Scientists Refusing to Review FBI's 'Carnivore'

Some of the nation's top computer scholars are refusing to review the FBI's controversial "Carnivore" e-mail surveillance software, saying that doing so would make them little more than shills for the Justice Department.

"They [the Justice Department] were not looking for an independent review," said Jeffrey Schiller, a security expert and network manager at the Massachusetts Institute of Technology. "In essence, what they wanted to do was borrow the reputation of any institution doing the review."

A Justice Department spokeswoman said such criticism was unfounded, and that the department was looking for an open and honest study of Carnivore.

At her weekly briefing Thursday morning, Attorney General Janet Reno would not comment on the criticism, but she did admit, "I'm as frustrated sometimes as you are by the process."

Reno last month issued guidelines for "an independent technical review" to address public concerns about the computer system.

Carnivore collects e-mail messages moving in and out of the servers of an Internet service provider (ISP), such as America Online, in order to target a suspect's correspondence. It's so far been used about 25 times, the FBI has said.

Schiller said the fine print in the DOJ's request for review would place numerous unacceptable restraints on the process, including giving the department the right to read, edit and even junk the report before the public saw it.

In other words, any negative feedback from scientists could be cut out — while the DOJ would still be able to claim that those scientists, and the universities associated with them, reviewed the software.

Security experts at MIT declined to submit proposals by Wednesday's deadline, as did the University of California at San Diego.

"They were not comfortable with the terms of the Justice Department requirements," said UCSD's David Hart, referring to Tom Perrine of UCSD's San Diego Supercomputer Center and 12 other experts who had dubbed themselves "the Open Carnivore group" and had considered offering their services to the DOJ.

"I believe most other universities declined to submit for similar reasons," Hart added.

MIT's Schiller said colleagues at another prestigious engineering school, Purdue University, expressed the same reservations. Officials at Purdue declined to comment.

"I would say there's a real good chance the whole thing will collapse and no one will do it," Schiller said. "I'd be real surprised if a university with any real reputation would choose to take it."

DOJ spokeswoman Chris Watney said scholars had sent "multiple proposals" by the 1 p.m. deadline, although she would not say how many. She also would not say which schools applied. The DOJ plans to award a contract to build the Carnivore system by September 25.

She denied that the chosen review board's final report would be altered before release.

"We have said all along we were not going to edit the report or censor the report. The report is meant to be public."

The only part that may go unreleased, she said, is the software's source code, which would be the proprietary information of the company that developed it, and also could help criminals beat Carnivore.

Schiller pointed out another problem with the DOJ's guidelines: they give the Justice Department the right to choose which individuals at a particular university would conduct the review.

Watney said that's just a matter of knowing ahead of time exactly who would be doing the work. "We want to make sure the same people that are represented in the application documents are the people doing the review."

Schiller says the problems with the Carnivore review process are the same problems with Carnivore itself.

"The problem they're trying to solve is real," he said. But conducting an independent review of the source code and making a technical statement are not the right things to do, he added.

"It's not really about technology, it's about oversight. The verification needs to be more than just 'we trust the FBI.'"

The question about Carnivore that the independent review would ostensibly answer is whether the system constitutes an invasion of privacy by collecting e-mail not authorized for collection by a court order in order to find e-mail that is.

The end results of the evaluation process would be a first draft report due November 17, which will be released for public comment, and a final report due December 8.