British Hacker Faces Extradition To US, Not To Mention Five Years' Imprisonment In UK For Failing To Hand Over Encryption Keys

from the anything-else? dept

Techdirt followed the the saga of the hacker Gary McKinnon, whom the US authorities wished to extradite from the UK to face charges of causing damage to military computers, for some years before the UK Home Secretary blocked his extradition, and the case against him in the UK was dropped. That was a great result for McKinnon after a 10-year fight to avoid extradition, but it meant that the key issues that his situation raised were never addressed. Now a new case with many similarities to that of McKinnon's looks like it will revisit some of those legal questions -- and add some more of its own:

A British man has been charged in the US with hacking into thousands of computer systems, including those of the US army and Nasa, in an alleged attempt to steal confidential data.

Lauri Love, 28, is accused of causing millions of pounds of damage to the US government with a year-long hacking campaign waged from his home in Stradishall, a village in Suffolk.
But even before he can begin to fight that case, Love has an additional problem to deal with because of the following:
On February 7th the deadline for Lauri Love to turn his encryption keys over to the UK government expired.
As the post on FreeAnons explains:
The UK government are now free to charge Lauri for his lack of cooperation with their demand for his passwords, in accordance with section 49 of the controversial Regulation of Investigatory Powers Act 2000, but what is section 49 and why is it being levied against Lauri Love?

Section 49 essentially allows the UK government to compel, under threat of up to five years imprisonment (this doubles to ten years if national security is seen to be at stake), any citizen to disclose their personal encryption keys. The law allows for this legal compulsion on grounds ranging from "the interests of national security" to "the purpose of preventing or detecting crime" and "interests of the economic well-being of the United Kingdom".
Actually, RIPA's punishment for withholding keys seems to be up to two years' imprisonment in general, and up to five when the magic spell "national security" is invoked, but it's still a long time. And the crucial point is the following:
Lauri has been charged with no crime in Britain, yet their government is still invoking this law to attempt to force him to provide information that could incriminate him or damage his defense should he go to trial.
So Love faces two extremely serious problems: the threat of imprisonment from RIPA, and the threat of extradition to the US, with a long prison sentence there if he's found guilty. Here's what the US Department of Justice is accusing him of:
The indictment, which was released by the US department of justice on Monday, describes Love as a "sophisticated and prolific computer hacker who specialised in gaining access to the computer networks of large organisations, including government agencies, collecting confidential data including personally identifiable information from within the compromised networks, and exfiltrating the data out of the compromised networks".
"Gaining access", "collecting confidential data", "exfiltrating data out": isn't that precisely what the NSA and GCHQ have been doing around the world on a rather larger scale...?

Follow me @glynmoody on Twitter or, and +glynmoody on Google+

Filed Under: encryption, extradition, gary mckinnon, hacking, lauri love, uk

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    Duke (profile), 27 Feb 2014 @ 4:48pm

    Re: Re:

    I guess these issues haven't been debated enough...
    You can either provide the password, and thereby grant access to the encrypted HD/flashdrive, providing evidence of your guilt should there be anything incriminating among the encrypted files, or refuse, and be charged with that.
    The court's reasoning for this not being self-incrimination hinged on the difference between the encrypted information and the password. It is the information that is incriminating, but that exists independently of the defendant. The defendant is being compelled to provide the password only, which itself isn't necessarily incriminating. The court did note that there could be circumstances where the defendant's knowledge of the password would be incriminating, but then it would be open for them to argue that that information should not be used as evidence at trial.

    It's also worth remembering that this is a pre-trial issue (or even pre-charge). It is part of the initial investigation. So if there are problems with self-incrimination that can be dealt with at a pre-trial hearing.

    The Court's position seems to be that this law isn't designed to get around self-incrimination, but get around the fact that it is much harder to crack an encrypted drive than break open a safe.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.