Testimony of James X. Dempsey
Senior Staff Counsel
Center for Democracy and Technology
http://www.cdt.org
before the
Senate Judiciary Committee
September 6, 2000
Mr. Chairman, and members of the Committee, thank you for calling this hearing and giving CDT [ * ] the opportunity to testify on the FBI's "Carnivore" initiative and its implications for Fourth Amendment privacy protections in the digital age.
Summary
We can all appreciate that new communications technologies pose challenges to law enforcement agencies carrying out important duties. But as a black box controlled by the FBI and inserted into the network of an Internet service provider to search through thousands or millions of messages, including those of innocent people, Carnivore is not the right solution. It is not consistent with the way that electronic surveillance was conducted in the past. It is not consistent with the Fourth Amendment nor with the Supreme Court's image in the Katz and Berger decisions of how electronic surveillance could permissibly be conducted. It is not consistent with the federal wiretap statute, Title III. And it is not consistent with CALEA. The FBI has to find a better way to conduct surveillance of Internet communications, one that does not entail taking control of a portion of the network of a service provider and that does not entail a general search through the communications of innocent persons.
In order to moot the serious questions about Carnivore's legality, the FBI should immediately cease insisting that it be installed outside the control of Internet service providers (ISPs). Instead, the FBI should immediately begin making the technology of Carnivore available -- including the source code and the right to modify it -- to any ISP that needs it to comply with a surveillance order. (Most ISPs don't need it.) If any ISP needs to adopt Carnivore or something like it, the ISP should control its own network, isolating and delivering to the government only what the government is entitled to intercept, and thus serving as a buffer between the government and the communications of their innocent customers. This would reinstitute the kind of checks and balances we depend on to preserve our rights.
Looking more broadly, Carnivore is the latest in a series of wake-up calls about the perils facing personal privacy in the digital age. Carnivore illustrates the extent to which the FBI claims the authority to actually control the design or functioning of communications networks. [ 1 ] Yet the deployment of Carnivore and other design or functional mandates for surveillance creates new and largely unappreciated threats to the security of communications. Moreover, even apart from FBI efforts to control the technology, it is clear that, despite the ways in which the newer digital technologies are harder to tap, on balance the government is acquiring far more surveillance powers as a result of the digital revolution: Market-driven changes in the technology and the ways we use it mean that we are generating more electronic information than ever before about our lives and making it available on networks and computers where it can be readily obtained by the government. Law enforcement agencies are not losing ground - they are gaining surveillance and tracking capabilities by leaps and bounds. For all of these reasons, Carnivore highlights the need for Congress to enact greater privacy protections in the outdated statutory framework.
Among the specific points we would like to make about Carnivore:
Context: Privacy and Surveillance in the Internet Age
The Internet has already demonstrated its potential to promote democracy, spur economic growth, and enhance human development. Individuals, civil society, businesses and governments are all rushing to use the Internet for work, activism, education, social services, human contact, artistic expression and consumerism. The Internet has become a necessity in most workplaces and a fixture in most schools and libraries. Soon, it may converge with the television and wireless phones, and thereby become nearly ubiquitous.
Every day, Americans use the Internet to access and transfer vast amounts of private data. Financial statements, medical records, and information about our children -- once kept on paper and secure in a home or office -- now travel through the network. Electronic mail, online reading and shopping habits, business transactions and Web surfing can reveal detailed profiles of people's lives. And as more and more of our lives are conducted online and more and more personal information is transmitted and stored electronically, the result has been a massive increase in the amount of sensitive data available to government investigators.
While the Justice Department frequently emphasizes the ways in which digital technologies pose new challenges to law enforcement, the fact is that the digital revolution has been a boon to government surveillance and information collection. The FBI estimates that over the next decade, given planned improvements in the digital collection and analysis of communications, the number of wiretaps will increase 300 percent. Computer files are a rich source of evidence: In a single case last year, the FBI seized enough computer evidence to nearly fill the Library of Congress twice. As most people sense with growing unease, everywhere we go on the Internet we leave digital fingerprints, which can be tracked by marketers and government agencies alike. The FBI in its budget request for FY 2001 sought additional funds to "data mine" these public and private sources of digital information for their intelligence value.
Wiretapping the Internet
Our legal framework for electronic surveillance was developed in an era of circuit-switched telephone networks, where it was relatively easy to isolate the communications of a particular target to the exclusion of the communications of innocent persons, and where it was relatively easy to distinguish between transactional data, which was limited and not very revealing, and Constitutionally-protected content. Even at the time CALEA (the Communications Assistance for Law Enforcement Act) was adopted in 1994, the telephone system, while going digital, was still largely based on a circuit-switched architecture, and CALEA assumed that central telephone company switches, if loaded with special software, would provide ready access to the communications and call-identifying information of surveillance subjects. This Committee, in drafting CALEA, wisely excluded the Internet from CALEA specifically because those technical assumptions did not apply to the packetized, decentralized Internet.
By design, the Internet's architecture is not like that of the phone system. It is not centralized. It does not dedicate a channel or circuit to one conversation. It does not have permanent addresses. But surely these technological differences do not mean that we can abandon the principles of the Fourth Amendment. As the D.C. Circuit recently made clear in the CALEA appeal, the mere fact that government agencies are encountering a new technology does not give them the authority to redefine the rules for interception, even where the government promises it will not record or use the information it is not entitled to. Instead, we must find ways to ensure that the fundamental distinctions of the law are maintained, and where they cannot be, the government must meet the higher, not the lower, legal standard. "Wiretapping" the Internet may require greater oversight and protection. If pen registers on the Internet reveal more than the "numbers dialed" they once provided for telephones, then the standard must be higher than the standard for telephone pen registers. And we must recognize that the government's desire to translate every current telephone surveillance capability into the Internet world (with a kind of 100% guaranteed success rate never really available with traditional telephone surveillance) would require a new technical architecture for the Internet with huge security risks.
It is in this context that the FBI's Carnivore initiative must be viewed.
Questions about Carnivore
Carnivore reportedly serves at least two functions. Installed at an ISP, it monitors communications on the ISP network and records messages sent or received by a targeted user. This is presumably designed to effectuate an electronic "wiretap" order served on an ISP. Carnivore can reportedly also isolate the origin and destination of all communications to and from a particular ISP customer. This is presumably designed to satisfy what law enforcement claims is the Internet equivalent of "pen register" and "trap and trace" orders, which in the telephone context provide digits dialed and incoming phone numbers. (Note that there are fundamental questions about what information pen register and trap and trace orders should collect in the Internet context.)
There are many unanswered questions about Carnivore:
How does Carnivore isolate and record only the information that the government is legally entitled to collect under a particular wiretap or pen register order? Carnivore has the potential to capture the content of communications even when a pen register order would limit collection to addressing information. Indeed, as we explain below, getting the addressing information the government claims it is entitled to often requires capturing and analyzing content. Does Carnivore avoid that? Moreover, since Carnivore operates on a network link, it has the potential to capture the traffic of customers who are not the subjects of an order. For example, Internet Protocol (IP) addresses may be used to identify the communications of a target. But in many systems such addresses are dynamically allocated (meaning that the same address will be assigned to many users sequentially, and a given user will not have the same address from day to day or hour to hour), making it quite easy to monitor the wrong user.
Is Carnivore itself a secure system? Can it be compromised? Does it provide secure audit trails, and is it tamper resistant? Is it true that Carnivore installed on an ISP's system can be remotely accessed and reprogrammed by the FBI? If Carnivore, an eavesdropping device with access to a vast stream of traffic independent of any ISP control, were itself somehow compromised, the damage to privacy and security could be tremendous.
The technical community has developed a method to improve trust in complex systems: open source review. Review of the source code and design specifications by a community of experts might reveal mistakes, bugs, or security holes unknown to the FBI. Such mistakes are quite common in the design of complex technical systems. Open source review of Carnivore's hardware, software, and technical design is essential to ensuring that Carnivore does not exceed its legal authority. It would also seem necessary for defense lawyers and judges to test in the adversarial process the reliability of evidence it generates.
Undoubtedly, the FBI will initially argue that revealing source code will compromise the effectiveness of Carnivore. If true, one must question the general security and usefulness of a system that can be so easily circumvented by anyone with knowledge of its operation.
The Department of Justice has promised to contract for an "independent review" of Carnivore. Unfortunately, the review has been wrapped in conditions and controls that undermine its credibility and seem to be discouraging the best experts from participating. Two in particular are especially troubling: (1) The contract documents for the review specify that the government will retain control over what portions of the reviewers' comments are released to the public. The government says that it will release as much as possible, consistent with contractual obligations and "preserving the effectiveness of Carnivore." This would seem to preclude release of conclusions about the vulnerability or effectiveness of Carnivore. Since the FBI has claimed that its contractual obligations preclude it from disclosing even the name of the company that built Carnivore, that could be another huge justification for censoring the contractor's report. (2) The implications of this are compounded by the blanket non-disclosure agreement that contractor personnel would be required to sign, in which they would promise not to disclose to anyone anything they learned in the course of their review without FBI permission. Under the agreement, sensitive information is defined as "any and all information received from the FBI" and "any and all other information associated with the Carnivore device and system." This gag order would mean that persons who now can talk about Carnivore based on their general understanding of it would be permanently silenced if they participated in the review.
In a Departure from Tradition and Best Practice, Carnivore Is Not Controlled by ISPs
Even were there open review of Carnivore's system, installation of a "black box" out of an ISP's control creates new privacy and security risks. The parameters for how Carnivore is used once installed are likely to be extremely important. Such parameters could control who the targets are, how they are identified, and what information is collected about them. Yet with Carnivore, ISPs appear to have no control over how the system operates. Such a system provides no checks on its use, and is an invitation for misuse or mistake. Indeed, we understand that the FBI retains the sole right to alter how Carnivore operates when it is in place, and that the FBI can do so remotely, without the knowledge or cooperation of the service provider.
Carnivore is a radical departure from the way interceptions have traditionally been performed. In the world of telephone wiretaps, phone companies are extremely reluctant to allow law enforcement officials into their switching facilities. In the past, and up through the present time, telephone companies have been adamant that they would activate any interception from within their central offices. (Companies would allow law enforcement agents to activate intercepts from access points on their outside plant, like neighborhood or apartment building junction boxes, but that type of access is disappearing.) The reasons were both privacy and security.
In 1994, Congress confirmed that this principle was an important additional check on abuse. So section 105 of CALEA expressly provides that wiretaps shall be activated and controlled by telephone company personnel:
A telecommunications service provider shall ensure that any interception of communications or access to call-identifying information effected within its switching premises can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of an individual officer or employee of the carrier ... . 47 U.S.C. 1004, Pub. L. 103-414, section 105.
CALEA does not apply to ISPs (and should not be extended to ISPs), but Carnivore is a radical departure from the principle that service providers must keep government agents out of their systems.
ISPs themselves are in the best position to comply with lawful orders for electronic surveillance. ISPs have a dual duty, to both produce information for law enforcement and to protect the privacy of their customers by only revealing such information where required by lawful order. Moreover, ISPs are in the best position to understand their own networks and the most effective ways of complying with lawful orders. They are also in the best position to understand potential implications or threats from installation of a Carnivore device.
Carnivore Performs an Unconstitutional General Search and an Illegal Intercept Under Title III
Carnivore operates very differently from an ordinary wiretap or pen register. In the telephone world, it has always been possible to isolate a pair of wires or a channel or circuit that is dedicated to a targeted individual's communications. The Supreme Court's approval of wiretapping under the Fourth Amendment was based on the understanding that the government would be accessing only the communications on a particularly identified line (the "facility," in Title III terms). All of the Court's concern about ensuring that on that particularly identified line the government only intercepted communications that involved specified criminal conduct would be rendered absurd if the government could search the lines of many subscribers. See Berger v. New York, 388 U.S. 41, 58-60 (1967); Katz v. United States, 389 U.S. 347, 355-56 (1967).
According to published accounts, including information on the FBI's Web site, http://www.fbi.gov/programs/carnivore/carnlrgmap.htm, Carnivore operates by monitoring (according to the FBI's description, redirecting and copying) all traffic on the network link where it is installed. Carnivore searches through all this traffic. (A copy of the FBI's description is attached to this testimony.) In theory, Carnivore then only records data appropriate to the order under which it operates -- i.e., data relating to the target of an order, or even narrower information pertaining to pen register or trap and trace orders.
Nevertheless, in Fourth Amendment terms, Carnivore, as it has been described, is conducting a "search" of all the communications on the network segment to which it is attached, including the traffic of innocent persons. That is, even if Carnivore functions as promised and only records the traffic of the target, it is searching through the email of many innocent persons -- it is conducting an unconstitutional general search. The ISP redirects to Carnivore a stream of packets from many different customers. Carnivore filters those packets. That is a search. The fact that Carnivore is automated and that no human ever reads innocent messages does not make it any less of a search. The use of machines to carry out searches does not make them any less a search for Constitutional purposes.
In Title III terms, it also seems clear that what Carnivore does is an "intercept." As the Second Circuit stated, "It seems clear that when the contents of a wire communication are captured or redirected in any way, an interception occurs at that time. ... Redirection presupposes interception." United States v. Rodriguez, 968 F.2d 130 (2nd Cir. 1992), cert. denied, 113 S.Ct 139, 140, 663 (1992). See also United States v. Denman, 100 F.3d 399, 403 (5th Cir. 1996), cert. denied, 117 S.Ct 1256 (1997); United States v. Tavarez, 40 F.3d 1136 (10th Cir. 1994); United States v. Nelson, 837 F.2d 1519, 1527 (11th Cir. 1988), reh'g denied en banc, 845 F.2d 1032 (1988), cert denied, 488 U.S. (1988). Thus, use of Carnivore under control of the FBI is an illegal interception of the redirected communications of innocent subscribers.
Pen Registers Do Not Translate Neatly Onto the Internet
A pen register collects the "electronic or other impulses" that identify "the numbers dialed" for outgoing calls and a trap and trace device collects "the originating number" for incoming calls. 18 USC § 3121 et seq. The Supreme Court has held that the numbers collected by a pen register on a telephone line reveal so little about a person's communication that they are not constitutionally protected. Smith v. Maryland, 442 U.S. 735 (1979). The Court has stated, "Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers." United States v. New York Tel. Co., 434 U.S. 159, 167 (1977). (While the information is not constitutionally protected, it is sensitive, and, as CDT and others have noted, the standard for pen registers in the telephone world is now too low, since even phone numbers dialed can draw a profile of a person's life.)
Carnivore's apparent attempt to extend "pen registers" and "trap and trace" orders to the Internet is not a simple matter. Access to Internet transactional data is not clearly supported by the pen register statute, which refers to the collection only of "numbers dialed" on the "telephone line" to which the device is attached. Moreover, Internet origin and destination addresses can be far more revealing than the Supreme Court contemplated in Smith v. Maryland and New York Tel. Co.
Extending the use of pen registers to new telephone devices and services -- such as pagers, or numbers dialed after a call is completed -- has been the subject of debate [ 2 ] and was one of the issues in the CALEA lawsuit where the Court of Appeals reversed the FCC. [ 3 ] But Carnivore is indicative of a whole new and problematic expansion of the pen register to the Internet. See CDT memo dated April 4, 2000, "Amending the Pen Register and Trap and Trace Statute in Response to Recent Internet Denial of Service Attacks and to Establish Meaningful Privacy Protections."
The first question is what Internet transactional data may be collected and under what standard. It is one thing if the FBI were using the pen register authority only to collect IP addresses (provided, of course, that the isolation were done by the service provider rather than by an FBI-controlled Carnivore). In the packet-switched Internet, the literal "destination" of an intercepted message is often the Internet Protocol (IP) address of the link on which it is observed. This information is found in the header of a packet. So is the Ethernet address it is being sent to on a local network. If the government is seeking just IP or Ethernet address information, it can find it in the header of a packet, which is easily separated from the content.
But if by destination the government means the "To:" line of an email message, that is often within the packet's content payload, and as the DC Circuit recently made clear, intercepting addressing information that is commingled with content requires authority to intercept content. United States Telecomm Assoc. v. FCC (Aug. 12 2000).
In an effort to illustrate this point, I have attached some packets we "sniffed" off our own CDT network. Example 1 shows a packet for a visit to Chairman Hatch's web page. The header of the packet includes the source and destination IP addresses. In this case, the source IP address 207.226.3.15 is a computer at CDT and the destination 199.95.76.12 is the U.S. Senate web server. (If you type 199.95.76.12 into your browser after http://, it takes you to the Senate home page just as if you had typed www.senate.gov.) So the header, which can be easily separated from the content payload, would provide information that might be similar to the information that a pen register would provide on a person at CDT who called 224-3121, the Senate switchboard.
However, if the FBI wanted to know what precise page I was viewing, they would need to reach into the content (TCP data) portion of the packet. There they would find that I had asked for ("GET") a copy of /~hatch/greeting.ram. Anybody typing that into a browser would find that I had downloaded the video greeting on the Chairman's web page. Thus, they would know the precise content of my Web viewing.
In other cases, where law enforcement is apparently seeking origin and destination addresses that are more than link IP addresses, they will be forced to analyze the contents of packets. For example, attached in Example 2 are three sample IP packets "sniffed" as they went from CDT's network to our ISP. The packets are part of an email message from me to Makan Delrahim, a member of the Committee staff. The header of each packet shows the IP addresses of the packet's origin (a computer at CDT) and destination (our ISP's mail server, which will next send the packet to the Senate mail server). To find out to whom the email is addressed, one would need to read and analyze the contents of specific packets. Is Carnivore able to pick out only the one packet that contains only the "To:" information and the one packet that contains only the "From:" information? It would be nice to have some assurance other than the FBI's say-so.
The email addresses in the To and From lines are much more revealing than "numbers dialed" in that they are associated with specific persons. In the case of a Web site, the URL can disclose specific pages visited, books browsed, or items purchased. And as people move more of their lives online, a list of email recipients by name or web sites visited can provide a very detailed dossier of activities -- all available without the heightened protections of a wiretap or even a standard Fourth Amendment warrant. For example, attached in Example 3 is a sample IP packet showing a search for a book on the Barnes and Noble web site. Again, the IP address information is available in the header; the URL in the body of the message reveals information about what books the user is looking at -- here, books on prostate cancer. (A subsequent URL might indicate that the person actually bought the book.) Taken together, a collection of such "destination" information could generate a revealing list of a person's interests and activities. In this way, Internet transactional information is more revealing than telephone transactional data.
CDT has long urged, and there seems to be a consensus, that Congress should raise the standards for use of pen registers across the board. Under the current standards, a judge "shall" approve any request signed by a prosecutor certifying that "the information likely to be obtained is relevant to an ongoing criminal investigation." 18 USC §§ 3122-23. This is a low standard of proof, similar to that for a subpoena, and judges are given no discretion in the granting of orders. Pen registers are executed with neither public nor judicial oversight: in contrast to wiretap orders, there is no requirement that the government ever report back to the authorizing judge on the results of a pen register and no requirement of notice to the targets of pen registers. Unlike wiretaps, there are no national reporting requirements on the use of pen registers. The Justice Department reports on its own use, but this does not include numerous federal, state and local uses.
The Carnivore debate raises Fourth Amendment questions for pen registers online. Courts have found that consumers have no "expectation of privacy" in the digits they dial on a telephone. [ 4 ] Given the revealing nature of Internet transactional information, it would seem that users do have a reasonable expectation of privacy in the URLs of Web sites they visit and the email addresses of those with whom they communicate, such that an intermediate standard is necessary for collecting certain Internet transactional data. See 18 U.S.C. 2703(d) and H.R. 5018, the "Electronic Communications Privacy Act of 2000," introduced by Reps. Canady and Hutchinson.
Reinvigorating the Fourth Amendment in Cyberspace
On May 25, 2000, I testified before this Committee about the ways in which the statutory and constitutional framework governing electronic surveillance has been outpaced by technological change. http://www.senate.gov/~judiciary/52520jxd.htm.
To update the privacy laws, and respond specifically to Carnivore, Congress could start with the following issues:
The recent White House announcement [ 5 ] on privacy and surveillance adopts some of these proposals. Extension of the wiretapping exclusionary protections to electronic interceptions is a particularly welcome step. Increasing the standard for pen registers is an improvement, but will not be sufficient if such orders are applied broadly (i.e., include URLs) to the Internet. On the other hand, the proposed expansion of the Computer Fraud and Abuse Act criminalizes an unnecessarily broad range of activities online. The proposal fails to address the need for heightened protections for private data held in the hands of third parties. And there are other changes buried in the proposal that we are still analyzing. CDT is prepared to work with Congress and the Justice Department to continue to flesh out the needed privacy enhancements, and to convene DPSWG as a forum for discussion and consensus building on these issues.
Conclusion
The Carnivore system requires greater public scrutiny. It should be controlled by the ISPs. More broadly, it speaks to the need for modernization of our surveillance laws and greater privacy protections to counteract the real threats to privacy online.
Protecting national security and public safety in this new digital age is a major challenge and priority for our country. On balance, however, the new sources of data and new tools available are proving to be a boon to government surveillance and law enforcement. We do not need to ignore traditional standards in order to respond to the new technologies. The attempt to literally translate all current surveillance capabilities directly onto the Internet may not be possible or desirable in all cases, or may require new privacy protections.
Example 1 -- Sample Web Packet (Chairman Hatch's Web Site) [ 6 ]
Packet 3704
  Timestamp: 13:38:40.765533
  Source Ethernet Address: 00:05:02:00:75:40
  Destination Ethernet Address: 00:D0:58:A9:30:52
  Encapsulated Protocol: IP
IP Header
  Version: 4
  Header Length: 20 bytes
  Service Type: 0x00
  Datagram Length: 384 bytes
  Identification: 0x7D64
  Flags: MF=off, DF=on
  Fragment Offset: 0
  TTL: 255
  Encapsulated Protocol: TCP
  Header Checksum: 0x16B6
  Source IP Address: 207.226.3.15
  Destination IP Address: 199.95.76.12
TCP Header
  Source Port: 1844 ()
  Destination Port: 80 (http)
  Sequence Number: 0941715457
  Acknowledgement Number: 2963927064
  Header Length: 20 bytes (data=344)
  Flags: URG=off, ACK=on, PSH=on RST=off, SYN=off, FIN=off
  Window Advertisement: 17520 bytes
  Checksum: 0xAC87
  Urgent Pointer: 0
TCP Data
  GET /~hatch/greeting.ram HTTP/1.0.
  Referer: http://www.senate.gov/~hatch/.
  Connection: Keep-Alive.
  User-Agent: Mozilla/4.72 (Macintosh; U; PPC).
  Host: www.senate.gov.
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*.
  Accept-Encoding: gzip.
  Accept-Language: en.
  Accept-Charset: iso-8859-1,*,utf-8.
  Cookie: STATE=UT.
This data packet was collected from CDT's network while I was viewing Chairman Hatch's web site.
The header of the packet includes the source and destination IP addresses. In this case, the source IP address 207.226.3.15 is a computer at CDT and the destination 199.95.76.12 is the U.S. Senate web server. (If you type 199.95.76.12 into your browser after http://, it takes you to the Senate home page just as if you had typed www.senate.gov.) So the header, which can be easily separated from the content payload, would provide information similar to the information that a pen register would provide on a person at CDT who called 224-3121, the Senate switchboard.
However, if the FBI wanted to know what precise page I was viewing, they would need to reach into the content ("TCP data") portion of the packet. There they would find that I had asked for ("GET") a copy of /~hatch/greeting.ram. Anybody typing that into a browser would find that I had downloaded the video greeting on the Chairman's web page. Thus, they would know the precise content of my Web viewing.
Example 2 -- 3 Sample IP Packets -- Email Message
(These three data packets were collected from CDT's network when a computer on the network sent an email message from Jim Dempsey to Makan Delrahim, a member of the Committee staff. To send the entire email message required about 20 packets, although the text of the message actually fit within one packet. All the other packets were involved in setting up the communication.)
Packet 145
  Timestamp: 13:16:01.877863
  Source Ethernet Address: 00:05:02:00:75:40
  Destination Ethernet Address: 00:D0:58:A9:30:52
  Encapsulated Protocol: IP
IP Header
  Version: 4
  Header Length: 20 bytes
  Service Type: 0x00
  Datagram Length: 80 bytes
  Identification: 0x164E
  Flags: MF=off, DF=on
  Fragment Offset: 0
  TTL: 255
  Encapsulated Protocol: TCP
  Header Checksum: 0xB629
  Source IP Address: 207.226.3.15
  Destination IP Address: 205.252.14.66
TCP Header
  Source Port: 2681 ( )
  Destination Port: 25 (smtp)
  Sequence Number: 0758931484
  Acknowledgement Number: 1689679905
  Header Length: 20 bytes (data=40)
  Flags: URG=off, ACK=on, PSH=on RST=off, SYN=off, FIN=off
  Window Advertisement: 17520 bytes
  Checksum: 0xE821
  Urgent Pointer: 0
TCP Data
  MAIL FROM: size=1024.
Packet 148
  Timestamp: 13:16:01.997987
  Source Ethernet Address: 00:05:02:00:75:40
  Destination Ethernet Address: 00:D0:58:A9:30:52
  Encapsulated Protocol: IP
IP Header
  Version: 4
  Header Length: 20 bytes
  Service Type: 0x00
  Datagram Length: 87 bytes
  Identification: 0x164F
  Flags: MF=off, DF=on
  Fragment Offset: 0
  TTL: 255
  Encapsulated Protocol: TCP
  Header Checksum: 0xB621
  Source IP Address: 207.226.3.15
  Destination IP Address: 205.252.14.66
TCP Header
  Source Port: 2681 ( )
  Destination Port: 25 (smtp)
  Sequence Number: 0758931524
  Acknowledgement Number: 1689679948
  Header Length: 20 bytes (data=47)
  Flags: URG=off, ACK=on, PSH=on RST=off, SYN=off, FIN=off
  Window Advertisement: 17520 bytes
  Checksum: 0xDF9E
  Urgent Pointer: 0
TCP Data
  RCPT TO: .
Packet 162
  Timestamp: 13:16:02.417351
  Source Ethernet Address: 00:05:02:00:75:40
  Destination Ethernet Address: 00:D0:58:A9:30:52
  Encapsulated Protocol: IP
IP Header
  Version: 4
  Header Length: 20 bytes
  Service Type: 0x00
  Datagram Length: 743 bytes
  Identification: 0x1653
  Flags: MF=off, DF=on
  Fragment Offset: 0
  TTL: 255
  Encapsulated Protocol: TCP
  Header Checksum: 0xB38D
  Source IP Address: 207.226.3.15
  Destination IP Address: 205.252.14.66
TCP Header
  Source Port: 2681 ( )
  Destination Port: 25 (smtp)
  Sequence Number: 0758931680
  Acknowledgement Number: 1689680063
  Header Length: 20 bytes (data=703)
  Flags: URG=off, ACK=on, PSH=on RST=off, SYN=off, FIN=off
  Window Advertisement: 17520 bytes
  Checksum: 0x7894
  Urgent Pointer: 0
TCP Data
  Content-Type: text/plain; charset="us-ascii".
  Date: Thu, 31 Aug 2000 13:06:43 -0400.
  To: [email protected].
  From: Jim Dempsey .
  Subject: Upcoming Carnivore hearing.
  .
  Makan,.
  .
  I might want to use some slides to illustrate some points in my testimony..
  Would it be possible to have an overhead projector available at the witness.
  table on Wed?.
  .
  Thanks,.
  .
  Jim Dempsey.
  .
  Center for Democracy and Technology.
  1634 I Street, NW Suite 1100.
  Washington DC, 20006.
  voice: 202.637.9800 fax: 202.637.0968.
  [email protected].
  .
  Use Operation Opt-Out http://opt-out.cdt.org/.
  A single place to remove your name.
  from profiling, marketing, and research databases..
  .
  .
  -----------------------------------------------------------------
Each packet has a two-part header that includes the source and destination IP addresses. In this case the source 207.226.3.15 is a computer at CDT and the destination 205.252.14.66 is our ISP's mail server (which will receive the packet and send it to the Senate mail server based on its content). It would be trivial for an ISP to isolate packets to and from these IP addresses, strip off the headers, and provide only the headers to the government.
But if the FBI wanted to use the packets above to determine the "To:" and "From:" lines under a pen register order, as it claims it has the authority to do, it would not find that in the headers. It would have to analyze the "payload" or contents of the packets in order to retrieve the address of the email sender and recipient. In the example above, the "From:" information comprises the entire content payload of packet 145, and the "To:" information comprises the entire content payload of packet 148. If Carnivore were able to record just these two packets, it would be collecting only the addressing information. But if Carnivore recorded all packets from the IP address 207.226.3.15, it would be recording the content of the message, since packet 162 contains the full text of the message itself.
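The distinction drawn above, as an added example that is not part of the original testimony: a sketch of an ISP-side filter that releases only addressing information, next to the IP-only selection that sweeps in message text. The mailbox names, packets 161, 163 and 200, and all function names are assumptions, and the filter assumes one SMTP command per TCP segment.

```python
import re

ENVELOPE = re.compile(rb"^(MAIL FROM|RCPT TO):", re.I)
ME, ISP = "207.226.3.15", "205.252.14.66"

def pkt(pid, data, src=ME, sport=2681):
    return {"id": pid, "src": src, "sport": sport, "dst": ISP, "dport": 25, "data": data}

# Constructed sample modelled on packets 145, 148 and 162. Packets 161, 163 and
# 200 and all mailbox names are invented placeholders, not values from the page.
PACKETS = [
    pkt(145, b"MAIL FROM:<sender@example.org> size=1024\r\n"),
    pkt(148, b"RCPT TO:<recipient@example.gov>\r\n"),
    pkt(200, b"MAIL FROM:<bystander@example.net>\r\n", src="207.226.3.99", sport=4000),
    pkt(161, b"DATA\r\n"),
    pkt(162, b"Subject: Upcoming Carnivore hearing\r\n\r\nMakan,\r\n"),
    pkt(163, b"RCPT TO: this line is message text\r\n.\r\n"),
]

def capture_by_ip(packets, target_ip):
    """IP-only selection: returns every payload, message text included."""
    return [p["data"] for p in packets if p["src"] == target_ip]

def minimize(packets, target_ip):
    """Addressing-only records for SMTP traffic sent by target_ip."""
    in_body, out = {}, []
    for p in packets:
        if p["src"] != target_ip or p["dport"] != 25:
            continue                      # skipped on the IP/TCP header alone
        conn, data, envelope = (p["src"], p["sport"]), p["data"], None
        if in_body.get(conn):             # between DATA and the closing "." line
            if data == b".\r\n" or data.endswith(b"\r\n.\r\n"):
                in_body[conn] = False
        elif ENVELOPE.match(data):        # MAIL FROM / RCPT TO outside the body
            envelope = data.decode("ascii", "replace").strip()
        elif data.strip().upper() == b"DATA":
            in_body[conn] = True
        out.append({"id": p["id"], "src": p["src"], "dst": p["dst"],
                    "dport": p["dport"], "len": len(data), "envelope": envelope})
    return out

if __name__ == "__main__":
    for rec in minimize(PACKETS, ME):
        print(rec)
```

Packet 163 is the edge case: its payload begins with "RCPT TO:" but arrives after DATA, so it is treated as message text and only its length is recorded.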
Example 3 - Sample Web Packet (Barnes & Noble.com Web Site)
     1 TIME: 15:02:27.439225 (0.111930)
     2 LINK: 00:80:19:42:21:68 -> 00:D0:58:A9:30:52 type=IP
     3 IP: 207.226.3.43 -> 208.158.245.141 hlen=20 TOS=00 dgramlen=695 id=6638
     4 MF/DF=0/1 frag=0 TTL=255 proto=TCP cksum=79CE
     5 TCP: port 1559 -> http seq=3306680833 ack=0184661700
     6 hlen=20 (data=655) UAPRSF=011000 wnd=17520 cksum=C1DE urg=0
     7 DATA: GET /booksearch/results.asp?WRD=prostate+cancer&userid=4MOT3
     8 F70ED HTTP/1.0.
     9 Referer: http://www.bn.com/.
    10 Connection: Keep-Alive.
    11 User-Agent: Mozilla/4.72 (Macintosh; U; PPC).
    12 Host: shop.barnesandnoble.com.
    13 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    14 image/png, */*.
    15 Accept-Encoding: gzip.
    16 Accept-Language: en.
    17 Accept-Charset: iso-8859-1,*,utf-8.
    18 Cookie: SITESERVER=ID=3b671bc4c04048950bc8a20a61c31d96; brow
    19 serid=BITS=0&OS=4&VERSION=4%2E72&AOLVER=0&BROWSER=1; Shopper
    20 Manager%2FBNShop=SHOPPERMANAGER%2FBNSHOP=2D9DNPCEB6S92MJ1001
    21 PQUW93SAR9582; userid=2NW5T2ANM7; SalesURL=Rwww%2Ebn%2Ecom%2
    22 F; ASPSESSIONIDQGQGQQCD=NACHKFKCMBPBEANEEODHLDAI. .

This data packet was collected from CDT's network when someone at CDT was searching for a book on the Barnes & Noble web site relating to "prostate cancer."
The header of the packet includes the source and destination IP addresses (line 3). In this case, the source 207.226.3.43 is a computer at CDT and the destination 208.158.245.141 is a web server affiliated with Barnes & Noble.com.
The information about the specific web page that the CDT computer viewed is contained in the packet's data section, starting at line 7. The URL shown here: http://shop.barnesandnoble.com/booksearch/results.asp?WRD=prostate+cancer&userid=4MOT3F70ED tells what books are being viewed: in this case, books about prostate cancer, just as if one had intercepted a telephone call to Barnes and Noble asking if it had any books in stock about prostate cancer. The content section of subsequent packets would show which of these books was purchased.
*. The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include ensuring that the Constitution's protections extend to the Internet and other new media. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies, and associations working on information privacy and security issues.
1. For other examples, see Neil King Jr. and David S. Cloud, Hang-Ups: Global Phone Deals Face Scrutiny from New Source: the FBI, Wall Street Journal, August 24, 2000, at A1. The implementation of CALEA has been one long struggle over the FBI's insistence on dictating very precise surveillance features to the telephone industry. See United States Telecomm Assoc. v. FCC, No. 99-1442 (D.C. Cir. Aug. 15, 2000).
2. See, e.g., Brown v. Waddell, 50 F.3d 285, 290-91 (4th Cir. 1995) (refusing to classify a digital display pager clone as a pen register).
3. See United States Telecomm Assoc. v. FCC, No. 99-1442 (D.C. Cir. Aug. 15, 2000).
4. See Smith v. Maryland, 442 U.S. 735 (1979). The Court's reasoning relied in part on its understanding that "pen registers do not acquire the contents of communications."
5. See Ted Bridis, Updating of Wiretap Law for E-Mail Age is Urged by the Clinton Administration, Wall Street Journal, July 18, 2000, at A3.
6. The tools used in the packet collection for these three examples are freeware tools available for UNIX operating systems. The packet sniffing was done by tcpdump written by Van Jacobson, Craig Leres and Steven McCanne of the Lawrence Berkeley National Laboratory. The formatting of the packets into text was done by tcpshow written by Mike Ryan.