[Paul Ohm (guest-blogging), April 9, 2007 at 10:11am]
The Myth of the Superuser, Part One:

Thanks very much, Eugene, for inviting me to talk about my latest research. I'm offering the VC reader a twofer: Today through Wednesday I'll describe my ideas about the Myth of the Superuser, and Thursday and Friday I'll discuss an empirical project involving the Analog Hole. (Quick plug: The Superuser article is looking for a law review to call home, so if you choose articles for a journal, please give it a read!)

My first project is a critique of the rhetoric we use when we debate online conflict. In our debates, storytelling is epidemic, and the dominant trope is the myth of power. To restate it like a less-charged version of Godwin's Law (I'd call it "Ohm's Law," but that's taken): as a debate about online conflict progresses, the probability of an argument involving powerful computer users approaches one.

For example, law enforcement officials talk about the spread of zombie "botnets" to support broader computer crime laws. Privacy advocates fret about super-hackers who can steal millions of identities with a few keystrokes. Digital rights management opponents argue that DRM is inherently flawed, because some hacker will always find an exploit. (The DRM debate is unusual, because the power-user trope appears on both sides: DRM proponents argue that because they can never win the arms race against powerful users, they need laws like the DMCA.)

These stories could usefully contribute to these debates if they were cited for what they were: interesting anecdotes that open a window into the empirical realities of online conflict. Instead, in a cluttered rhetorical landscape, stories like these supplant a more meaningful empirical inquiry. The pervasive attitude is, "we don't need to probe too deeply into the nature of power in these conflicts, because these stories tell us all we need to know."

Too much attention is paid to the powerful user, or the Superuser as I call him. (UNIX geeks, I'm aware I'm overloading the term.) Today I focus on the first part of the argument, my "proof" that the Superuser's importance is often exaggerated. Superusers inhabit the Internet, but they are often so uncommon as safely to be ignored.

(Two quick asides that are sure to come up in comments: First, even a few Superusers deserve attention if they act so powerfully that they account for a significant portion of the harm. Measuring the impact of the Superuser requires more than a head count; it also means measuring the amount of harm caused by any one Superuser. Second, Superusers can empower ordinary users by building easy-to-use tools; I address this so-called "script kiddy" problem in the article.)

We know that the Superuser's power is often exaggerated for three reasons:

First, some statements of Superuser harm are so hyperbolic as to be self-disproving. For example, as Cybersecurity Czar under the Clinton and second Bush administrations, Richard Clarke was fond of saying, "digital Pearl Harbors are happening every day." I'm not sure what meaning Clarke was giving to the phrase, digital Pearl Harbor: he may have meant attacks with the psychologically damaging effect, horrific loss of life, terrifying surprise, size of invading force, or historical impact of the December 7, 1941 attack; no matter which of these he meant, the claim is a horribly exaggerated overstatement.

Second, experience suggests that some online crimes are committed by ordinary users much more often than by Superusers. Take data breach and identity theft. Data breachers are often portrayed as genius hackers who break into computers to steal thousands of credit card numbers. Although some criminals fit this profile, increasingly, the police are focusing on non-Superusers who obtain personal data using non-technical means, like laptop theft. Similarly, identity thieves are often not computer wizards; the New York Times reported last year that many District Attorneys see more meth addicts committing identity theft than any other segment of the population.

Consider also claims that terrorists are plotting to use computer networks to threaten lives or economic well-being. There has never been a death reported from an attack on a computer network or system. In fact, many experts now doubt that an attack will ever disable a significant part of the Internet.

Of course, there are limits to using opinions and qualitative evidence to disprove the Myth, because they share so much in common with the anecdotes that fuel it. The third way to dispel the Myth is through studies and statistics. As one very recent example, Phil Howard and Kris Erickson of the University of Washington released a study which found that sixty percent of reported incidents of the loss of personal records involved organizational mismanagement, while only thirty-one percent involved hackers.

This is just a taste; in the Article, I go into much greater depth about why the Myth is not to be believed. Tomorrow, I will discuss the significant harms that result from Myth-influenced policymaking. Finally, on Wednesday, I will focus on a root cause of the problem: the inability of computer security experts to discriminate between high risk and low risk harms online.