How Carnivore Works
You may have heard about Carnivore, a controversial program developed by the U.S. Federal Bureau of
Investigation (FBI) to give the agency access to the online/e-mail activities of suspected criminals. For many, it
is eerily reminiscent of George Orwell's book "1984." What exactly is Carnivore? Where did it come from? How
does it work? What is its purpose? In this edition of HowStuffWorks, you will learn the answers to these
questions and more!
Carnivorous Evolution
Carnivore is apparently the third generation of online-detection software used by the FBI. While information about
the first version has never been disclosed, many believe that it was actually a readily available commercial
program called Etherpeek. In 1997, the FBI deployed the second generation program, Omnivore. According to
information released by the FBI, Omnivore was designed to look through e-mail traffic travelling over a specific
Internet service provider (ISP) and capture the e-mail from a targeted source, saving it to a tape-backup drive
or printing it in real-time. Omnivore was retired in late 1999 in favor of a more comprehensive system, the
DragonWare Suite, which allows the FBI to reconstruct e-mail messages, downloaded files or even Web
pages. DragonWare contains three parts:
Carnivore - A Windows NT/2000-based system that captures the information
Packeteer - No official information released, but presumably an application for reassembling packets into cohesive messages or Web pages
Coolminer - No official information released, but presumably an application for extrapolating and analyzing data found in the messages

As you can see, officials have not released much information about the DragonWare Suite, nothing about Packeteer and Coolminer and very little detailed information about Carnivore. But we do know that Carnivore is basically a packet sniffer, a technology that is quite common and has been around for a while.
Packet Sniffing
Computer network administrators have used packet sniffers for years to monitor their networks and perform
diagnostic tests or troubleshoot problems. Essentially, a packet sniffer is a program that can see all of the
information passing over the network it is connected to. As data streams back and forth on the network, the
program looks at, or "sniffs," each packet. Normally, a computer only looks at packets addressed to it and
ignores the rest of the traffic on the network. When a packet sniffer is set up on a computer, the sniffer's network
interface is set to promiscuous mode. This means that it is looking at everything that comes through. The
amount of traffic largely depends on the location of the computer in the network. A client system out on an
isolated branch of the network sees only a small segment of the network traffic, while the main domain server
sees almost all of it. A packet sniffer can usually be set up in one of two ways:
Unfiltered - Captures all of the packets
Filtered - Captures only those packets containing specific data elements

Packets that contain targeted data are copied as they pass through. The program stores the copies in memory or on a hard drive, depending on the program's configuration. These copies can then be analyzed carefully for specific information or patterns. When you connect to the Internet, you are joining a network maintained by your ISP. The ISP's network communicates with other networks maintained by other ISPs to form the foundation of the Internet. A packet sniffer located at one of the servers of your ISP would potentially be able to monitor all of your online activities, such as:
Which Web sites you visit
What you look at on the site
Whom you send e-mail to
What's in the e-mail you send
What you download from a site
What streaming events you use, such as audio, video and Internet telephony
Who visits your site (if you have a Web site)

In fact, many ISPs use packet sniffers as diagnostic tools. Also, a lot of ISPs maintain copies of data, such as e-mail, as part of their back-up systems. Carnivore (and its sister programs) may be a controversial step forward for the FBI, but it is not a new technology.
The Process
Now that you know a bit about what Carnivore is, let's take a look at how it works:
1. The FBI has a reasonable suspicion that someone is engaged in criminal activities and requests a court order to view the suspect's online activity.
2. A court grants the request for a full content-wiretap of e-mail traffic only and issues an order. A term used in telephone surveillance, "content-wiretap" means that everything in the packet can be captured and used. The other type of wiretap is a trap-and-trace, which means that the FBI can only capture the destination information, such as the e-mail account of a message being sent out or the Web-site address that the suspect is visiting. A reverse form of trap-and-trace, called pen-register, tracks where e-mail to the suspect is coming from or where visits to a suspect's Web site originate.
3. The FBI contacts the suspect's ISP and requests a copy of the back-up files of the suspect's activity.
4. The ISP does not maintain customer-activity data as part of its back-up.
5. The FBI sets up a Carnivore computer at the ISP to monitor the suspect's activity. The computer consists of:
   - A Pentium III Windows NT/2000 system with 128 megabytes (MB) of RAM
   - A commercial communications software application
   - A custom C++ application that works in conjunction with the commercial program above to provide the packet sniffing and filtering
   - A type of physical lockout system that requires a special passcode to access the computer (This keeps anyone but the FBI from physically accessing the Carnivore system.)
   - A network isolation device that makes the Carnivore system invisible to anything else on the network (This prevents anyone from hacking into the system from another computer.)
   - A 2-gigabyte (GB) Iomega Jaz drive for storing the captured data (The Jaz drive uses 2-GB removable cartridges that can be swapped out as easily as a floppy disk.)
6. The FBI configures the Carnivore software with the IP address of the suspect so that Carnivore will only capture packets from this particular location. It ignores all other packets.
7. Carnivore copies all of the packets from the suspect's system without impeding the flow of the network traffic. Once the copies are made, they go through a filter that only keeps the e-mail packets. The program determines what the packets contain based on the protocol of the packet. For example, all e-mail packets use the Simple Mail Transfer Protocol (SMTP).
8. The e-mail packets are saved to the Jaz cartridge.
9. Once every day or two, an FBI agent visits the ISP and swaps out the Jaz cartridge. The agent takes the retrieved cartridge and puts it in a container that is dated and sealed. If the seal is broken, the person breaking it must sign, date and reseal it -- otherwise, the cartridge can be considered "compromised."
10. The surveillance cannot continue for more than a month without an extension from the court. Once complete, the FBI removes the system from the ISP.
11. The captured data is processed using Packeteer and Coolminer.
12. If the results provide enough evidence, the FBI can use them as part of a case against the suspect.
The example above shows how the system identifies which packets to store.
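To make the two-stage selection concrete (the "unfiltered" versus "filtered" modes from the Packet Sniffing section, and steps 6 and 7 above: keep only packets from the suspect's IP address, then keep only those whose protocol is e-mail), here is a small added example. It is written for this page and is not Carnivore's code or the FBI's; nothing about the real filter implementation is public. It decodes constructed Ethernet/IPv4/TCP frames with Python's standard library and assumes, as a simplification, that "e-mail" means TCP traffic to the well-known SMTP port 25, which is the protocol the page names; a real deployment would also have to decide how to treat retrieval protocols such as POP3 and IMAP, which use other ports. The addresses are documentation ranges and the frames are built inline, so it runs offline.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_TYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
SMTP_PORT = 25  # assumption for this example: "e-mail packet" == TCP to port 25


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int]
    dst_port: Optional[int]
    payload: bytes


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode an Ethernet II frame carrying IPv4; return None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # length of the IP datagram
    proto = ip[9]
    src_ip = socket.inet_ntoa(ip[12:16])
    dst_ip = socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]
    src_port = dst_port = None
    payload = l4
    if proto == IPPROTO_TCP and len(l4) >= 20:
        src_port, dst_port = struct.unpack("!HH", l4[0:4])
        data_off = (l4[12] >> 4) * 4              # TCP header length in bytes
        payload = l4[data_off:]
    return Packet(src_ip, dst_ip, proto, src_port, dst_port, payload)


def is_smtp_from(pkt: Packet, suspect_ip: str) -> bool:
    """Stage 1: source address must match; stage 2: protocol must be SMTP over TCP."""
    return pkt.src_ip == suspect_ip and pkt.proto == IPPROTO_TCP and pkt.dst_port == SMTP_PORT


def sniff(frames: List[bytes], mode: str = "filtered", suspect_ip: Optional[str] = None) -> List[Packet]:
    """'unfiltered' keeps every IPv4 packet; 'filtered' keeps only SMTP from suspect_ip."""
    kept = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue  # non-IPv4 frames (e.g. ARP) are not decoded at all
        if mode == "unfiltered" or (suspect_ip and is_smtp_from(pkt, suspect_ip)):
            kept.append(pkt)
    return kept


# --- constructed sample traffic (checksums left at zero; not real captures) ---
def _ip_header(src_ip: str, dst_ip: str, proto: int, l4_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))


def build_tcp_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    eth_hdr = b"\x00" * 12 + struct.pack("!H", ETH_TYPE_IPV4)
    return eth_hdr + _ip_header(src_ip, dst_ip, IPPROTO_TCP, 20 + len(payload)) + tcp_hdr + payload


def build_udp_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    eth_hdr = b"\x00" * 12 + struct.pack("!H", ETH_TYPE_IPV4)
    return eth_hdr + _ip_header(src_ip, dst_ip, IPPROTO_UDP, 8 + len(payload)) + udp_hdr + payload


SUSPECT_IP = "192.0.2.10"     # constructed (TEST-NET-1)
OTHER_CUSTOMER = "192.0.2.20"  # another ISP customer whose traffic must be ignored
MAIL_SERVER = "198.51.100.25"
WEB_SERVER = "203.0.113.5"

SAMPLE_FRAMES = [
    build_tcp_frame(SUSPECT_IP, MAIL_SERVER, 40001, 25, b"MAIL FROM:<user@example.test>\r\n"),
    build_tcp_frame(SUSPECT_IP, WEB_SERVER, 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_tcp_frame(OTHER_CUSTOMER, MAIL_SERVER, 40003, 25, b"MAIL FROM:<other@example.test>\r\n"),
    build_udp_frame(SUSPECT_IP, "203.0.113.53", 40004, 53, b"\x00" * 12),
    b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,  # ARP, not IPv4
]

if __name__ == "__main__":
    print("unfiltered:", len(sniff(SAMPLE_FRAMES, "unfiltered")), "IPv4 packets seen")
    for pkt in sniff(SAMPLE_FRAMES, "filtered", SUSPECT_IP):
        print("kept:", pkt.src_ip, "->", pkt.dst_ip, "port", pkt.dst_port, pkt.payload)
```

The design point is that the filter is a conjunction: a packet is stored only if it is from the authorized address and carries the authorized protocol, so a second customer's mail and the suspect's Web or DNS traffic both fall outside the court order's scope. Switching the same code to "unfiltered" shows how much a sniffer at the ISP can see, which is exactly why the scope of the filter, and who can inspect it, is the security-relevant question.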
Prey of the Carnivore
The FBI plans to use Carnivore for specific reasons. Particularly, the agency will request a court order to use
Carnivore when a person is suspected of:
Terrorism
Child pornography/exploitation
Espionage
Information warfare
Fraud

There are some key issues that are causing a great deal of concern from various sources:
Privacy - Many folks think that Carnivore is a severe violation of privacy. While the potential for abuse is certainly there, the Electronic Communications Privacy Act (ECPA) provides legal protection of privacy for all types of electronic communication. Any type of electronic surveillance requires a court order and must show probable cause that the suspect is engaged in criminal activities. Therefore, use of Carnivore in any way that does not adhere to ECPA is illegal and can be considered unconstitutional.
Regulation - There is a widespread belief that Carnivore is a huge system that can allow the U.S. government to seize control of the Internet and regulate its use. To do this would require an amazing infrastructure -- the FBI would need to place Carnivore systems at every ISP, including private, commercial and educational. While it is theoretically possible to do so for all of the ISPs operating in the United States, there is still no way to regulate those operating outside of U.S. jurisdiction. Any such move would also face serious opposition from every direction.
Free speech - Some people think that Carnivore monitors all of the content flowing through an ISP, looking for certain keywords such as "bomb" or "assassination." Any packet sniffer can be set to look for certain patterns of characters or data. Without probable cause, though, the FBI has no justification to monitor your online activity and would be in severe violation of ECPA and your constitutional right to free speech if it did so.
Echelon - This is a secret network rumored to be under development by the National Security Agency (NSA), supposedly designed to detect and capture packets crossing international borders that contain certain keywords, such as "bomb" or "assassination." There is no solid evidence to support the existence of Echelon. Many people have confused this rumored system with the very real Carnivore system.

All of these concerns have made implementation of Carnivore an uphill battle for the FBI. The FBI has refused to disclose the source code and certain other pieces of technical information about Carnivore, which has only added to people's concerns. But, as long as it is used within the constraints and guidelines of ECPA, Carnivore has the potential to be a useful weapon in the war on crime.