British Hacker Faces Extradition To US, Not To Mention Five Years' Imprisonment In UK For Failing To Hand Over Encryption Keys
from the anything-else? dept
Techdirt followed the the saga of the hacker Gary McKinnon, whom the US authorities wished to extradite from the UK to face charges of causing damage to military computers, for some years before the UK Home Secretary blocked his extradition, and the case against him in the UK was dropped. That was a great result for McKinnon after a 10-year fight to avoid extradition, but it meant that the key issues that his situation raised were never addressed. Now a new case with many similarities to that of McKinnon's looks like it will revisit some of those legal questions -- and add some more of its own:
A British man has been charged in the US with hacking into thousands of computer systems, including those of the US army and Nasa, in an alleged attempt to steal confidential data.
But even before he can begin to fight that case, Love has an additional problem to deal with because of the following:
Lauri Love, 28, is accused of causing millions of pounds of damage to the US government with a year-long hacking campaign waged from his home in Stradishall, a village in Suffolk.On February 7th the deadline for Lauri Love to turn his encryption keys over to the UK government expired.
As the post on FreeAnons explains:
The UK government are now free to charge Lauri for his lack of cooperation with their demand for his passwords, in accordance with section 49 of the controversial Regulation of Investigatory Powers Act 2000, but what is section 49 and why is it being levied against Lauri Love?
Actually, RIPA's punishment for withholding keys seems to be up to two years' imprisonment in general, and up to five when the magic spell "national security" is invoked, but it's still a long time. And the crucial point is the following:
Section 49 essentially allows the UK government to compel, under threat of up to five years imprisonment (this doubles to ten years if national security is seen to be
at stake), any citizen to disclose their personal encryption keys. The law allows for this legal compulsion on grounds ranging from "the interests of national security" to "the purpose of preventing or detecting crime" and "interests of the economic well-being of the United Kingdom".Lauri has been charged with no crime in Britain, yet their government is still invoking this law to attempt to force him to provide information that could incriminate him or damage his defense should he go to trial.
So Love faces two extremely serious problems: the threat of imprisonment from RIPA, and the threat of extradition to the US, with a long prison sentence there if he's found guilty. Here's what the US Department of Justice is accusing him of:
The indictment, which was released by the US department of justice on Monday, describes Love as a "sophisticated and prolific computer hacker who specialised in gaining access to the computer networks of large organisations, including government agencies, collecting confidential data including personally identifiable information from within the compromised networks, and exfiltrating the data out of the compromised networks".
"Gaining access", "collecting confidential data", "exfiltrating data out": isn't that precisely what the NSA and GCHQ have been doing around the world on a rather larger scale...?
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: encryption, extradition, gary mckinnon, hacking, lauri love, uk
Reader Comments
Subscribe: RSS
View by: Time | Thread
The issue of whether this s49 power goes against rules on self-incrimination has been quite widely debated, but so far the English courts have decided that it doesn't.
[ link to this | view in thread ]
Re:
That has to have taken some serious twisting of logic and reasoning.
'You can either provide the password, and thereby grant access to the encrypted HD/flashdrive, providing evidence of your guilt should there be anything incriminating among the encrypted files, or refuse, and be charged with that.'
Such a law wouldn't be as bad if it included an automatic granting of immunity for anything found(still objectionable, just not as much), though given the entire purpose of such a law is to side-step laws against self-incrimination, it's natural they'd avoid any such immunity guarantee.
[ link to this | view in thread ]
[ link to this | view in thread ]
Also, forgetting your password shouldn't be a felony.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
The court's reasoning for this not being self-incrimination hinged on the difference between the encrypted information and the password. It is the information that is incriminating, but that exists independently of the defendant. The defendant is being compelled to provide the password only, which itself isn't necessarily incriminating. The court did note that there could be circumstances where the defendant's knowledge of the password would be incriminating, but then it would be open for them to argue that that information should not be used as evidence at trial.
It's also worth remembering that this is a pre-trial issue (or even pre-charge). It is part of the initial investigation. So if there are problems with self-incrimination that can be dealt with at a pre-trial hearing.
The Court's position seems to be that this law isn't designed to get around self-incrimination, but get around the fact that it is much harder to crack an encrypted drive than break open a safe.
[ link to this | view in thread ]
Re: Re: Re:
The issue of a pass-word is a UK issue.
The issue of a trial is a US issue.
In short provide the UK with the pass-word who will then provide it to the US or go to jail in the UK for 5 years.
If pass-word is provided to UK then information is provided by UK to US so then go to jail in US for 10 to 20.
Neat way of evading US 4th amendment and declaring one self guilty at same time. If pass-word is known and given up then that proves information on HD is yours and since according to US you voluntary gave up pass-word you have in-effect pleaded guilty in a US court.
[ link to this | view in thread ]
Re: Re: Re:
Though it very well could be, for example 'We had this encrypted data, we were fairly sure it was the defendant's, and though there's nothing in there that identifies them specifically, they knew the password, therefor it must be theirs.'
The court did note that there could be circumstances where the defendant's knowledge of the password would be incriminating, but then it would be open for them to argue that that information should not be used as evidence at trial.
Maybe it's my cynical nature kicking in, but I don't see that going well for the defendant, as they now have to fight to get evidence collected from the results of a legal order, the one that forced them to provide the password, and then try and argue that their rights against self-incrimination take precedence over 'legally gathered evidence'.
The Court's position seems to be that this law isn't designed to get around self-incrimination, but get around the fact that it is much harder to crack an encrypted drive than break open a safe.
Yeah, I'm just not seeing the difference.
In either case you're being forced to provide access to evidence that could then be turned around and used against you. Not only that, but as I noted above, by being able to unlock/unencrypt it, you've all but admitted 'this is mine' regarding anything they find, making it even easier for them to use anything they find against you.
As for the difference in difficulty between cracking a safe and cracking an HD's encryption, so what? If the end result is the same, then the laws regarding them should be likewise.
[ link to this | view in thread ]
New app to solve this.
Correct one = access to files
Special one = you get rickrolled while the information is overwriten.
[ link to this | view in thread ]
Re: New app to solve this.
You can essentially create 2 OSs, one as a decoy, both accessible with different passwords.
On the second one you can just download loads of cat pictures to make them laugh whilst the original OS is undetectable.
[ link to this | view in thread ]
Now this is what I call due process
[ link to this | view in thread ]
Re: Now this is what I call due process
[ link to this | view in thread ]
Re: New app to solve this.
Not only that, but they also employ "write blockers", pieces of hardware which block write commands while letting read commands pass through.
The only way this would work is if the real password is on a separate device, which will forget the password if it is powered off, opened, moved, tampered with, or if the correct sequence of six numbers is not entered periodically on a terminal.
[ link to this | view in thread ]
Re: Re: New app to solve this.
As for write blockers, they don't help with this sort of thing. A write blocker sits between the storage device and the processor. There is no physical way to connect one so it sits between a phone's memory and its processor. The best that could be done is to use a software blocker, but then you still have to be able to successfully unlock the phone first.
[ link to this | view in thread ]
Un-Fucking-Believable......how far its got, and fuck all cares
[ link to this | view in thread ]
Re: Now this is what I call due process
Also, back to time out for you.
[ link to this | view in thread ]
Re: Now this is what I call due process
[ link to this | view in thread ]
McKinnon
Try and imagine the same thing happening the other way?!?
[ link to this | view in thread ]
Re: McKinnon
[ link to this | view in thread ]
[ link to this | view in thread ]