Who Let the Carnivores Out?

by Bryan Pfaffenberger

Imagine this scenario. At your local post office, investigators are busily opening and glancing at the contents of every first-class letter, resulting in significant delays for postal patrons. When asked why they're doing this, the investigators affirm that they have a legally valid warrant to read the mail of an individual who's under criminal investigation. Sure, they're opening everyone's mail, but they're only reading the mail involving the investigation's target. Would you believe them?

To the extent that such an investigation would involve first-class snail mail, it would be highly illegal under U.S. law (and, indeed that of most countries)--and rightfully so. An abundance of experience worldwide proves that citizens are all but bound to suffer political persecution and loss of liberty when their governments willfully monitor the activities of law-abiding citizens (Banisar 1995). However, such monitoring isn't so clearly illegal in cyberspace, where the letters in question are conveyed via e-mail.

Alarmingly, the post office scenario accurately describes what the U.S. Federal Bureau of Investigation (FBI) could be doing with its notorious Carnivore system. This system--essentially a dedicated PC running specially designed software--is installed on the premises of Internet service providers (ISP) when investigators have obtained a legal warrant to scrutinize e-mail and other electronic communications that pass through the ISP's computers. In this article, you'll learn why Carnivore poses a far more dangerous threat to law-abiding citizens than it does to criminals, and why should you start encrypting all of your electronic communications, if you haven't already.

Hi! I'm Carnivore!

Carnivore (Graham 2000, FBI 2000) derives its name from its voracious appetite; it "chews" all the e-mail messages routed through an ISP to which it is connected, even though--according to the FBI--it only "eats" the mail of those who are legally targeted (by means of a warrant) for an investigation. The result slows down mail servers to the point that at least one major ISP, EarthLink, has refused to cooperate with a Carnivore installation (Hayes 2000). The broader issue, of course, is whether the system provides investigators with too much power to intercept the e-mail conversations of private, law-abiding individuals who are not the target of an investigation.

According to the FBI's critics, such conversations are already intercepted far too frequently; the American Civil Liberties Union (ACLU) charted in Congressional testimony that nearly two million innocent conversations per year are illegally intercepted by law enforcement wiretaps (ACLU 1995). Reacting to the increasing threat of terrorist activity within the U.S., judges are approving significantly more wiretaps; the total number of approved wiretaps annually grew by 38 percent from 1994 to 1998 (Willing 1998). Worldwide, government use of legal and illegal wiretapping is exploding and is often used to monitor the activities of human rights groups, labor unions and political dissenters instead of fighting crime (Banisar 1995). Despite repeated assurances to the contrary, U.S. investigative agencies are known to have used illegal wiretaps and other surveillance measures to monitor law-abiding citizens who espouse political beliefs with which the government disagrees, sometimes ruining their lives in the process.

At the core of concerns about systems such as Carnivore is that they routinely monitors a "great deal of Internet traffic", including the communications of "users who are not targeted for surveillance and not named in any court authorization" (Electronic Privacy Information Center 2000). An independent review of the Carnivore system noted it is "capable of broad sweeps", and that, improperly configured, it can "record all traffic it monitors" (Bellovin et al., 2000).

If you tend to get paranoid over such things, don't worry too much about Carnivore tracking your e-mail--at least, not yet. Carnivore isn't a massive, nationwide monitoring system; only some 20 Carnivore systems are believed to be in existence, and they are not permanently installed. According to the FBI, the longest Carnivore installation lasted 45 days. The FBI claims that the system has been used only a few dozen times to monitor terrorists, hackers and drug traffickers. But there's every reason to suspect that use of Carnivore-like systems will grow by leaps and bounds, perhaps to the point, years or decades down the road, that virtually all e-mail will be routinely scrutinized. Will basic Constitutional guarantees against reasonable search and seizure be protected?

Don't Worry, We're Just Reading the Headers

For its part, the FBI denies that Carnivore is designed to read the mail of anyone who isn't targeted for a legal investigation. Conceding that Carnivore indeed reads the headers (address information) of all mail sent and received via an ISP on whose premises a Carnivore system is installed, the FBI asserts that the system contains adequate safeguards. However, independent technical evaluations of Carnivore (see Bellovin et al., 2000) show clearly that Carnivore all but invites investigators to exceed the bounds of lawful investigation. Let's take a closer look at what is known about Carnivore's technology, and you'll see why.

Carnivore is a "computer system"--a PC equipped with the Carnivore software--installed in cooperation with an Internet service provider (ISP) in order to facilitate the collection of information pertaining to the target of an investigation. Apparently, the system uses an IP sniffer as a capture filter. An IP sniffer is a program that detects Internet Protocol (IP) addresses in the stream of ongoing Internet traffic and, thus, able to identify (and differentiate) individual messages within the stream. Operating in real time, Carnivore writes all the data going to and coming from the Internet address of the individual targeted for an investigation to a Jaz disk. The system is used in two ways:

  • As a pen register (also called trap and trace) to capture all the e-mail headers going to and from a specified account, as well as URLs of all the servers accessed by the account; alternatively, the system can be used to record the IP addresses of everyone who accesses a specific Web page or FTP site. To collect this type of information, investigators still need a search warrant, but they can obtain one from a lower court judge.

  • As a content wiretap to capture all e-mail messages to and from a specific account and to capture all the network traffic to and from a specific account or IP address. To trap content, investigators must obtain a search warrant from the Federal judge--and it's tough to get. Investigators must show probable cause (i.e., evidence that the individual targeted for investigation is indeed involved in an illegal activity).

The distinction between trap and trace vs. content wiretaps goes back to telephone days. For telephone wiretapping, a trap and trace warrant involves no direct intervention; the judge merely authorizes the telephone company to release to investigators a record of all the calls handled by a particular number. Content wiretaps are much more intrusive which is why they require the assent of an independent Federal judge.

Whoops! I Recorded All the Data! Darn!

Here's the point raised by those concerned about Carnivore. Even if investigators have obtained a trap and trace (header-only) warrant, the Jaz disk created, nevertheless, contains the full content of the e-mail messages sent to and received by the individual targeted for the investigation. C'mon, do you think they're not going to look at it? Who would know, anyway? Carnivore lacks the security and auditing services that would be needed to make sure investigators did not abuse their lawfully granted authority. In short, the Carnivore system enables investigators to circumvent the distinction between the easily obtained trap and trace warrant and the much-more-difficult-to-obtain content warrant.

From an investigator's viewpoint, here's the genius of Carnivore: For the price of a trap and trace warrant, you get the content. And the price is right, because lower court judges cannot refuse a request for trap and trace warrants if investigators affirm the warrant is needed for an investigation. Of course, it's illegal for investigators to look at the content, but that hasn't stopped the FBI in the past. It's common knowledge in the law enforcement community that illegal telephone wiretaps have been used for years to establish the basis of investigations; a legal wiretap is obtained only when investigators are certain they've identified the correct suspect and want to produce evidence that is admissible in court.

Who Wins and Who Loses?

If you're a law-and-order type, you're probably wondering why Carnivore is so bad. After all, there's an ever increasing risk posed by terrorists, drug dealers, racketeers, child pornographers and organized crime. Systems such as Carnivore will help law enforcement investigators detect and prosecute criminals more efficiently. If some of our mail gets read by accident, who cares--especially if you have nothing to hide?

But this view misses the point. Any criminal with a modicum of technical knowledge has nothing to fear from Carnivore. As a leading computer security expert (Forno 2000) recently pointed out, you need only a Hotmail account to escape Carnivore's monitoring; Hotmail supports encrypted e-mail via SSL, which means that the data intercepted by Carnivore will appear as gibberish. Encrypted virtual private network (VPN) connections take Carnivore out of the picture as well, and eliminate the risks posed by plain text message storage on an ISP's mail server. In short, the only criminals who will be apprehended by Carnivore are those who are too stupid--or unprofessional--to know how to protect themselves from Carnivore's surveillance.

And that's precisely the risk that Carnivore poses. Because Carnivore enables investigators to obtain full message content on the basis of an easily obtained trap and trace warrant, it gives them an open invitation to go on hunting missions against people who would never dream that they are the subject of an investigation and have, therefore, taken no steps to encrypt their communications. Perhaps such people really are criminals--very stupid criminals. However, it's far more likely that Carnivore and future Carnivore-like tools will be used to monitor huge numbers of law-abiding people suspected of some sort of involvement in dissident organizations. If this situation develops, Carnivore will have helped to circumvent the very protection that the Fourth Amendment to the U.S. Constitution sought to bestow on its citizens: the right to remain free from unreasonable searches and seizures that violate a lawful citizen's basic right to engage in private life undisturbed, to maintain views and opinions that may not sit well with those in power.

So, what does all of this mean for Linux users worldwide? It's simple: Even if you are (to the best of your knowledge) a law-abiding citizen, don't wait to encrypt your communications. The existence of systems such as Carnivore in a country such as the U.S., which (supposedly) has strong constitutional guarantees against unreasonable searches and seizures, should remove any doubt on this score. Without encryption, your communications are an open book that can be read by anyone, including government investigators, who might have some reason, perhaps ideological or political, to use your own electronic communications against you. What's truly scary about Carnivore is that it all but encourages investigators to target the dissident activities of law-abiding citizens. And that's why such citizens should not hesitate to use strong, impenetrable encryption to protect the privacy of their letters and papers.


Hushmail is a free e-mail service that offers transparent, end-to-end encryption of your e-mail without requiring correspondents to install and use complicated software.

ZipLip closely resembles Hushmail. You can set a time limit on the messages that you send, so that they expire-- and can't be retrieved, even from the recipients' systems-- after the specified date.

1on1 is a commercial service and uses dedicated software, but it offers an additional, cool feature: You can remotely retract and delete mail that you decide, after sending, you shouldn't have sent.

GNU Privacy Guard is free software that offers strong encryption services to Linux users; GNUPG is increasingly supported by Linux-based e-mail packages.


American Civil Liberties Union, 1995. "Civil Liberties Implications of the Anti-Terrorism Act of 1995", available on-line at http://www.aclu.org/congress/terract.html.

Banisar, David. 1995. Bugoff! A Primer for Human Rights Groups on Wiretapping. Washington: Privacy International. Available on-line at http://www.tscm.com/bug_off.html.

Bellovin, Steven, Matt Blaze, David Farber, Peter Neumann, and Eugene Spafford, "Comments on the Carnivore System Technical Review". Available on-line at http://www.crypto.com/papers/carnivore_report_comments.html.

Electronic Privacy Information Center, December 1, 2000. Letter to Carnivore Review Panel, U.S. Dept. of Justice. Available on-line at http://www.epic.org/privacy/carnivore/review_comments.html

Forno, Richard. 2000. "Who's Afraid of Carnivore? Not Me", available on-line at http://www.infowarrior.org/articles/carnivore.html.

Graham, Robert. September 7, 2000. "Carnivore FAQ." Available on-line at http://www.robertgraham.com/pubs/carnivore-faq.html.

Hayes, Frank. 2000. "Quick and Dirty", ComputerWorld, Dec. 15, 2000 (available on-line at http://www.computerworld.com/cwi/story/0,1199,NAV47_STO54989,00.html).

U.S. Federal Bureau of Investigation. 2000. "FBI Programs and Initiatives: Carnivore Diagnostic Tool", available on-line at http://www.fbi.gov/programs/carnivore/carnivore.htm

Willing, Richard. 1998 "Courts OK Record Number of Wiretaps", USA Today, Sept. 30, 1998. Copy available on-line at http://www.inet-one.com/cypherpunks/dir.98.09.28-98.10.04/msg00121.html.

Load Disqus comments