@INFO.POLICY

Carnivore controversy takes a bite out of FBI

Robert Gellman

Carnivore, the FBI wiretapping device for e-mail, has given privacy and Internet junkies plenty to chew on.

The FBI's use of Carnivore raises a series of difficult questions about the Fourth Amendment and the narrowing differences between forms of communications. These questions are undergoing review all along the policy corridors of Washington, but no conclusions have been reached.

But agencies can still learn from what has already happened. The process by which information about Carnivore was disclosed and the reactions of the press, the Congress and the Internet community are instructive.

Bad name

The first lesson is simple and obvious: Be careful what you name things.

Everyone, from Attorney General Janet Reno on down, has commented negatively on the name. Businesses don't pay Madison Avenue millions of dollars to dream up names for new products just for fun. Names are important, and the word Carnivore is hardly compatible with the FBI's hoped-for image of the wiretapping device as friendly, helpful and limited.

The FBI deserves a dunce cap for not sticking with Omnivore, its original name for the software.

There are other examples of names, take cookies for instance, that illustrate how a naming decision can have tremendous consequences. Cookies receive more media and political attention than they deserve solely because of that cute name. Had cookies been named client-side persistent data, people wouldn't care as much.

A second lesson is that technical specifics matter. Never assume that people will accept your description of how a program will work.

Internet-savvy people are a show-me group, and they will not accept a description on faith. They will want to look under the hood. The Internet community wants access to Carnivore's source code, algorithms and technical specs. They want to verify that the filtering application does only what the FBI says it does.

If it turns out that the software does more than the FBI revealed, then Carnivore might become extinct, along with the careers of anyone who misrepresented it.

The corollary: Remember that the Internet privacy community is not just a bunch of privacy and computer freaks. The Net is big business. Internet service providers and all the other companies engaged in Internet activities have an interest, either for themselves or on behalf of their customers. Recently I attended a meeting on Carnivore sponsored by a public interest group, and most of the attendees were business people and lawyers.

A third lesson is that you should learn from the past. The folks at the Electronic Privacy Information Center of Washington point out that much of the FBI's rhetoric about Carnivore sounds similar to its official statements about the Clipper chip in the early 1990s. Clipper was an attempt by the government to implement a technology that could intercept the communications of criminals, just like Carnivore.

Perhaps the FBI learned nothing from the Clipper public relations and policy debacle.

Early disclosure

The final lesson is that it's important to disclose your Internet activities publicly as early as possible. Carnivore apparently came as a surprise not only to the public, but to the attorney general as well.

Few sins in Washington top surprising someone powerful. Policies and ideas that might be accepted without controversy will be rejected time after time if they are presented without a foundation.

Don't surprise your boss or the Net community, especially with something controversial. You won't avoid problems just because programs don't raise any concerns in your office or at the Office of Management and Budget.

Anyone planning an action that will affect privacy should cast a wide net for advice. Just talking to the people in your agency won't give you enough perspective.

Clearly, privacy remains a hot topic. The press and the Congress jumped all over the Carnivore story, and lawmakers scheduled hearings almost immediately.

It remains to be seen if the FBI will be eaten by its own Carnivore. Don't let it happen to you.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at rgellman@cais.com.
