"a fish, a barrel, and a smoking gun"
for 4 December 2000.



Score another one for the Law of Unintended Consequences. The United States government's too-enthusiastic efforts to pry into every packet of data that its citizens ship to each other over the Internet have the potential to doom its ability to spy on anybody at all. Gone greedy with data-lust, the Feds are running the very real risk of closing every door they have ever peeked through. It is no small irony that the inept fumbling of Carnivore could be the greatest boon to privacy — both legitimate and otherwise — that electronic communication has ever known.

"Carnivore" is the soothingly innocuous code name for an FBI project to build a comprehensive wiretap for the Internet. Intended to be installed at every Internet service provider in the country, each sealed Carnivore box is a single point through which all information to or from that ISP flows. Though the Bureau originally claimed that Carnivore was designed only to scan for e-mail messages sent to known bad elements — binladen@aol.com, you've got mail! — Freedom of Information Act details have proven otherwise: Carnivore can watch everything — e-mail, Web requests and responses, logins, instant messages, chat, that naughty streaming video you like so much. Everything.

The implications of such a device are terrifying. With an ever-increasing amount of communication — everything from business correspondence to love letters to Metallica songs — sent via the Net, the FBI is claiming the right to examine, record, track and analyze any and all of it, in detail. Basically, the same organization whose level-headed reasonableness landed Wen Ho Lee in solitary for no very good reason now wants arbitrary access to (and arbitrary discretion over the delivery of) everything you might decide to tell someone else.

The technology itself is not new. "Promiscuous sniffers" — machines designed to watch data pass along wires — are well-established and well-known tools, used by every network administrator in the world. It's the FBI's coordinated and near-omnipresent installation of these sniffers, coupled with no public disclosure or oversight of what they are looking for, that has caused privacy advocates to fall into grand mal seizures.

A collection of independent reviewers has gone over the Carnivore code, of course — after several others passed, citing onerous FBI conditions — but their report has done exactly nothing to mollify critics. Though the Bureau promises — cross their hearts — that Carnivore would never be used to invade anyone's privacy without a court order, their regard for the Fourth Amendment appears shaky at best. For instance, the FBI already considers e-mail headers fair game, claiming that they're the equivalent of the information on an envelope. But sophisticated traffic analysis can be conducted with this data, far beyond (and far more telling than) anything coming off paper. This does not bode well for any sensible definition of "unreasonable."

Hard-core privacy advocates, long and somewhat justifiably regarded as paranoids, have taken to Carnivore with all the delicate nuance that ducks take to jet engines. They consider that quiet thump-thump-thump in the distance as either Thomas Jefferson rolling over in his grave or J. Edgar Hoover whacking off in his. Carnivore, they claim, is the end of the world.

And at first blush, you'd be hard-pressed to disagree with them. Whether guilty of anything or not, the thought of the government granting itself the ability to root through the post-diluvian equivalent of every conversation you have is gut-curdling. Big Brother, it turns out, looks a lot like Efrem Zimbalist, Jr.

But that view may prove to be reflexive and short-sighted — it expects and allows for no response. The FBI's mysterious toy may yet be the best thing that has ever happened to the cryptography movement. Long resigned to defending the public's interest without any interest from the public, the cypherpunks and crypto-geeks don't seem to realize that they have been given a gift as valuable as anything they could have ever wished for: a very big, very recognizable and very dumb enemy.

Which is a nice thing to have, in the eternal battle to sway the status quo. By demonizing the FBI (or by just sitting back and letting the FBI demonize itself), privacy advocates could go a long way towards stoking the public's interest in — and demand for — electronic privacy, including software to avoid the Bureau's prying eye. While most e-mail clients, for instance, currently support S/MIME or some other encryption standard, they are at best awkward and at worst ignored; aftermarket add-ons like PGP are little better.

But just as Web browsers create invisible, cryptographically secure connections without their users being (or, in fact, being capable of being) any the wiser, Carnivore has enough PR-downside to spur interest in adding that ability to every program. The simple act of sending an e-mail message should ideally cause the text to be encrypted, randomly routed through anonymous re-mailers and decrypted — all without any extraordinary user involvement. Carnivore has the potential to make it possible. The FBI has created a market.

And it's a market that's already being catered to. In the wake of geek-based services like Hushmail and Freedom, even such mainstream providers as Yahoo have started taking awkward baby-steps toward encrypted mail. Mozilla (assuming it ever ships) would be the perfect place to start adding ubiquitous cryptography — using the now patent-free RSA algorithm — to desktop applications. Open-sourced and freely available, the e-mail client of the Web's ugliest late-bloomer is a guinea pig begging to be toyed with. Outlook and Eudora and other programs could quickly join in any open, Net-wide cryptographic infrastructure. And once simple encryption becomes a standard checklist feature, it will spread virally, into every nook and cranny of the Internet. Suddenly, grandma is using munitions-grade crypto, without even realizing it.

And so the fearsome Carnivore may end up doing what nobody has managed to do before, despite years of effort and endless doom-saying — instantly create a massive demand for ubiquitous, high-quality, easy-to-use encryption. While other government-sponsored threats to electronic privacy — Echelon, for instance — have had all the verifiability of the bogeyman, Carnivore is real. It's documented. It works. The Bureau has taken existing technology and combined it with governmental authority and gotten everything it has ever wanted.

And that simple fact may very well damn the project to uselessness.


courtesy of Greg Knauss


pictures Terry Colon
