British Hacker Faces Extradition To US, Not To Mention Five Years' Imprisonment In UK For Failing To Hand Over Encryption Keys
from the anything-else? dept
Techdirt followed the the saga of the hacker Gary McKinnon, whom the US authorities wished to extradite from the UK to face charges of causing damage to military computers, for some years before the UK Home Secretary blocked his extradition, and the case against him in the UK was dropped. That was a great result for McKinnon after a 10-year fight to avoid extradition, but it meant that the key issues that his situation raised were never addressed. Now a new case with many similarities to that of McKinnon’s looks like it will revisit some of those legal questions — and add some more of its own:
A British man has been charged in the US with hacking into thousands of computer systems, including those of the US army and Nasa, in an alleged attempt to steal confidential data.
Lauri Love, 28, is accused of causing millions of pounds of damage to the US government with a year-long hacking campaign waged from his home in Stradishall, a village in Suffolk.
But even before he can begin to fight that case, Love has an additional problem to deal with because of the following:
On February 7th the deadline for Lauri Love to turn his encryption keys over to the UK government expired.
As the post on FreeAnons explains:
The UK government are now free to charge Lauri for his lack of cooperation with their demand for his passwords, in accordance with section 49 of the controversial Regulation of Investigatory Powers Act 2000, but what is section 49 and why is it being levied against Lauri Love?
Section 49 essentially allows the UK government to compel, under threat of up to five years imprisonment (this doubles to ten years if national security is seen to be at stake), any citizen to disclose their personal encryption keys. The law allows for this legal compulsion on grounds ranging from “the interests of national security” to “the purpose of preventing or detecting crime” and “interests of the economic well-being of the United Kingdom”.
Actually, RIPA’s punishment for withholding keys seems to be up to two years’ imprisonment in general, and up to five when the magic spell “national security” is invoked, but it’s still a long time. And the crucial point is the following:
Lauri has been charged with no crime in Britain, yet their government is still invoking this law to attempt to force him to provide information that could incriminate him or damage his defense should he go to trial.
So Love faces two extremely serious problems: the threat of imprisonment from RIPA, and the threat of extradition to the US, with a long prison sentence there if he’s found guilty. Here’s what the US Department of Justice is accusing him of:
The indictment, which was released by the US department of justice on Monday, describes Love as a “sophisticated and prolific computer hacker who specialised in gaining access to the computer networks of large organisations, including government agencies, collecting confidential data including personally identifiable information from within the compromised networks, and exfiltrating the data out of the compromised networks”.
“Gaining access”, “collecting confidential data”, “exfiltrating data out”: isn’t that precisely what the NSA and GCHQ have been doing around the world on a rather larger scale…?
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: encryption, extradition, gary mckinnon, hacking, lauri love, uk
Comments on “British Hacker Faces Extradition To US, Not To Mention Five Years' Imprisonment In UK For Failing To Hand Over Encryption Keys”
Just to be really picky, but failure to disclose a password when ordered to by the court using the Part III RIPA procedure is a crime. So failing to disclose it can lead to being charged with a crime. Generally there is some underlying crime being investigated (in this case the hacking), but I’m not sure they have to charge him with that crime.
The issue of whether this s49 power goes against rules on self-incrimination has been quite widely debated, but so far the English courts have decided that it doesn’t.
Re: Re:
The issue of whether this s49 power goes against rules on self-incrimination has been quite widely debated, but so far the English courts have decided that it doesn’t.
That has to have taken some serious twisting of logic and reasoning.
‘You can either provide the password, and thereby grant access to the encrypted HD/flashdrive, providing evidence of your guilt should there be anything incriminating among the encrypted files, or refuse, and be charged with that.’
Such a law wouldn’t be as bad if it included an automatic granting of immunity for anything found(still objectionable, just not as much), though given the entire purpose of such a law is to side-step laws against self-incrimination, it’s natural they’d avoid any such immunity guarantee.
Re: Re: Re:
I guess these issues haven’t been debated enough…
The court’s reasoning for this not being self-incrimination hinged on the difference between the encrypted information and the password. It is the information that is incriminating, but that exists independently of the defendant. The defendant is being compelled to provide the password only, which itself isn’t necessarily incriminating. The court did note that there could be circumstances where the defendant’s knowledge of the password would be incriminating, but then it would be open for them to argue that that information should not be used as evidence at trial.
It’s also worth remembering that this is a pre-trial issue (or even pre-charge). It is part of the initial investigation. So if there are problems with self-incrimination that can be dealt with at a pre-trial hearing.
The Court’s position seems to be that this law isn’t designed to get around self-incrimination, but get around the fact that it is much harder to crack an encrypted drive than break open a safe.
Re: Re: Re: Re:
Funny, Funny
The issue of a pass-word is a UK issue.
The issue of a trial is a US issue.
In short provide the UK with the pass-word who will then provide it to the US or go to jail in the UK for 5 years.
If pass-word is provided to UK then information is provided by UK to US so then go to jail in US for 10 to 20.
Neat way of evading US 4th amendment and declaring one self guilty at same time. If pass-word is known and given up then that proves information on HD is yours and since according to US you voluntary gave up pass-word you have in-effect pleaded guilty in a US court.
Re: Re: Re: Re:
The defendant is being compelled to provide the password only, which itself isn’t necessarily incriminating.
Though it very well could be, for example ‘We had this encrypted data, we were fairly sure it was the defendant’s, and though there’s nothing in there that identifies them specifically, they knew the password, therefor it must be theirs.’
The court did note that there could be circumstances where the defendant’s knowledge of the password would be incriminating, but then it would be open for them to argue that that information should not be used as evidence at trial.
Maybe it’s my cynical nature kicking in, but I don’t see that going well for the defendant, as they now have to fight to get evidence collected from the results of a legal order, the one that forced them to provide the password, and then try and argue that their rights against self-incrimination take precedence over ‘legally gathered evidence’.
The Court’s position seems to be that this law isn’t designed to get around self-incrimination, but get around the fact that it is much harder to crack an encrypted drive than break open a safe.
Yeah, I’m just not seeing the difference.
In either case you’re being forced to provide access to evidence that could then be turned around and used against you. Not only that, but as I noted above, by being able to unlock/unencrypt it, you’ve all but admitted ‘this is mine’ regarding anything they find, making it even easier for them to use anything they find against you.
As for the difference in difficulty between cracking a safe and cracking an HD’s encryption, so what? If the end result is the same, then the laws regarding them should be likewise.
So the UK government has ordered Lauri Love to surrender encryption keys so that they can “gain access”, “collect confidential data”, and “exfiltrate data out” of his computer because the US government is looking for evidence of him “gaining access”, “collecting confidential data”, and “exfiltrating data out” of their computers? And in an “innocent until proven guilty” country no less?
Yes, this is exactly what the NSA/GCHQ have been unconstitutionally doing for the last decade. For the DOJ to go after a UK citizen for essentially doing the exact same thing, is hypocrisy at it’s finest.
Also, forgetting your password shouldn’t be a felony.
the irony being that he’s gonna be screwed for hacking, (i obviously dont know if he did or not) and it took the USA government a year to discover this? on top of that, how did he cost millions of dollars in damage? because the security wasn’t good enough to keep him out, isn’t his fault, it’s theirs. then there’s the little matter of the US government, via the NSA and whoever else you can think of going through every persons belongings on the planet, ably aided by the UK government, via GCHQ, with no sign of any let up, let alone any actual stopping of the spying, accompanied by apologies, yet this guy gets screwed fucking rotten and imprisoned for withholding his password? if the security forces are as good as they keep telling us at stopping all sorts of terrorist attacks and god only knows what else, why cant they crack his password? and dont forget that these same security agencies have been acting totally illegally for years spying on, infiltrating, exfiltrating data and collecting data on an absolutely massive scale for years!! but because it’s the government and they think they are entitles to do whatever they like whilst no one else can, he’s gotta suffer! what a way for the world to be heading!!
It’s like the drug cartel whore calling a street corner dealer a scourge on society. The court of public opinion has no doubts just who the real criminals are here. It’s just another day in the hood.
New app to solve this.
Encryption program that allows 2 passwords.
Correct one = access to files
Special one = you get rickrolled while the information is overwriten.
Re: New app to solve this.
Truecrypt has this feature.
You can essentially create 2 OSs, one as a decoy, both accessible with different passwords.
On the second one you can just download loads of cat pictures to make them laugh whilst the original OS is undetectable.
Re: New app to solve this.
Every forensic investigator will do their work with a copy of the original, so there is no way to overwrite the information.
Not only that, but they also employ “write blockers”, pieces of hardware which block write commands while letting read commands pass through.
The only way this would work is if the real password is on a separate device, which will forget the password if it is powered off, opened, moved, tampered with, or if the correct sequence of six numbers is not entered periodically on a terminal.
Re: Re: New app to solve this.
This is why your security system should include wiping the device when an unrecognized USB device is connected to it.
As for write blockers, they don’t help with this sort of thing. A write blocker sits between the storage device and the processor. There is no physical way to connect one so it sits between a phone’s memory and its processor. The best that could be done is to use a software blocker, but then you still have to be able to successfully unlock the phone first.
Now this is what I call due process
And obviously Masnick and his moderators will hide this comment, again.
Re: Now this is what I call due process
What comment? I can’t see anything 😉
Re: Now this is what I call due process
‘Do what those in power demand, even if it means providing incriminating evidence against yourself, or face another charge for refusing’… yeah, that seems to fit your idea of ‘due process’ to a T there AJ, hardly surprising you’d be for it.
Also, back to time out for you.
Re: Now this is what I call due process
l o l
“Section 49 essentially allows the UK government to compel, under threat of up to five years imprisonment (this doubles to ten years if national security is seen to be at stake), any citizen to disclose their personal encryption keys.”
Un-Fucking-Believable……how far its got, and fuck all cares
McKinnon
As with McKinnon: It pisses me off that a British citizen, with a British passport, who is not charged with any crime in the UK can be considered for extradition to the USA because some court in the USA thinks they may have committed a crime there.
Try and imagine the same thing happening the other way?!?
Re: McKinnon
Ya – wouldn’t happen
Hmm…Provide the password, or provide the keys? It really is a no win situation…