The FBI's Carnivore e-mail surveillance tool may scare privacy advocates, but Internet security experts say the online outlaws it's targeting aren't exactly shaking in their boots.
"I've spoken to a couple of guys in the underground, and we're all just, like, snickering," said Richard Forno, co-author of The Art of Information Warfare and an expert on hackers. As he put it in a recent online posting: "Carnivore is a joke to anyone who deems themselves a hacker, cracker, computer criminal or power user."
Why? Because Carnivore — a computer system designed to sift through a criminal suspect's e-mail — is easy to evade, experts said.
One way to slip by the filter is to use a cable Internet line instead of a phone dial-up. Under the Cable Act of 1984, e-mail sent via cable rather than telephone lines could be subject to stricter privacy protections that could effectively keep Carnivore at bay.
While the law was set up to keep private the viewing choices of cable consumers — and is actually unclear on whether cable e-mail is protected as well — it has already proved to be a bona fide Carnivore blocker.
"Some cable companies have relied on the Cable Act to refuse to disclose information (from users' accounts)," said Peter Swire, the Clinton administration's chief counselor for privacy.
The act requires the FBI to show a judge "clear and convincing evidence" of a cable user's criminal activity. That's harder to prove than "probable cause" of criminal activity, which is required before tapping a phone. On top of that, the government would have to notify the cable user being targeted — effectively rendering a tap impotent.
But with the controversy over spying on Internet communication still so new, nobody seems to know whether cable Internet service providers could be used as a virtual hideout.
"If the Cable Act prohibits all wire taps, then criminals could subscribe to cable services knowing that their conspiracies were immune from any lawful investigation," Swire said.
Of the 50 million online households in the U.S., 2.2 million log on via cable or broadband, according to the White House. That number is expected to grow dramatically in coming years.
The White House has just submitted legislation to Congress that would remove protections for cable e-mail, while giving e-mail in general some increased protections. One change would require Internet wiretaps to receive the same high-level Justice Department approval that a phone tap requires.
But there's one group that may not be taking any of this legislation too seriously: criminals themselves. Anyone — hackers, child pornographers, drug traffickers — can fool Carnivore, experts said.
"Just set up an encrypted network and forget about it," Forno said.
A basic encryption program limits Carnivore to sniffing the "to" and "from" address — and nothing else. Beyond that, all the FBI can see is, as Forno put it, "this big blop of encrypted material."
Encryption programs like PGP (Pretty Good Privacy) are downloadable for free on the Web. Some programs on the market even scramble the addresses, making your e-mail completely anonymous. Their main drawback is that both the sender and the receiver must be using the program.
Swire declined to comment on encryption's effect on Carnivore.
Of course, if you don't want to bother encrypting, a simple trip to a local library computer and an anonymous Web-based account is the most obvious way to avoid having your online writing read by the feds.
Federal officials maintain that Carnivore is a necessary part of the Information Age, and has already been useful to investigators in 25 criminal cases since its introduction more than a year ago.
And whatever its shortcomings, experts said, Carnivore isn't toothless.
"I wouldn't say Carnivore is completely ineffective because in fact most people do not encrypt," said Paul Schwartz, professor of Information Privacy and Internet Law at Brooklyn Law School.
Forno agrees: "Carnivore will catch the stupid person."