16 February 2008
The Electronic Frontier Foundation has obtained an FBI document describing a mistake that was made in monitoring someone's email: the ISP sent the FBI all of the email for the entire domain, rather than just the suspect's email.
Needless to say, any wiretapping system (whether supplied by an ISP or the FBI) relied upon to extract legal evidence from a shared, public network link must be audited for correctness and must employ strong safeguards against failure and abuse. The stringent requirements for accuracy and operational robustness provide especially fertile ground for many familiar risks.

The context then was Carnivore, but the problem is the same. On the same subject, Matt wrote:
First, there is the problem of extracting exactly (no more and no less) the intended traffic.
More seriously, I suspect that the meat (so to speak) of any meaningful analysis of Carnivore's security and behavior lies not in its core source code but rather in the parameters used when it is actually configured and installed.
In fact, errors by third parties are not uncommon. The New York Times report on this incident makes it clear:
Past violations by the government have also included continuing a wiretap for days or weeks beyond what was authorized by a court, or seeking records beyond what were authorized. The 2006 case appears to be a particularly egregious example of what intelligence officials refer to as "overproduction" — in which a telecommunications provider gives the government more data than it was ordered to provide.
The problem of overproduction is particularly common, F.B.I. officials said. In testimony before Congress in March 2007 regarding abuses of national security letters, Valerie E. Caproni, the bureau's general counsel, said that in one small sample, 10 out of 20 violations were a result of "third-party error," in which a private company "provided the F.B.I. information we did not seek."
From what has been released, the FBI did nothing wrong here. In fact, they say that they destroyed the unwanted (and unauthorized) emails when they noticed the problem. But mistakes will happen. This is why I and others have warned about the dangers of too-close linkage to the telecommunications system: other plausible configuration errors could give malicious parties access to the network.
Surveillance is difficult. Complexity and interconnections make it dangerous, too.