April 23, 2001
Hungry For Your E-Mail
IT managers and ISPs fear FBI E-mail monitoring device will hurt systems and invade privacy
By Larry Kahaner
The FBI has revised the name of its E-mail monitoring device from the ominous Carnivore to the geeky and more neutral DCS-1000. But the move hasn't quelled fears among technology managers and Internet service providers that the government's E-mail eavesdropping device may damage a company's technology infrastructure, compromise privacy, and open security holes that hackers could exploit. Some critics charge Carnivore may even violate the Constitutional rights of customers and employees.
The American Civil Liberties Union thinks so; last week, it launched an ad campaign attacking Carnivore. The purpose of the ads is to draw public attention to "the powerful technology the government has at its disposal," says Barry Steinhardt, associate director of the ACLU in New York. The group wants to focus the attention of Congress on "our outdated laws about privacy in the Internet Age."
The object stirring such controversy is an E-mail version of a telephone wiretap. But instead of the tap being placed directly onto a user's phone line, a device is installed on an E-mail server at a business or ISP. In telephone terms, Carnivore tracks and records E-mail headers (phone numbers), but not the actual contents of an E-mail (phone conversations). Law enforcement officials more frequently seek warrants to obtain headers because the legal standard for getting that kind of court order is less demanding than the standard for a so-called full-content retrieval warrant.
Carnivore checks the headers of all E-mails traveling past the device and plucks out the ones it wants based on the search warrant's parameters. But if that was all it did, there wouldn't be much of an uproar. The Carnivore issue goes much deeper, and it produces strong reactions and feelings.
"From a technical aspect, I'm always concerned when someone wants to connect something to my network," says Chris Kelly, chief privacy officer of Excite@Home, a division of At Home Corp. in Redmond, Calif. Kelly and others are worried because the FBI won't reveal the source code or inner workings of Carnivore, so they have no idea what damage, if any, the device might do to their systems.
"I also have privacy concerns about Carnivore," he says. Because of the way Carnivore collects E-mail information, the FBI can't guarantee that E-mail packets from users not covered by the warrant aren't being accidentally collected. This includes customer E-mails--Excite@Home has 3 million users--and internal company E-mails that are kept on separate servers. Kelly says the FBI has "approached" his company about installing a Carnivore box but has so far been "rebuffed." Kelly declined to elaborate.

"I will comply with any legal court order, and I have processed them in the past. But I would go to jail before I would allow the FBI to install Carnivore on my system," says Peter Sachs, president of Iconn LLC, a New Haven, Conn., ISP with 2,000 business customers that each have 100 to 200 users. Sachs says he can provide the FBI with the information it needs without using Carnivore. "If what we had wasn't adequate for them," he adds, "I would sooner close down my business than install it."
Sachs is an attorney who testified before Congress about Carnivore. "Not only do I believe it's illegal under the Fourth Amendment," he says, "but since the FBI won't reveal the source code and won't tell us how it works, we have no idea what harm it could do to our system."
Some IT managers, however, seem resigned to Carnivore's existence. "There's no way to stop Carnivore," says Steve Lopez, VP of technology services at the National Board of Medical Examiners in Philadelphia. "It's become a fact of life. It's being forced down our throats."
The FBI isn't very forthcoming when it comes to disclosing information about Carnivore (everybody, especially critics, still calls it that, despite the name change). Most of what is known has been pieced together from Congressional hearings and Freedom of Information Act requests filed by groups such as the Electronic Privacy Information Center, which petitioned the FBI a day after Carnivore's existence became public in July. Most individuals involved in the Carnivore controversy refuse to discuss the details of specific incidents on the record. Only in the past few months have FBI officials given industry presentations about Carnivore, but those presentations include only information that has already been disclosed.
Carnivore is one part of a suite of Windows applications and PC-based hardware collectively known as Dragonware; the other two parts are Packeteer and Coolminer. Packeteer reassembles E-mail message packets so they can be read, and Coolminer analyzes data found in the messages. The FBI changed the original name, Omnivore, to Carnivore because the device didn't devour everything in sight, but instead got to the "meat" of the targeted data. Carnivore acts like packet sniffer software commonly used by network administrators to monitor systems and perform diagnostics.
None of the ISPs hit with a Carnivore warrant have been named publicly by the FBI, because the agency keeps such information confidential. But one name is known: EarthLink Inc., the nation's second-largest ISP with more than 4.7 million subscribers. EarthLink's experience with Carnivore became public because it was the subject of public litigation.
Illustration courtesy of Hungry Dog Studio