You may have heard about Carnivore, a controversial program
developed by the U.S. Federal Bureau of Investigation (FBI) to give
the agency access to the online/e-mail activities of suspected criminals.
For many, it is eerily reminiscent of George Orwell's book "1984."
What exactly is Carnivore? Where did it come from? How does it work? What
is its purpose? In this edition of
you will learn the answers to these questions and more!
Carnivore is apparently the third generation of online-detection software
used by the FBI. While information about the first version has never been
disclosed, many believe that it was actually a readily available commercial
program called Etherpeek.
In 1997, the FBI deployed the second generation program, Omnivore.
According to information released by the FBI, Omnivore was designed to look
through traffic travelling over a specific Internet service provider (ISP)
and capture the e-mail from a targeted source, saving it to a tape-backup
drive or printing it in real-time. Omnivore was retired in late 1999 in
favor of a more comprehensive system, the DragonWare Suite, which
allows the FBI to reconstruct e-mail messages, downloaded files or even
DragonWare contains three parts:
- Carnivore - A Windows NT/2000-based system that captures the
- Packeteer - No official information released, but presumably an
application for reassembling
cohesive messages or Web pages
- Coolminer - No official information released, but presumably an
application for extrapolating and analyzing data found in the messages
As you can see, officials have not released much information about the
DragonWare Suite, nothing about Packeteer and Coolminer and very little
detailed information about Carnivore. But we do know that Carnivore is
basically a packet sniffer, a technology that is quite common and has
been around for a while.
Computer network administrators have used packet sniffers for years
to monitor their networks and perform diagnostic tests or troubleshoot
problems. Essentially, a packet sniffer is a program that can see all of the
information passing over the network it is connected to. As data streams back
and forth on the network, the program looks at, or "sniffs," each packet.
Normally, a computer only looks at packets addressed to it and ignores the
rest of the traffic on the network. When a packet sniffer
is set up on a computer, the sniffer's network interface is set to
promiscuous mode. This means that it is looking at everything that comes
through. The amount of traffic largely depends on the location of the
computer in the network. A client system out on an isolated branch of the
network sees only a small segment of the network traffic, while the main
domain server sees almost all of it.
A packet sniffer can usually be set up in one of two ways:
- Unfiltered - Captures all of the packets
- Filtered - Captures only those packets containing specific data
Packets that contain targeted data are copied as they pass
through. The program stores the copies in
or on a hard drive,
depending on the program's configuration. These copies can then be analyzed
carefully for specific information or patterns.
When you connect to the Internet, you are joining a network maintained by
your ISP. The ISP's network communicates with other networks maintained by
other ISPs to form the
foundation of the Internet. A packet sniffer located at one of the
servers of your ISP would potentially be able to monitor all of your online
activities, such as:
- Which Web sites you visit
- What you look at on the site
- Whom you send e-mail to
- What's in the e-mail you send
- What you download from a site
- What streaming events you use, such as audio, video and
- Who visits your site (if you have a Web site)
In fact, many ISPs use packet sniffers as diagnostic tools. Also,
a lot of ISPs maintain copies of data, such as e-mail, as part of their
back-up systems. Carnivore (and its sister programs) may be a controversial
step forward for the FBI, but it is not a new technology.
Now that you know a bit about what Carnivore is, let's take a look at how it
works:
- The FBI has a reasonable suspicion that someone is engaged in
criminal activities and requests a court order to view the suspect's
- A court grants the request for a full content-wiretap of e-mail
traffic only and issues an order.
A term used in
surveillance, "content-wiretap" means that everything in the packet
can be captured and used. The other type of wiretap is a trap-and-trace,
which means that the FBI can only capture the destination information,
such as the e-mail account of a message being sent out or the Web-site
address that the suspect is visiting. A reverse form of trap-and-trace,
called pen-register, tracks where e-mail to the suspect is coming
from or where visits to a suspect's Web site originate.
- The FBI contacts the suspect's ISP and requests a copy of the back-up
files of the suspect's activity.
- The ISP does not maintain customer-activity data as part of its
- The FBI sets up a Carnivore computer at the ISP to monitor the
suspect's activity. The computer consists of:
- A Pentium III Windows NT/2000 system with 128
- A commercial communications software application
- A custom C++
application that works in conjunction with the commercial program above
to provide the packet sniffing and filtering
- A type of physical lockout system that requires a special passcode
to access the computer (This keeps anyone but the FBI from physically
accessing the Carnivore system.)
- A network isolation device that makes the Carnivore system
invisible to anything else on the network (This prevents anyone from
hacking into the system from another computer.)
- A 2-gigabyte (GB)
Iomega Jaz drive for storing the captured data (The Jaz drive uses
removable cartridges that can be swapped out as easily as a
- The FBI configures the Carnivore software with the
of the suspect so that Carnivore will only capture packets from this
particular location. It ignores all other packets.
- Carnivore copies all of the packets from the suspect's system without
impeding the flow of the network traffic.
- Once the copies are made, they go through a filter that only
keeps the e-mail packets. The program determines what the packets contain
based on the
protocol of the packet. For example, all e-mail packets use the
Simple Mail Transfer Protocol (SMTP).
- The e-mail packets are saved to the Jaz cartridge.
- Once every day or two, an FBI agent visits the ISP and swaps out the
Jaz cartridge. The agent takes the retrieved cartridge and puts it in a
container that is dated and sealed. If the seal is broken, the person
breaking it must sign, date and reseal it -- otherwise, the cartridge can
be considered "compromised."
- The surveillance cannot continue for more than a month without an
extension from the court. Once complete, the FBI removes the system from
- The captured data is processed using Packeteer and Coolminer.
- If the results provide enough evidence, the FBI can use them as part
of a case against the suspect.
The example above shows how the system identifies which packets to store.
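The two filtering stages in the steps above (keep only packets from one system, then keep only e-mail packets) can be sketched as follows. This is an added illustration, not Carnivore's code or anything released by the FBI. It assumes the target is identified by an IPv4 source address and that SMTP is recognised by TCP port 25, and it also shows the difference between a content-wiretap and a trap-and-trace capture. All frames and addresses are constructed sample data.

```python
import socket
import struct

SMTP_PORT = 25  # assumption: SMTP traffic is recognised by its well-known TCP port

def build_frame(src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame for the constructed sample below."""
    eth = b"\x02" * 12 + b"\x08\x00"                      # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return (src_ip, dst_ip, dst_port, payload), or None if not a full IPv4/TCP frame."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    tcp = 14 + ihl                                        # offset of the TCP header
    if ihl < 20 or frame[23] != 6 or len(frame) < tcp + 20:
        return None
    total_len, = struct.unpack("!H", frame[16:18])
    dst_port, = struct.unpack("!H", frame[tcp + 2:tcp + 4])
    data = tcp + (frame[tcp + 12] >> 4) * 4               # skip TCP header and options
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            dst_port, frame[data:14 + total_len])

def capture(frames, target_ip, mode="content"):
    """Filtered capture. mode="content" keeps payloads; "trap-and-trace" keeps
    destination information only."""
    kept = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or parsed[0] != target_ip:      # stage 1: source address
            continue
        _, dst_ip, dst_port, payload = parsed
        if dst_port != SMTP_PORT:                         # stage 2: protocol
            continue
        kept.append((dst_ip, dst_port, payload if mode == "content" else None))
    return kept

# Constructed sample traffic; addresses are RFC 5737 documentation ranges.
SAMPLE = [
    build_frame("192.0.2.10", "198.51.100.25", 40000, 25, b"MAIL FROM:<a@example.org>\r\n"),
    build_frame("192.0.2.10", "198.51.100.80", 40001, 80, b"GET / HTTP/1.1\r\n\r\n"),
    build_frame("192.0.2.77", "198.51.100.25", 40002, 25, b"MAIL FROM:<b@example.org>\r\n"),
    b"\x00" * 10,  # truncated frame, skipped by the parser
]
```

Calling capture(SAMPLE, "192.0.2.10") keeps one of the four frames, the SMTP packet from the target address. With mode="trap-and-trace" the same packet is recorded with its destination only and no payload.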
Prey of the Carnivore
The FBI plans to use Carnivore for specific reasons. Particularly, the
agency will request a court order to use Carnivore when a person is
- Child pornography/exploitation
- Information warfare
There are some key issues that are causing a great deal of concern from
- Privacy - Many folks think that Carnivore is a severe violation
While the potential for abuse is certainly there, the Electronic
Communications Privacy Act (ECPA) provides legal protection of privacy
for all types of electronic communication. Any type of electronic
surveillance requires a court order and must show probable cause
that the suspect is engaged in criminal activities. Therefore, use of
Carnivore in any way that does not adhere to ECPA is illegal and can be
- Regulation - There is a widespread belief that Carnivore is a
huge system that can allow the U.S. government to seize control of the
Internet and regulate its use.
To do this would require an amazing infrastructure -- the FBI would
need to place Carnivore systems at every ISP, including private,
commercial and educational. While it is theoretically possible to do so
for all of the ISPs operating in the United States, there is still no way
to regulate those operating outside of U.S. jurisdiction. Any such move
would also face serious opposition from every direction.
- Free speech - Some people think that Carnivore monitors all of
the content flowing through an ISP, looking for certain keywords such as
"bomb" or "assassination."
Any packet sniffer can be set to look for certain patterns of
characters or data. Without probable cause, though, the FBI has no
justification to monitor your online activity and would be in severe
violation of ECPA and your constitutional right to free speech if it did
- Echelon - This is a secret network rumored to be under
development by the National Security Agency (NSA), supposedly
designed to detect and capture packets crossing international borders that
contain certain keywords, such as "bomb" or "assassination."
There is no solid evidence to support the existence of Echelon. Many
people have confused this rumored system with the very real Carnivore
All of these concerns have made implementation of Carnivore an uphill
battle for the FBI. The FBI has refused to disclose the source code and
certain other pieces of technical information about Carnivore, which has
only added to people's concerns. But, as long as it is used within the
constraints and guidelines of ECPA, Carnivore has the potential to be a
useful weapon in the war on crime.