View
220
Download
0
Category
Tags:
Preview:
Citation preview
Internet Wiretappingand Carnivore
Sarah Boucher
Edward Cotler
Stephen Larson
May 17, 2001
Introduction
• Law enforcement needs
• Individuals’ privacy concerns
• Emerging technology
Goals
• To inform about the current technical, government, and public opinion state of U.S. Internet wiretapping policy through a case study of the FBI’s Carnivore system
• To discuss concerns about the current state of U.S. Internet wiretapping policy
• To propose changes to improve the U.S. system of Internet wiretapping
Timeline
• 1791 – The Fourth Amendment to the Constitution• 1928 – Olmstead v United States• 1934 – Federal Communications Act• 1937 – Nardone v United States• 1939 – Nardone v United States• 1967 – Berger v United States• 1967 – Katz v United States• 1968 – Omnibus Crime Control and Safe Streets Act• 1978 – Foreign Intelligence Surveillance Act
Timeline
• 1979 – Smith v Maryland• 1986 – Electronic Communications Privacy Act• 1994 – Communications Assistance for Law
Enforcement Act• 2000 – US Telecom v FCC• 2000 – Hearings in House and Senate committees• 2000 – Digital Privacy Act, proposed• 2000 – Electronic Communications Privacy Act,
proposed• 2000 – Illinois report released
Key Players
• ACLU: Opposed to wiretaps in general.• CDT: Sees a place for restricted wiretaps.• EPIC: Acquired key information using the FOIA.• DOJ: In charge of the FBI, project in general.• FBI: Conducted at least 25 Internet wiretaps
already.• Congress: Trying to catch the laws up.
Background
Legislative Background
• Fourth Amendment• FCA• Title III• FISA• ECPA• CALEA• Digital Privacy Act of 2000• Electronic Privacy Act of 2000
Legislative Background
• Fourth Amendment– The right of the people to be secure in their
persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Legislative Background
• Federal Communications Act of 1934– Prohibited the interception and disclosure of
any communication without the consent of at least one of the parties to the communication.
Legislative Background
• Title III of the Omnibus Crime Control and Safe Streets Act of 1968– Electronic surveillance made illegal, except
pursuant to a court order.
Legislative Background
• How to get a court order for electronic surveillance– Prove probable cause that an indictable crime
has been, is being, or is about to be committed.– Specifically describe the communications to be
intercepted.– Other investigative procedures have failed or
are too dangerous.
Legislative Background
• Foreign Intelligence Surveillance Act of 1978– Requires approval from the Foreign
Intelligence Surveillance Court for electronic surveillance in national security cases.
Legislative Background
• Electronic Communications Privacy Act of 1986– Amended Title III protections to cover most
wire and wireless communications.– Requires a court order for the use of pen
register and trap and trace devices.– Delineates regulations for the use of roving
wiretaps.
Legislative Background
• Communication Assistance for Law Enforcement Act of 1994– Requires telecommunications carriers to ensure
the ability of law enforcement agencies to intercept communications.
Legislative Background
• Digital Privacy Act of 2000, proposed in the 106th Congress– Strengthened the requirements for obtaining a
court order for the use of pen register and trap and trace devices.
– Heightened the reporting requirements for electronic surveillance.
Legislative Background
• Electronic Privacy Act of 2000, proposed in the 106th Congress– Strengthened the requirements for obtaining a
court order for the use of pen register and trap and trace devices.
– Other privacy enhancing changes to current federal wiretapping laws.
Judicial Background
• Olmstead v. US
• Nardone v. US
• Berger v. US
• Katz v. US
• Smith v. Maryland
• US Telecomm v. FCC
Judicial Background
• Olmstead vs. US, 1928– Supreme Court held that wiretaps were not a
violation of the Fourth Amendment.– Justice Brandeis wrote a strong dissent
supporting the extension of Fourth Amendment rights to wiretapping.
Judicial Background
• Nardone vs. US, 1937 and again in 1939– Based on FCA of 1934, the Court ruled that
wiretap evidence could not be used in trial.– In the second case, the Court expanded this
ruling to include any evidence derived from a wiretap.
Judicial Background
• Berger vs. US, 1967– Supreme Court found that a New York State
law that had been used to secure a warrant for wiretapping was overbroad in its scope.
Judicial Background
• Katz vs. US, 1967– Supreme Court effectively overturned
Olmstead v US, saying that “the Fourth Amendment protects people, not places.”
Judicial Background
• Smith vs. Maryland, 1979– Supreme Court held that there is a lower
expectation of privacy in pen mode information, therefore no warrant is required to intercept this information.
Judicial Background
• US Telecomm v. FCC, 2000– Challenges to the implementation Order for
CALEA.– Supreme Court held that location information
for wireless communications as well as packet-mode data collection can be required by CALEA.
Executive Background
When does the FBI use Carnivore?• The ISP cannot narrow sufficiently the
information retrieved to comply with the court order
• The ISP cannot receive sufficient information• The FBI does not want to disclose information to
the ISP, as in a sensitive national security investigation.
Executive Background
Full mode wiretap
• Case agent consults with the Chief Division Counsel, and a Technically Trained Agent.
Pen mode wiretap
• Case agent writes up a request with a justification for necessity
Executive Background
• FBI shows a judge the relevance of the information
• FBI shows a judge why traditional enforcement methods are insufficient
• FBI submits a request with information such as target ISP, e-mail address, etc.
• FBI waits 4-6 months
Public Policy Background
Federal Title III Wiretaps
0
100
200
300
400
500
600
700
Public Policy Background
• Wiretaps influenced by administrative policy choice– 10,000 before Safe Streets Act (1968)
– 9,000 after Safe Streets Act
• Could Carnivore have similar usage patterns?– Log secrecy
– 1850% increase from 1997 to 1999
Technical Background
• Hardware
• Software
Hardware Architecture
• A one-way tap into an Ethernet data stream• A general purpose computer to filter and
collect data• One or more additional general purpose
computers to control the collection and examine the data
• A ‘locked’ telephone link to connect the computers
Hardware Architecture
CarnivoreHub
RemoteHub
Tap
Ethernet Switch
Other NetworkSegments
The Internet
Target
Bystander
One Way Tap
• The Century Tap
• Produced by Shomiti Systems (3rd party)
Filtering/Collection Computer
• Pentium-class PC– 2 GB Jaz Drive– Generic 10/100 Mbps Ethernet adapter– A modem– Windows NT– pcAnywere
Control/Examination Computer
• Another regular computer with:– pcAnywhere– Dragonware
• Secure?
Telephone Link
• Electronic device that prevents phone line connection unless you are the key.
Software Architecture
Functionality
• Filtering
• Filter Precedence
• Output
• Analysis
Software Architecture
Software Architecture• Filtering
Fixed IP Can choose a range of IP addresses.
Dynamic IP If not in fixed IP mode, one can choose to include packets from in either Radius or DHCP mode.
Protocol Filtering One can choose to include packets from TCP, UDP, and/or ICMP in either Full mode, Pen mode, or none.
Text Filtering One can include packets that contain arbitrary text.
Port Filtering One can select particular ports to include (i.e 25 (SMTP), 80 (HTTP), 110 (POP3)).
E-mail address Filtering
One can select to include packets that contain a particular e-mail address in the to or from fields of an e-mail.
Software Architecture
• Filter Precedence• Output
– .vor– .output– .error
• Analysis– Packeteer– CoolMiner
Software Architecture• TapNDIS (written in C) is a kernal-mode driver which
captures Ethernet packets as they are received, and applies some filtering.
• TapAPI.dll (written in C++) provides the API for accessing the TapNDIS driver functionality from other applications.
• Carnivore.dll (written in C++) provides functionality for controlling the intercept of raw data.
• Carnivore.exe (written in Visual Basic) is the GUI for Carnivore.
Concerns
Legislative/Judicial Concerns
• Pen mode collection– Not strictly defined.– Low standard for obtaining a court order for the
interception of this information.– Reporting of pen mode interceptions is
minimal.
Legislative/Judicial Concerns
• Minimization of interception:– No formal definition of minimization of search
requirements.– The minimization process only has optional
judicial review.– No requirements on who conducts the
minimization.
Legislative/Judicial Concerns
• FISA interceptions:– No notification requirement, unless information
from the intercept will be used in a criminal trial.
– Completely confidential, the only information reported annually is the number of applications and the number of orders granted.
Public/Executive Concerns
• Trust
• Ease of access
• Loss of ISP control
• Procedural
Trust
“Carnivore is roughly equivalent to a wiretap capable of accessing the contents of the conversations of all of the phone company’s customers, with the ‘assurance’ that the FBI will record only conversations of the specified target.”
– Barry Steinhardt
Associate Director, ACLU
Trust
• Should we trust the government?
• Agents overlook, misplace or otherwise mangle information
• FBI still makes record-keeping mistakes– Blanton– Salvati– McVeigh
Ease of Access
“I would rather have the government crawl under barbed wire with a flashlight to install a listening device in my basement than to have them click a mouse in an office and gain access to my most private conversations.”
Phil Zimmermann
Inventor, PGP
Ease of Access
• Allocation of resources– Self-selects more important wiretaps
• Easier to make mistakes
• No paper trail in digital age
Loss of ISP Control
“The FBI is placing a black box inside the computer network of an ISP… not even the FBI knows what that gizmo is doing.”
– James X. Dempsey
Senior Staff Counsel, CDT
Loss of ISP Control
• Allows access to non-targets– Is such evidence legally obtained?
• Minimization to communications of targets
• Non-issues in traditional telephone wiretap
Procedural
“The statutory suppression remedy available for illegal interception of other communications in Title III is not extended to electronic communications… the data gathered would not automatically be thrown out as evidence.”
– IITRI Review of Carnivore
Procedural
• Supervisor auditing mechanism
• No way to track which agent is responsible for error
Public Concerns
• Survey– 117 responses– Average age: 32– Average time online per week: 13
Survey
Heard of Carnivore?
0 5 10 15 20
Yes
No
Hours online per week
Survey
• 21% heard of Carnivore
• Of those who heard of it, 68% view Carnivore as a threat to their online privacy
Survey
Public Suspicion of FBI
2.50 2.60 2.70 2.80 2.90 3.00 3.10 3.20 3.30
Currently monitorsemail
Currently monitorsInternet activity
Will abuse emailmonitoring rights
Somewhat = 3.0
Didn't hear
Heard
Survey
Should we allow government monitoring?
0.00 0.10 0.20 0.30 0.40 0.50 0.60 0.70 0.80
Phone conversations
Internet activity
Heard Didn't hear
Technical Concerns
• Design Principles
• Problems– Wrong goals– Bad implementation
• Hidden functionality?
Design PrinciplesOops:“No formal development process was followed for the
development of Carnivore through version 1.3.4. The Carnivore program was a quick-reaction capability program developed to meet the needs of the FBI for operational cases. […] This type of development is appropriate as a ‘proof of concept,’ but it is not appropriate for operational systems. Because of this lack of development methodology, important considerations, such as accountability and audit, were missed.”
–Illinois Report
Design Principles
Goals were misplaced because of the perspective on the problem. What truths can we add?
• 1) Internet wiretapping is unlike other kinds of wiretapping
• 2) An Internet wiretapping device is a 'mission critical' device
• 3) Internet wiretapping devices are in a position to bear the brunt of public scrutiny
• 4) Internet wiretaps are not automatically more confidential just because they are automated.
Design Principles
Overarching lesson:
The technical realities of Internet wiretapping strongly suggest that devices used for such purposes be engineered with extreme care, with special attention paid to potential failures.
Technical Problems: Wrong Goals
• No structured development process
• No audit trails
• Limited security of data
Technical Problems: Bad Implementation
• Problems with high throughput
• Standard Ethernet v. Full Duplex
• Security of remote computer
• Thwarted by crypto
• RADIUS (analysis omitted from Illinois Report)
Hidden Functionality?
• TapAPI provides 45 entry points callable from Carnivore.dll, only 22 are used.
• Commented out code: more sophisticated filters, real-time viewer, case tracking
Proposals
Legislative/Judicial Proposals
• Exclusionary rule
• Minimization
• Judicial review
• Pen mode requirements
• FISA amendments
• Stored communications amendment
Legislative/Judicial Proposals
• Exclusionary rule– Amend to include electronic communications.
Legislative/Judicial Proposals
• Minimization– Judicial review of minimization prior to
admittance as evidence.– Minimization conducted by someone not
directly involved in the investigation.– Court orders for electronic surveillance
explicitly specify minimization techniques to be employed.
Legislative/Judicial Proposals
• Judicial Review– Require judicial review to verify that all
electronic surveillance has been conducted in accordance with the applicable laws.
Legislative/Judicial Proposals
• Pen mode requirements– Stricter definition of what pen mode
information may include.– For any technology that pen mode collection
cannot be limited to this definition, no collection authorized.
– Court orders must be based on probable cause.– Reporting requirements must be increased to
the same level as full content intercepts.
Legislative/Judicial Proposals
• FISA amendments– Increase reporting requirements for all FISA
interceptions.– Require notification of all US citizens who are
the subject of a FISA intercept just as for Title III intercepts.
Legislative/Judicial Proposals
• Stored communications amendment– Court order is necessary to access any
electronic communication stored for less than one year at communications provider.
– Court order is necessary to access any electronic communication that has already been accessed by the user but remains in storage at the communications provider.
Public Policy Proposals
• Trust
• Ease of access
• ISP control
• Public awareness
Trust
“Never trust a computer you can’t throw out a window.”
– Steve Wozniak
Inventor, Apple Computer
Trust
• Establish independent review board of actual cases
• Open source Carnivore code
Ease of Access
“ Because of [differences between the Internet and the traditional telephone system], it is appropriate to recognize a reasonable expectation of privacy in [electronic] information and to establish a higher evidentiary threshold to obtain a surveillance order than currently exists.”
– Robert Corn-RevereCounsel, Hogan & Hartson
Ease of Access
• Require warrant even for “pen register” traps
• Require more evidence for Title III warrant– Carnivore should be last resort
ISP Control
“ISPs are in the best position to understand their own networks and the most effective ways of complying with lawful orders.”
– Alan Davidson
Staff Counsel, CDT
ISP Control
• Make Carnivore an available alternative for small ISPs• Let ISP technicians configure system and provide data
to FBI• CALEA
– “A telecommunications carrier shall ensure that its equipment, facilities, or services… are capable of expeditiously isolating and enabling the government… to intercept, to the exclusion of other communicationsto the exclusion of other communications, all wire and electronic communications carried by the carrier within a service area to or from equipment [and] to access call-identifying information.”
Public Awareness
“Public sentiment is everything. With it, nothing can fail. Without it, nothing can succeed.”
– Abraham Lincoln
“Ten people who speak make more noise than ten thousand who are silent.”
– Napoleon Bonaparte
Public Awareness
• Shed aura of secrecy– People less intimidated by what they
understand
• Publicize privacy-related issues
• Write to Congress
• Big scandal– “Carnigate” as Watergate of the 21st Century
Technical Proposals
• Get goals right
• Open source code
• Tamper-proof the local data
• Provide secure remote configuration
• Auto-post logs to website
Get goals right
• To protect citizens, not to make them paranoid
• Treat as a mission critical system
• Solidify parameters for device design in law
Open up the Code
“The technical community has developed a method to improve trust in complex systems: open source review.”
– Alan Davidson
Staff Counsel, CDT
Open up the Code
What?
• Release the source code to the public for review.
• Make updates based on suggestions and bugs discovered.
Open up the Code
• Open systems are based on keys
• Almost all popular crypto algorithms are public knowledge & rely on computational intractability
• Closed systems are based on secret processes
• Closed systems fail: DVD-CSS, SDMI
Open up the Code
Pros:• Accountability: anchor for other protections• More eyes to contribute feedback• Fixing the code instead of the law (Lessig)• Most important if distributed beyond FBI
Cons: • Licensing, security issues require revamp (needed
anyway)
Provide Secure Remote Configuration
What?
• Judicial branch sets the configuration with court order
Why?
• Eliminate ambiguity in court orders
• No need to trust the FBI
• One order = one search
Provide Secure Remote Configuration
FBI HQ
{Kpub-judge[i]}Kpriv-fbihq x n
Keyring
Provide Secure Remote Configuration
FBI HQ
Carnivore Box Carnivore Box
Keyring
Provide Secure Remote Configuration
Keyring
Carnivore BoxRemote User
{Court Order}Kpriv-judge[i]
Provide Secure Remote Configuration
FBI HQKeyring
Carnivore Box
{Court Order}Kpriv-judge[i]
(1) Generate Kpriv-carn[i]
Provide Secure Remote Configuration
FBI HQKeyring
Carnivore Box
{Court Order}Kpriv-judge[i]
(2) Send
Kpub-carn[i] Kpub-carn[i] Saved*
Provide Secure Remote Configuration
FBI HQKeyring
Carnivore Box
{Court Order}Kpriv-judge[i]
(3) Receive Symmetric Key
Provide Secure Remote Configuration
FBI HQKeyring
Carnivore Box
{Court Order}Kpriv-judge[i] (4) Receive Kpub-fbihq
Provide Secure Remote Configuration
Keyring
Carnivore Box
{Court Order}Kpriv-judge[i]
Kpub-fbihq
{Kpub-judge[i]}Kpriv-fbihq
Provide Secure Remote Configuration
Keyring Carnivore Box
{Court Order}Kpriv-judge[i]
Kpub-fbihq{Kpub-judge[i]}Kpriv-fbihq
Verify
Kpub-judge[i]
Provide Secure Remote Configuration
Keyring Carnivore Box
{Court Order}Kpriv-judge[i]Kpub-judge[i]
Verify
Court Order
Tamper-proof the Local Data
FBI HQ
Kpub-carn[i] Saved*
Tamper-proof the Local Data
What?• Private key generated with each order is
used to sign output files.• Public key from remote Carnivore unit can
be used to verify data stored.Why?• Data unprotected on computer, attacker can
alter, delete, etc.
Auto-post Logs to Website
FBI HQ
Web site
Carnivore Box
Carnivore Box
Carnivore Box
Auto-post Logs to Website
Why?• Knowing the source does not tell you how it
is usedMinimization• Time till reporting can be specified in court
order• Central FBI server will be bottleneck for
over-reporting
Conclusions
Legislative/Judicial
• Exclusionary rule
• Minimization
• Judicial review
• Pen mode requirements
• FISA amendments
• Stored communications amendment
Public Policy
• Trust
• Ease of access
• ISP control
• Public awareness
Technical
• Get goals right
• Open source code
• Tamper-proof the local data
• Provide secure remote configuration
• Auto-post logs to website
Conclusion
“If you’re talking to someone in the next bathroom stall, the government shouldn’t have to be able to listen in.”
– Robert Ellis Smith
Publisher, Privacy Journal
Recommended