Sunday, March 25, 2001

FBI software can take bite out of Canadians' privacy

Borders no obstacle for U.S. cyber spy known as Carnivore

by Tyler Hamilton

CAMBRIDGE, Mass. -- A mix of jean-clad libertarians and suited cyber lawyers gathered in a Boston hotel earlier this month to discuss how the U.S. Federal Bureau of Investigation is using snooping software to monitor the e-mail of Americans.

DSC1000, the Web surveillance system previously known as Carnivore, operated in secrecy until its existence was reported in the U.S. press last April. Since then, Carnivore has become a lightning rod for controversy, generating more questions than answers and sparking even greater mistrust of U.S. law-enforcement agencies.

The gathering in Boston, a special session of this year's Computers, Freedom, and Privacy conference, was aimed at getting a better understanding of how Carnivore works and when the FBI is likely to use it.

By the end of the session, it became clear that Carnivore's bite can extend well beyond the borders of the United States. Leading to the question: Is Uncle Sam reading Canada's e-mail, too?

"I think it's a realistic scenario and it's something we should be concerned about", says David Jones, president of Electronic Frontier Canada, an online civil-liberties group. "If the Americans are spying on my e-mail, I want to know about it."

Mark Rasch, former head of the computer crimes division at the U.S. justice department, says it's not a question of whether the FBI can monitor Canada's e-mail, it's a question of whether it has done so already. "And that applies to the FBI, CIA or NSA (National Security Agency)", he says.

Rasch, one of four speakers invited to talk about Carnivore, says the global nature of the Internet and the free and invisible movement of data across borders make it easy for U.S. authorities to monitor electronic communications flowing across or in and out of countries such as Canada.

"They can simply reroute the traffic through the United States and do it here", he says. "It's simple."

In fact, many Internet service providers (ISPs) operating in Canada routinely direct their traffic through the northern U.S., dipping across the border from Vancouver to Seattle and popping back up through Detroit or Buffalo to Toronto.

On top of that, hundreds of thousands of Canadians use Web-based e-mail services such as Yahoo and Hotmail that operate out of the U.S. Meanwhile, about 700,000 high-speed cable users have e-mail accounts that are managed out of Redwood City, Calif.

Asked what the FBI, CIA, or NSA would say if Canadian authorities had complaints about cross-border Internet snooping, Rasch says bluntly: "We would have two words for them, and the second one would be 'you'."

So, what exactly is this Carnivore beast? And how can it eat our e-mail for dinner?

Carnivore was designed by the FBI to figuratively chew on data as it passes through an ISP's network.

According to the FBI, Carnivore can only eat data the FBI has been authorized to collect by a U.S. court order. Once Carnivore sniffs out a particular data "packet" -- for example, part of an e-mail from a suspected terrorist or a Web site visited by a known drug trafficker -- it saves a copy of the packet.

Depending on the type of court order, the FBI can try to capture the full contents of an e-mail or less detailed information, such as when an e-mail was written and to whom it was sent.

Rasch says Carnivore was developed because the FBI became frustrated with ISPs that claimed they did not have the technology to spy on Internet traffic. "The FBI said, 'Here's a magic box, put this on your system and now you can do it.'"

There are about two dozen of these Carnivore boxes, which can be strategically placed on the main "hub" or traffic juncture of an ISP.

From the FBI's perspective, Carnivore is just another extension of regular surveillance practices, all done in the name of national security and public safety. The fact that more criminals use the Internet to perpetrate crimes requires even more advanced technologies to fight the battle.

In the case of suspected terrorist activity, "we would move swiftly to intercept, just as we would with telephone conversation", says FBI spokesperson Paul Bresson. "And I don't think people would have a problem with that."

But privacy advocates fear the technology is too open to abuse, or at the very least will unintentionally capture the intimate Internet messages or private surfing habits of innocent people -- both Americans and Canadians.

Unlike the phone system, where surveillance is much more targeted, the digital nature of the Internet means many different packets of data can be caught in the same net.

As the industry moves toward wireless, location-based services capable of pinpointing the exact whereabouts of a mobile Internet user, the temptation for abuse is expected to grow much stronger.

"Cops are nosy", says Jones. "They want to know what everybody is doing. They want to investigate everything, to see who's doing the bad stuff."

Jones says the ability of the FBI, CIA, or NSA to capture and analyze the e-mail of Canadians should be viewed as a national security risk -- an issue of sovereignty protection.

"Forget about personal e-mail. What about corporate transactions? Political correspondence?"

"In terms of Canada's interest, we have no control or say if the FBI implemented Carnivore here. We're not at the table."

When questioned by The Star, the FBI said Carnivore has never been used outside the United States. But it didn't rule out the cross-border use of Carnivore should the need arise.

"It's never been used internationally to date", says Bresson. "The question has come up, can it be used? There can be circumstances where we wouldn't necessarily discount using it for international purposes."

Bresson says, in its two-year existence, Carnivore has been used only about 30 times. "We can speculate on various scenarios, but I know it has not been used (in Canada) to date", he says.

Jones is convinced it is only a matter of time before Carnivore is used in Canada -- if it hasn't been used already. He is concerned the FBI may begin working with the RCMP, providing information on Canadians' online activities that the Mounties could not otherwise get legally.

"That's the way the intelligence community works", he says. "It's a well-recognized loophole that Canadian, British, and American intelligence agencies take advantage of from time to time."

Furthermore, Jones said recently that proposed amendments to the Criminal Code, making it illegal for somebody in Canada to look at or e-mail child pornography over the Internet, would give local authorities a reason to adopt broader tactics for electronic monitoring.

"They'll use this as an excuse to put everyone under surveillance", he said.

The RCMP works on a regular basis with the FBI on matters of mutual interest, but it refuses to discuss any capabilities it may have or take advantage of in the area of electronic surveillance.

"I can neither confirm nor deny we have the capability that you refer to", says RCMP spokesperson Paul Marsh, when asked if the Mounties had Carnivore-like technology or access through the FBI. "In this case, we'd prefer to keep the criminals wondering."

The RCMP works within the "parameters of the legislation that exists", he says.

Meanwhile, the Communications Security Establishment -- Canada's secretive monitoring organization that is responsible for intercepting foreign intelligence -- is equally guarded about its capabilities.

"One of the things we never talk about here is capabilities", says spokesperson Kevin Mills. However, he does say that the CSE's surveillance technology is robust and state-of-the-art. "We do have a research and development effort so that we are, if not ahead of the wave, at least riding the crest."

Many countries have e-mail snooping organizations and technologies.

The British system, called the Government Technical Assistance Centre, is a part of the secret service and sniffs out Internet traffic in the U.K.

E-mail, banking data, credit-card transactions -- they all are reportedly under a digital microscope. ISPs in the U.K. are required to link up to the surveillance centre.

In Russia, President Vladimir Putin signed an order in January that would let law-enforcement agencies legally spy on all Internet traffic within the nation's borders. Other countries have made similar moves or plan to head in the same direction.

In what has become a digital Cold War, moves by other countries put even more pressure on the United States and Canada to beef up their capabilities, resulting in highly advanced surveillance systems that are several steps ahead of slow-moving legislation.

The goal may be to catch domestic criminals and foreign terrorists, but privacy advocates say the tradeoff is an aggressive erosion of privacy on a global scale.

Carnivore is a known threat. What isn't known is how many other beasts of surveillance roam the Internet.

"What we really need to have happen, which has never really happened, is a fundamental examination of what are people's subjective expectations of privacy online," says Rasch.

"What are we, as a society, willing to accept as reasonable?"

Copyright © 2001 by The Toronto Star. All Rights Reserved. Reprinted with permission.