Internet Wiretapping and Carnivore - MIT CSAIL

Internet Wiretapping and Carnivore - MIT CSAIL

Internet Wiretapping and Carnivore Sarah Boucher Edward Cotler Stephen Larson May 17, 2001 Introduction Law enforcement needs

Individuals privacy concerns Emerging technology Goals To inform about the current technical, government, and public opinion state of U.S. Internet wiretapping policy through a case study of the FBIs Carnivore system To discuss concerns about the current state of U.S. Internet wiretapping policy

To propose changes to improve the U.S. system of Internet wiretapping Timeline

1791 The Fourth Amendment to the Constitution 1928 Olmstead v United States 1934 Federal Communications Act 1937 Nardone v United States 1939 Nardone v United States 1967 Berger v United States

1967 Katz v United States 1968 Omnibus Crime Control and Safe Streets Act 1978 Foreign Intelligence Surveillance Act Timeline 1979 Smith v Maryland 1986 Electronic Communications Privacy Act 1994 Communications Assistance for Law Enforcement Act 2000 US Telecom v FCC

2000 Hearings in House and Senate committees 2000 Digital Privacy Act, proposed 2000 Electronic Communications Privacy Act, proposed 2000 Illinois report released Key Players

ACLU: Opposed to wiretaps in general. CDT: Sees a place for restricted wiretaps. EPIC: Acquired key information using the FOIA. DOJ: In charge of the FBI, project in general. FBI: Conducted at least 25 Internet wiretaps already. Congress: Trying to catch the laws up.

Background Legislative Background

Fourth Amendment FCA Title III FISA ECPA CALEA Digital Privacy Act of 2000

Electronic Privacy Act of 2000 Legislative Background Fourth Amendment The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the

place to be searched, and the persons or things to be seized. Legislative Background Federal Communications Act of 1934 Prohibited the interception and disclosure of any communication without the consent of at least one of the parties to the communication. Legislative Background

Title III of the Omnibus Crime Control and Safe Streets Act of 1968 Electronic surveillance made illegal, except pursuant to a court order. Legislative Background How to get a court order for electronic surveillance Prove probable cause that an indictable crime has been, is being, or is about to be committed.

Specifically describe the communications to be intercepted. Other investigative procedures have failed or are too dangerous. Legislative Background Foreign Intelligence Surveillance Act of 1978 Requires approval from the Foreign Intelligence Surveillance Court for electronic

surveillance in national security cases. Legislative Background Electronic Communications Privacy Act of 1986 Amended Title III protections to cover most wire and wireless communications. Requires a court order for the use of pen register and trap and trace devices. Delineates regulations for the use of roving

wiretaps. Legislative Background Communication Assistance for Law Enforcement Act of 1994 Requires telecommunications carriers to ensure the ability of law enforcement agencies to intercept communications. Legislative Background

Digital Privacy Act of 2000, proposed in the 106th Congress Strengthened the requirements for obtaining a court order for the use of pen register and trap and trace devices. Heightened the reporting requirements for electronic surveillance. Legislative Background Electronic Privacy Act of 2000, proposed in

the 106th Congress Strengthened the requirements for obtaining a court order for the use of pen register and trap and trace devices. Other privacy enhancing changes to current federal wiretapping laws. Judicial Background

Olmstead v. US Nardone v. US Berger v. US Katz v. US Smith v. Maryland

US Telecomm v. FCC Judicial Background Olmstead vs. US, 1928 Supreme Court held that wiretaps were not a violation of the Fourth Amendment. Justice Brandeis wrote a strong dissent supporting the extension of Fourth Amendment rights to wiretapping.

Judicial Background Nardone vs. US, 1937 and again in 1939 Based on FCA of 1934, the Court ruled that wiretap evidence could not be used in trial. In the second case, the Court expanded this ruling to include any evidence derived from a wiretap. Judicial Background Berger vs. US, 1967

Supreme Court found that a New York State law that had been used to secure a warrant for wiretapping was overbroad in its scope. Judicial Background Katz vs. US, 1967 Supreme Court effectively overturned Olmstead v US, saying that the Fourth Amendment protects people, not places.

Judicial Background Smith vs. Maryland, 1979 Supreme Court held that there is a lower expectation of privacy in pen mode information, therefore no warrant is required to intercept this information. Judicial Background US Telecomm v. FCC, 2000 Challenges to the implementation Order for

CALEA. Supreme Court held that location information for wireless communications as well as packetmode data collection can be required by CALEA. Executive Background When does the FBI use Carnivore? The ISP cannot narrow sufficiently the information retrieved to comply with the court order

The ISP cannot receive sufficient information The FBI does not want to disclose information to the ISP, as in a sensitive national security investigation. Executive Background Full mode wiretap Pen mode wiretap

Case agent consults with the Chief Division Counsel, and a Technically Trained Agent. Case agent writes up a request with a justification for necessity

Executive Background FBI shows a judge the relevance of the information FBI shows a judge why traditional enforcement methods are insufficient FBI submits a request with information such as target ISP, e-mail address, etc. FBI waits 4-6 months

Public Policy Background Federal Title III Wiretaps 700 600 500 400 300 200 100

0 Public Policy Background Wiretaps influenced by administrative policy choice 10,000 before Safe Streets Act (1968) 9,000 after Safe Streets Act Could Carnivore have similar usage patterns? Log secrecy

1850% increase from 1997 to 1999 Technical Background Hardware Software Hardware Architecture A one-way tap into an Ethernet data stream A general purpose computer to filter and collect data

One or more additional general purpose computers to control the collection and examine the data A locked telephone link to connect the computers Hardware Architecture The Internet Ethernet Switch

Other Network Segments Tap Hub Hub

Target Bystander Carnivore Remote One Way Tap The Century Tap Produced by Shomiti Systems (3rd party)

Filtering/Collection Computer Pentium-class PC 2 GB Jaz Drive

Generic 10/100 Mbps Ethernet adapter A modem Windows NT pcAnywere Control/Examination Computer Another regular computer with: pcAnywhere Dragonware

Secure? Telephone Link Electronic device that prevents phone line connection unless you are the key. Software Architecture Functionality Filtering Filter Precedence

Output Analysis Software Architecture Software Architecture Filtering Fixed IP Dynamic IP

Can choose a range of IP addresses. Protocol Filtering One can choose to include packets from TCP, UDP, and/or ICMP in either Full mode, Pen mode, or none. Text Filtering Port Filtering

One can include packets that contain arbitrary text. E-mail address Filtering One can select to include packets that contain a particular e-mail address in the to or from fields of an e-mail.

If not in fixed IP mode, one can choose to include packets from in either Radius or DHCP mode. One can select particular ports to include (i.e 25 (SMTP), 80 (HTTP), 110 (POP3)). Software Architecture Filter Precedence Output .vor

.output .error Analysis Packeteer CoolMiner Software Architecture TapNDIS (written in C) is a kernal-mode driver which captures Ethernet packets as they are received, and applies

some filtering. TapAPI.dll (written in C++) provides the API for accessing the TapNDIS driver functionality from other applications. Carnivore.dll (written in C++) provides functionality for controlling the intercept of raw data. Carnivore.exe (written in Visual Basic) is the GUI for Carnivore. Concerns

Legislative/Judicial Concerns Pen mode collection Not strictly defined. Low standard for obtaining a court order for the interception of this information. Reporting of pen mode interceptions is minimal. Legislative/Judicial Concerns

Minimization of interception: No formal definition of minimization of search requirements. The minimization process only has optional judicial review. No requirements on who conducts the minimization. Legislative/Judicial Concerns FISA interceptions:

No notification requirement, unless information from the intercept will be used in a criminal trial. Completely confidential, the only information reported annually is the number of applications and the number of orders granted. Public/Executive Concerns

Trust Ease of access Loss of ISP control Procedural Trust Carnivore is roughly equivalent to a wiretap

capable of accessing the contents of the conversations of all of the phone companys customers, with the assurance that the FBI will record only conversations of the specified target. Barry Steinhardt Associate Director, ACLU Trust Should we trust the government? Agents overlook, misplace or otherwise

mangle information FBI still makes record-keeping mistakes Blanton Salvati McVeigh Ease of Access I would rather have the government crawl under barbed wire with a flashlight to install a listening device in my basement than to have them click a

mouse in an office and gain access to my most private conversations. Phil Zimmermann Inventor, PGP Ease of Access Allocation of resources Self-selects more important wiretaps Easier to make mistakes

No paper trail in digital age Loss of ISP Control The FBI is placing a black box inside the computer network of an ISP not even the FBI knows what that gizmo is doing. James X. Dempsey Senior Staff Counsel, CDT Loss of ISP Control

Allows access to non-targets Is such evidence legally obtained? Minimization to communications of targets Non-issues in traditional telephone wiretap Procedural The statutory suppression remedy available for illegal interception of other communications in Title III is not extended

to electronic communications the data gathered would not automatically be thrown out as evidence. IITRI Review of Carnivore Procedural Supervisor auditing mechanism No way to track which agent is responsible for error

Public Concerns Survey 117 responses Average age: 32 Average time online per week: 13 Survey Heard of Carnivore? No

Yes 0 5 10 Hours online per week

15 20 Survey 21% heard of Carnivore Of those who heard of it, 68% view Carnivore as a threat to their online privacy Survey

Public Suspicion of FBI Will abuse email monitoring rights Didn't hear Heard Currently monitors Internet activity Currently monitors email

2.50 2.60 2.70 2.80 2.90

3.00 Somewhat = 3.0 3.10 3.20 3.30

Survey Should we allow government monitoring? Internet activity Email Phone conversations 0.00

0.10 0.20 0.30 Heard 0.40

0.50 Didn't hear 0.60 0.70 0.80

Technical Concerns Design Principles Problems Wrong goals Bad implementation Hidden functionality? Design Principles

Oops: No formal development process was followed for the development of Carnivore through version 1.3.4. The Carnivore program was a quick-reaction capability program developed to meet the needs of the FBI for operational cases. [] This type of development is appropriate as a proof of concept, but it is not appropriate for operational systems. Because of this lack of development methodology, important considerations,

such as accountability and audit, were missed. Illinois Report Design Principles Goals were misplaced because of the perspective on the problem. What truths can we add? 1) Internet wiretapping is unlike other kinds of wiretapping 2) An Internet wiretapping device is a 'mission critical' device

3) Internet wiretapping devices are in a position to bear the brunt of public scrutiny 4) Internet wiretaps are not automatically more confidential just because they are automated. Design Principles Overarching lesson: The technical realities of Internet wiretapping strongly suggest that devices used for such purposes be engineered with

extreme care, with special attention paid to potential failures. Technical Problems: Wrong Goals No structured development process No audit trails Limited security of data Technical Problems: Bad Implementation

Problems with high throughput Standard Ethernet v. Full Duplex Security of remote computer Thwarted by crypto

RADIUS (analysis omitted from Illinois Report) Hidden Functionality? TapAPI provides 45 entry points callable from Carnivore.dll, only 22 are used. Commented out code: more sophisticated filters, real-time viewer, case tracking Proposals

Legislative/Judicial Proposals Exclusionary rule

Minimization Judicial review Pen mode requirements FISA amendments Stored communications amendment Legislative/Judicial Proposals Exclusionary rule Amend to include electronic communications.

Legislative/Judicial Proposals Minimization Judicial review of minimization prior to admittance as evidence. Minimization conducted by someone not directly involved in the investigation. Court orders for electronic surveillance explicitly specify minimization techniques to be employed.

Legislative/Judicial Proposals Judicial Review Require judicial review to verify that all electronic surveillance has been conducted in accordance with the applicable laws. Legislative/Judicial Proposals Pen mode requirements Stricter definition of what pen mode information may include.

For any technology that pen mode collection cannot be limited to this definition, no collection authorized. Court orders must be based on probable cause. Reporting requirements must be increased to the same level as full content intercepts. Legislative/Judicial Proposals FISA amendments Increase reporting requirements for all FISA

interceptions. Require notification of all US citizens who are the subject of a FISA intercept just as for Title III intercepts. Legislative/Judicial Proposals Stored communications amendment Court order is necessary to access any electronic communication stored for less than one year at communications provider.

Court order is necessary to access any electronic communication that has already been accessed by the user but remains in storage at the communications provider. Public Policy Proposals

Trust Ease of access ISP control Public awareness Trust Never trust a computer you cant throw out a window. Steve Wozniak

Inventor, Apple Computer Trust Establish independent review board of actual cases Open source Carnivore code Ease of Access Because of [differences between the Internet and the traditional telephone system], it is appropriate

to recognize a reasonable expectation of privacy in [electronic] information and to establish a higher evidentiary threshold to obtain a surveillance order than currently exists. Robert Corn-Revere Counsel, Hogan & Hartson Ease of Access Require warrant even for pen register traps

Require more evidence for Title III warrant Carnivore should be last resort ISP Control ISPs are in the best position to understand their own networks and the most effective ways of complying with lawful orders. Alan Davidson Staff Counsel, CDT

ISP Control Make Carnivore an available alternative for small ISPs Let ISP technicians configure system and provide data to FBI CALEA A telecommunications carrier shall ensure that its equipment, facilities, or services are capable of expeditiously isolating and enabling the government to intercept, to the exclusion of other communications, communications all wire

and electronic communications carried by the carrier within a service area to or from equipment [and] to access callidentifying information. Public Awareness Public sentiment is everything. With it, nothing can fail. Without it, nothing can succeed. Abraham Lincoln Ten people who speak make more noise than ten thousand who are silent.

Napoleon Bonaparte Public Awareness Shed aura of secrecy People less intimidated by what they understand Publicize privacy-related issues Write to Congress Big scandal

Carnigate as Watergate of the 21st Century Technical Proposals Get goals right

Open source code Tamper-proof the local data Provide secure remote configuration Auto-post logs to website Get goals right To protect citizens, not to make them paranoid Treat as a mission critical system Solidify parameters for device design in law

Open up the Code The technical community has developed a method to improve trust in complex systems: open source review. Alan Davidson Staff Counsel, CDT Open up the Code What?

Release the source code to the public for review. Make updates based on suggestions and bugs discovered. Open up the Code Open systems are based on keys Almost all popular crypto algorithms are public knowledge & rely on computational intractability

Closed systems are based on secret processes Closed systems fail: DVD-CSS, SDMI Open up the Code Pros: Accountability: anchor for other protections More eyes to contribute feedback Fixing the code instead of the law (Lessig) Most important if distributed beyond FBI

Cons: Licensing, security issues require revamp (needed anyway) Provide Secure Remote Configuration What? Judicial branch sets the configuration with court order Why?

Eliminate ambiguity in court orders No need to trust the FBI One order = one search Provide Secure Remote Configuration FBI HQ Keyring {Kpub-judge[i]}Kpriv-fbihq

x n Provide Secure Remote Configuration FBI HQ Carnivore Box Keyring Carnivore Box

Provide Secure Remote Configuration Carnivore Box Keyring Remote User {Court Order}Kpriv-judge[i] Provide Secure Remote

Configuration Carnivore Box Keyring {Court Order}Kpriv-judge[i] (1) Generate Kpriv-carn[i] FBI HQ Provide Secure Remote Configuration

Carnivore Box Keyring {Court Order}Kpriv-judge[i] (2) Send Kpub-carn[i] FBI HQ Kpub-carn[i]

Saved* Provide Secure Remote Configuration Carnivore Box Keyring {Court Order}Kpriv-judge[i] FBI HQ (3) Receive

Symmetric Key Provide Secure Remote Configuration Carnivore Box FBI HQ Keyring

{Court Order}Kpriv-judge[i] (4) Receive Kpub-fbihq Provide Secure Remote Configuration Carnivore Box Keyring

{Kpub-judge[i]}Kpriv-fbihq Kpub-fbihq {Court Order}Kpriv-judge[i] Provide Secure Remote Configuration Keyring Carnivore Box

{Kpub-judge[i]}Kpriv-fbihq Verify Kpub-judge[i] {Court Order}Kpriv-judge[i] Kpub-fbihq

Provide Secure Remote Configuration Keyring Carnivore Box {Court Order}Kpriv-judge[i] Verify

Court Order Kpub-judge[i] Tamper-proof the Local Data FBI HQ Kpub-carn[i] Saved*

Tamper-proof the Local Data What? Private key generated with each order is used to sign output files. Public key from remote Carnivore unit can be used to verify data stored. Why? Data unprotected on computer, attacker can alter, delete, etc.

Auto-post Logs to Website Carnivore Box Carnivore Box Carnivore Box FBI HQ Web site Auto-post Logs to Website

Why? Knowing the source does not tell you how it is used Minimization Time till reporting can be specified in court order Central FBI server will be bottleneck for over-reporting Conclusions

Legislative/Judicial Exclusionary rule

Minimization Judicial review Pen mode requirements FISA amendments Stored communications amendment Public Policy

Trust Ease of access ISP control Public awareness Technical

Get goals right Open source code Tamper-proof the local data Provide secure remote configuration Auto-post logs to website

Conclusion If youre talking to someone in the next bathroom stall, the government shouldnt have to be able to listen in. Robert Ellis Smith Publisher, Privacy Journal

Recently Viewed Presentations

  • Environmental Hazards and Human Health

    Environmental Hazards and Human Health

    Toxicants may accumulate in the food chain. Some toxicants are not easily broken down in the body and build up in the body. Some substances are stored in fat or muscle tissue. Bioaccumulation refers to the process where toxicants build...
  • 2017Annual investment income reporting(AIIR)

    2017Annual investment income reporting(AIIR)

    VR592 - if the Security level data record . or . Sale of securities data record . are reported in 2017 the file will be rejected as these are for reporting from 2018. However, you still need to include those...
  • Tomography: principle Ulrike Ziese, Dept. Molecular Cell Tomography:

    Tomography: principle Ulrike Ziese, Dept. Molecular Cell Tomography:

    Title: Slide 1 Author: Ulrike Ziese Last modified by: Ulrike Ziese Created Date: 6/11/2002 9:32:24 AM Document presentation format: On-screen Show Company
  • These training materials are provided by the New Mexico ...

    These training materials are provided by the New Mexico ...

    Catching identity theft early helps minimize the consequences. Protect against identity theft: Change your passwords frequently. Changing your passwords frequently is another good safeguard against identity theft. If your password has been stolen, changing the password will mean that the...
  • Snapping Hip -

    Snapping Hip -

    "tucking the tush" too much (anterior tilt) , causes hip joint compression and decreases ROM. Also, shortens and tightens iliopsoas, leads to back pain from reversing spinal curves- iliopsoas. ... Lack of synergy with trunk, hip and pelvic stabilizers.
  • The influence of citizenship, institutional trust and racism

    The influence of citizenship, institutional trust and racism

    Saffron Karlsen with James Nazroo Department of Epidemiology and Public Health University College London Introduction Muslims are a group which is publically demonised Increase in religious victimisation since 9/11 Many Muslims feel positively about life in Europe, and feel 'at...
  • Business Owners Policy

    Business Owners Policy

    Permanent fixtures - blinds, drapes, lights, equipment. Personal property - contents of business including leased equipment (e.g., copiers) ... business owner can cancel by calling agent or writing insurance company. Insurance company must give prior notice to business owner to...
  • U.S. Citizenship

    U.S. Citizenship

    Roots of Citizenship. Ideas for citizenship date back 2,500 years ago to Ancient Greece and Rome. Gave them legal rights and the ability to participate in government (Only for men, who owned property.) Then, duties were paying taxes and serving...