Confounding Carnivore: How to Protect Your Online Privacy
Ever since the FBI confirmed the existence of their Internet wiretapping device -- a device which they named Carnivore -- cyberprivacy activists have been up in arms. Carnivore promised to be their worst nightmare: a technology that could track and record every email sent, every Web page browsed, every chat room visited.
Today, those fears are more likely to come true than ever before. The passage of anti-terrorism laws in the wake of Sept. 11, and the extended powers of the FBI, CIA and police agencies everywhere, make it likely that Carnivore will see more use in the near future. Congress has been quite willing to trade some privacy for security, and the Bush Administration -- especially Attorney General John Ashcroft -- has been no defender of online privacy. With Constitutional protections being chipped away, what can civil liberties-minded citizens do to maintain their privacy online?
Though the technology behind the mysterious Carnivore box (officially renamed DCS1000 in early 2001, though that name hasn't stuck) has been portrayed as quite sophisticated, it's actually very simple. When attached to server computers at an Internet service provider (ISP), the device records the details of all traffic coming through that ISP. It can snatch email headers and content, and keep a history of Web pages accessed. This data can then be saved onto disk and admitted as evidence in court.
Similar devices have long been used in private enterprise, allowing cautious business administrators to monitor the Internet activity of employees. In network security circles, these devices are referred to as "sniffers."
As common as this technology is, its potential uses give security specialists great power to track electronic communications. Sniffers can produce a list of Web sites visited so that ISPs can block access to sites deemed questionable or subversive. Carnivore can also keep track of whom you send email to and who sends you email, shedding light on the company you keep and potentially tying you to activities you know nothing about. Aside from these scary scenarios, the mere fact that someone is watching is disconcerting.
But before you panic about the government tracking those flirty emails you sent to a co-worker last year, consider that the FBI is reported to have used Carnivore only 13 times between October 1999 and August 2000 (the latest figures available). That's not very much, given the enormous amount of Web traffic. So the chances that Carnivore has been watching you are incredibly low -- you're much more likely to have been sniffed by your employer.
Nevertheless, with the passage of the USA Patriot Act, Carnivore's use is very likely to increase. In addition to committing unprecedented resources to security, the new law drops some of the checks and balances once required for getting permission to eavesdrop. Futhermore, rumors that Osama bin Laden has used encrypted messages, images, and Web sites to communicate with the global Al Qaeda network, and fears that unknown terrorists are using the Web as a tool, has upped Carnivore's value in law enforcement's eyes. The FBI has even begun to enhance Carnivore. Development of the "Magic Lantern" virus, will allow agents to collect passwords from individual machines. It's part of a concerted effort to broaden Carnivore's net and fortify its encroachment into once private sectors of cyberspace.
Cyber-libertarians determined to maintain anonymity have already found ways to circumvent Carnivore's watchful eyes. Most of the methods were developed by hackers to cover their tracks when engaging in questionable, sometimes illegal activity. But these techniques work just as well for the law-abiding citizen who wishes to uphold the right to privacy. And thankfully, you don't have to be a hacker to use these tools effectively.
Controversial, but legal, encryption software has been publicly available for years. Encryption allows users to maintain a high level of secrecy when sending email or files over the Internet.
The most storied of encryption tools is a free program called PGP. PGP stands for Pretty Good Privacy, but it's a whole lot more than just pretty good. PGP is "strong crypto," geek speak for encryption that is nearly impossible to break. PGP is so strong that after releasing PGP to the public in 1991, Philip Zimmermann, the program's creator, drew immediate attention from federal prosecutors intent on preventing its distribution.
Zimmermann says, "PGP empowers people to take their privacy into their own hands. There has been a growing social need for it. That's why I wrote it."
And that's why governments are so afraid of it. As a result, Zimmermann became the target of a three-year criminal investigation that questioned the legality of exporting PGP to users in other nations. But by 1996, the investigation had produced no evidence of wrongdoing and PGP had become the most widely used encryption program in the world.
A few versions later, PGP is stronger in popularity and security. PGP works by scrambling the data such that only the recipient can descramble it. Even the sender cannot descramble the data because only the recipient has the descramble key.
Part of the reason behind PGP's strength is thorough peer review. The original programming source code for PGP is publicly viewable for anyone and everyone to scrutinize. The openness allows engineers to point out flaws, back doors or any other kind of weakness.
By using PGP to encrypt transmissions, one can ensure with high confidence that only the person intended to see its contents actually has access to it. Even if someone intercepts the transmission it would be completely unreadable unless that person has the decryption key. This would not prevent Carnivore from biting email off the network, but it will prevent prying federal agents from reading your private communications.
"You may be planning a political campaign, discussing your taxes, or having an illicit affair," says Zimmermann. "Whatever it is, you don't want your private electronic mail or confidential documents read by anyone else."
Zimmermann acknowledges that PGP could be used to conceal illegal activity but believes the right to privacy supercedes this concern.
A warning: Encryption is illegal in many countries. It is also illegal to export encryption tools from the U.S. without authorization. So you're best using PGP only in the United States or checking your local laws before using PGP.
PGP Freeware will get your messages across the Net safely, but it cannot stop Carnivore from watching what Web sites you are viewing. Most people surf from Web site to Web site not knowing that every click they make can be recorded not just by the government, but by more than one monitoring system. Your ISP, your ISP's ISP, and every Web site has a record of where Web traffic comes from and where it goes. Even if Carnivore is not watching you, federal agents can subpoena ISP logs to track you down. Whether you're merely looking at NYTimes.com or AlterNet.org or one of Osama bin Laden's alleged porn-fronted Al Qaeda Web sites, you are being watched.
There are several ways to keep your surfing habits hidden. Most involve placing a computer on your network between you and the Internet. This computer is called a proxy. Proxies work by taking your request for a Web page, getting the page from the Internet and then passing it on to you. With a proxy installed, the Internet knows the proxy is there, but doesn't know who is behind the proxy. While proxies are common in corporate networks, average home users don't have this luxury, unless they have the economic resources and technical know-how to set one up.
However, in the last few years, services have been created to provide Web surfers with a virtual proxy. In this case, instead of setting up a proxy on your own network, you connect to a virtual proxy over the Internet. One that works very well is Anonymizer.com. The Web service effectively allows users to surf anonymously without additional hardware or software.
You connect to Anonymizer with your Internet browser, tell it what site you want to see and it takes you there anonymously. If Carnivore is watching you, it will know that you are connected to Anonymizer, but not where Anonymizer has taken you. If the Web site you visit is recording your vital signs (your computer address, operating system, browser type, and the page you last visited), all it sees is the Anonymizer server.
Singapore, Vietnam, Iran, Algeria, Yemen, Bahrain, the United Arab Emirates, Saudi Arabia and China have banned sites like Anonymizer. Each country has attempted to block citizens' access to such services; testament to the technology's ability to keep government eyes from peeking into private activity.
Another way that people are surfing anonymously is by using someone else's network proxy. Hackers often do this surreptitiously, hacking into a private network and hiding behind its proxy. While this is effective, it may not be completely legal. You should only use someone else's proxy with their expressed permission. Also, not all proxies will be effective anonymizers out of the box, so it is best to coordinate the setup with the proxy's rightful administrator.
AntiProxy, a network of tech-savvy privacy activists, hosts a public proxy search engine (www.antiproxy.com/Censored/pxysearch/indexs.php). If you are able to obtain permission to use one of these proxy computers, go to your Web browser preferences and enter the proxy address under "Proxies." You will need to enter both the address and the port number. All current Web browsers in any operating system, from Netscape and Internet Explorer to Opera and Mozilla, have this functionality built in. With those settings in place you can surf the Web anonymously just as you would with your own in-house proxy.
Another privacy group -- Priavcy.net -- hosts an Environment Check (www.privacy.net/analyze/). This page will tell you just what kind of information you are broadcasting to the world when you surf the Web. Information culled by the Environment Check includes what kind of computer you have, the version and type of browser you use, the Web address of your ISP and your computer's network address. Try Environment Check with a proxy and then without a proxy to see anonymity in action.
For the less tech-experienced activist, PGP and proxies may not be the best way to fight Carnivore. Organizations like StopCarnivore, ACLU and Electronic Frontier Foundation are good places to start for finding a grassroots solution to a digital problem.
StopCarnivore.org has been leading the charge to de-fang the device and the over-zealous legislators pushing its use on innocent Americans. The organization's founder Lance Brown says, "It may be a generation or two before the stifling effect of Carnivore manifests itself in ways that can be measured. By that time, America will have been able to spread its use around the globe."
Brown's Web site offers ways to get in touch with lawmakers and law enforcement agencies to express concern over Carnivore. The site also lists ways to find out if Carnivore is tapping your ISP.
Privacy activists say that as a matter of patriotism and democracy, everyone must fight to protect privacy. As Zimmerman says, "If we do nothing, new technologies will give the government new automatic surveillance capabilities that Stalin could never have dreamed of."
The latest version of PGP Freeware is now available for Windows 95/98/NT/2000 and the Macintosh, as well as UNIX-based computers. Download it at MIT's distribution Web site (http://web.mit.edu/network/pgp.html).
Omar J. Pahati is the associate editor of AlterNet.org.