ACLU, EPIC Say Further Study of Carnivore Review Proves "Beast Must Be Tamed"

FOR IMMEDIATE RELEASE
Friday, December 1, 2000

WASHINGTON– Further careful review of a report on a new FBI Internet surveillance tool conclusively proves that the Carnivore system is an aptly named beast that must be tamed, the American Civil Liberties Union and the Electronic Privacy Information Center (EPIC) said today in comments submitted to the Department of Justice.

“All in all, the new review of Carnivore falls far short of the public disclosure necessary for such a potentially serious threat to individual liberties,” said Barry Steinhardt, ACLU Associate Director. “We call on the Clinton Administration — or its successor — to suspend the use of Carnivore until we can be assured of an ongoing review process for both Carnivore and successor programs.”

David Sobel, General Counsel of EPIC said, “Despite FBI claims that the review has vindicated Carnivore, it has actually validated many of the privacy concerns that have been voiced by the public and members of Congress. Internet users won’t find much comfort in the review team’s report. Private communications are very much at risk.”

In its comments, the ACLU said that:

–One of the team’s tests (Test 9, “TCP All Ports Full Mode Collection” ) demonstrated that contrary to FBI assertions Carnivore is, in fact, capable of collecting all communications over the segment of the network being surveilled. The default configuration is set to this option.

–Despite repeated assertions to the contrary from the FBI, the report concludes that Carnivore has no effective auditing function to record precisely what has been intercepted in order to expose and prevent abuses. The review team report explains that “Carnivore operators are anonymous to the system. All users are logged in as ‘administrator’ and no audit trail of action is maintained.”

–The government should fully comply with requests under the Freedom of Information Act for all documents regarding Carnivore, including its source code.

EPIC’s comments noted that:

–The review found that Carnivore is capable of “broad sweeps” when “improperly configured.” If there is a risk of accidental “over-collection,” intentional abuse of the system is clearly possible.

–Carnivore lacks adequate accountability mechanisms, according to the review team. The potential for abuse is thus heightened.

–The privacy threats posed by Carnivore can not be cured with any technical “fixes,” but are inherent to the system.

According to documents recently released to the ACLU and EPIC under the Freedom of Information Act, Carnivore will be retired within a few months, to be replaced by an even more powerful program. This information suggests that, at best, the present system for Carnivore review will only provide a “snapshot” of current capabilities and privacy issues.