The FBI has changed the name of its e-mail monitoring device from the ominous Carnivore to the geekier and more neutral DCS-1000. But the move hasn't stopped fears among technology managers and Internet service providers that the e-mail eavesdropping device may damage a company's technology infrastructure, compromise privacy, and open security holes that hackers could exploit. Some critics believe Carnivore may even violate the constitutional rights of customers and employees.
Carnivore is actually a part of the DragonWare Suite, which allows the FBI to reconstruct e-mail messages, downloaded files or even web pages. Apart from Carnivore, Packeteer and Coolminer are also components of the DragonWare Suite. No official information has been given out about these two, and very little about Carnivore. From what little has been disclosed, it seems to work like the packet-sniffer software commonly used by network administrators to monitor systems and perform diagnostics.
It is said to be an e-mail version of a telephone wiretap. Instead of the tap being placed in the user’s telephone, a device is placed on the mail servers of the business or its ISP. Carnivore tracks and records e-mail headers, but not the actual contents of the e-mail. Law enforcement officials more frequently seek warrants to obtain headers because the legal standard for getting that kind of court order is less demanding than the standard for a so-called full-content retrieval warrant.
Carnivore checks the headers of all e-mails traveling past the device and plucks out the ones it wants based on the search warrant's parameters. But if that was all it did, there wouldn't be much of a controversy. The Carnivore issue goes much deeper, and it produces strong reactions and feelings. Critics feel that there may be bugs in the program and that these may lead to violations of people's privacy. This is because the source code of the program has not been released to the public, for fear of hackers getting past it. Most individuals involved in the Carnivore controversy refuse to discuss the details of specific incidents on the record. Only in the past few months have FBI officials given industry presentations about Carnivore, but those presentations include only information that has already been disclosed.
The FBI has not publicly named any of the ISPs hit with a Carnivore warrant, because the agency keeps such information confidential. But one name is known: EarthLink Inc., America’s second-largest ISP with more than 4.7 million subscribers. CBI has come out with an agreement to use Carnivore to track criminals in India. India's Information Technology Bill contained a provision that would have mandated that cyber cafes keep detailed records of their users and their users' activities. The deputy superintendent of police dropped that, but a provision has been made that allows warrantless searches. It is only a matter of time before a system like this is installed on a mail server or at an ISP in India.
Warning alarm for enterprises against the prowl of the Carnivore
Given the vast range of activities going on in an enterprise, it should be apparent that it is not possible to do business without using monitored channels. The prudent businessman assumes every fax, email, phone call, etc. is monitored sometime between the moment it leaves the local environment and before it arrives at its destination.
Many users encrypt only critical communications, flagging those communications as important to anyone looking. If you do not choose to encrypt everything, what you do choose to encrypt is very important. Encrypting everything with a very weak key is more effective than encrypting a few things with a very strong key. If those few things indicate potentially valuable data, it is easy to track their destination and use various means to extract the content.
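The point about selective encryption can be checked against your own outbound mail. The following is an added example, not part of the original article: it reads only the headers of a few constructed sample messages, as a header-level monitor would, and reports which recipients stand out because only their mail is encrypted. The addresses, subjects and the function names `header_view` and `report` are made up for illustration.

```python
from email.parser import HeaderParser


def make(to, subject, ctype):
    """Build a constructed sample message (not real traffic)."""
    return (f"From: alice@example.com\nTo: {to}\nSubject: {subject}\n"
            f"Content-Type: {ctype}\n\n(body not inspected)\n")


# PGP/MIME (RFC 3156) announces itself in the Content-Type header.
PGP = 'multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"'
PLAIN = "text/plain; charset=utf-8"

# Mailbox where only the "important" message is encrypted.
SELECTIVE = [
    make("bob@example.com", "Lunch", PLAIN),
    make("carol@example.org", "Q3 figures", PGP),
    make("bob@example.com", "Minutes", PLAIN),
    make("dave@example.net", "Newsletter", PLAIN),
]
# Same mailbox with every message encrypted.
UNIFORM = [m.replace(PLAIN, PGP) for m in SELECTIVE]


def header_view(raw):
    """Return what is visible from headers alone; the body is never parsed."""
    msg = HeaderParser().parsestr(raw)
    ctype = msg.get_content_type()
    smime_enveloped = (
        ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
        and msg.get_param("smime-type") == "enveloped-data"
    )
    encrypted = ctype == "multipart/encrypted" or smime_enveloped
    return {"to": msg["To"], "subject": msg["Subject"], "encrypted": encrypted}


def report(raws):
    """Share of encrypted mail, and the recipients it singles out."""
    views = [header_view(r) for r in raws]
    enc = [v for v in views if v["encrypted"]]
    share = len(enc) / len(views)
    # Encryption only marks a recipient when some mail is left unencrypted.
    standout = sorted({v["to"] for v in enc}) if 0 < share < 1 else []
    return {"encrypted_share": share, "standout_recipients": standout}


if __name__ == "__main__":
    print("selective:", report(SELECTIVE))
    print("uniform:  ", report(UNIFORM))
```

Note that the recipient and subject remain readable in the headers even for the encrypted message; body encryption hides the content, not who is talking to whom.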
There are a small number of companies, including badabiz.com and hushmail, that have implemented moderately rigorous end-to-end encryption in a client-server environment via client-side encryption and server "common carriage". While many applications manage this in traditional "heavy" applications, most "secure" client-server applications trust in the reliability of firewalls.
Wrapping up, Carnivore can be an effective program if its source code is released to the public and it is made to work as intended. This way, law enforcement officials can ensure the privacy and security of enterprises.