[Paul Ohm (guest-blogging), April 10, 2007 at 9:40am]
The Myth of the Superuser, Part Two, Harm:

First, a quick note to lawyers: today's installment about my article is much more law-focused than yesterday's.

I am grateful for yesterday's comments. Many of you took issue with my use of the word, "Superuser." You all have almost persuaded me to use "Superhacker" instead, although it would be a painful change. After living with this article for the past year-plus, it'll be hard to think of it as anything but the Superuser piece. I'm still on the fence, so for the rest of my stay here, I'll continue to call these mythical people, Superusers.

Why should we care whether exaggerated arguments about Superusers cause legislators to address risks that are unlikely to materialize? Because many significant harms flow from the Myth of the Superuser. Due to the near-universal belief in the Myth, there has never been a thorough accounting of these harms, and we have been doomed to repeat and extend them. In my article, I discuss six harms which flow directly from policies and laws that are justified by the Myth. Today, I want to focus on two:

1. Overbroad laws. Congress's typical response to the Myth of the Superuser is to write broad criminal prohibitions. It is haunted by the possibility that someday a Superuser who commits a horrific wrong will not be able to be brought to justice because of a narrow prohibition in the law. They fear an American version of Onel de Guzman, the Philippine citizen who confessed to writing the "I LOVE YOU" virus but escaped punishment because Philippine law did not criminalize the type of harm he had caused.

Consider, for example, the principal federal law that prohibits computer hacking, the Computer Fraud and Abuse Act (CFAA). Many of the statute's prohibitions apply expansively, and I contend that Congress has repeatedly broadened the law, in large measure, to deal with the scary prospect of Superuser hackers. For proof, count the number of stories about anonymous Superusers in any House or Senate Report accompanying an amendment to the CFAA; an especially egregious example is the 1996 Senate Report.

The CFAA's prohibitions cover an expansive laundry list of activity. You might be a felon under the CFAA's broad "hacking" provisions if you: breach a contract; "transmit" a program from a floppy to your employer-issued laptop; or send a lot of e-mail messages. And even if the FBI decides not to prosecute you for these transgressions, the broad CFAA gives it the right to investigate you, to read your e-mail messages and maybe even wiretap your phones and Internet connections.

2. Infringements of Civil Liberties. Part of what is terrifying about the Superuser is how the Internet allows him to act anonymously, hopping from host to host and country to country with impunity. To find the Superuser, the police ask for better search and surveillance authorities and tools, as well as the latitude to pursue creative solutions for piercing anonymity.

But broadened search authorities can be used unjustifiably to intrude upon civil liberties. Search warrants for computers are a prime example; the judges who sign and review computer warrants usually authorize sweeping and highly invasive searches justified by storytelling about the Superuser Data Hider.

It has become standard boilerplate for agents in their affidavits supporting search warrant applications to talk about sophisticated technology that can be used to hide data. According to this boilerplate, criminals "have been known" to use kill switches, steganography and encryption to hide evidence of their crimes. In addition, file names and extensions are almost meaningless, because users can easily change this information to hide data.

Convinced of the prowess of the data hider, a typical judge will usually sign a warrant that authorizes the search of every single file on a suspect's computers; that authorizes the search of parts of the hard drive that don't store files at all; and that allows off-site computer searches, where data is forensically examined for months or maybe even years. In upholding the scope of these kinds of searches, reviewing courts make bare and broad proclamations about what criminals do to hide evidence. These broad pronouncements (which are also citable precedent) are built upon nothing but an agent's assertions and a judge's intuitions about computer technology.

If, in reality, some criminals tend not to hide data inside obscured filenames or unusual directories, then judges might feel compelled to ask the police to cordon off parts of a computer's hard drive.

So where does this particular myth end and reality begin? Common sense suggests that some criminals are paranoid enough to hide evidence. But it's highly improbable that all criminals are equally likely to use these tactics. Home computer users who are committing relatively non-technological crimes — death threats or extortion via e-mail, for example — may have less incentive to hide evidence and no access to the tools required to do so. Painting all criminals in every warrant application as uniformly capable of hiding information is a classic example of the Myth.

In the Article, I call for judges to require a more particularized showing of "criminal tradecraft" before they sign sweeping warrants. How do we know that this class of criminal is likely to have used these particular tactics? The hurdle need not be very high; police training and experience are owed deference. But deference is not the same thing as acceptance of sweeping generalizations. In some cases, constraints on the police on the allowable scope of the search of a hard drive may be sensible, and perhaps even required by the particularity clause of the Fourth Amendment.

Very briefly, in addition to these two harms — overbroad laws and civil liberties infringements — the other four harms I identify are guilt by association (think Ed Felten); wasted investigative resources (Superusers are expensive to catch); wasted economic resources (how much money is spent each year on computer security, and is it all justified?); and flawed scholarship (See my comment from yesterday about DRM).

Tomorrow, I will conclude my discussion of the Superuser by focusing on a root cause of the myth, the failure of expertise.

Jake (Guest):
I agree that you have identified troubling legal consequences, but I'm not persuaded that they are unique to computer crimes, or that they exist because of mythical supervillains.

Take the CFAA example--any crime is going to cover behavior that falls within its definition but doesn't seem to warrant criminal sanction (or at least warrant full punishment). Here, you identify the definition of "transmit" as being overbroad. Maybe so, but I don't see a strong argument that the reason Congress didn't nail down a definition of "transmit" was because of a fear of superusers. It seems more likely that it's just a difficult concept to define precisely without leaving loopholes.

On the warrant example, I don't think this sort of "worst case scenario" warrant drafting is limited to computer crimes, or is prompted by superuser fears. It seems more likely that the police generally tend to err on the side of caution. When cars are seized and torn apart in a search for drugs, do we say that that behavior is prompted by fear of a different kind of super-user? Do courts make more than these "bare and broad" declarations before granting permission to search physical spaces? Do judges generally direct precisely how physical spaces must be searched, or do they leave that to the police?

Again, I agree that broadly defined crimes are a problem, and that police shenanigans with seized evidence are deplorable, but I'm not seeing a distinction here between computer crimes and other crimes.
4.10.2007 11:05am
Bruce:
I'm wondering the same thing as Jake -- don't search warrants for physical spaces tend to authorize searches of entire houses, and not just particular rooms? How is search of an entire hard drive different?
4.10.2007 11:29am
Lior:
This may have been hashed in the comments to the previous story, but would you consider the term "(super-)cracker" rather than "hacker"? In the culture of computer programmers, a "hacker" roughly means a good programmer -- someone who finds clever solutions to problems and constructs significant software this way. It is a term of respect -- just search for kernel hackers and see what you get.

In popular culture "hacker" has taken a very different meaning -- someone who breaks into computer systems. There is a word for this already: "cracker". Would you consider using it?

Turning to the matter at hand, you may also consider that many users encrypt their data for reasons of privacy (especially data carried on laptops, which are commonly stolen). I suspect that finding encrypted data tends to lead to "does this person have something to hide?"

Finally, a big problem here is the incompetence of the courts, rather than the law itself. I don't think the case of the former employee who sent a mass mailing (5600 recipients) using his authorized account supports your point. The problem there was not a fear of "super-crackers". The problem there was a court so clueless about technology that it credited the argument that 5600 e-mails constitute a "server overload" that damaged the computer system (increasing power consumption, limiting the availability for other users...). Clearly this judge has no idea about how computers work or what they can do (it would probably overload a human courier to package and deliver 5600 pieces of mail) and therefore was not competent to rule on the arguments made in this case. The obvious solution is for an independent expert to assist the court -- not one supplied by the parties. In this I have ignored the non-technology related issue in this ruling -- it essentially holds that if the owner of the mail server happens to dislike the contents of an e-mail you send, then your sending of the e-mail through the server retroactively becomes a federal felony even if your mail program interacted with the mail server according to the usual protocols.
4.10.2007 11:30am
Tomm:
Under what circumstances can a suspect be compelled to turn over passwords to the investigators? Anyone who is a 'power-' and up user can find an encryption program, like truecrypt, and make their files inaccessible to anyone without either the key or a few decades to brute force it. All investigators would be able to do, without assistance from the user, is see that some files are encrypted.
4.10.2007 11:46am
Vintner (mail):
Your use of "Superuser" is really a bad mistake. Just because you've gotten used to that mistake in your own thinking does not make it an effective communication strategy. "In matters of language, the tyranny of the majority is absolute."
4.10.2007 11:59am
Bruce Hayden (mail) (www):
Of course, the absurdity is that most of the likely perps wouldn't bother encrypting their stuff, setting it to erase, etc. Just too much bother, it slows everything down, and they don't think it likely that they will be busted anyway, otherwise, they wouldn't be doing it in the first place.

I should also note that this overbreadth problem due to technological ignorance on the part of the judges is nothing new and is also relevant in the civil realm. I am reminded of all those Ex Parte Writs of Search and Seizure granted to the Scientologists a decade or so ago when they were using a search for their sacred scriptures to track down their opponents. They would get one of these Ex Parte writs, then bring the police along to serve it. They would seize the alleged perp's hard drives in order to search for their stolen scriptures, and then end up reading all their email too, looking for the next link in the chain, which was the real purpose of the Writ in the first place. It was frankly amazing how many judges naively signed onto this sort of nonsense, after being fed a bunch of terribles, such as Paul is suggesting that the police do for search warrants of computers.
4.10.2007 12:22pm
Tim Howland (mail) (www):
There is another aspect of computer crimes that makes over-broad legislation very challenging; it is the virtual nature of the forensic evidence.

Once an attacker has full control over a system, it is impossible to trust any piece of information in that system. This means that timestamps, log entries, and audit trails are no longer trustworthy; further, the underlying operating system tools used to monitor these records and logs are often compromised as well.

If a malicious attacker compromises a system and uses it to attack someone, they can leave records that indicate the perpetrator was an innocent third party. Over-broad legislation means that the innocent's entire online life becomes subject to detailed and disruptive review.

I think that the myth of the superhacker is given its power because of the asymptotic way that technical people interact with systems. Good technical people are exponentially better at running computer systems than normal folks, and the curve seems to go up as skill improves. I think it was one of Yourdon's death march books that had the stat that the best 10% of programmers were 100 times as effective as the next 10%.

Part of the problem is that security analysis must work on the basis of capability, not likelihood. When I set up a network with a trusted partner, I still put a firewall on it to restrict their access. This isn't because I think they are going to try and break into my accounting system, it's because I don't want the possibility of it happening to even be a question. Non-technical people have a difficult time understanding the difference between capability and intent when network people talk about it.

The odds that any given computer crime will involve an elite user are pretty slim; however, any investigation of an elite cracker's methods is extremely difficult, because the evidence is often utterly unreliable. It's pretty challenging to think that untrained police officers and judges will be able to understand this, and we technical folks need to figure out more meaningful ways to discuss security without causing undue alarm.
4.10.2007 12:46pm
Dave N (mail):
When I first read this post, I thought that punishing someone for sending a lot of e-mails was a very kind way of saying, "Spammers who fill my e-mail box with crap." Since I do not need to invest in Nigeria, meet hot women, or lose 300 pounds, those e-mails do nothing but annoy me when I am looking for important stuff--particularly when spam outnumbers e-mail I care about by a 7 or 8 to 1 margin.

But when I read the linked story--about Bret McDaniel, who alerted 5000 people about a security hole on his former employer's system--specifically people who were vulnerable to that hole.

My version of hell for most spammers is to make them spend eternity reading spam and following links to various loathsome websites. As for Bret McDaniel, however, I agree completely with Paul Ohm and Chris Sprigman (who wrote the Findlaw article in the link). He was wrongly convicted.
4.10.2007 12:47pm
Aultimer:
The whole thing reminds me of the gubmint's ongoing, glacially slow recognition that treating encryption as a munition is a complete waste of resources. Terrorists got PGP, game over, move crypto export control from DOD to Commerce, terrorists still have PGP, create exceptions in BXA for mass market software, terrorists still have PGP... No crypto was kept out of terrorist hands, but BXA had expanded ability to control technology export.

The real goal of raising the SuperUser boogeyman is to expand LE effectiveness by more easily snooping on dumb users, the way export officials got more effective export control of general technology with the Crypto boogeyman.
4.10.2007 1:05pm
Paul Ohm (mail) (www):
Let me try to convince Jake and the first Bruce that what I have identified isn't simply the same thing that happens offline. This may be a matter of difference of degree, not kind, but I think it's a matter of difference.

First, the substantive law. Sure, the police (and also law enforcement :) use hyperbole and exaggeration to argue for broader laws in the non-computer context. I think there are several distinctions:

First is frequency. Look at how often the CFAA has been overhauled (not simply amended). I count at least five significant changes since it was passed in 1984. This may simply be the product of a new statute about new technology, but I think it's partly due to the fact that everybody is afraid of the Superuser.

Second, read the 1996 Senate Report. S. Rep. No. 104-357 (1996). I think you'll be struck by how often Congress recites vague, anonymous, and hypothetical stories of power to justify broadening the CFAA.

Here's a specific example. In 1996, Congress added subsection 1030(a)(7) -- essentially making it a federal crime to threaten a computer. I think the law is kind of comical -- it seems as if HAL 9000 drafted it, but I know that others disagree. But look at some of the language the Senate Subcommittee used to explain and justify it:

"According to the Department of Justice, threats have been made against computer systems in several instances. One can imagine situations in which hackers penetrate a system, encrypt a database and then demand money for the decoding key."

That's all of the empirical evidence they cite: one set of anonymous stories and a hypothetical. This is not legislative fact-finding that gives me confidence.

Third, with computer crime and unlike most non-computer crime, Congress will defer to two different kinds of DOJ expertise: a layer of law enforcement expertise and a layer of computer expertise.

Fourth, written opinions about technology crime and search and seizure tend to be rare, and DOJ will clamor for change every single time they get an adverse district court opinion, and Congress will usually oblige. They did it with Morris, and LaMacchia, and Bach (all tech cases, but not all 1030 cases). In other fields -- think drugs or immigration -- Congress tends not to jump every time a district court judge issues an opinion.

Fifth, where is the counter-narrative? Who is lobbying Congress not to change 1030? EPIC, EFF, and CDT will mount some resistance, but it's not on the level with which they participate when the Copyright Act or ECPA is up for amendment. I submit that even they believe that the Superuser can do what DOJ claims they can do (or at least, they calculate that given the prevalence of the myth, it's not worth the fight.)
4.10.2007 1:07pm
Paul Ohm (mail) (www):
I'm sorry about the long comments, so I'll write a short comment about Search and Seizure law.

Computer search warrants tend to be broader than their real-world counterparts. Read Orin's article for more detail.

House searches are not analogous. Those are limited in time and scope (if you're looking for a gun, you can't page through the papers in the filing cabinet.) A bumper-to-bumper, ripping-up-the-upholstery car search is a closer analogy, but cops don't routinely write warrants for that kind of search.

Imagine if cops routinely wrote affidavits for warrants that said, "criminals have been known to stash their evidence of tax fraud inside mattresses, so we seek permission to rip open every mattress." Or, "criminals have been known to hide drugs within walls, so we seek permission to x-ray all of the walls." A judge wouldn't sign these warrants without more particularized information.

I think these are the relevant analogs.
4.10.2007 1:15pm
Avatar (mail):
I'm not certain those analogues are relevant. Say what you will about overbreadth of searching "an entire hard drive", but it's not a destructive process. A typical search warrant might not give officers the permission to rip open every mattress, but they certainly would be able to look UNDER every mattress, and I can't imagine you would manage to get the evidence excluded with the argument that the search warrant didn't specify looking under mattresses.

I don't know what a good solution would look like, I'm afraid. It's easy to say "issue a warrant looking for one specific type of evidence, and automatically exclude anything that the police turn up that isn't the evidence specified in the warrant", but that doesn't square at all with real-life search/seizure procedure.

If anything, I'd say that the chain of custody issue is a lot more important. When you're talking about computer forensics, if someone who is not the user has physical access to the machine (and the user hasn't taken security measures that few people do against their own computers, and would frustrate a law enforcement search anyway), can you really trust that the data on that machine is the data that was on it when it was seized? Sure, there's time stamps and logs, but they're as easily falsifiable as anything else on a PC. Were I in the business of trumping up charges against people, "we searched your computer on warrant X and didn't find anything in the warrant, but you DID have a hundred gigs of child porn on there, sicko" would be an excellent method.

Heck, you can't even really trust that data on a computer reflects an action by the user -before- it got seized. Plenty of computers with compromised security distributing illegal material with no knowledge of the user whatsoever. Didn't this actually fly as a legal defense in the UK recently? So, paradoxically, if you're actually doing something criminal on your computer, you can always "poison the well" by getting yourself back-doored by something innocuous... or if you're more sophisticated, just set up logs that demonstrate that anything illegal was planted by someone else, then point to those logs in your defense.

This is also the problem with protracted physical seizure of the machine - you have to actually have the box and be able to testify that it remained in your custody in order for the data to have any validity in court; "we pulled a hard drive image" might sound good, but it's open to the same kind of charge above - "my hard drive never had that data on it". That sort of situation is unusually open to police abuse.

Finally, Mr. Ohm, I have to second the recommendation to change it from "superuser" as well. Like it or not, it is a term of the art; it would be like a tech geek writing an article using "solicitor" as synonymous with "ambulance chaser". Even if it reflects your thinking, it's going to distract greatly from the actual issue at hand - or more to the point, convince technically-informed readers that you don't have a clue about your topic.
4.10.2007 2:37pm
Just Dropping By (mail):
"A judge wouldn't sign these warrants without more particularized information."

Really? Maybe it's a by-product of selection bias in the media I consume, but if someone had asked me I would have guessed such warrants were routinely granted (and, in fact, that such searches of cars are routinely conducted without even a warrant). That's why I had the same reaction as Jake, Bruce, etc. -- my perception is that this problem is pervasive throughout all aspects of criminal law. We may be wrong, but I suspect that a substantial part of any audience for your writings will be having the same reaction.
4.10.2007 2:58pm
Dave-TuCents (www):
While not all superusers are mythologized, I think that the Myth of the Super-User (or Superuser) is perfectly acceptable usage. It evokes the correct image, even if it isn't a precise use of a technical term of art in a non-technical context.

Say what you will about overbreadth of searching "an entire hard drive", but it's not a destructive process.

I strongly disagree. Seizing all the computers and holding them for years is a wonderful way to bankrupt anyone who makes their living or runs their business on a computer. I consider that to be at least as destructive as taking something apart.

I also take issue with these laws' highly selective enforcement. How many Sony execs are in jail after they deliberately hacked (rootkitted) a few million computers? OK, Sony was just using a script kiddie technique, but would any individual get away as cheaply?

In many ways, there is also the harm of 'destroying respect for the law in general' that comes from the disreputable laws now on the books. Isn't that worth something?
4.10.2007 3:27pm
Bruce:
On the title, I don't really have a dog in whatever hunt is irking the computer scientists around here. But I would note that for a non-techie, it's not immediately clear what your title means. It's not until you get into the paper that it becomes clear that "super-user" is supposed to be something scary. Otherwise, it just sounds like someone who surfs the web a lot. "Super-hacker" would immediately convey what you have in mind to just about everyone.

Second, read the 1996 Senate Report. S. Rep. No. 104-357 (1996). I think you'll be struck by how often Congress recites vague, anonymous, and hypothetical stories of power to justify broadening the CFAA.

I agree legislating by anecdote is problematic, but I'm not sure it's a problem unique to computer issues. At random I went searching through the public laws of the 109th Congress (so far all the 110th has done is name post offices). P.L. 109-569 amends "the Railroad Retirement Act of 1974 to provide for continued payment of railroad retirement annuities by the Department of the Treasury." Here's the justification for it, in S. Rep. 109-257:

The U.S. General Services Administration (GSA) annually spends more than $30 billion dollars for products and services from the private sector that the agency resells to federal agencies through two different services--the Federal Technology Service (FTS) and the Federal Supply Service (FSS). Each service manages its own funding mechanism. . . . While this construct made sense when information technology was in its infancy, the business case for separate systems to handle IT goods and services no longer exists. Instead, the separate funds have now become a barrier to coordinated acquisition management services and technology needed to support a total solution.


That sounds pretty vague--and there's not even a single anecdote to back it up.
4.10.2007 4:34pm
logicnazi (mail) (www):
Avatar (and others):

There is no way in which physically seizing and holding the box really makes the data more reliable than making an image. One needs to trust that the police (or their expert) didn't plant the data on the physical machine to the same extent that you need to trust them to have kept a reliable copy of the image. If the police expert is willing to lie and plant evidence you are screwed either way.

Overall I tend to think that the myth of the superuser is just one facet of the bigger problem that neither judges nor juries understand the technology. People are scared by things they don't understand, especially in criminal hands. The myth of the evil superuser is really the computer incarnation of the drug dealer offering you free hits or the pot crazed murderer.

Unfortunately when people feel powerless and afraid they are at their worst. They strike out against the thing that makes them feel small and try to show their dominance over it by passing harsh laws (or in the past lynch mobs). This is also the explanation for the crazy ill-conceived laws about child molesters. Even though rational analysis would reveal that these laws likely increase the threat, media has convinced parents that child molesters might be lurking anywhere and they react to that feeling of fear and powerlessness by demanding blood.

Unfortunately this means that the myth of the power user is not something that can be solved by simply pointing out that such users are virtually non-existent or so rare as not to warrant these violations of civil liberty, just as it does no good to point out statistics about child molesters. So long as people don't understand computers they will never have the common sense that lets people reject this kind of demand for extra powers to catch the criminal. Sadly, it is never the reasoned consideration of harms and benefits that determines where the line should be drawn between catching the bad guys and civil liberty but the point at which people say, 'ohh c'mon that's not really necessary.'

If there is a silver lining in this it is only that this will probably fix itself in a generation or two.
4.10.2007 4:34pm
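Avatar and logicnazi disagree above about whether a seized drive or "a hard drive image" can be trusted later to hold the same bits it held at seizure. The control forensic examiners rely on for that question is a cryptographic hash recorded at acquisition and re-checked every time the image is handled. The following is an added example, not code from the post or from any commenter: it hashes an image in streaming chunks, writes a small acquisition manifest, and shows that a single changed byte is detected on re-verification. The manifest fields, the image file name and the image contents are all constructed for the demonstration.

```python
"""
Added example (not from the blog post or any commenter): a minimal
acquisition manifest for a forensic disk image, showing how a hash
recorded at seizure time lets anyone later check that an image (or the
drive it was taken from) still holds the same bits.  File names, sizes,
contents and manifest fields below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-GB images fit in memory


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Return the hex digest of the file at `path`, streaming in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def make_manifest(image_path: str, examiner: str, acquired_at: str) -> dict:
    """Record what was acquired: size, digest and who/when.  This is the
    record that goes into the evidence log at seizure time."""
    return {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path),
        "examiner": examiner,        # hypothetical chain-of-custody field
        "acquired_at": acquired_at,  # hypothetical ISO-8601 timestamp
    }


def verify_image(image_path: str, manifest: dict) -> tuple:
    """Re-hash the image and compare it against the recorded manifest.
    Returns (ok, reason); size is checked first because it is cheap."""
    size = os.path.getsize(image_path)
    if size != manifest["size_bytes"]:
        return False, f"size mismatch: {size} != {manifest['size_bytes']}"
    digest = hash_file(image_path)
    if digest != manifest["sha256"]:
        return False, "sha256 mismatch: image contents changed since acquisition"
    return True, "image matches acquisition manifest"


def demo() -> dict:
    """Acquire a constructed 'image', verify it, then alter one byte and
    verify again.  Returns both verification results for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "suspect_disk.dd")
        # Constructed sample image: a fake boot-sector-like header, padding,
        # and a trailing signature.  Nothing here is a real disk.
        with open(image, "wb") as f:
            f.write(b"\x33\xc0\x8e\xd0" + b"\x00" * 4000 + b"\x55\xaa")
        manifest = make_manifest(image, "examiner-01", "2007-04-10T11:05:00Z")
        ok_before, _ = verify_image(image, manifest)

        # Flip one byte in the middle of the image (simulated tampering or a
        # bit error in the copy), then re-verify against the same manifest.
        with open(image, "r+b") as f:
            f.seek(2048)
            f.write(b"\x01")
        ok_after, reason = verify_image(image, manifest)
        return {
            "ok_before": ok_before,
            "ok_after": ok_after,
            "reason": reason,
            "manifest_json": json.dumps(manifest, sort_keys=True),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point for the thread is that the manifest, not possession of the physical box, is what makes the data checkable: whoever holds the original drive, a court-ordered copy, or a defence copy can recompute the digest and compare it with the value logged at seizure, and any party can see when it no longer matches. A hash does not say who changed the bits, only that they changed, so in practice the manifest is itself signed or countersigned and logged outside the examiner's control.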
Taeyoung (mail):
Search warrants for computers are a prime example; the judges who sign and review computer warrants usually authorize sweeping and highly invasive searches justified by storytelling about the Superuser Data Hider.

It has become standard boilerplate for agents in their affidavits supporting search warrant applications to talk about sophisticated technology that can be used to hide data. According to this boilerplate, criminals "have been known" to use kill switches, steganography and encryption to hide evidence of their crimes. In addition, file names and extensions are almost meaningless, because users can easily change this information to hide data.


Not my main point here, but this seems like a reasonable concern. I use encryption and bogus file names myself. And, although you do not mention it, I sometimes use foreign languages too, when something is particularly embarrassing or sensitive -- writing something encoded in Japanese script, for example, causes the file to show up on non-Japanese-enabled systems as gibberish or a bunch of boxes or dots. I know a fair number of document review systems seem to have trouble with East-Asian language text, preventing searches and so forth. Anyhow, it's not like you need to be a sophisticated user to do most of this stuff. I do it just to prevent casual guest users on my systems popping open my files -- I'm sure many people with consciousness of wrongdoing would do as much or more.

Convinced of the prowess of the data hider, a typical judge will usually sign a warrant that authorizes the search of every single file on a suspect's computers; that authorize the search of parts of the hard drive that don't store files at all; and that allow off-site computer searches, where data is forensically examined for months or maybe even years. In upholding the scope of these kinds of searches, reviewing courts make bare and broad proclamations about what criminals do to hide evidence. These broad pronouncements (which are also citable precedent) are built upon nothing but an agent's assertions and a judge's intuitions about computer technology.

If, in reality, some criminals tend not to hide data inside obscured filenames or unusual directories, then judges might feel compelled to ask the police to cordon off parts of a computer's hard drive.


I'm not a forensics expert, and I've never dealt with this kind of issue in the criminal context, but at least as far as civil cases involving hard-drive reviews have been concerned, I've seen people's entire hard-drives getting picked over by forensic specialists and lawyers. I know that's not a good guide to what the law is or ought to be in the criminal context, but as a practical matter, I don't really see the issue with the overbroad "entire harddrive" search. When you talk about cordoning off sections of the harddrive, that suggests to me either a problem of wasted law enforcement resources (plowing through useless system junk, or hiring forensic people to go through the harddrive sector by sector to see if there are file fragments left over from an incomplete wipe or something), or a privacy-type problem, where people are having their files picked apart for no good reason. But I don't see the real issue with either of these.

To explain -- the entire hard-drive includes all kinds of useless junk, like system files, program databases, drivers, inf files, etc. And because most of that material could, yes, be cordoned off, there's probably a fair amount of waste involved in the process, as forensic specialists pick through them on the off chance that they're hiding useful superhacker data. So I understand that concern -- only I expect that law enforcement should understand that concern as well, and target their resources appropriately.

For privacy, these kinds of system files also don't seem, to me, to implicate major privacy concerns -- you probably aren't storing anything really private in your Windows system directory, after all. So I don't see a major concern there either.

More likely, the areas where there would be real privacy issues -- and indeed, where people occasionally voice their privacy concerns (to, as far as I know, no avail) -- are the areas where people actually do store their own data. Email, for example, or wherever they store their Word docs. For more hacker-y users, perhaps they have a directory or a nest of directories where they store their programming scratchwork or something. Another area that comes up is people's internet caches and temp directories, where, for whatever reason, you occasionally find the remains of old documents that might potentially be relevant to whatever you're doing at the moment -- and that certainly involves oddly named files and directories.

But these kinds of areas are exactly the areas you'd want to look -- the areas where, if users are storing incriminating files, those files would be found. I don't see how there could be a search that cordons off the useless files and gives only the kinds of files worth looking at, without looking at all the files and determining their content beforehand.

Am I missing some issue with these overbroad "every file on the hard drive" orders here? What's the real problem?
4.10.2007 4:39pm
Taeyoung (mail):
Re: Dave Tu-Cents
Seizing all the computers and holding them for years is a wonderful way to bankrupt anyone who makes their living or runs their business on a computer. I consider that to be at least as destructive as taking something apart.

Fair enough -- there should be a provision permitting people to obtain an image of the seized hard drive. But isn't law enforcement required to turn over copies of the evidence in its possession anyhow? Is there an exception for super-dangerous superusers? If so, then that's a problem. But the suspect shouldn't need the original any more than anyone else -- he can just work off a copy.

I mean, apart from any kooky Windows verification system. I've heard Vista is supposed to be set up so that hardware changes require you to re-verify with Microsoft or something.
4.10.2007 4:48pm
Unix-Jedi (mail) (www):
Paul Ohm:

Let me be yet another to say "superuser" has a meaning in this context, and loading another meaning onto it will cause you mass problems and confusion.

I'd avoid the hacker/cracker argument altogether, as well.

I would think "Computer Mastermind" would work far better, given your context.

Taeyoung:

The problem with the "entire hard drive" search: Because all the data is identical, all of it's suspect, and all of it now becomes germane for investigation. Versus a search warrant -- "We were looking for a dog, and look what we found taped under the sink!" -- there's no "reasonable" way that you can say "data is obviously not on that part of the drive", thus all the data gets examined. As others have pointed out, this means any hard drive examination has the potential for merely being a fishing expedition to find out what is possible to find out, and then amending the complaint/suit to deal with what had been found.
4.10.2007 4:51pm
Bruce:
Something seems to have gone wrong with my statutory cite. S. Rep. 109-257 concerns P.L. No. 109-313, amending "title 40, United States Code, to establish a Federal Acquisition Service, to replace the General Supply Fund and the Information Technology Fund with an Acquisition Services Fund, and for other purposes."
4.10.2007 5:19pm
Paul Ohm (mail) (www):
Taeyoung,

The concern is that the police get a warrant to look for "evidence of drug trafficking," and they spend the entire afternoon looking through your image files for child porn. (See U.S. v. Carey, 172 F.3d 1268 (10th Cir. 1999)). True, I suppose the target might have scanned in all of his drug ledgers and converted them into jpegs, but should a court just accept that based on the barest assertions in an affidavit about what criminals "tend to do"?

And, no, law enforcement is not required to return seized evidence. Under the Federal Rules, the party deprived of his computer can bring a Rule 41(g) motion for a return of property, and the government may be required to return non-contraband if the court holds that the person is "aggrieved by the government's continued possession," but these motions are often (usually?) denied.
4.10.2007 6:30pm
Taeyoung (mail):

The concern is that the police get a warrant to look for "evidence of drug trafficking," and they spend the entire afternoon looking through your image files for child porn.

That happens in civil situations, though. I have no idea how it all turned out, but in one case I know about (though was not involved in), the attorneys reviewing hard drives came across a stash of child porn and turned over the material (and the user) to the authorities. The limitation you seem to be proposing -- search files of this type, not of that type -- may be reasonable in some cases, but I'm hard-pressed to think of a case in which you wouldn't worry you were excluding significant relevant material. I may not be a drug dealer, but I scan receipts and stuff regularly (because otherwise I will lose them), and if you wanted to catch me at doing something naughty with my receipts, you'd probably have to review every JPEG and GIF on my hard drive. You could make a judgment about which directories to search -- e.g. I don't keep receipt scans together with my photos, so you probably don't need to look at the MyPictures directory -- but then again, who knows? There's lots of other stuff I keep all mixed together, and a lot of this you simply wouldn't know until you already had the chance to look through my hard drive. It's idiosyncratic.

Also, re: returning the evidence -- I wasn't suggesting return of physical property or anything. Only that a copy needs to be available to the defense, so the defense can look through it too (though again, I don't know whether this is so or not). For a business, buying a slew of new computers could be extremely expensive, but I'm inclined to see the business data on the hard drives as the really crucial bit, without which the business could not function. And a copy is good enough for that.
4.11.2007 1:09pm
ShaiHah:
In addition, file names and extensions are almost meaningless, because users can easily change this information to hide data.

This line made me see a big flaw in your argument. Just how "super" are these mythical superusers? Are you saying that only mythical "superusers" know how to change file names and file extensions? This is covered in the first ten pages of the manual that comes with the PC.

Steganography and encryption might be harder, but all it takes to use those technologies is (1) download the proper software (wikipedia will tell you where to look!) and (2) use it.

Is it really such a reach for judges to conclude that people might use these dead-simple techniques?
4.14.2007 3:39pm