Mr. Chairman and Subcommittee Members, thank you for calling this hearing and giving CDT the opportunity to testify on the FBI's "Carnivore" initiative and its implications for the Fourth Amendment. Carnivore is the latest in a series of wake-up calls about the future of personal privacy online. The deployment of Carnivore itself creates new threats to the privacy and security of Internet communications. More fundamentally, Carnivore raises broad issues about the need for greater privacy protections in the outdated statutory and constitutional framework that today governs surveillance and privacy online.
Among the specific points I would like to make about Carnivore:
More broadly, Carnivore shows how our traditional conceptions of wiretapping and the Fourth Amendment, developed in an era of central-switch telephone networks, do not neatly translate onto the packetized, decentralized Internet. For example, "wiretapping" the Internet may provide government with access to vast streams of information, requiring greater oversight and protection. Pen register orders applied to the Internet reveal far more than the "numbers dialed" they once provided for telephones.
In the future, access to a person's electronic data will likely provide a more complete window into their actions, relationships, and thoughts than any previous form of surveillance. The Internet is exploding the home. Sensitive papers and possessions once kept in a desk drawer are now finding their way out onto network servers, where they lack the Fourth Amendment protections given to items at home.
Our electronic surveillance laws, last reworked in 1986, are rapidly falling behind this changing world. Revisions to those laws are needed to provide heightened protections and staunch the growing erosion of personal privacy in the digital age. At the same time, the desire to translate every current offline surveillance capability into the online world - regardless of consequences - should not be allowed to create a new technical surveillance architecture with huge privacy and security risks.
The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include ensuring that the Constitution's protections extend to the Internet and other new media. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies, and associations working on information privacy and security issue.
The Internet is at once a new communications medium and a new locus for social organization on a global basis. Because of its decentralized, open, and interactive nature, the Internet holds out unprecedented promise to promote expression, spur economic opportunity, and reinvigorate civic discourse. Individuals and groups can create new communities for discussion and debate, grassroots activism and social organization, artistic expression and consumer protection. The Internet has become a necessity in most workplaces and a fixture in most schools and libraries. According to a December 1999 Harris poll, 56% of American adults are online, 6 times higher than 4 years ago.
Every day, Americans use the Internet to access and transfer vast amounts of private data. Financial statements, medical records, and information about children - once kept securely in a home or office - now travel through the network. Electronic mail, online publishing and shopping habits, business transactions and Web surfing profiles can reveal detailed blueprints of people's lives. And as more and more of our lives are conducted online and more and more personal information is transmitted and stored electronically, the result has been a massive increase in the amount of sensitive data available to government investigators.
While the Justice Department frequently emphasizes the ways in which digital technologies pose new challenges to law enforcement, the fact is that the digital revolution has been a boon to government surveillance and information collection as well. The FBI estimates that over the next decade, given planned improvements in the digital collection and analysis of communications, the number of wiretaps will increase 300 percent. Computer files are a rich source of evidence: In a single case last year, the FBI seized enough computer evidence to nearly fill the Library of Congress twice. As most people sense with growing unease, everywhere we go on the Internet we leave digital fingerprints, which can be tracked by marketers and government agencies alike. The FBI in its budget request for FY 2001 seeks additional funds to "data mine" these public and private sources of digital information for their intelligence value. So while the changing electronic landscape has made some of law enforcement's traditional functions more difficult, it has also provided tremendous new opportunities for data collection. It is in this context that the FBI's Carnivore initiative must be viewed.
Recent press reports, along with testimony before this Subcommittee in April, have revealed the existence of the new FBI wiretapping device known as "Carnivore." Not much is known about this device, which appears to have been developed with little or no public oversight. What is known raises serious questions about the application of electronic surveillance laws and the Fourth Amendment on the Internet.
Carnivore reportedly serves at least two functions. Installed on the network of an ISP, it monitors communications on the network and records messages sent or received by a targeted user. This is presumably designed to respond to an electronic "wiretap" order served on an ISP. Because of the intrusive nature of wiretaps, a high legal standard must be met for their issuance, requiring a showing of probable cause and strict judicial oversight.
Carnivore can reportedly also provide the origin and destination of all communications to and from a particular ISP customer. This is presumably designed to satisfy what law enforcement claims is the Internet equivalent of "pen register" and "trap and trace" orders, which in the telephone context provide digits dialed and incoming phone numbers. (Note that there are fundamental questions about whether and how pen register and trap and trace orders apply in the Internet context, addressed below.) Since the digits dialed in a phone call are less revealing than the contents of communication, pen registers and trap and trace orders have traditionally been authorized under a significantly lower legal standard. Each year the government executes many more pen registers than wiretaps.
Both the "Internet wire tap" and "Internet pen register" functions of Carnivore raise important privacy and security concerns.
According to published accounts, Carnivore operates by monitoring all traffic on the network link where it is installed. In theory, Carnivore examines traffic and only stores data appropriate to the order under which it operates - i.e., data relating to the target of an order, or even narrower information pertaining to pen register or trap and trace orders.
Does Carnivore only reveal the information that is legally entitled under a particular wiretap or pen register order? Since Carnivore operates openly on a network link, it has the potential to capture the traffic of customers who are not the subjects of an order. It also has the potential to capture the content of communications even when a pen register order would limit collection to addressing information.
Isolating network traffic can be technically difficult, and it is not at all clear how the Carnivore device operates. For example, Internet Protocol (IP) addresses may be used to identify the communications of a target. But in many systems such addresses are dynamically allocated and changed over time, making it quite possible to either miss communications or monitor the wrong user. Moreover, identifying the source or destination of an email message or a web site query might require a detailed examination of the contents of a data packet. It is not clear that such an analysis is permitted under a narrow pen register order.
Such a system - with easy access to unauthorized data and no current potential for oversight - creates tremendous potential for misuse. Without a detailed understanding of Carnivore's operations, it is easy to believe Carnivore could be exceeding the legal authority of a particular order - quite possibly by mistake or error.
The technical community has developed a method to improve trust in complex systems: open source review. Review of the source code and design specifications by a community of experts might reveal mistakes, bugs, or security holes unknown to the FBI. Such mistakes are quite common in the design of complex technical systems. More importantly, open source review of Carnivore's hardware, software, and technical design is essential to improving public understanding of what Carnivore does and does not do. And it is essential to ensuring that Carnivore does not exceed its legal authority.
Some will likely argue that revealing source code will compromise the effectiveness of Carnivore. If true, one must question the general security and usefulness of a system that can be so easily circumvented by anyone with knowledge of its operation.
Even with open review of Carnivore's system, installation of a "black box" out of an ISPs control creates new privacy and security risks.
Is Carnivore itself a secure system? Can it be compromised? Does it provide secure audit trails, and is it tamper resistant? Without a fuller understanding of how Carnivore works, it is difficult to answer these questions. But the risks are high: If Carnivore, an eavesdropping device with access to a vast stream of traffic independent of any ISP control, were itself somehow compromised, the damage could be tremendous.
Even with a more complete understanding of its operations, the parameters for how Carnivore is used once installed are likely to be extremely important. Such parameters could control who the targets are, how they are identified, and what information is collected about them. With Carnivore ISPs appear to have no control over how the system operates. Such a system again provides no checks on its use, and is an invitation for misuse or mistake.
ISPs themselves are in the best position to comply with lawful orders for electronic surveillance. ISPs have a dual duty, to both produce information for law enforcement and to protect the privacy of their customers by only revealing such information where required by lawful order. Moreover, ISPs are in the best position to understand their own networks and the most effective ways of complying with lawful orders. They are also in the best position to understand potential implications or threats from installation of a Carnivore device.
Carnivore's apparent attempt to extend "pen registers" and "trap and trace" orders for telephone surveillance into the Internet is not a simple matter. Capturing Internet origin and destination addresses instead of "numbers dialed" could create a much more intrusive form of surveillance that is not clearly supported by law, and is not justified given the current low standard for authorization.
The Electronic Communications Privacy Act of 1986 (ECPA) adopted the pen register and trap and trace statute, 18 USC § 3121 et seq., governing real-time interception of "the numbers dialed or otherwise transmitted on a telephone line." (A pen register collects the "electronic or other impulses" that identify "the numbers dialed" for outgoing calls and a trap and trace device collects "the originating number" for incoming calls. While the functions provided by these devices are different, for simplicity I refer mainly to pen register orders; analogous arguments hold for trap and trace orders.) To obtain such an order, the government need merely certify that "the information likely to be obtained is relevant to an ongoing criminal investigation." 18 USC §§ 3122-23.
Extending the use of pen registers in new telephone devices and services - such as pagers, or numbers dialed after a call is completed - has been the subject of great debate. But Carnivore is indicative of a whole new and problematic expansion of the pen register to the Internet.
The origin and destination of a particular Internet message are not easily defined. In the packet-switched Internet, the literal "destination" of an intercepted message is often an end-point of the link on which it is observed. Origin or destination depends on what layer of the Internet protocol stack one looks at. For a single email packet, the destination could be viewed as the header Ethernet address it is being sent to on a local network; the IP address of an ISPs mail server (also in the packet header); the To: line of an email message buried within the packet's body; or even other routing information within the email message ("Give this message to Harry," or instructions for a remailer). Finding the addressee of an email or the name of a web site being visited - if that is what law enforcement is seeking - will often require analysis of the content of packets, not just the header information.
For example, attached in Example 1 is a sample IP packet captured from CDT's network on its way to our ISP. The packet is an email message from me to Paul Taylor, a member of the Committee staff. The header of the message shows the IP addresses of the packet's origin (a computer at CDT) and destination (our ISP's mail server, which will next send the packet to the House mail server). To find out whom the email inside the packet is addressed to, one would need to read and analyze the contents of the packet. Example 2 shows a similar example for a visit to Chairman Canady's web page; finding the "destination" Uniform Resource Locator, or URL (the web site address, like http://www.cdt.org/), would require looking in the body of the packet. We have no idea if this is what Carnivore is doing, but to the extent that law enforcement seeks origin and destination addresses that are more than link IP addresses they will be forced to analyze the contents of packets.
Origin and destination on the Internet are also much more revealing pieces of information than "numbers dialed." In the case of someone visiting a website, the URL can disclose specific pages visited, books browsed, or items purchased. And as people move more of their lives online, a list of emails sent or web sites visited can provide a very detailed dossier of activities - all available without the heightened protections of a wiretap or even a standard Fourth Amendment warrant.
For example, attached in Example 3 is a sample IP packet showing a search for a book on the Barnes and Noble web site. Again, the IP address information is available in the header and finding the URL requires a search through the body of the message. In this case, the URL includes revealing information about what books the user is looking at - here, books on prostate cancer. Taken together, a collection of such "destination" information could generate a revealing dossier of a person's interests and activities.
All of this raises Fourth Amendment questions for pen registers online. Courts have found that consumers have no "expectation of privacy" in the digits they dial on a telephone. It may very well be that, given the revealing nature of Internet transactional information, users do have a reasonable expectation of privacy in the URLs of web sites they visit and the email addresses of those with whom they communicate.
At the very least, Congress should raise the standards for use of pen registers in the Internet context. Under the current standards, a judge "shall" approve any request signed by a prosecutor certifying that "the information likely to be obtained is relevant to an ongoing criminal investigation." 18 USC §§ 3122-23. This is low standard of proof, similar to that for a subpoena, and judges are given little discretion in the granting of orders. Investigators have broad leeway to seek orders without, for example, any indication that the targets have been involved in criminal wrongdoing themselves, and without the probable cause required for searches under Fourth Amendment standards.
A large number of pen registers are executed each year with little public oversight. Unlike wiretaps, there are no national reporting requirements on the use of pen registers. The Justice Department reports on its own use, but this does not include numerous federal, state and local uses. Congress should extend the wiretap reporting requirements to pen registers.
Electronic privacy and surveillance are today governed by a complex statutory and constitutional framework that has slowly eroded in the face of technological change. (For a complete review of this framework and its evolution, please see CDT's Testimony before the Subcommittee in April 2000.) Remarkably, ECPA was the last significant update to the privacy standards of the electronic surveillance laws. Astonishing and unanticipated changes have occurred since then, including --
The recent White House announcement on privacy and surveillance helpfully adopts many of these proposals. Extension of the wiretapping exclusionary protections to electronic interceptions is a particularly welcome step. Increasing the standard for pen registers is an improvement, but will not be sufficient if such orders are applied broadly (i.e., include URLs) to the Internet. On the other hand, expansion of the Computer Fraud and Abuse Act is an unwelcome criminalization of an unnecessarily broad range of activities online. And the proposal fails to tackle with the need for heightened protections for private data held in the hands of third parties. CDT is prepared to work with Congress and the Justice Department to continue to flesh out the needed privacy enhancements, and to convene DPSWG as a forum for discussion and consensus building on these issues.
The Carnivore system demands greater public oversight and attention. More broadly, it speaks to the need for modernization of our surveillance laws and greater privacy protections to counteract the real threats to privacy online.
Protecting national security and public safety in this new digital age is a major challenge and priority for our country. On balance, however, we believe that the new sources of data and new tools available will prove to be a boon to government surveillance and law enforcement. These new technologies are likely to make law enforcement's job harder in some ways. And it appears likely that some of the traditional methods of surveillance and information gathering will have to change in this new medium. Carnivore demonstrates a real danger: The attempt to literally translate all current surveillance capabilities directly onto the Internet may not be possible or desirable in all cases, or may require new privacy protections. The demand that every current offline capability be directly implemented online should not become an excuse for creating a massive technical architecture for surveillance that, given the nature of the Internet, could be far more invasive than anything we have seen to date.
House Rule XI, Clause 2(g)(4) Disclosure: Neither Alan Davidson nor CDT has received any federal grant, contract, or subcontract in the current or preceding two fiscal years.
1 TIME: 17:25:32.394378 (0.314456) 2 LINK: 00:80:19:42:21:68 -> 00:D0:58:A9:30:52 type=IP 3 IP: 126.96.36.199 -> 188.8.131.52.25 hlen=20 TOS=00 dgramlen=472 id=3DC2 4 MF/DF=0/1 frag=0 TTL=255 proto=TCP cksum=4B75 5 TCP: port 2064 -> smtp seq=0122753662 ack=4082691367 6 hlen=20 (data=432) UAPRSF=011000 wnd=17520 cksum=C20C urg=0 7 DATA: X-Sender: [email protected] 8 Message-Id: <[email protected]>. 9 Date: Fri, 21 Jul 2000 17:27:27 -0400. 10 To: [email protected]. 11 From: Alan Davidson <[email protected]>. 12 Subject: Thanks for your help. 13 Content-Type: text/plain; charset="us-ascii" ; format="flowe 14 d". 15 . 16 Paul,. 17 . 18 Thanks for your help in locating a projector for Monday's he 19 aring. I . 20 will be forwarding my testimony shortly.. 21 . 22 Alan Davidson. 23 ..
This data packet was collected from CDT's network while a computer on the network sent an e-mail message from me to Paul Taylor, a member of the committee staff.
The header of the packet includes the source and destination IP addresses (line 3). In this case the source 184.108.40.206 is a computer at CDT and the destination 220.127.116.11.25 is our ISPs mail server (which will receive the packet and send it to the House mail server based on its content.) The header of the packet also contains local Ethernet source and destination information.
This packet is an example of how the "payload" or contents of the packet would have to be analyzed in order to retrieve the address of the email recipient. The e-mail's addressing information is contained in this data section (line 10), which also contains the subject of the message and the actual message text.
1 TIME: 15:12:13.326012 (0.722398) 2 LINK: 00:80:19:42:21:68 -> 00:D0:58:A9:30:52 type=IP 3 IP: 18.104.22.168 -> 22.214.171.124 hlen=20 TOS=00 dgramlen=372 id=3216 4 MF/DF=0/1 frag=0 TTL=255 proto=TCP cksum=8EB4 5 TCP: port symplex -> http seq=0914855425 ack=1136120663 6 hlen=20 (data=332) UAPRSF=011000 wnd=17520 cksum=7838 urg=0 7 DATA: GET /canady/p74.jpg HTTP/1.0. 8 Referer: http://www.house.gov/canady/. 9 Connection: Keep-Alive. 10 User-Agent: Mozilla/4.72 (Macintosh; U; PPC). 11 Pragma: no-cache. 12 Host: www.house.gov. 13 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 14 image/png. 15 Accept-Encoding: gzip. 16 Accept-Language: en. 17 Accept-Charset: iso-8859-1,*,utf-8. 18 .
This data packet was collected from CDT's network while a computer on the network was viewing a page on Chairman Canady's web site.
The header of the packet includes the source and destination IP addresses (line 3). In this case the source 126.96.36.199 is a computer at CDT and the destination 188.8.131.52 is a House of Representative web server. The header of the packet also contains local Ethernet source and destination information.
This packet is an example of how the "payload" or contents of the packet would have to be analyzed in order to retrieve the web address being viewed. In this case URL of the item being viewed, an image on Chairman Canady's web site, is shown in the contents of the packet at lines 12 and 7 -- www.house.gov/canady/p74.jpg.
1 TIME: 15:02:27.439225 (0.111930) 2 LINK: 00:80:19:42:21:68 -> 00:D0:58:A9:30:52 type=IP 3 IP: 184.108.40.206 -> 220.127.116.11 hlen=20 TOS=00 dgramlen=695 id=6638 4 MF/DF=0/1 frag=0 TTL=255 proto=TCP cksum=79CE 5 TCP: port 1559 -> http seq=3306680833 ack=0184661700 6 hlen=20 (data=655) UAPRSF=011000 wnd=17520 cksum=C1DE urg=0 7 DATA: GET /booksearch/results.asp?WRD=prostate+cancer&userid=4MOT3 8 F70ED HTTP/1.0. 9 Referer: http://www.bn.com/. 10 Connection: Keep-Alive. 11 User-Agent: Mozilla/4.72 (Macintosh; U; PPC). 12 Host: shop.barnesandnoble.com. 13 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 14 image/png, */*. 15 Accept-Encoding: gzip. 16 Accept-Language: en. 17 Accept-Charset: iso-8859-1,*,utf-8. 18 Cookie: SITESERVER=ID=3b671bc4c04048950bc8a20a61c31d96; brow 19 serid=BITS=0&OS=4&VERSION=4%2E72&AOLVER=0&BROWSER=1; Shopper 20 Manager%2FBNShop=SHOPPERMANAGER%2FBNSHOP=2D9DNPCEB6S92MJ1001 21 PQUW93SAR9582; userid=2NW5T2ANM7; SalesURL=Rwww%2Ebn%2Ecom%2 22 F; ASPSESSIONIDQGQGQQCD=NACHKFKCMBPBEANEEODHLDAI. .
This data packet was collected from CDT's network a computer on CDT's network was searching for a book on the Barnes & Noble web site relating to "prostate cancer."
The header of the packet includes the source and destination IP addresses (line 3). In this case the source 18.104.22.168 is a computer at CDT and the destination 22.214.171.124 is a web server affiliated with Barnes & Noble.com. The header of the packet also contains local Ethernet source and destination information.
The information about the specific web page that the CDT computer viewed is contained in the packet's data section. The URL shown here: http://shop.barnesandnoble.com/booksearch/results.asp?WRD=prostate+cancer&userid=4MOT3F70ED also provides information about what books are being viewed - in this case, books about prostate cancer.
15:02:27.439225 0:80:19:42:21:68 0:d0:58:a9:30:52 0800 709: 126.96.36.199.1559 > 188.8.131.52.80: P 3306680833:3306681488(655) ack 184661700 win 17520 (DF) 4500 02b7 6638 4000 ff06 79ce cfe2 032b d09e f58d 0617 0050 c517 f201 0b01 b6c4 5018 4470 c1de 0000 4745 5420 2f62 6f6f 6b73 6561 7263 682f 7265 7375 6c74 732e 6173 703f 5752 443d 7072 6f73 7461 7465 2b63 616e 6365 7226 7573 6572 6964 3d34 4d4f 5433 4637 3045 4420 4854 5450 2f31 2e30 0d0a 5265 6665 7265 723a 2068 7474 703a 2f2f 7777 772e 626e 2e63 6f6d 2f0d 0a43 6f6e 6e65 6374 696f 6e3a 204b 6565 702d 416c 6976 650d 0a55 7365 722d 4167 656e 743a 204d 6f7a 696c 6c61 2f34 2e37 3220 284d 6163 696e 746f 7368 3b20 553b 2050 5043 290d 0a48 6f73 743a 2073 686f 702e 6261 726e 6573 616e 646e 6f62 6c65 2e63 6f6d 0d0a 4163 6365 7074 3a20 696d 6167 652f 6769 662c 2069 6d61 6765 2f78 2d78 6269 746d 6170 2c20 696d 6167 652f 6a70 6567 2c20 696d 6167 652f 706a 7065 672c 2069 6d61 6765 2f70 6e67 2c20 2a2f 2a0d 0a41 6363 6570 742d 456e 636f 6469 6e67 3a20 677a 6970 0d0a 4163 6365 7074 2d4c 616e 6775 6167 653a 2065 6e0d 0a41 6363 6570 742d 4368 6172 7365 743a 2069 736f 2d38 3835 392d 312c 2a2c 7574 662d 380d 0a43 6f6f 6b69 653a 2053 4954 4553 4552 5645 523d 4944 3d33 6236 3731 6263 3463 3034 3034 3839 3530 6263 3861 3230 6136 3163 3331 6439 363b 2062 726f 7773 6572 6964 3d42 4954 533d 3026 4f53 3d34 2656 4552 5349 4f4e 3d34 2532 4537 3226 414f 4c56 4552 3d30 2642 524f 5753 4552 3d31 3b20 5368 6f70 7065 724d 616e 6167 6572 2532 4642 4e53 686f 703d 5348 4f50 5045 524d 414e 4147 4552 2532 4642 4e53 484f 503d 3244 3944 4e50 4345 4236 5339 324d 4a31 3030 3150 5155 5739 3353 4152 3935 3832 3b20 7573 6572 6964 3d32 4e57 3554 3241 4e4d 373b 2053 616c 6573 5552 4c3d 5277 7777 2532 4562 6e25 3245 636f 6d25 3246 3b20 4153 5053 4553 5349 4f4e 4944 5147 5147 5151 4344 3d4e 4143 484b 464b 434d 4250 4245 414e 4545 4f44 484c 4441 490d 0a0d 0aThis data packet was collected from CDT's network a computer on CDT's network was searching for a book on the Barnes & Noble web site relating to "prostate cancer." This packet is presented in Hexadecimal notation.