For ISPs: What to do about Carnivore/DCS1000
A lot of ISP owners and managers have written to us, asking
"Is there anything I can really do about this Carnivore/DCS1000 thing? I mean,
don't I have to install it if the Feds come to me with a warrant? I want
to protect my users' privacy, but do I even have a choice?"
In response to the queries of ISPs, and after some
deliberation on the situation, StopCarnivore.org founder Lance Brown has formulated the
following recommendation to ISPs. Be warned, this is an informal open letter to
ISPs, and does not constitute legal advice. Mr. Brown is not a lawyer, just a
professional thorn in the side of Government.
The letter was written to an executive representing a large
company. Small ISPs may want to consider the issue differently. In
addition, a site visitor and engineer at an ISP wrote in with a
pretty good suggestion, which follows the letter.
Here is Lance Brown's letter:
-My non-expert
recommendation is this: If I ran a major ISP (or a service like yours,
with the ISP bundled) I would make a major public announcement of my
company's opposition to invasive methods such as Carnivore, emphasize our
commitment to our users' privacy, and pledge to fight any Carnivore
warrant that is issued upon our networks with a vigorous court battle. I
would back this up by adding a "Carnivore clause" into our
current privacy policy. Word it similarly to Earthlink's
statement, except say that you will use all legal means available to
you to block any Carnivore warrant that is issued on your networks.
I think this tactic has many benefits, and few detriments. Let's break
it down:
-Benefit 1: You look great to your users, and to the
Internet community. The Internet community is almost universally
opposed to Carnivore, and you will look like a hero by opposing it
publicly and vocally. Your customers will know that you are doing all you
can to protect them from it- they don't expect you to go to the point of
obstructing justice- if you pledge to fight it in court, that's all you
can do for them. They know you can't just defy the FBI and the courts.
Plus, you get put on my Carnivore-Free ISPs
list! :)
-Benefit 2: By editing your privacy policy, and issuing a
new, edited version to your users (and the news outlets, and my site), you
cover your butt as far as the Carnivore loophole goes. In my opinion,
most ISPs' current privacy policies (just like current wiretap laws) don't
address a tool like Carnivore. I think there is room in those policies for
a user to claim contract infringement, privacy violation, and so on, if an
ISP allows Carnivore to rifle through their (non-warranted) data. Once it
becomes known which ISPs have allowed this, maybe we will see one of those
lawsuits. If you openly acknowledge that Carnivore causes a wrinkle in
your policy, and make an attempt to address that within the policy, I
think you would be seen as being responsible to your contractual agreement
with your customers. ISPs whose policy says "we won't allow anyone
into your data without a valid warrant" are lying to their customers,
in my opinion. A warrant for info on Customer A is not a valid warrant to
sort through the info of Customers B-Z. Write into your policy the belief
that Carnivore warrants are not valid warrants, but that the FBI may
require you to implement it anyway (if you fail to beat it in court).
-Benefit 3: The FBI will stay away from you. As I said
before, the FBI doesn't need any more trouble on the Carnivore front
anytime soon. If you make news with your declaration and new policy, they
would be foolish to call your bluff. First, they must know that they could
lose. Second, I think they are learning that any Carnivore news is bad
Carnivore news- i.e., if they can avoid coverage of it, they will.
Carnivore ends up looking bad and scary in about 90% of the news items it
is featured in.
-Benefit 4: You will be an example for other ISPs, who will
join you in your pledge. You are not the only person struggling to
work out this little conundrum the FBI has dropped in your lap. Lots of
ISPs realize the "Catch-22" position they are in. Having a large company
like yours declare public opposition would give many other ISPs the push
they need to do the same. Additionally, the release of a re-worked,
anti-Carnivore privacy policy would create a template for other ISPs who
are struggling to bridge the gap that Carnivore has created in their (now-invalid) privacy policies. This would have the triple effect of
compounding the anti-Carnivore sentiment already floating around, giving
you a peer group of anti-Carnivore ISPs, and creating an upsurge in
awareness of all of those ISPs' customers about Carnivore.
-Possible detriment 1: The FBI targets you for your stance.
I think this is super-unlikely, for the publicity reasons stated above.
But think of it this way. Right now, the FBI could unleash Carnivore on
you, and you are stuck in the position of having to violate your users'
privacy, etc. Plus you are put on the defensive, and you may be restricted
in what you can say or do in response. If you have the public statement,
plus an anti-Carnivore clause in your privacy policy, then the FBI is on
the defensive, as soon as they knock on your door. It would be unlikely
that a court would ignore your claim that you must put up a legal battle
(after all, you have a contractual obligation to your customers to fight
it, according to your re-vamped policy). Thus, more than likely, your
court fight will be public (unlike Earthlink's, which happened before
anyone knew about Carnivore). In any report on this public battle, you will
be seen as a hero who is defending their users against this unpopular
tool. I would hazard a guess that any legal costs would be made up for in
the free good publicity you would get from it, even if you lose.
I don't recommend that you merely bluff on the legal fight- I would
recommend you pursue it with vigor- and in that respect, planning ahead
for that eventuality helps your position if the FBI does decide to use you
as a Carnivore victim.
I'd be happy to talk further with any ISP that is trying to negotiate
the legal complications Carnivore is causing with their efforts to
maintain their users' privacy. I am particularly interested in seeing a
"Carnivore clause" inserted into privacy policies, and I will
compose a draft clause soon for your consideration. You can e-mail me at lance@stopcarnivore.org
for any advice, or to respond to my suggestions here.
Be Well, Be Free,
Lance Brown
Founder
StopCarnivore.org
A site visitor, and "Director of Engineering for
a wireless broadband ISP located in Pennsylvania," wrote in with this
suggestion, which seems to provide somewhat of a workaround for ISPs that are
forced to use Carnivore:
Am I correct in assuming that you would be
in compliance with a Carnivore warrant if you placed it on a connection, server,
or router of the ISP's choice, as long as that connection point provided the
device with all the information which the warrant states will be gathered?
If that is the case, I would recommend to
fellow engineers out there that they allow installation of the Carnivore
hardware if their company is not in a position to fight it. Here's the
catch: only allow it to be connected to your network via a firewall which
implements IP-based packet filtering. In this way, only the data which the
warrant specifies will be diverted from your internal network to the Carnivore
device. In addition, it would not allow the Carnivore device to see any
data other than outlined in the warrant.
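The filtering decision the engineer describes can be modelled as a default-deny check on each packet's IPv4 source and destination. This is an added example, not code from the letter writer, the engineer or StopCarnivore.org; the scope address, the sample packets and all function names are constructed for illustration, and a production deployment would express the same rule in the firewall's own rule language.

```python
import ipaddress
import struct

# Constructed warrant scope: one subscriber address (RFC 5737 documentation range).
WARRANT_SCOPE = [ipaddress.ip_network("192.0.2.10/32")]

def ipv4_endpoints(packet: bytes):
    """Return (src, dst) from a raw IPv4 header, or None if it cannot be parsed."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst)

def should_mirror(packet: bytes, scope=WARRANT_SCOPE) -> bool:
    """Default deny: copy a packet to the collection port only when its
    source or destination address falls inside the warrant scope."""
    endpoints = ipv4_endpoints(packet)
    if endpoints is None:
        return False  # fail closed on anything unparseable
    return any(addr in net for addr in endpoints for net in scope)

def filter_for_tap(packets, scope=WARRANT_SCOPE):
    """Return (packets passed to the collection device, count withheld)."""
    mirrored = [p for p in packets if should_mirror(p, scope)]
    return mirrored, len(packets) - len(mirrored)

def make_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (checksum left zero) for the samples below."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload

# Constructed sample traffic: the named subscriber, two unrelated customers,
# and one truncated frame.
SAMPLE = [
    make_ipv4("192.0.2.10", "198.51.100.7", b"from subscriber"),
    make_ipv4("198.51.100.7", "192.0.2.10", b"to subscriber"),
    make_ipv4("192.0.2.11", "198.51.100.7", b"customer B"),
    make_ipv4("203.0.113.5", "192.0.2.12", b"customer C"),
    b"\x45\x00",
]
```

Logging the withheld count alongside the rule set gives the ISP a record that traffic outside the warrant scope never reached the collection port.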