing that Congress should consider whether
all Internet trap and trace orders should issue only on the basis of a
judicial finding that probable cause exists to believe that a target
has or is about to commit a crime. Representatives Canady and
Hutchinson have proposed a bill that would require a prosecutor seeking
e-mail source/destination information to show specific and articulable
facts reasonably indicating that a crime has been, is being or will be
committed, plus a showing of relevance of the information sought to
investigation of that crime. A bill sponsored by Representatives Barr
and Emerson would apply that standard to all pen registers and traps-
and-traces whether or not they would identify e-mail addresses. What
modifications, if any, to the existing standard for pen registers and
traps-and-traces do you favor?
Answer 4. We believe now, as we did in 1986 when agreement was
reached in the Congress (and amongst all of the interested parties) in
enacting the Electronic Communications Privacy Act of 1986 (ECPA), that
the current (ECPA) standard with regard to the use of pen registers and
traps and traces is appropriate for the acquisition of non-content-
based pen register-related addressing and transactional information. On
March 28, 2000, Director Freeh testified in support of S. 2092, a bi-
partisan bill co-sponsored by Senator Schumer and Senator Kyl. The FBI
believes S. 2092 maintains the appropriate 1986 ECPA standard with
regard to the acquisition of non-content-based ``addressing and
routing'' information while rendering the pen register statute
technologically neutral.
Question 5. According to the FBI, Carnivore operates by sifting
through network traffic where a subject's communications are expected
to be found ``roughly analogous to using anelectronic surveillance
device . . . on a single trunk or cable within a telephone network.''
In your view, does the manner in which Carnivore operates give law
enforcement access to more than just the communications or addressing
information covered in a court order and, if so, would a
telecommunications carrier that is also serving as an ISP be put in
jeopardy of violating its duty under CALEA of protecting ``the privacy
and security of communications . . . not authorized to be
intercepted''? (47 U.S.C. 1002).
Answer 5. As to the first part of your question, the way Carnivore
operates, as described at some length in Answer #9(B), below, does not
give the FBI more than the communications or addressing information
covered by a particular court order. As to the second part of your
question, no, we believe that the CALEA directive concerning protecting
``the privacy and security of communications not authorized to be
intercepted'' applies only to those technological approaches and
technical requirements that are developed to provide solutions covered
by CALEA.
Question 6. Professor O'Neill has suggested a number of steps to be
taken by Congress to address questions raised by Carnivore, including
obtaining answers to the following questions:
A. Please explain the legal authority for law enforcement to insist
that an ISP install Carnivore?
B. Can Carnivore be easily defeated by encryption software or does
this tool capture IP addresses that are more difficult to encrypt than
the contents of messages?
Answer 6A. The primary legal authority for the FBI and the United
States Attorney's Office requiring that an ISP cooperate in installing
Carnivore would be to avoid the ``frustration'' of a particular court
order. The prospect of frustration, in the first instance, would stem
from an ISP's inability to implement a given order fully, properly,
securely, and in a timely manner. Both the Title III and the pen
register/trap and trace statutes have specific ``assistance''
provisions addressed to, among others, ``providers of wire or
electronic communications service'' for the purpose of avoiding
frustration of court orders. The statutes state that such providers
``shall furnish . . . [the] investigative or law enforcement officer
forthwith all information, facilities, and technical assistance
necessary to accomplish [the Title III interception or the installation
of the pen resister].'' Accomplish necessarily means fully accomplish,
such that valuable evidence is not lost and such that its accuracy/
integrity is not challengeable. Second, it is to be done securely. And
third, as indicated by the statutory language (``forthwith''), a
service provider must be able to assist very promptly. 18 U.S.C.
2518(4), 18 U.S.C. 3124, respectively. The language in the ``assistance
order'' issued by the judge or magistrate usually mirrors the statutory
language exactly.
As emphasized in the FBI's testimony, anytime the FBI has a
surveillance order where an ISP can (1) fully and properly accomplish
the surveillance, (2) do it securely, (3) do it very promptly, the FBI
has been content to permit the ISP to implement the order. However,
noting the foregoing statutory and court order language, the FBI and
the United States Attorney's Office legitimately and properly could
insist upon an ISP's cooperation with regard to the use of FBI
electronic surveillance equipment (whether it be Carnivore or other
equipment) that would work to execute an order fully, properly,
securely, and in a timely manner, whenever the ISP does not have the
capability to satisfy such requirements. Of course, if there were to be
a dispute in this regard between the FBI and the ISP, as with any
matter in contention, the resolution of the matter would be through the
court, with a judge or magistrate resolving the issue. Resolution would
not be dictated unilaterally by the government, much less by the FBI.
Answer 6B. Carnivore was not designed to address encryption. Any
encryption that was encountered would require decryption through other
means or devices.
Question 7. At the hearing, Dr. Kerr testified that Carnivore had
recently been updated and improved. Presumably, the FBI will continue
to update and improve Carnivore even after the independent technical
review for which the Attorney General is now arranging. According to
the FBI, one way to monitor Carnivore's use and modifications after
conclusion of the technical review is by a so-called ``audit trail''
which allows a defendant to see how the FBI conducted a Carnivore
search keystroke-by-keystroke. If the search was improperly conducted,
the defendant might have grounds for suppression. Even if the audit
trail operates as advertised, however, it will only be available to
criminal defendants against whom prosecutors seek to introduce evidence
obtained by Carnivore. How do we assure the law-abiding public after
the anticipated technical review that Carnivore will not infringe on
privacy rights? Should Congress consider an independent monitor for
that purpose?
Anwser 7. There are numerous legal, technological, and
administrative controls in place that prevent the misuse of Carnivore
and any infringement upon privacy rights.
Legal Controls: First of all, the law itself is a powerful control
to ensure that only properly authorized, lawful electronic surveillance
occurs. The FBI certainly is of this opinion. As such, the FBI only
conducts electronic surveillance--whether conducted through the use of
Carnivore of otherwise--pursuant to a lawful court order or lawful
voluntary consent of a party to the communication. This has been the
case since 1968, when the first Federal electronic surveillance laws
were enacted in the Title III legislation. Importantly, the FBI has an
outstanding record of compliance with the electronic surveillance laws
since their enactment over 30 years ago. In addition, it is very
noteworthy that the electronic surveillance laws contain stringent
deterrents to unauthorized (illegal) electronic surveillance, including
criminal (felony) and civil sanctions for any individual who violates
the law. Further, under the Constitution, suppression of illegally
obtained evidence (and fruits thereof) may be applied by Federal courts
if electronic communications content is unlawfully intercepted.
Technological Controls: As you note in your question, the Carnivore
system, by design and functionality, is set up to establish an ``audit
record'' for evidentiary purposes. Of course, a secondary aspect and
value of this design and functionality would be to aid in the
prevention of any potential infringement of privacy rights. Moreover,
as you may be aware, Carnivore, by design, is a device which only
functions to filter out. In its first filtering action, Carnivore
filters out anything not associated with the unique and specific
identifier associated with a particular criminal subject's service, as
identified in a given court order. Stated differently, Carnivore
``ignores'' and is ``blind to'' anything not associated with a criminal
subject's unique identifierthat relates to the specific authorization
set forth in the court's order. In its second filtering action,
Carnivore filters out content when the order is only for communications
addressing and transactional information. Thus, as a special purpose
electronic surveillance tool, Carnivore fundamentally and purposely
works as a ``filter.'' By contrast, Carnivore fundamentally and
purposely does not work, descriptively speaking, as a ``vacuum
cleaner'' which, by design, would purposely acquire electronic
communications broadly and indiscriminately from all network users,
including those of innocent subscribers. Hence, Carnivore's design does
serve as an effective check against any potentiality of infringing upon
privacy rights.
Administrative Controls: There are numerous administrative and
criminal justice system-based controls which preclude the errant use of
Carnivore, both in terms of internal and external oversight to control
how Carnivore is being used at any point in time. To begin with, it
should be emphasized that the FBI does not deploy or use Carnivore or
any other non-consensual electronic surveillance tool in a vacuum. With
regard to applications for pen registers or trap and trace devises,
section 3121 of Title 18 of the United States Code prohibits
Carnivore's use, as such a device, without a court order. In order to
acquire a court order, the FBI may not act alone, but must seek the
approval of an appropriate official within the Department of Justice.
Section 3122 mandates that an ``attorney for the government'' be the
applicant for a pen register or trap and trace device. Typically, this
requires the approval of the Office of the United States Attorney for
the district in which the device is to be used. Of course, more
stringent requirements mandating high-level Department of Justice
approval, are found in Title III/FISA provisions and practices
controlling the interception of electronic communications.
Within the FBI itself, there are also a number of administrative,
technological, and physical access controls which prevent the
authorized use of any electronic surveillance tool, including
Carnivore. First, as a general matter, all covert electronic
surveillance equipment is carefully controlled and overseen within the
FBI by FBI Headquarters program managers and by each field office's
Technical Advisor (TA). Second, with regard to Carnivore specifically,
there are only a few Carnivore devices and only a limited number of FBI
personnel who are trained to operate this special purpose tool, under
FBI Headquarter's oversight. Third, to use Carnivore in any given case,
such personnel must be privy to the specific access number for a
targeted account number. Fourth, such personnel can use Carnivore only
when they possess a hardware security device that is specifically
required for access. And fifth, such personnel can use Carnivore only
when they have the necessary two-tiered password access authority
required.
Finally, if any FBI employee ever were to conduct such unlawful
activity, he/she would be terminated from employment with the FBI.
There is ``zero tolerance'' for any such illegal conduct within the
FBI.
In sum, Carnivore has many legal, technological, and administrative
controls. Such controls effectively act to prevent any infringement of
privacy rights when using Carnivore.
As to the second part of your question, we believe that it would be
imprudent for the Congress to contemplate as a course of action, in the
context of the concerns expressed with regard to Carnivore, the
establishment of an outside ``independent monitor.'' There are a number
of reasons why resort of such an independent monitor would be
problematic, including, but not necessarily limited to, the following.
First, there is a likely separation of powers issue with regard to the
Executive Branch's Constitutionally-reserved right to fashion and
utilize proper sources and methods in order to lawfully and fully
execute warrants and court orders (including electronic surveillance
orders). Second, as a general proposition, such an approach, if
adopted, could give rise to the unintended result of casting the
independent monitor in the awkward role of being a sort of ``electronic
surveillance technology police,'' a role particularly ill-suited to a
complex environment of fast-moving technology and the associated need
for nimble electronic surveillance response. Third, it would appear to
use that for this approach to really work the independent monitor may
also have to assume an unprecedented and ongoing supervisory role
throughout the duration of an execution of a given court-ordered
surveillance. As can be seen, significant philosophical and legal
including Constitutional) problems arise with the prospect of having
the government itself ``surveilled'' by an ``independent monitor'' as
the FBI proceeds to lawfully execute a warrant or court order.
If assuring the propriety of FBI surveillance is the core issue, as
noted immediately above, other effective checks and balances are in
place. Also, although the focus of the instant suggestion pertains to
Carnivore, as a matter of precedent, the notion associated with using
an independent electronic surveillance monitor could in principle be
applied to every piece of electronic surveillance equipment that might
be designed and used by the FBI, by other Federal law enforcement and/
or security agencies, and by State and local law enforcement agencies.
We would strongly recommend against pursing such an approach.
Question 8. Some universities interested in responding to DOJ's
solicitation of bids to conduct the independent technical review of
Carnivore have reportedly criticized certain terms of a non-disclosure
agreement which the chosen contractor would be required to sign. One
witness at the hearing said that the FBI would be a party to the
required agreement. Please provide a copy of the non-disclosure
agreement, identify the terms that have been criticized and explain why
they are necessary.
Answer 8. Attached at the end of this document is a copy of the
``Sensitive Information Nondisclosure Agreement'' (NDA) executed by the
Carnivore review team contractor.
In the recent Senate hearing on Carnivore, Mr. James Dempsey cited
a USA Today On Line story where certain universities reportedly had
indicated a reluctance to participate. One point noted in the story was
that ``Universities and any other contractors must agree not to publish
anything the government deems sensitive.'' Hence, it appears, based
upon the USA Today's characterization, that the university community's
objection is more global as to the general proposition of not
disclosing ``sensitive'' information as opposed to any particular
``term'' or provision in the NDA.
To begin with, the attached NDA is derived from a standard FBI NDA
form (FD 857) which the FBI sues when sharing sensitive information
with outside entities such as contractors and other persons. Such NDAs
are also typically included in FBI/DOJ federal contracting. In the
instant case, the FBI worked with the Carnivore review team contractor,
the Illinois Institute of Technology Research Institute (IITRI), in
formulating final NDA language which satisfied the contractor and which
did not stifle the full review of Carnivore by the contractor.
As to the second part of the question, electronic surveillance
equipment, including software, is sensitive and, under law, information
about it is strictly controlled and constrained.
As you are aware, in enacting the first comprehensive U.S.
electronic surveillance laws, Title III of the Omnibus Crime Control
and Safe Streets Act of 1968 (Title III), 18 U.S.C. 2510-2522, as
amended, the Congress instituted a balanced regime which both affords
clear statutory authority and Constitutionally-compliant procedures to
enable law enforcement to lawfully conduct electronic surveillance
pursuant to court order and which also criminalizes the unauthorized
conduct of electronic surveillance in order to underscore the Congress'
intention of preventing unlawful searches and seizures and of
preserving communications privacy. To advance both of these principles,
the Congress also crafted a particular Title III provision to prevent
the proliferation of surreptitious electronic surveillance interception
devices. See 18 U.S.C. 2512 (Manufacture, distribution, possession, and
advertising of wire, oral, and electronic communication intercepting
devices prohibited). The only two categories of users exempted under
Section 2512 from using such devices are providers of wire or
electronic communication service, with regard to equipment utilized by
them in the normal course of providing their service, and governmental
officials, with regard to equipment utilized by them in the normal
course of carrying out governmental activities.
Similarly, there are statutory and regulatory U.S. export control
regimes which govern the export of electronic surveillance equipment
(e.g., the Arms Export Control Act, as implemented by the International
Traffic in Arms Regulations, and the Export Control Act, as implemented
by the Export Administration Regulations). Depending on the type of
electronic surveillance device involved, one or both of these regimes
govern the export of electronic surveillance equipment.
In short, electronic surveillance equipment generally, and that
used by the FBI in particular (at least that electronic surveillance
equipment used in covert, non-consensual efforts--i.e. surreptitious
electronic surveillance devices) is treated as sensitive, at a minimum.
In many cases, such equipment may also be classified. Hence, in light
of the above, the FBI is concerned about the legal and policy
constraints and controls that would conflict with the open-ended public
disclosure of such electronic surveillance equipment, including its
software.
With regard to Carnivore, and again in light of the above laws,
controls, and constraints, we believe that it would be improper to
disclose to the public generally the source code of Carnivore. The
source code, after all, is for a special purpose surreptitious
electronic surveillance system which should be treated with
circumspection. Public disclosure of the source code could lead to the
unintended and harmful effect of facilitating unauthorized, and hence
unlawful electronic surveillance. Also, it may well be that disclosure
could inform the criminal community about aspects of Carnivore that
might suggest some potential for circumvention.
However, as you are aware, the FBI will disclose the Carnivore
source code to the IITRI review team under controlled circumstances in
order to give assurance to the public that Carnivore operates properly
and lawfully, as the FBI claims it does. In so sharing such sensitive
information, it is altogether appropriate that an NDA be utilized to
protect the information. It is important to note, however, that nothing
in the NDA can reasonably be read to prohibit or stifle the disclosure
of information of findings, potentially critical of Carnivore or the
FBI, to the Attorney General and the Department of Justice. In
conclusion, the testimony of the respected Internet expert, Mr. Vint
Cerf (who previously was briefed as to Carnivore and who signed an
NDA), is worth noting in this regard. At the hearing, Mr. Cerf
testified, ``May I just interject that I agreed to sign the
nondisclosure on the principle that when you're dealing with
surveillance just as you would with other intelligence situations,
sources and methods are always a sensitive issue.''
Question 9. In the D.C. Circuit Court of Appeals recent decision on
the FCC's implementation of CALEA (the ``Communications Assistance for
Law Enforcement Act''), the Court agreed with the FCC that under a
standard adopted by telecommunications carriers for packet-switched
networks, the carriers could provide both packet headers and the
content, or ``payload,'' to law enforcement. Carriers argued that
technically they could not separate the two, while the FBI contended
that it had equipment which could ``distinguish between a packet's
header and its communications payload and make[] only the relevant
header information available for recording or decoding.''
A. Was the FBI referring to its ``Carnivore'' equipment when it
made this representation to both the FCC and the Court?
B. The FBI's representation was critical, since both the FCC and
the Court noted that ``privacy concerns could be implicated if carriers
were to give to [law enforcement] packets containing both [the
addressing information and the content] when only the former was
authorized.'' When Carnivore is installed, is the ISP essentially
giving law enforcement the entire traffic flow over that particular
part of the network, including both addressing information and content
of packets?
C. The FBI testified at the hearing that CALEA does not apply to
ISPs. In fact, CALEA, by its terms, applies only to telecommunications
carriers. Are there telecommunications carriers that are also ISPs? If
so, please provide examples.
D. Should the privacy concerns expressed by the Court for packet-
switched networks apply only to telecommunications carriers, as defined
in CALEA, or do those concerns apply more broadly to ISPs?
Answer 9A. The reference in question was not to Carnivore. The
representation was generic as to what the FBI believes can be designed
to separate communications from call-identifying information.
Answer 9B. First, we would like to clarify a couple of points
included in the opening paragraph of this CALEA-related question. One
point is that the FBI has asserted in its FCC filings regarding CALEA
that, as a matter of technology, it believes that devices can be
designed that would be capable of separating the communications content
from the communications call-identifying information. A second point is
that, assuming the availability of such devices, any entity, including
a ``telecommunications carrier'' under CALEA, presumably could avail
itself of them and use any such device itself.
As to your specific question, ``[w]hen Carnivore is installed, is
the ISP essentially giving law enforcement the entire traffic flow over
that particular part of the network, including both addressing
information and content of packets?'' (emphasis added), some
clarification is in order. First, what an ISP ``gives'' to law
enforcement, when it identifies a ``particular part of [its] . . .
network]'' is a vantage point through which ``access'' can be achieved
as to the specific communications traffic of a particular criminal
subject, based exclusively upon that particular criminal subject's
unique identifying information.
Further, to better respond to your question, it is useful to
explain more particularly how Carnivore actually works. As we set forth
in our statement for the record, Carnivore is a special purpose
electronic surveillance system which, pursuant to an appropriate court
order or lawful consent, is used to acquire or intercept a criminal
subject's communications addressing and transactional information or
communications content, respectively, based exclusively upon filtering
that segregates a criminal subject's communications traffic based upon
his/her unique identifying information (e.g., his/her E-mail address,
IP address). Carnivore does not acquire or intercept any innocent, non-
criminal subject's communications addressing or transactional
information or communications content.
Moreover, it is important to understand that Carnivore's filtering
operates in stages--and that all filtering occurs exclusively within
the ``Carnivore box.'' As noted, Carnivore's first operation is
exclusively to detect the criminal subject's identifying information.
The first stage of filtering in the Carnivore system is to match (in
purely binary computer code) the ``pattern'' of ``1's'' and ``0's'' in
the computer bit stream that matches the criminal subject's identifying
information ``pattern''--which identifying information is set forth in
the court's order. So, in a very simplified example, with the filter
exclusively set to detect the criminal subjects's computer bit pattern
``1100,'' if the first bit in the computer bit stream was an ``0,''
Carnivore would automatically conclude that since ``0'' and ``1'' are
not a match, that this circumstance does not meet the filter pattern
criteria, and it would quickly move onto conduct the next pattern match
effort. If the first digit is a match, Carnivore would then go to the
next digit in the computer bit stream, and repeat the process, until an
exact, complete match is arrived at.
Importantly, nothing happens at all, by way of any interception of
communications content or acquisition of communications addressing
information, unless and until the criminal subject's unique identifying
information has been matched. Then, and only then, does Carnivore move
on to the second stage of filtering, in terms of applying the
appropriate filters required to filter either for communications
addressing information acquisition or for full communications content
interception, depending upon the particular authorization found within
the court's order. Finally, FBI personnel only receive and ``see'' the
communications addressing information or communications content of the
criminal subject, as appropriate--based upon the court's order--after
all of the Carnivore filtering has been completed exclusively within
the Carnivore box. Indeed, whenever any network traffic is stored on
the Carnivore system, it remains in the same format of 0's and 1's;
and, importantly, it is not turned into a format intelligible to humans
until after it is transferred from the Carnivore system.
In sum, Carnivore never conducts a search of the communications
addressing or transactional information or communications content of
any innocent, non-criminal subject at all. Indeed, even with the
criminal subject's communications traffic, Carnivore filters the
criminal subject's ``machine readable only'' binary code exclusively
within the box; and FBI personnel only obtain, in a humanly
intelligible format--and ``outside of the box''--the appropriate
criminal evidence sought after Carnivore has completely concluded its
programmed filtering efforts within the box.
Answer 9C As implied in your question, and as anticipated in CALEA,
a communications service provider's business could offer both
telecommunications services and information services. Examples of such
companies are AT&T and MCI WorldCom. CALEA's coverage with reference to
the definition of ``telecommunications carrier'' ``does not include (i)
persons or entities insofar as they are engaged in providing
information services (emphasis added). `` See 47 U.S.C. 1001(8)(C).
Answer 9D. The D.C. Court of Appeals decision pertained to the
actions taken by the Federal Communications Commission in light of its
CALEA-implementing Third Report and Order, and with reference to
actions taken by the Telecommunications Industry Association in its
CALEA-implementing J-Standard. The court's decision, hence, was CALEA-
centric. The FBI and the Department of Justice (DOJ) have articulated
their perspectives with regard to packet mode communications at some
length in their comments before the FCC (see FBI and Department of
Justice ``Comments Regarding Further Notice of Proposed Rulemaking,''
CC Docket No. 97-213 at 77-81) and in their brief before the D.C.
Circuit Court of Appeals (see Final Brief for the United States at 15-
18).
With reference to the aforementioned FBI/DOJ Comments before the
FCC, we note, as did the FBI/DOJ Comments at pages 79-80, that there is
nothing in CALEA or its legislative history to indicate that Congress
meant to prohibit the use of law enforcement electronic surveillance
equipment which has the capability of separating signals of
communications content from communications transactional information.
For example, all ``local loop'' electronic surveillance efforts
necessitate such tools and approaches. And no one, to our knowledge, is
suggesting,for example, that ``local loop'' interceptions are in any
way affected or curtailed by CALEA or otherwise. Further, to quote from
the Comments:
``It is worth noting that Section 103(a)(4) does not state that
carriers ``shall no deliver'' communications and call-identifying
information that law enforcement is not authorized to intercept, but
only that carriers shall ``protect the privacy and security'' of such
information. A carrier is entitled to rely on enforcement's discharge
of its legal obligation under 18 U.S.C. Sec. 3121(c) as a means of
``protecting the privacy'' and security'' of information that law
enforcement is not authorized to intercept. Accordingly, the J-Standard
is not deficient in this regard.''
Comments at 80. Moreover, with reference to the aforementioned FBI/
DOJ Brief, we quote the following:
``* * * because the use of minimizing technology under Section
3121(c) can prevent law enforcement agencies from hearing or seeing the
content portion of a packet stream, the J-Standard does not offend
Title III or the Fourth Amendment. Cf. United States v.Miller, 116F.3d
641, 659-60 (2d Cir. 1997) (use of pen register device that is capable
of recording call content as well as dialing information does not
violate Title III), Sanders v. Robert Bosch Corp., 38 F.3d 736, 742
(4th Cir. 1994) (no Title III interception occurred when oral
conversations were monitored and transmitted by hidden microphone but
contents of conversations were neither heard nor recorded).''
Brief at 17. Thus, in light of the above, and notwithstanding any
concerns which may have been expressed by the court with regard to
packet-switched communications generally, we believe, both with regard
to networks of telecommunications carriers and the networks of
computer-based ``information services,'' that privacy and security
protection can be satisfied in privacy-enhancing electronic
surveillance tools such as Carnivore. Since we believe that privacy and
security protection can be, and is being, maintained, we do not
necessarily share the rendition of ``privacy concerns'' as alluded to
in the dicta of the D.C. Court of Appeal's CALEA-based decision.
Question 10. The public concern about use of Carnivore and
government surveillance of the Internet has prompted at least one
witness at the hearing to call for more Congressional oversight. In
this connection, I introduced last year as part of the E-RIGHTS Act, S.
854, a proposal to require the Attorney General to provide the Congress
annual reports on the number of warrants, court orders and subpoenas
for government interceptions of e-mail and other electronic
communications under 18 U.S.C. section 2703. What is your view of
whether this proposal would assist Congress in providing appropriate
oversight and necessary information about government practices under
the law?
Answer 10. The FBI is certainly on record as being amenable to
Congressional oversight, including in the area of electronic
surveillance. As noted in the last section of our Hearing statement for
the record, a great deal of Congressional oversight already exists,
particularly in the area of electronic surveillance. With regard to
whether it is a good idea to require the Attorney General to provide to
the Congress detailed annual reports regarding all of the Department of
Justice agency components' warrants, court orders, and subpoenas
pertaining to governmental acquisitions of stored E-mail and other
electronic communications obtained under 18 U.S.C. Sec. 2703, we would
defer to the Department of Justice.
Sensitive Information Nondisclosure Agreement
An Agreement between __________ and the Federal Bureau of
Investigation (FBI) regarding the nondisclosure of sensitive FBI
information, to wit: any and all information received, observed, or
otherwise required from the FBI or the U.S. Department of Justice (DOJ)
arising from a review requested by the Attorney General of the United
States (the Review) of the FBI's Carnivore device and system,
including, but not limited to, any and all information pertaining to
the Carnivore software and associated software and hardware devices and
systems; any and all information pertaining to investigations,
investigative uses, operations, procedures, policies, practices,
guidelines, contracts, sensitive (including proprietary) governmental
information, nongovernmental proprietary information, training,
training documents, manuals, technical descriptions, source code,
object code, executable software, designs and design information,
documentation, descriptions, tests, test results, test scenarios,
deficiencies, and vulnerabilities associated with the Carnivore device
and system (``Sensitive Information'').
1. Intending to be legally bound, I hereby accept the obligations
contained in this Agreement in consideration of my being granted access
to Sensitive Information from the FBI or the DOJ arising from the
Review as required to perform my duties. I also understand and accept
that by being granted access to this Sensitive Information, special
confidence and trust shall be placed in me by the FBI.
2. I hereby acknowledge that I have been briefed concerning the
nature and protection of Sensitive Information, including the
procedures to be followed in ascertaining whether other persons to whom
I contemplate disclosing this information have been approved for access
to it, and that I understand these procedures. Further, I understand
that unauthorized use or disclosure of Sensitive Information, marked or
unmarked, including, but not limited to, oral communications or
information observed or gleaned arising from the Review, may
compromise, jeopardize or subvert current, past, or future law
enforcement activities, investigations, or investigative techniques and
may compromise, jeopardize or subvert existing or future FBI contracts,
contractual relationships between the FBI and vendors, or the ability
of the FBI to effectively contract with vendors now or in the future.
3. I agree to manage all Sensitive Information in a manner
consistent with procedures recommended by the FBI or DOJ, and I will
not now or in the future use, disclose, or retain Sensitive Information
unless such disclosure is necessary in the performance of the Review,
and I have either officially verified that the recipient of such
information has been properly authorized by the FBI or DOJ to receive
it, or been given prior written notice of authorizationfrom the FBI or
the DOJ that such use, disclosure or retention is permitted. I
understand that if I am uncertain as to the sensitive nature or status
of information as Sensitive Information, I am required to confirm from
an authorized FBI or DOJ official that such information may be used,
disclosed or retained prior to its use, disclosure or retention. The
obligations imposed upon me herein shall not apply to Sensitive
Information which is disclosed pursuant to a valid order of a court or
governmental body or any political subdivision thereof; provided,
however, that I shall first have given notice to the FBI or DOJ in
order to permit them to seek a protective order and in such case I
shall assist the FBI or DOJ in filing a protective order in accordance
with applicable rules; and if such order issues, disclosure under this
provision shall be made only in accordance with the terms of the
protective order. Not withstanding this provision, IITRI shall be able
to retain one (1) copy of the draft and final reports provided to the
FBI or DOJ as a result of the Review for a period of one year after
completion of the Review, after which time such copies shall be
returned to the FBI or DOJ.
4. I have been advised that except as necessary for the Review, any
effort to reverse engineer the Carnivore software or other software,
including software code, to which I may be given access during the
Review may cause irreparable damage to (a) FBI investigations and
investigative techniques; (b) FBI contracts, contracting capabilities,
contractual relationships between the FBI and vendors, or the ability
of the FBI to effectively contract with vendors now and in the future;
or (c) the rights of third parties to protect their proprietary
information; and I will not undertake any such action, use, or effort
to reverse engineer Carnivore or other software, including software
code, or undertake any other action, use, or effort that is
inconsistent with the sensitive and protected nature of this software,
unless I have been given prior and explicit written authorization from
the FBI or DOJ that such action, use, or effort is permitted. I will
also not duplicate or copy Sensitive Information arising from the
Review in a manner inconsistent with the procedures recommended by the
FBI or DOJ. I acknowledge that unauthorized duplication or copying of
Sensitive Information arising from the Review may cause irreparable
damage to FBI investigations, investigative techniques, or contracting
capabilities.
5. I have been advised that any breach of this Agreement may result
in the termination of my relationship with the FBI and the DOJ and my
removal from the Review. In addition, I have been advised that any
unauthorized disclosure, use, or retention of Sensitive Information by
me may constitute a violation or violations of United States criminal
laws, including those codified in title 18, United States code, or may
lead to criminal prosecution for obstruction of lawful government
functions. I realize that nothing in this Agreement constitutes a
waiver by the United States of the right to prosecute me for any
statutory violation.
6. I understand that all Sensitive Information to which I have
access or may obtain access by signing this Agreement is now and will
remain the property of, or in the control of the FBI or DOJ unless
otherwise determined by an authorized FBI or DOJ official or final
ruling in a court of law. I agree that I shall return all Sensitive
Information provided to me by the FBI or DOJ in written or any other
tangible form which has come or may come into my possession, or for
which I am responsible because of such access: (a) upon demand by an
authorized representative of the FBI or the DOJ, or (b) upon the
conclusion of my relationship with the FBI or the DOJ incidental to
this Review, whichever occurs first.
7. Unless and until I am released in writing by an authorized
representative of the FBI or the DOJ, I understand that all conditions
and obligations imposed upon me by this Agreement apply during the time
I am granted access to the Sensitive Information and at all times
thereafter.
8. Each provision of this Agreement is severable. If a court should
find any provision of this Agreement to be unenforceable, all other
provisions of this Agreement shall remain in full force and effect.
9. I understand that the United States Government may seek any
remedy available to it to enforce this Agreement including, but not
limited to, application for a court order prohibiting disclosure or use
of Sensitive Information in breach of this Agreement. I hereby assign
to the United States Government all royalties, remunerations, and
emoluments that have resulted, will result, or may result from any
disclosure, use, or retention of Sensitive Information not consistent
with the terms of this Agreement.
10. I have read this Agreement carefully and my questions, if any,
have been answered.
Signature____________ Date____________
Organization (if contractor, provide name and address):
The briefing and execution of this Agreement was witnessed by
(type or print name)
Signature____________ Date ____________
______
Security Debriefing Acknowledgment
I reaffirm that the provisions of the Federal criminal laws
applicable to the safeguarding of Sensitive Information have been made
available to me by the FBI or DOJ; that I have returned all Sensitive
Information in my custody; that I will not use, disclose or retain
myself Sensitive Information to any unauthorized person or
organization; that I will promptly report to the FBI any attempt by an
unauthorized person to solicit Sensitive Information; and that I have
received a debriefing regarding the security of Sensitive Information.
Signature____________ Date ____________
Name of Witness (type or print)____________
Signature of Witness____________ Date ____________
�