CongressLine - Security and Trust in Cyberspace, Carnivore and R.I.P.
By Carol M. Morrissey, Published on July 31, 2000
What's in a Name
The road to technological advancement is paved with unfortunate acronyms and catch phrases - Carnivore, Digital Storm, R.I.P., Trust and Security in Cyberspace. It’s not enough that most people do not understand the capabilities or the proposals involved! The government also feels duty-bound to christen its pet technology projects or legislative proposals with monikers which are confusing at best and misleading at worst.
Trust and Security
Take for example the Clinton Administration’s new legislative proposal addressing electronic wiretapping and surveillance. On July 17, 2000, White House Chief of Staff, John Podesta, gave a speech before the National Press Club in which he outlined the Administration’s legislative proposal to "assure the security and trust of Americans in cyberspace." The purpose of the proposal is to bring law enforcement authority into the age of the Internet by harmonizing and updating the inconsistent rules which currently apply to electronic and online technologies, such as the telephone, cable and the Internet. As Americans are a naturally suspicious lot, Podesta emphasized that the proposal would balance the interests of law enforcement with the fundamental privacy rights of individuals. However, as we know, "trust" and "security" are difficult to guarantee in cyberspace. (For the text of John Podesta’s remarks, please go to: http://www.pub.whitehouse.gov/uri-res/I2R?urn:pdi://oma.eop.gov.us/2000/7/18/4.text.1. For the White House fact sheet on the legislative proposal, please go to: http://www.pub.whitehouse.gov/uri-res/I2R?urn:pdi://oma.eop.gov.us/2000/7/17/15.text.1.)
Under the proposal, law enforcement officials must obtain "high level" approval for e-mail interception and it must be based on probable cause. "Trap and trace" orders (essentially identifying the source of a call or e-mail) would require only one court order, although numerous telephone carriers or ISPs may be affected by one trace, possibly across state lines. In emergency situations, communications may be traced without prior approval. Computer hacking laws would be modified to classify several small incidents as one large "attack" and federal prosecutors would have jurisdiction (in serious cases) over hackers who are juveniles.
The Administration’s proposal also incorporates some provisions from legislation which is currently pending in Congress. It has been noted by Congressional staffers that due to time constraints the security and trust in cyberspace proposal will probably be addressed in a substantive manner in the next Congressional session. (For examples of pending bills, please go to: http://thomas.loc.gov/cgi-bin/bdquery/z?d106:s.02448: for the text of S.2448 by Sen. Hatch (R-UT) and to: http://thomas.loc.gov/cgi-bin/bdquery/z?d106:s.02430: for the text of S.2430 by Sen. Leahy (D-VT).)
Digital Storm and Carnivore
Digital Storm is the name given the collection of programs run by the Federal Bureau of Investigation (FBI) to collect online data through legal means. Privacy groups have concerns about the accuracy of the systems and technology which comprise Digital Storm. These programs were discussed at a hearing entitled, The Fourth Amendment and the Internet, which was held this past April by the House Committee on the Judiciary, Subcommittee on the Constitution. (The text of the testimony from the April hearing can be accessed at: http://www.house.gov/judiciary/con0406.htm.) It was at this April hearing that the existence of the Carnivore system first came to light.
Carnivore (so named for its ability to sift through information and extract only the "meat") is similar to a network maintenance program called a "packet filter", for it seeks only particular "packets" of information. The FBI touts it for its specificity – it can track the origin and destination of a user’s e-mail, copy the information to the hard drive and then allow that message and all other mail to continue. It is also possible for Carnivore to obtain contents from e-mail, but the FBI says that type of usage would slow down the online traffic prohibitively. The system has to be installed at an Internet Service Provider (ISP) in order to operate.
On July 24, 2000, the House Committee on the Judiciary, Subcommittee on the Constitution held an oversight hearing entitled, Fourth Amendment Issues Raised by the FBI’s ‘Carnivore’ Program. Once the hearing was announced, the FBI attempted to do some damage control and proceeded to demonstrate the system to Members of Congress, their staff and some judges. Privacy advocates were not among those privy to the demonstrations and the American Civil Liberties Union (ACLU) has filed a request under the Freedom of Information Act (FOIA) for Carnivore’s source code.
The FBI was questioned closely at the hearing as to the system’s capabilities and uses. Several Members expressed concern that under current law, Carnivore might be employed without a showing of "probable cause." ISPs represented at the hearing claimed that they already have the capability to provide electronic surveillance and voiced reluctance at having an outside system such as Carnivore "installed" on their network. One ISP, Earthlink, refused the FBI’s request to install the system and they were upheld by a federal judge. (For testimony from the July hearing, please go to: http://www.house.gov/judiciary/con07241.htm. The text of an ACLU press release on the issue is at: http://www.aclu.org/news/2000/n072400a.html and the Center for Democracy and Technology (CDT) Data Privacy page featuring an FBI Schematic of Carnivore is at: http://www.cdt.org/privacy/govaccess/.)
RIP or Regulation of Investigatory Powers
As we hold hearings about our Fourth Amendment Rights and Wiretapping, England is poised to give the Royal nod to a bill granting wide-ranging police powers over the seizure of electronic communications. The bill, entitled, the Regulation of Investigatory Powers or RIP, requires ISPs to install "black box" surveillance systems, similar to Carnivore, which will send online information to a central government monitoring system. The government will be picking up some of the tab for the cost of installation. ISPs must also, upon request, provide the government with the plain text of any code used to encrypt information. This provision was softened somewhat; initially the government could request the "key" to any encryption code. The bill has made its way through the House of Commons and the House of Lords and is now awaiting Royal Assent. (The text of RIP as amended on Report in the House of Lords on July 13, 2000 is at: http://www.publications.parliament.uk/pa/ld199900/ldbills/104/2000104.htm and Lords amendments from July 26, 2000 are at: http://www.publications.parliament.uk/pa/cm199900/cmhansrd/cm000726/debtext/00726-32.htm.) (Explanatory notes prepared by the Home Office to be read in conjunction with the RIP bill can be accessed at: http://www.parliament.the-stationery-office.co.uk/pa/ld199900/ldbills/061/en/00061x--.htm.)
A loose coalition of ISPs, trade unions, privacy groups, newspapers and major corporations opposes the legislation. Not only are there the civil liberties issues, but the cost it imposes on business may drive some companies away and discourage others from considering England as a location. One ISP, PopTel, has announced that it is considering moving offshore to avoid some of the more onerous requirements. (The Foundation for Information Policy or FIPR has a RIP Information Centre featuring articles and the text of the bill which can be accessed at: http://www.fipr.org/rip/index.html. Clara.net, a major ISP, has some of their proposed amendments to RIP posted on their web page at: http://www.clara.net/pressoffice/13600.html and http://www.clara.net/pressoffice/100700_2.html.)
If the Regulation of Investigatory Powers Bill becomes law, which appears to be a certainty, England will be the first democracy to enact such legislation. Here in the United States, concern for the "unfettered" scope of Digital Storm will prompt Congress to act to modernize our electronic surveillance and wiretapping laws. The Administration’s proposal has set the stage for the dialogue between privacy groups, government and industry to begin in earnest. Although this issue is highly sensitive, all those involved understand that our current laws are flawed and a successful resolution will benefit all parties.