Path: utzoo!attcan!uunet!maverick.ksu.ksu.edu!ux1.cso.uiuc.edu!iuvax!purdue!spaf From: spaf@cs.purdue.EDU (Gene Spafford) Newsgroups: comp.org.eff.talk Subject: Search Warrants & Organizations (was Re: Missing mission) Message-ID: <11522@medusa.cs.purdue.edu> Date: 2 Sep 90 16:46:57 GMT References: <11446@medusa.cs.purdue.edu> <1990Aug26.063940.29357@chaos.cs.brandeis.edu> <36814@ut-emx.UUCP> <11502@medusa.cs.purdue.edu> <1990Sep2.030722.25255@cs.rochester.edu> Sender: news@cs.purdue.EDU Reply-To: spaf@cs.purdue.edu (Gene Spafford) Organization: Department of Computer Science, Purdue University Lines: 93 In article <1990Sep2.030722.25255@cs.rochester.edu> yamauchi@heron.cs.rochester.edu (Brian Yamauchi) responds to my posting: >I don't think anyone is arguing that the victims should be ignored, but >I have yet to see any reasonable justification for actions such as the >confiscation of equipment from Steve Jackson Games just because they >publish a Cyberpunk role-playing game. There is no evidence that the SJG system was confiscated "just because they publish a Cyberpunk role-playing game." (Of course, there has been no evidence that that was not the reason, either.) If you are going to be objective and fair about this, you can say "it APPEARS to ME that the system was confiscated because...." Three key things about this one incident (and related) that should be considered before making statements about such seizures: 1) The presentations made to the judges leading to the issue of search warrants have often been sealed. Therefore, it is not clear why the agencies involved felt they needed to confiscate the systems (and why the judge went along with them). 2) The law enforcement people involved have not (and in most cases cannot, because the cases are still pending) make public statements about the facts of these cases. 3) It often takes many months to do a thorough analysis of confiscated equipment, gather further evidence, and present an indictment. Just because an indictement has not yet been issued does not mean that one will not. Neither does it mean one will (or can be). Now, contrary to what some people claim, I'm not trying to defend the seizure of the equipment at SJG or claim that they (folks at SJG) were involved in something illegal. HOWEVER, I am also not claiming the opposite. The only side of the story we've heard so far is from the folks at SJG, and they would obviously not admit to anything illegal. Indeed, if only one person there was using the system for something illegal, the protestations of the rest would indeed be sincere and honest. We just don't know the full story yet -- if we ever will. Nobody should automatically be blamed in these situations; we do not automatically assume the guilt of the people whose equipment was confiscated, and neither should we automatically assume an abuse of power by government because we aren't privy to their investigation. The seizure of equipment at Steve Jackson Games may well turn out to be a terrible abuse by Federal investigators. It may turn out to be a terrible mistake. And it may turn out to be a step in a valid investigation. When statements are made, all three possibilities should be borne in mind. The real problems with this case (and others like it) have to do with how long it takes to search a computer system, the grounds under which a search warrant is issued, and the length of time it takes to either return the equipment or file charges. Those problems exist in other arenas, too, although we don't often hear about them because the people don't have e-mail access. >Certainly there is a role for anti-cracking, anti-virus organizations, >but such organizations exist (CERT and NCSC, for example). Not good examples. CERT responds to break-in reports and tries to help close up system holes. They don't do anything proactive. Neither does the (ex-)NCSC -- they develop security standards for systems, and do analysis of security methods. My "missing mission" statements didn't involve these groups because I wasn't talking about standards or response or enforcement -- I was talking about fostering a sense of responsibility along with any claim of rights. The two are very closely tied. >However, up >until now there have been no organizations devoted to protecting >electronic rights from government infringement -- EFF seems to be ready >to do so. I think it's unreasonable to require that EFF do the job of >CERT, just as it would be unreasonable to require that the ACLU do the >job of the FBI. I have not suggested that the EFF do the job of the CERT; if you think that, you misundstand the reasons the CERT exists, as well as misunderstand the reasons for my statements. The ACLU has a poor reputation with a segment of the population because of their (to some) one-sided approach to the law. I would like to see the EFF get across-the-board support from everybody, but that can't happen if they get a similarly one-sided reputation. Rights do not come without responsibilities. -- Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf