US users bite back at snooping law

In the UK, the right to privacy is an unstated assumption. Not so in the US, where people take their constitution very seriously.

The Fourth Amendment specifically says: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated ..."

For example, 86 per cent of internet users want opt-in privacy - in other words, website organisers must keep their data secret until the user says otherwise, according to research released by charity the Pew Internet & American Life project.

That's the opposite, incidentally, of a policy just negotiated by the US government with internet advertisers, under which websites can track user activity unless they have taken steps to opt out of monitoring.

More than a quarter of the 2000 US citizens questioned in the Pew survey also said they would never provide personal information to a website - somewhat undermining hopes for the widespread use of ecommerce. And 94 per cent said companies abusing privacy rules should be punished.

Against this background it's not too surprising what Americans think of their government's equivalent to the sealed boxes that UK security services can install at ISPs under the Regulation of Investigatory Powers Act. As in, not much. Both Congress and civil liberties groups have attacked the FBI for its somewhat sinisterly-named 'Carnivore' project, introduced by President Clinton.

Sealed boxes
As with the UK, the Carnivore project features sealed boxes, installed at the operations centre of US ISPs, which monitor network traffic - in fact, it seems possible that the UK boxes will be modelled on the US ones.

In each country, service providers have no control over the box, and thus no way of ensuring the privacy of their customers.

Last month, US deputy assistant attorney general Kevin Di Gregory tried to reassure legislators that Carnivore will only read what the security forces have the appropriate warrants to read.

"Carnivore is, in essence, a special filtering tool that can gather the information authorised by court order, and only that information," Di Gregory told a House sub-committee.

"It permits law enforcement, for example, to gather only the email addresses of those persons with whom the drug dealer is communicating, without allowing any human being, either from law enforcement or the service provider, to view private information outside of the court's order."

He added that the system also keeps an audit of its work - thus making it a friend of privacy.

But what if you don't trust these sealed boxes?

Open to abuse?
Chris Byrne, vice president of global security at analyst Meta Group, said: "An organisation that doesn't violate laws isn't seriously threatened by being monitored, but monitoring should be limited because of the potential for abuse. Carnivore is highly abuseable."

The FBI could heighten confidence in Carnivore by releasing information about how it works, of course. But where exactly the Carnivore device sits and the precise nature of the technology has not been disclosed, as US law enforcers are anxious to avoid providing hackers with enough information to subvert the system.

But Byrne argues that businesses are nervous that hackers could still find a way in and exploit the information, even with the cloak of secrecy surrounding Carnivore. All this results in pressure for the authorities to reveal the source code of the software so organisations can get some idea of how safe the system is.

It all comes down to trust. Robert Cringely, presenter of IT industry TV hit Revenge of the Nerds, claims that the FBI has no reason to have a specific black box to monitor email - it could all be done using the ISP's own equipment.

"What bothers me is the damned box. Why would the FBI need a box? You don't need a sealed box to do any of these tasks, most of which are already being done right inside of the router at every ISP," says Cringely.

In a column for website PBS (Public Broadcasting Service) Online, Cringely went on to claim that the US might have a more underhand motive for Carnivore.

"If we ever hear of a proposal from the FBI in which it plans to install Carnivores at all 6000 ISPs in the US, we'll be giving the government the power to do something that it can't do right now: shut the internet down."

Addressing fears
The US government has already made moves to calm fears. In June, the Federal Office of National Drug Control Policy ended its use of cookies, after complaints that this could be used to track where those interested in drug policy went on the web. In July, the Federal Trade Commission stopped bankrupt electronic retailer Toysmart.com selling its customer data to the highest bidder.

And the FBI has also started addressing fears on Carnivore itself. Two weeks ago, it said it will release some of the 3000 pages of documents concerning the system at the end of September, with more following at 45-day intervals - although it has not said how long it will take for all the documentation to be released, or whether any will be held back.

In addition, attorney general Janet Reno has pledged that a university will carry out an independent review of Carnivore by the start of December.

Will the UK government follow the US's line? Perhaps - if the British public become as vociferous in defence of their privacy as the Americans.

The nearest British equivalent of the US Constitution - the European Convention on Human Rights, heavily influenced by British lawyers when it was written just after the Second World War, and part of English law from October - includes Article 8: "Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law ..."

It seems the struggle between the individual's expectation of privacy, and the state's need to know, continues.

Additional reporting by Joe Devo.