Study by FBI is confident in "Carnivore" software Draft"s findings represent victory for the FBI By Ted Bridis THE WALL STREET JOURNAL WASHINGTON, Nov. 21 A draft review of the Federal Bureau of Investigation's "Carnivore" Internet surveillance system expresses confidence overall in the government's continued use of the eavesdropping software. But it also urges changes in the way agents adjust the program's intricate settings for fear that simple errors could allow the FBI to mistakenly capture e-mail, Web browsing or other data from innocent citizens. The draft study, being released Tuesday by the Justice Department, also will urge FBI engineers to build better mechanisms into Carnivore to detect tampering with digital evidence. But the draft's findings generally represent a victory for the bureau, which had faced a firestorm of criticism over its software's capabilities. "We found that the system does not overcollect, and that it basically does what it's represented to do," says Henry Perritt Jr., head of the review panel and dean of the Chicago-Kent College of Law. "Some of the larger concerns were way, way overblown." The FBI reiterated that it was unaware of any electronic information inappropriately collected during the roughly two-dozen uses of Carnivore since the software's inception in April 1999. But serious concerns about that happening were among the few issues consistently raised during interviews with FBI experts by the review panel from the Illinois Institute of Technology and the Kent law school. The precise language of this draft study was closely guarded. The institute turned over its draft last week to the Justice Department for editing, as required under its $172,559 federal contract. Department officials spent the weekend determining whether sections of the report contained information sensitive enough that they needed to be blacked out. The Clinton administration also was briefed on the capabilities of the software on the eve of the draft's release. "To the extent we revealed weaknesses in the existing system, it would be understandable if Justice didn't want to communicate those to people who might use them to circumvent lawful surveillance," Mr. Perritt said. Carnivore is specialized software created by the FBI, and typically installed at an Internet provider, to record online traffic such as e-mail sent or received by a terrorist or criminal suspect. Although the FBI maintains that no innocent communications are recorded, civil-rights groups have complained that Carnivore effectively scans all passing data to find relevant messages and that it is ripe for abuse in part because of the secrecy surrounding exactly how it operates. But Mr. Perritt cautioned, "This thing can't come close to sucking up all the communications of an [Internet provider] of any size." In public documents, the review panel reserved fully six weeks of its 11-week study to look at Carnivore's configuration screens. And during interviews with FBI engineers, including one marathon session that included a four-hour demonstration and nearly four more hours for questions, the panel expressed concerns about how agents adjust Carnivore settings and the chances for careless errors. The review panel has urged FBI engineers to consider using confirmation boxes that pop up on the computer screen when an important choice is made, such as setting Carnivore to record all Internet traffic from a suspect, rather than capturing just e-mail addresses on messages. Broader electronic searches require greater scrutiny by judges, yet the choice between "full" capture and a "pen" capture of only e-mail addresses is a single check-box on Carnivore's configuration screen. The reviewers also complained about some of Carnivore's default settings; the software begins scanning a suspect's Internet traffic for e-mail addresses, for example, unless an FBI agent specifies otherwise. "They did basically bring up some good points about potential problems, where you click a choice," said Marcus Thomas, who helped develop Carnivore at the FBI laboratories in Quantico, Va., under a project known internally as "Dragon Net." He said engineers already are making some of the suggested changes to the next major version of Carnivore, expected to be finished as early as February. The review panel also urged the Justice Department to continue to permit outside reviews of future versions of Carnivore. Mr. Thomas already has acknowledged weaknesses in the way that agents configure Carnivore settings, calling the myriad of choices "pretty complicated." He told an industry group during a demonstration last month that one of the primary goals of the next version of Carnivore will be "to simplify this mess." Copyright © 2000 Dow Jones & Company, Inc. All Rights Reserved.