[Paul Ohm (guest-blogging), April 10, 2007 at 9:40am]
The Myth of the Superuser, Part Two, Harm:

First, a quick note to lawyers: today's installment about my article is much more law-focused than yesterday's.

I am grateful for yesterday's comments. Many of you took issue with my use of the word "Superuser." You all have almost persuaded me to use "Superhacker" instead, although it would be a painful change. After living with this article for the past year-plus, it'll be hard to think of it as anything but the Superuser piece. I'm still on the fence, so for the rest of my stay here, I'll continue to call these mythical people Superusers.

Why should we care whether exaggerated arguments about Superusers cause legislators to address risks that are unlikely to materialize? Because many significant harms flow from the Myth of the Superuser. Due to the near-universal belief in the Myth, there has never been a thorough accounting of these harms, and we have been doomed to repeat and extend them. In my article, I discuss six harms which flow directly from policies and laws that are justified by the Myth. Today, I want to focus on two:

1. Overbroad laws. Congress's typical response to the Myth of the Superuser is to write broad criminal prohibitions. It is haunted by the possibility that someday a Superuser who commits a horrific wrong will not be able to be brought to justice because of a narrow prohibition in the law. It fears an American version of Onel de Guzman, the Philippine citizen who confessed to writing the "I LOVE YOU" virus but escaped punishment because Philippine law did not criminalize the type of harm he had caused.

Consider, for example, the principal federal law that prohibits computer hacking, the Computer Fraud and Abuse Act (CFAA). Many of the statute's prohibitions apply expansively, and I contend that Congress has repeatedly broadened the law, in large measure, to deal with the scary prospect of Superuser hackers. For proof, count the number of stories about anonymous Superusers in any House or Senate Report accompanying an amendment to the CFAA; an especially egregious example is the 1996 Senate Report.

The CFAA's prohibitions cover an expansive laundry list of activity. You might be a felon under the CFAA's broad "hacking" provisions if you: breach a contract; "transmit" a program from a floppy to your employer-issued laptop; or send a lot of e-mail messages. And even if the FBI decides not to prosecute you for these transgressions, the broad CFAA gives it the right to investigate you, to read your e-mail messages and maybe even wiretap your phones and Internet connections.

2. Infringements of Civil Liberties. Part of what is terrifying about the Superuser is how the Internet allows him to act anonymously, hopping from host to host and country to country with impunity. To find the Superuser, the police ask for better search and surveillance authorities and tools, as well as the latitude to pursue creative solutions for piercing anonymity.

But broadened search authorities can be used unjustifiably to intrude upon civil liberties. Search warrants for computers are a prime example; the judges who sign and review computer warrants usually authorize sweeping and highly invasive searches justified by storytelling about the Superuser Data Hider.

It has become standard boilerplate for agents in their affidavits supporting search warrant applications to talk about sophisticated technology that can be used to hide data. According to this boilerplate, criminals "have been known" to use kill switches, steganography and encryption to hide evidence of their crimes. In addition, file names and extensions are almost meaningless, because users can easily change this information to hide data.

Convinced of the prowess of the data hider, a typical judge will usually sign a warrant that authorizes the search of every single file on a suspect's computers; that authorizes the search of parts of the hard drive that don't store files at all; and that allows off-site computer searches, where data is forensically examined for months or maybe even years. In upholding the scope of these kinds of searches, reviewing courts make bare and broad proclamations about what criminals do to hide evidence. These broad pronouncements (which are also citable precedent) are built upon nothing but an agent's assertions and a judge's intuitions about computer technology.

If, in reality, some criminals tend not to hide data inside obscured filenames or unusual directories, then judges might feel compelled to ask the police to cordon off parts of a computer's hard drive.

So where does this particular myth end and reality begin? Common sense suggests that some criminals are paranoid enough to hide evidence. But it's highly improbable that all criminals are equally likely to use these tactics. Home computer users who are committing relatively non-technological crimes — death threats or extortion via e-mail, for example — may have less incentive to hide evidence and no access to the tools required to do so. Painting all criminals in every warrant application as uniformly capable of hiding information is a classic example of the Myth.

In the Article, I call for judges to require a more particularized showing of "criminal tradecraft" before they sign sweeping warrants. How do we know that this class of criminal is likely to have used these particular tactics? The hurdle need not be very high; police training and experience are owed deference. But deference is not the same thing as acceptance of sweeping generalizations. In some cases, constraints on the police on the allowable scope of the search of a hard drive may be sensible, and perhaps even required by the particularity clause of the Fourth Amendment.

Very briefly, in addition to these two harms — overbroad laws and civil liberties infringements — the other four harms I identify are guilt by association (think Ed Felten); wasted investigative resources (Superusers are expensive to catch); wasted economic resources (how much money is spent each year on computer security, and is it all justified?); and flawed scholarship (see my comment from yesterday about DRM).

Tomorrow, I will conclude my discussion of the Superuser by focusing on a root cause of the myth, the failure of expertise.