The Carnivore System

BACK to the Decaying Freedom main page.

*The Carnivore System (FBI)
On July 11, 2000, the existence of an FBI Internet monitoring system called "Carnivore" was widely reported. Not much is known about this device, which appears to have been developed with little or no public oversight. The Carnivore system is installed at the facilities of an Internet Service Provider (ISP) and can monitor all traffic moving through that ISP. The system accesses and processes a great deal of ISP traffic, the vast majority of which contains the communications of Internet users not targeted for surveillance and not named in any court authorization. The FBI claims that Carnivore "filters" data traffic and delivers to investigators only those packets that they are lawfully authorized to obtain. Because the details (such as source code) remain secret, the public is left to trust the FBI's characterization of the system and the FBI's compliance with legal requirements.

A note of explanation before proceeding: The Electronic Communications Privacy Act allows the use of a pen register or trap and trace device (designed to collect phone numbers dialed without collecting the content of communication, or even knowing if the communication took place or was aborted) if a law enforcement officer certifies that the "information likely to be obtained is relevant to an ongoing criminal investigation." By contrast, a much higher standard applies to an order to intercept the content of electronic communications: that requires a showing of probable cause that the target has committed a specified felony. The request for such an order must state with particularity information regarding the facts relied upon by the applicant, the crime at issue, the individuals suspected of committing the offense, and the type of communications to be intercepted. Carnivore is used under the relaxed standards of a pen register or trap and trace device. [Source for this information]


  • Independent reviewers concluded that the system is capable of collecting more information than law enforcement is legally authorized to acquire. Incorrectly configured (intentionally or unintentionally), Carnivore can record any traffic it monitors (whereas it is only legally allowed to record limited, non-contentful information on a named suspect). [EPIC]

  • An FBI document indicates that Carnivore can "reliably capture and archive all unfiltered traffic." This contradicts testimony before the Senate Judiciary Committee by FBI Assistant Director Kerr, who claimed that "the packets of the subject's communication associated with the identifying information that was detected, and those alone, are segregated for additional filtering or storage. However, it's critically important to understand that all...other communications are instantaneously vaporized after that one second. They are totally destroyed; they are not collected, saved, or stored." [EPIC]

  • Although Carnivore has been described as an email surveillance system, the FBI said it could also intercept files that were transferred. "We have, in at least one case, been able to intercept using a different protocol, file transfer protocol, but with relatively small files," said Assistant Director Kerr. [WIRED]

  • Due to the way the internet transfers information (by packets), Carnivore cannot collect only information that it is legal for the FBI to collect; in the same packets as the legal information can be contained full email text, websites visited, pictures viewed, books perused in online stores, etc. [CDT]

  • Carnivore could become confused or deceived about who it is monitoring (and thus end up monitoring illegally). The recipient of an email can be determined by looking at the mail transmission protocol traffic; the sender, however, cannot be identified without looking at the body of the letter, and not even then if a very modest attempt is made at concealment or forgery of the return address. A more reliable mechanism is to use the IP address; but IP addresses are often dynamically assigned, so it is possible that following an IP address might lead Carnivore to follow not just the suspect, but any innocents who subsequently get assigned that IP address. [BLAZE]

  • Independent reviewers "did not find adequate provisions (e.g. audit trails) for establishing individual accountability for actions taken during use of Carnivore." The review team thus concluded that "it is not possible to determine who, among a group of agents with the password, may have set or changed filter settings. In fact, any action taken by the Carnivore system could have been directed by anyone knowing the Administrator password. It is impossible to trace the actions to specific individuals. Auditing is crucial in security. It is the means by which users are held accountable for their actions." [EPIC]

  • Sources:
    Electronic Privacy Information Center - Comments on Independent Review [EPIC]
    Center For Democracy and Technology - Testimony to House Constitution Subcommittee [CDT]
    Matt Blaze of AT&T Labs - Testimony to House Constitution Subcommittee [BLAZE]
    Wired - July 25, 2000 News on Carnivore [WIRED]

    Further Info: - Universities unwilling to 'review' Carnivore
    Peter Sachs of ICONN - Testimony to House Constitution Subcommittee
    Electronic Privacy Information Center - Documents obtained by Freedom Of Information Act
    FBI - Carnivore: A Diagnostic Tool

    Originally Written: 04-04-03
    Last Updated: 04-04-03

    BACK to the Decaying Freedom main page.