To view the entire article, go to http://washingtonpost.com/wp-dyn/articles/A48737-2000Nov21.html Study: FBI Tool Needs Honing The FBI's hotly debated Internet wiretap program is a sound law enforcement tool but needs modification to protect people's routine e-mail and other communications from being intercepted unlawfully, according to a draft study released yesterday by the Justice Department. The study, undertaken by the Illinois Institute of Technology Research at the request of the Justice Department, said although "Carnivore" can be "more effective" in protecting privacy and enabling lawful surveillance than other alternatives, it does not eliminate the risk of unauthorized monitoring of electronic communications by FBI agents. The report recommended that Carnivore be modified, subjected to further outside review and ultimately have its underlying "source code"--the technical details of how its software works--released to the public. Some privacy advocates say the institute, which the Justice Department paid $175,000 to review Carnivore, was biased in favor of the new technology. They also sa! y the FBI cannot be trusted to use Carnivore because the program can pick up all communications that pass through an Internet service provider--such as America Online--rather than monitoring e-mail traffic between suspects under surveillance. House Majority Leader Richard K. Armey (R-Tex.), a longtime Carnivore critic, said the selection of the evaluation team determined the nature of the report. "The Department of Justice selected reviewers and set the rules in order to ensure they would get the best possible review," Armey said. Justice officials said yesterday that the study confirms Carnivore is a legitimate law enforcement tool that can be refined to address concerns. They said the recommendations in the study would enable them to simplify and improve Carnivore's operation. "We are pleased with the findings and the constructive recommendations made in today's draft report," said Donald M. Kerr, head of the FBI's laboratory division. "From the beginning, we have welc! omed this review for two main reasons: First, subjecting Carnivore to outside scrutiny allows for practical criticism, feedback and suggestions for improvements which will ultimately benefit everyone," Kerr said. "Secondly, a review such as this presents the public with a clearer understanding of the facts, which is critical in maintaining public confidence in law enforcement's ability to effectively investigate and prevent serious crimes." The study said Carnivore poses no operational or security risks to Internet service providers, some of which feared that having the program installed would disrupt communications. The report also said that when the technology is used correctly under a valid court order, it gives investigators appropriate access to information. However, it said that since Carnivore poses the risk of going beyond court-permitted information collection in some instances, multiple versions of the wiretap system need to be developed. "This is a very fair repo! rt," a Clinton administration official said. "It doesn't give [Carnivore] a clean bill of health, but says Carnivore has better safeguards than other alternatives and has recommendations for how to improve the use of this technique. It also has suggestions for how to avoid accidental over-use." The report warned that while Carnivore was designed to perform fine-tuned searches, it is also capable of broad ones. "Incorrectly configured, Carnivore can record any traffic it monitors," the study said. But the study rejected fears that FBI agents would be reading all of the routine e-mail traffic of a given Internet service provider, saying that Carnivore "does not have nearly enough power" to do so. The FBI has legitimate reasons to oppose public release of Carnivore's underlying source code; the current version's technical limitations could enable hackers and others to defeat surveillance, the study said. The bureau needs to work toward public release of Carnivore's source code! by eliminating "exploitable weaknesses." Until that public release, outside, independent monitoring is needed to assess the effectiveness and risk of over- or under-collection of data, the study said. In addition, the bureau needs to simplify Carnivore and employ a formal development process in its next version to reduce errors. James Lewis, senior fellow at the Washington-based Center for Strategic and International Studies, said Carnivore is critical for law enforcement, but said selecting the name "Carnivore" has created a public relations problem for the bureau. "Right before Thanksgiving, 'Vegetarian' is the name I would go for," he said. McLean Pickett digex, Inc.