(Fwd) [ISN] Father Of The Internet Lends Carnivore Credence

From lsi <lsi@lsi.clara.net>
Date Wed, 13 Sep 2000 00:50:57 +0100


[: hacktivism :]

Vint Cerf vs. CDT, bring it on!

------- Forwarded message follows -------
Date sent:      	Mon, 11 Sep 2000 01:11:58 -0500
Send reply to:  	InfoSec News <isn@C4I.ORG>
From:           	InfoSec News <isn@C4I.ORG>
Subject:        	[ISN] Father Of The Internet Lends Carnivore Credence
To:             	ISN@SECURITYFOCUS.COM

http://www.computeruser.com/news/00/09/08/news10.html

By Brian Krebs
September 08, 2000

The FBI's e-mail surveillance tool "Carnivore" took center stage at a
congressional hearing Wednesday, as Senate lawmakers sought to learn
more about the controversial device that consumer advocates say
presents a threat to the privacy of innocent Americans.

While the witnesses called to testify before the Senate Judiciary
Committee included the usual suspects from the FBI, Department of
Justice and several privacy groups, the Justice Department gained an
important ally in Vint Cerf, a senior vice president at WorldCom and a
man considered by many to be one of the principal architects of the
early Internet.

In a simplified discourse on the mechanics of Carnivore vis-à-vis the
Internet, Cerf countered claims that the FBI's e-mail snooping device
could easily be used to randomly drop in on communications between
parties not placed under surveillance by a court order.

Designed to attach directly to an Internet service provider's network,
Carnivore is capable of sifting through vast amounts of data to
retrieve specific communications. Cerf said while it is true that
Carnivore can gather more information than is called for under a court
order, the device can be programmed to select only information
contained in the "header" (the "To" and "From" fields), and to
automatically discard the extraneous data.

James X. Dempsey, senior staff counsel for the Center for Democracy
and Technology, took issue with the FBI's claim that a search for
header information was the Internet equivalent of a "pen register" or
"trap-and-trace" wiretap order, which culls the phone numbers of any
two parties. Leaving aside questions of whether header information in
e-mails provides information typically considered "content" and
therefore subject to a court order requiring much higher levels of
proof, Dempsey noted that many Internet Protocol (IP) addresses are
dynamically assigned and thus allow for the possibility that a given
user will not have the same address from day to day or hour to hour.

Dempsey suggested the FBI should be held accountable through a series
of checks and balances, and that the appropriate way to do so would be
to allow ISPs to examine Carnivore's source code and modify it
themselves if necessary.

But Cerf said doing so would open up a whole new can of worms.

"Leaving this software in the hands of thousands of ISP geeks strikes
me as somewhat alarming," Cerf said. "If I were a member of the public
wondering who was managing the software and what they were doing with
it, I think I'd be a lot more concerned about ISP personnel who may
not be under the same legal constraints that the FBI is under."

Donald M. Kerr, assistant director for the FBI, echoed Cerf's
concerns, noting that the Justice Department already had agreed to
allow a select group of university faculty to review Carnivore and
report back to the DOJ.

Dempsey attacked the DOJ's process for selecting a university to chair
the review panel as clunky and biased in favor of the FBI, referring
to restrictions spelled out in the DOJ's proposal that prevent panel
members from disclosing aspects of their findings to the general
public.

"Unfortunately, the 'independent review' promised by the Justice
Department at this point is so circumscribed and under such control of
the FBI and the DOJ that it holds little promise of giving Congress,
industry or the public reliable answers," he said.

Judiciary Committee Chairman Orrin Hatch, R-Utah, said he too was
concerned about the review panel's selection process, citing an
article in Wednesday's USA Today that quoted a half-dozen of the
nation's leading universities as saying they would not submit
applications to staff the review panel due to the heavy restrictions
imposed by the DOJ. When asked why so many universities objected to
the DOJ's narrow guidelines for the review panel, Kerr said those same
restrictions prohibited him from elaborating on the selection process.

The House Judiciary Committee, meanwhile, took up consideration of
three consumer privacy bills today, two of which were drafted
specifically to address the use of systems like Carnivore.

H.R. 4987, sponsored by Rep. Bob Barr, R-Ga., a member of the
Judiciary Committee, at its heart updates wiretapping laws to reduce
the government's ability to listen in on wireless, e-mail and Internet
communications.

H.R. 5018, sponsored by Rep. Charles Canady, R-Fla., who chairs the
Constitution Subcommittee, seeks to accomplish much the same thing as
Barr's bill. H.R. 5018, co-sponsored by Rep. Asa Hutchinson, R-Ark.,
also would count electronic communication as being inadmissible in
court if it were obtained illegally, and in addition requires the
government to submit annual reports on their requests to tap "stored
electronic communications."

The bill also changes the definition of "pen register" and "trap and
trace devices" to include e-mail, and requires the government to prove
that a crime was, or is likely to be committed, in order for a judge
to grant approval for an e-mail or Internet wiretap.

Kevin DiGregory, deputy assistant attorney general for the Justice
Department, said the Canady bill--with its e-mail specific
language--was fatally flawed.

"As we have said time and again, we believe that any legislation
developed with respect to criminal law should be technology-neutral,
and that there should not be different standards for trap-and-trace
orders," DiGregory said.

House Majority Leader Richard Armey, R-Texas, also weighed in on the
issue following today's hearing, criticizing U.S. Attorney General
Janet Reno for refusing to pull the plug on Carnivore while the review
panel conducts its investigation.

"The Justice Department has not responded to our request. They have
refused to suspend the use of Carnivore while the program is in
question," Armey said. "Instead, Attorney General Reno has proposed to
handpick a single university to review the system--a plan that is
woefully inadequate."

The Justice Department is scheduled to have selected the university to
staff its Carnivore review panel by Sept. 26.



------- End of forwarded message -------

