Security and the Myth of the Superuser Mon 28 Jan 08
Bruce Schneier runs a great blog, Schneier on Security, and I stumbled across a post of his from last May entitled The Myth of the Superuser. In a very understated way Schneier refers to what he describes as a "very interesting law journal paper". It certainly is. The paper in question is The Myth of the Superuser: Fear, Risk, and Harm Online by Paul Ohm, Associate Professor of Law and Telecommunications at the University of Colorado Law School.
The abstract states:
"Fear of the powerful computer user, "the Superuser," dominates debates about online conflict. This mythic figure is difficult to find, immune to technological constraints, and aware of legal loopholes. Policymakers, fearful of his power, too often overreact, passing overbroad, ambiguous laws intended to ensnare the Superuser, but which are used instead against inculpable, ordinary users. This response is unwarranted because the Superuser is often a marginal figure whose power has been greatly exaggerated.
The exaggerated attention to the Superuser reveals a pathological characteristic of the study of power, crime, and security online, which springs from a widely-held fear of the Internet. Building on the social science fear literature, this Article challenges the conventional wisdom and standard assumptions about the role of experts. Unlike dispassionate experts in other fields, computer experts are as susceptible as lay-people to exaggerate the power of the Superuser, in part because they have misapplied Larry Lessig's ideas about code.
The experts in computer security and Internet law have failed to deliver us from fear, resulting in overbroad prohibitions, harms to civil liberties, wasted law enforcement resources, and misallocated economic investment. This Article urges policymakers and partisans to stop using tropes of fear; calls for better empirical work on the probability of online harm; and proposes an anti-Precautionary Principle, a presumption against new laws designed to stop the Superuser."
Don't let the "law journal" label scare you away. This really is a very interesting and thought-provoking read. Although phrases like "exaggerated attention to the Superuser" and "overbroad prohibitions" might lead you to think that Ohm is downplaying the risk of lax computer security, upon careful reading I don't think he is. Rather, what he is suggesting is a more balanced and reasoned approach to security.