Paul Ohm Guest-Blogging:

I'm delighted to report that Prof. Paul Ohm (University of Colorado Law School) will be guest-blogging this week. Paul specializes in computer crime law, criminal procedure, intellectual property, and information privacy; before going into teaching, he worked in the Computer Crime and Intellectual Property Section at the U.S. Justice Department, and before law school he worked as a computer programmer. Like me, Paul is a UCLA Law School graduate; go Bruins!

Paul will be discussing two of his recent articles this week. First, he will talk about "The Myth of the Superuser: Fear, Risk, and Harm Online," in which he critiques the rhetoric used in debates about online conflicts. On Thursday, he will begin to talk about "The Analog Hole and the Price of Music," which gives the results of an empirical study he co-authored about what people are willing to pay for music online.

I downloaded the "Superuser" paper with some interest, but it does not start very auspiciously in the first sentence. There is a "Worcester" Massachusetts with an airport, and a "Winchester" MA that I don't think has an airport, but there is no "Worchester" MA.
4.9.2007 10:42am
Max Hailperin:
I am very glad that we will have the benefit of such an interesting author discussing such interesting papers. However, I'd like to state one regret about the "Myth of the Superuser" paper. Namely, I think Ohm's decision to use the word "Superuser" was ill-considered.

Ohm acknowledges (in footnote 8) that "superuser" already had an established meaning and that this meaning is different from his meaning for "Superuser". Perhaps he was not aware of how well established the prior meaning was; he cites a 1993 source, but in fact the word appears in well-circulated publications dating back to 1974 (and even further in more obscure sources). (Actually, the 1974 version was hyphenated as "super-user," but by 1975 the hyphen was gone.) Nor is it merely a word that has been in long use: it is also in common use. You would be hard pressed to find an expert on computer systems who was not intimately familiar with it. Many use it daily, including particularly in the computer security field.

This is noteworthy because one of Ohm's stated goals for the paper is to point out the role that computer security experts play in the myth-telling and persuade them to change their rhetoric. If he really wants to reach out to this community, he is off to a poor start with regard to clarity of communication by using a word they are already familiar with to mean something new.

In his footnote, Ohm offers a defense of sorts against this charge of unclear communication: he has used the upper-case "S" on "Superuser" to signal that he has overloaded the word with a second meaning. (He refers to the use of "overloading" in programming languages.) However it is well accepted in the programming language field that overloading must be used with great restraint if it is not to sacrifice clarity of communication. In particular, a common piece of stylistic advice for programmers is not to use two identifiers that differ only in capitalization, because of the ambiguity that results in contexts such as oral communication. With regard to Ohm's paper, I will point out that he uses the word "Superuser" in the title, where standard typographic conventions render it impossible to tell whether the word is "superuser" or "Superuser," because either would be capitalized in a title.

Compared to the damage Ohm has done to his ability to communicate with technical experts through his choice of "Superuser," his use of "hacker" is a comparatively minor issue. This term was once an honorable one used for someone with a deep, creative involvement with technology. Only later was it co-opted to mean "cracker." In my own writing, I show my respect for the original hackers by not using the word in its more recent sense. However, the more recent sense has become sufficiently common that there is certainly no loss of clarity through Ohm's use of it, unlike the case with "Superuser."
4.9.2007 11:27am
Riskable:
As one of Paul Ohm's described "Superusers" I look forward to seeing what he has to say. For reference, I am a professional security consultant (i.e. hacker) that both breaks into company systems and deals with governance and law (writing policies, procedures, and researching the like).

I'm about 50% done reading his paper regarding the Myth of the Superuser and so far I agree with the gist of it. I have yet to read whether or not he covers the fact that changing the law usually can't affect anything at all. For example, while unauthorized use of a computer system may be a crime that does not mean that you can actually determine who broke said law. Anonymizing tools are becoming more & more popular and less Superuser-like. Also consider that the popularity of anonymizing tools is directly related to the overreaching and oppressive nature of some laws (computer-related and non-computer-related alike).

Here's some things I hope he talks about:

* Oppressive search and seizures as they relate to computer-related investigations (e.g. taking people's monitors, mice, keyboards, televisions, clock radios, etc). Then subsequently never giving them back (or even better: Auctioning them off immediately or re-using them at police headquarters as happened in New Hampshire!). In some cases, law enforcement is seizing people's stuff and then never charging them with any crimes at all (consider the recent case of John McCain's website being mocked--the user who performed the action had all of his electronics seized and, allegedly, has yet to be charged with anything--yet).

* Laws surrounding encryption... If your hard drive is encrypted and is subsequently seized by law enforcement can they compel you to give up your passphrase or encryption keys? How do the right to remain silent and the 5th amendment apply? The data storage portions of my laptop's hard drive are encrypted and contain loads of sensitive client information. If it were seized, how would the law limit the scope of the search not to include that data? Would they have to? All very interesting stuff.

* The impracticality of copyright laws as they pertain to computers and digital copies. For example, if I missed the latest episode of Law & Order on my cable TV subscription, is anyone really harmed by me going online and downloading it from an unauthorized source? What if a friend used a DVR to record it and then subsequently allowed me to copy that file off of his DVR to my home PC? What if my whole family had a single cable TV subscription and used a whole bunch of TV tuner cards and a recording system to distribute our favorite TV shows to all of our households? Even simpler: What if I had two homes but only one cable TV subscription... Would it be illegal/wrong for me to stream that connection to my second home? What if I recorded the shows then transmitted them separately?

* Open wireless access points. If an access point is broadcasting itself as available for connections and allowing anyone to connect to it (unencrypted) how can accessing said access point be considered unauthorized access? If a crime is committed from an IP address that happens to also have an open access point how can anyone be prosecuted if no evidence of said crime is found on their computer systems? Even simpler: How does the law deal with shared connections in general? Say, if you had a fraternity house that had many users behind one IP. Is it fair, just, or even legal for law enforcement to seize all the PCs in said home just to go on a fishing operation to determine who committed said crime?

* By seizing all of a person's computers and related equipment law enforcement isn't just performing a "search and seizure", they are handing out a punishment. They aren't just seizing a device that could have been used in a crime, they are taking away people's entire life's work, their family photos, their businesses, their ability to search for work, their means of communication with the world, their pastimes, etc. When a person is accused of selling drugs out of their home the police don't take away the place brick by brick, reassemble it somewhere else, and then demolish it. It seems to me that law enforcement is highly unjustified in such operations when you consider that any digital evidence (hard drives, CDs, tapes, etc) can be quickly and cheaply copied and be returned immediately after with no worry of losing said evidence.

* Digital possession laws. How can anyone be prosecuted for, say, having child pornography on their computer if it is so easy for a Superuser (like me) to plant such evidence without leaving a trace? Shouldn't the law require that a person be caught in-the-act of transmitting said contraband? The law in this regard seems to be the most ridiculously oppressive we have in regards to computer-related crime.

There's lots of grey areas and situations the law is very unclear on that I'd love to see discussed here. It seems that the law is way off base just about everywhere computers and digital crime are concerned.

"I have a license to kill -9"
4.9.2007 12:05pm