COMPUTER SECURITY EXPERTS SAY FBI'S INTERNET
SURVEILLANCE SYSTEM RAISES CONCERNS OVER PRIVACY AND FUNCTIONALITY

PHILADELPHIA - An Internet wiretapping system developed by
the FBI raises serious privacy and functionality concerns
despite a favorable outside review, a group of prominent computer
security experts says in a report to the U.S. Department of
Justice.

The group, which includes some of the top names in Internet
security, says that previous analyses have overlooked potential
legal and operational flaws with the FBI's "Carnivore"
system. Carnivore monitors Internet traffic, such as email
sent or received by suspected criminals or terrorists.

"We have no way of knowing whether Carnivore is correct,
safe, or always consistent with legal safeguards to privacy,"
said David J. Farber, Ph.D., the University of Pennsylvania
computer scientist who currently serves as chief technologist
at the Federal Communications Commission.

Farber, the Alfred Fitler Moore Professor of Telecommunications
at Penn, was joined by Steven M. Bellovin and Matt Blaze of
AT&T Labs, Peter Neumann of SRI International and Eugene
Spafford of Purdue University. Their report, which was solicited
by the Justice Department's chief scientist, urges the FBI
to make public the specialized software's source code, or
blueprint, so people can better understand its capabilities.

While an outside analysis of Carnivore released last month
expressed confidence in the program, Farber and his colleagues
describe that report as too narrow. They say it remains unclear
how Carnivore will interact with other widely used software
and operating systems, and that the program could miss critical
exculpatory evidence or allow agents to gather unrelated information
on innocent citizens.

"Serious technical questions remain about the ability
of Carnivore to satisfy its requirements for security, safety,
and soundness," Farber and his colleagues wrote. "Those
who are concerned that the system produces correct evidence,
represents no threat to the networks on which it is installed,
or complies with the scope of court orders should not take
much comfort from the analysis described in the report or
its conclusions."

Carnivore is a variation on a common class of software known
as "packet sniffers," used by Internet service providers
in network maintenance. The system has been used many times
so far in criminal and national security cases, usually by
installation at a suspect's Internet service provider.

Civil rights activists have suggested that the software violates
personal privacy by effectively scanning all messages, and
that the secrecy surrounding its use makes it even more prone
to abuse. Technologists have criticized Carnivore on the grounds
that it may harbor serious technical flaws.