mnemonic@eff.org (Mike Godwin) (04/08/91)
The following e-mail from Walter Milliken is posted with his permission. I'm reposting it because I liked his response on the issue of search-and-seizure technical guidelines.

From milliken@BBN.COM Fri Apr 5 11:15:09 1991
Return-Path: <milliken@BBN.COM>
Received: from MANNIX.BBN.COM by eff.org (4.1/Spike-2.0) id AA07641; Fri, 5 Apr 91 11:15:06 EST
Message-Id: <9104051615.AA07641@eff.org>
Date: Fri, 5 Apr 91 12:08 EDT
From: Walter Milliken <milliken@BBN.COM>
Subject: Re: Less intrusive, more efficient searches and seizures
To: Mike Godwin <mnemonic@eff.org>
Status: R

>This is actually good for us as well, since it eliminates probable cause
>to do highly intrusive searches in most cases.

An analogy to paper record searches would be useful, perhaps -- after all, the suspect might have rigged his safe or filing cabinet to incinerate all his records with a single button push, or if opened improperly. Or as I said before, he might have all his records in a code. I don't know if that happens in real life, but I've certainly seen it mentioned in mystery stories, so obviously people have considered it. Is this a justification for no-knock searches?

Incidentally, there's another reason why it's unlikely a programmer would hide stuff under simple self-destruct mechanisms -- it's too easy to set them off by accident. I make typos all the time -- a one-key destruct that did "rm *" would be disaster for me.

As far as hiding data goes, I can sympathize with the searchers -- it's pretty trivial to hide data by mislabeling it. But this must happen with "paper" searches too. A simple "grep" through the whole system disk, on premises, should suffice to turn that sort of thing up. More complex hiding would normally necessitate a special access program.

The answer, I think, is for the law enforcement people to have a bag of tools for dealing with the system they're planning to search. One good one would be some sort of CRC check for commercial application programs -- you could tell if the user had modified a standard application to contain other data or non-standard code to decrypt his own data.

Ultimately, you could give the searchers a toolkit to take on the search that they could just put in the floppy drive, boot, and feed some set of judge-approved search words or phrases to. It would verify any standard applications, point out any non-standard ones, and any files containing the keywords. If the user only has standard applications (rather likely, unless he's a programmer), you can declare the system clean within a few hours. (You'd have to scan every floppy disk, too.) But the searchers would never actually look at the files, except suspect ones. If there are unusual application programs, you dump the disk and have an expert analyze the programs to see what they do.

All of this can be done on-site rather easily, and the searchers would no longer need to be computer experts -- just trained on how to use the program. I'll bet this would handle 95% of all cases quite trivially.

---Walter

--
Mike Godwin, (617) 864-0665 | "Language is a virus
mnemonic@eff.org            | from outer space."
Electronic Frontier         |
Foundation                  |
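The triage toolkit Milliken sketches (verify standard applications against known digests, flag modified or unknown programs, and search only the unverified files for approved keywords) as an added example, not code from the original post or its authors. It assumes SHA-256 in place of the CRC he mentions (a CRC is not tamper-resistant), and the manifest and sample disk are constructed here.

```python
"""Known-file triage: verify standard programs by digest, then keyword-search
only what could not be verified, so untouched applications are never read."""
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, manifest, keywords):
    """manifest: relative path -> expected SHA-256 of the pristine program.
    Returns sorted lists: verified, modified (in manifest, digest differs),
    unknown (not in manifest), hits (relpath, keyword) over non-verified files."""
    report = {"verified": [], "modified": [], "unknown": [], "hits": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            expected = manifest.get(rel)
            if expected == sha256_of(full):
                report["verified"].append(rel)
                continue  # standard application: contents are never inspected
            report["modified" if expected else "unknown"].append(rel)
            with open(full, "rb") as f:
                data = f.read().lower()  # case-insensitive keyword match
            report["hits"] += [(rel, kw) for kw in keywords if kw.lower().encode() in data]
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Build a constructed sample disk (calc.exe altered on disk) and triage it."""
    root = tempfile.mkdtemp()
    files = {"bin/editor.exe": b"MZ standard editor build 1.0",
             "bin/calc.exe": b"MZ calculator plus hidden ledger data",
             "docs/letter.txt": b"Dear Bob, nothing to see here",
             "docs/notes.txt": b"meeting about the WAREHOUSE shipment"}
    for rel, data in files.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    manifest = {"bin/editor.exe": hashlib.sha256(files["bin/editor.exe"]).hexdigest(),
                "bin/calc.exe": hashlib.sha256(b"MZ calculator build 1.0").hexdigest()}
    return triage(root, manifest, ["warehouse", "ledger"])


if __name__ == "__main__":
    print(demo())
```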