(reporting from Reuters, reporting from the original study by the Electronic Privacy Information Center) reports on that Carnivore, the controversial system designed to “wiretap” email, might have provided information about Osama bin Laden before September 11 — if it had worked right.
Apparently, a Carnivore “run” looking for al Qaeda e-mails also picked up e-mails from non-targeted people, which is against the law. And the operator of the system got so flustered that he deleted the whole run, including the lawfully collected al Qaeda intercepts.
A ways back, the Justice Department was going to submit Carnivore to a fairly rigorous peer review by a panel of high-powered encryption and security gurus from the private & academic sectors. The conditions that were placed on the review, however, were rather restrictive, and eventually, the review went to a less-qualified group (see EPIC’s site for their report).
I’m serious about this peer review kick folks. There was a time, not so long ago, when everybody who knew anything that mattered about security and encryption either worked at the NSA, or at IBM. But that time is gone, and the Feds need to get over it.
This is just funny. But when you screw up designing systems that matter, people end up dead. And it looks like that’s what may have happened here.
Let me make my views on this general subject clear: I am not a total absolutist when it comes to privacy, electronic or otherwise. I believe now (and believed before September 11th) that there is a legitimate need for law enforcement to be able to intercept communications by individuals suspected of committing or intending to commit crimes.
What I object to is that our government continues to apply 1950s-era approaches to solving technical problems in 21st century. As with my comments on Amnesty yesterday: I agree with the objective; I just wish they’d do a better job.
One proposal that I find very intriguing is the idea of making Carnivore open-source. While this may seem absurd at first, it actually makes a great deal of sense when examined more closely.
Security experts Matt Blaze and Steve Bellovin testified to exactly that before Congress in July of 2000: you can find a summary of their testimony on Blaze’s page . (Full disclosure: I’ve met and socialized with Blaze a few times, although not in several years: he’s a friend-of-a-friend. You have been warned. )
At any rate, I think we’re going to see a great deal more discussion in this area going forward. Because as we’ve learned in many other areas since September, the old approaches just aren’t working any more — if they ever were.
PS – Glenn also has some comments on this matter.