Encryption could starve Carnivore

ChainMail and Sigaba are among the companies promoting encryption technology designed to render any captured email meaningless to third parties. Meanwhile, developers like Privada and Zero-Knowledge offer anonymity to both sender and recipient, so a third party has no idea whose email it is reading. In most cases, you need to rely on your internet service provider to implement this level of technology, which keeps private your email - right down to its address.

Carnivore, so named for its capability to "get at the meat" of electronic communications, is a Windows-based "packet-sniffer" program that also runs on an ISP's systems. The FBI uses it to pick out email communications from a party that is under investigation.

Carnivore is the online equivalent of a telephone wiretap, but its capability to snoop is much more pervasive, according to Stephen Satchell, a consultant on internet performance and security issues. Because no discrete "email line" corresponds to individuals on the internet, Carnivore actually scans every data packet from every party that uses the ISP. Privacy advocates are concerned that law enforcement could easily abuse this system to spy on people who are not covered by the warrant.

The FBI claims that Carnivore looks only at address information on email, not its content, until it finds correspondence from the party under investigation. Then, Carnivore copies the whole message. But critics doubt that Carnivore ignores content entirely.

"The only reason they could not look at content is because they chose not to look at content, not because they can't," says Richard Bliss, a Sigaba spokesperson.

Some ISPs seem to have similar regard for both the FBI and encryption vendors. America Online, for example, lets no one near its servers without a court warrant, according to AOL spokesperson Nicholas Graham.

The FBI has not approached AOL about using Carnivore on its network. But if it did, "Carnivore would not be allowed on our system and would be against our goal and mission of protecting our members' privacy," Graham says. That policy similarly prohibits use of server-based encryption programs. Graham says AOL has not decided whether to offer its own encryption solution to members.

EarthLink takes a similar position and has spurned the advances of at least one encryption vendor, says Steve Dougherty, director of technology acquisition. Customers may use their own encryption or anonymity scheme, but he does not expect EarthLink to provide such services.

Subscribers don't seem interested, Dougherty adds, but that could change. "This is so new, it's too early to tell what anyone will be doing," he says.

That's what the software developers are banking on as they prepare their server-level tools to thwart Carnivore.

Sigaba and ChainMail are refining encryption technology to protect email from Carnivore and other predators. Encryption uses a complex mathematical formula, called an algorithm, together with a unique numerical variable to scramble data into meaningless gibberish called ciphertext. The recipient of ciphertext must use the same numerical variable, called a key, to decode the message.

Encrypting email is not a new idea. But most consumers are slow to adopt the technology, partly because it's difficult to manage keys and because all recipients must use a compatible system. Until recently, it hasn't been possible to encrypt Web-based email like Hotmail or Yahoo mail. Nevertheless, increasing public anxiety about privacy has bolstered interest in encryption.

ChainMail, for example, has released a beta version of an open-source encryption product called Antivore that scrambles email using the popular Pretty Good Privacy (PGP) algorithm. But Antivore goes a step beyond simple content encryption and adds a secure, encrypted "pipeline" between you and your ISP. It's similar to the Secure Sockets Layer (SSL) used to transmit credit card numbers to electronic-commerce sites. But both the correspondents and their ISPs must adopt Antivore.

Antivore is actually an interim product that ChainMail accelerated because of the Carnivore controversy, notes Sean Steele, director of business development. In development is an internet server product named Mithril, which includes encryption. Both programs run on an ISP's servers. ChainMail hopes the open source community will help perfect Antivore, and plans to incorporate improvements into a final, open source version of Mithril as well as other encryption applications.

ChainMail has made some progress with smaller ISPs. Broadband Network Service, a regional ISP in central Virginia, is among those beta-testing Antivore. Most of the ISP's customers are small and mid-size businesses that aren't equipped to manage their own email and security, says Colin Learmonth, president.

"We don't necessarily see [Antivore] as combating Carnivore, but as a way of securing your email ... from any third party," Learmonth says.

Sigaba takes a slightly different approach that doesn't directly involve the ISP. When a Sigaba subscriber sends an email, the company's server issues a unique one-time encryption key to both sender and recipient. Sigaba's email plug-in on the sender's machine then uses the key to encrypt the message. The same plug-in on the recipient's machine uses the key to decrypt it.

"We're just passing a key," says Sigaba's Bliss. "We never get in the business of delivering mail." The entire process is transparent to users, and neither Sigaba nor the ISP sees the unencrypted message.

Sigaba expects to release its server software this fall. In the meantime, it offers free plug-ins that work with Outlook 2000, Eudora 4.3, and Internet Explorer, and also encrypt Web-based email. Support for other mail programs is in development.

While Sigaba encrypts the body of a message, it does not hide the address information (or "header") that routes traffic online. Carnivore or another packet sniffer could still identify the correspondents, which may give the FBI the information it wants.

"Traffic patterns can tell you about as much as the content of the messages," Satchell says.

Antivore encrypts address information by sending it via the latest version of Secure Sockets Layer, known as Transport Layer Security (TLS). The technology is becoming a de facto encryption standard. It has already been adopted in the latest version of Sendmail, one of the leading mail server applications for ISPs. And Netscape, which developed SSL, offers the encryption in its Messenger email client. Both Lotus Notes and Microsoft Outlook include SSL, and Qualcomm representatives say Eudora will support SSL this year.

Privada takes another approach to hiding header information. When a correspondent on a Privada system sends an email message, the software strips out the header, replaces it with a Privada account ID, and sends the message to a Privada server either at the ISP or hosted for the ISP at Privada's facilities. Privada doesn't encrypt the message, but the company says it's impossible for the FBI or anyone else to associate a Privada-protected message with a specific sender or recipient. The product offers anonymity for all internet transactions, not just email, says Rick Jackson, Privada CEO.
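An added illustration (not code from Sigaba, Privada or ChainMail) of the two points above: with body-only encryption a sniffer still reads who wrote to whom, while header replacement leaves it only an account ID. The cipher is a stand-in keystream XOR rather than PGP, and the addresses, key and account ID are constructed.

```python
import email
import hashlib

# Constructed sample message and key (not real addresses or a real Sigaba key).
SAMPLE = (b"From: alice@example.com\n"
          b"To: bob@example.org\n"
          b"Subject: lunch\n\n"
          b"Let's meet at noon.\n")
KEY = hashlib.sha256(b"constructed one-time key").digest()


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in symmetric cipher: SHA-256 counter keystream XORed with the data.
    Not PGP or Sigaba's cipher; it only models 'one key encrypts and decrypts'."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_body_only(raw: bytes, key: bytes) -> bytes:
    """Sigaba-style: scramble the body, leave the routing headers untouched."""
    msg = email.message_from_bytes(raw)
    body = msg.get_payload(decode=True)
    msg.set_payload(keystream_xor(body, key).hex())  # hex keeps it 7-bit mail text
    return msg.as_bytes()


def decrypt_body(raw: bytes, key: bytes) -> bytes:
    """Recipient's plug-in: the same key recovers the plaintext body."""
    msg = email.message_from_bytes(raw)
    return keystream_xor(bytes.fromhex(msg.get_payload().strip()), key)


def anonymize_headers(raw: bytes, account_id: str) -> bytes:
    """Privada-style: drop sender/recipient identity, substitute an account ID.
    The Privada server that maps IDs back to subscribers is not modelled."""
    msg = email.message_from_bytes(raw)
    for hdr in ("From", "To", "Reply-To"):
        del msg[hdr]
    msg["From"] = account_id
    msg["To"] = account_id
    return msg.as_bytes()


def sniffer_view(raw: bytes) -> dict:
    """What a packet sniffer reads off the wire: address headers plus the body."""
    msg = email.message_from_bytes(raw)
    return {"from": msg["From"], "to": msg["To"], "body": msg.get_payload(decode=True)}
```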

Privada expects "about a dozen" ISPs to sign up for the service when it becomes available by year-end, Jackson says, although he won't say which ones. You can already use its technology through Privada's own servers, but your correspondents must also sign up for the encryption to be effective. Zero-Knowledge offers a similar end-user service.

All these companies say they are committed to working with law enforcement for legitimate surveillance of criminal suspects.

"Privacy is a right," says Privada's Jackson. "But it doesn't mean the right to hide behind it" to commit crime. Privada will cooperate with law enforcement in specific circumstances, so Carnivore surveillance is not necessary, he says.

Privada and its ISP partners require a court warrant before they'll release their encryption keys to unlock a specific account. Then they'll encrypt the communications for delivery to law enforcement, which uses its own key to decrypt the communications. Neither the ISP nor Privada can decipher messages, Jackson says. Nor can they match a Privada account ID with a subscriber's real-world identity. Jackson says he has discussed general issues of privacy with the FBI, but has not specifically discussed Carnivore.

Likewise, ChainMail representatives say they will provide encryption keys to a specific account covered by a warrant. "The only way to recover a key forcibly is for a legal entity such as the FBI to issue a warrant," the company states. "It's a way to keep the FBI honest," says ChainMail's Steele.

Seán Captain

PC World