A few weeks ago, I wrote about Dug Song's dsniff package, which is available on the Internet and seriously invades people's privacy because of its protocol-specific sniffing capabilities. The dsniff package can capture email-based packets off the network and put those packets back together to reconstruct the email message.
The FBI uses this type of functionality to perform Internet wiretaps, although it doesn't use dsniff. Instead, the FBI claims to have developed proprietary software aptly nicknamed Carnivore for the software's ability to get to "the meat" of a conversation. The FBI has used Carnivore since early 1999 in some 100 criminal investigations. The FBI also has software called Omnivore that captures and rebuilds a variety of network traffic, as opposed to capturing only email.
The fact that the FBI can capture email is not new information, but privacy advocates say Carnivore invades their privacy unnecessarily because the software must look at portions of each packet to determine who it belongs to. Privacy advocates say this scenario is no different than listening to all telephone conversations to determine whether a suspect is talking on the phone.
I agree with such complaints; however, with the availability of dsniff and similar packages, it's a moot point because anybody can capture and reconstruct network traffic to spy on users, although such action is illegal in the United States and most other countries. Nonetheless, I think we let judges provide too much leeway for software such as Carnivore. After all, how hard is it to forge network packets or an email address? So I wonder how the FBI would prove beyond a shadow of a doubt that some particular set of SMTP packets originated from a specific user if it attempted to use that data for evidence.
I understand the FBI's need for wiretaps, but what about AOL and Netscape? Is it OK for one of the world's largest ISPs and one of the world's most popular software vendors to deliberately spy on their users?
As you'll learn in this newsletter, a Massachusetts man has formally made these allegations and subsequently filed a lawsuit against the firms. If AOL and Netscape are found guilty of spying on users, I expect the case to set a major legal precedent toward the ultimate protection of our privacy. Be sure to read the story in Security Roundup below. Until next time, have a great week.