Sunday, 23 May 2010

Blogging on McKinnon

Next weekend I will be doing a blogpost providing a skeptical view on the McKinnon case.

If there are any points or links you think I should consider, please comment below.

Please note this blog's comments moderation policy; also, I am unlikely to publish flaming or venting comments.


No purely anonymous comments will be published; always use a name for ease of reference by other commenters.


endless psych said...

I believe you have already seen and RT this but here it is again:
Might write an updated version.

Tim said...

To quote Tony Attwood, author of the Complete Guide to Aspergers Syndrome.

"The overwhelming majority of people with Asperger's syndrome are law-abiding citizens, often with very clear and conventional opinions as to what is morally etc etc."

Someone who may be worth contacting for a meaningful opinion? /

Stephen Moss said...

As Asperger's belongs to the autism spectrum disorders, in which there is a vast range of severity wrt level of handicap, it should surely be necessary to assess each case individually. The condition is one where it is not possible to apply a single rule to all.

Even then, the issue of AS may be irrelevant, and the more important consideration may be whether the US justice system can be relied upon to deliver a sentence judged to be fair by UK standards?

My uninformed view is that a country which still applies the death penalty is not one that we should entrust with this responsibility.

Dingdongalistic said...

I think it'd be better to consider the implications of the way the probably plea bargaining would colour a fair trial in the US, regardless of whether McKinnon's Aspergers makes him deserving of different treatment. Also look at the proportionality of the US's response, and the nature of the extradition arrangement, where the US constitution protects its citizens in a way which we are simply not protected.

Tom Evans said...

I'm interested in under what circumstances can a person be extradited to a country he has never visited?

For example if were to draw Mohammed and be judged guilty of sending a grossly offensive message under the s. 127 offence, could I be extradited to serve a prison sentence in Saudi Arabia despite never having been there? (assmuing a treaty and guarantee of no tortue/death)

wilhil said...

As per twitter request, here is a blog post I made - ( )

I have been seeing this case on the news for ages and it has really interested me.

The blog post above is trying more to look at how it affects other people who work with computers and the case itself rather than the other facts (health etc.).

But, I am not a lawyer and I wrote that when I was half asleep, maybe you will think it is a load of rubbish!

Alex said...

"where the US constitution protects its citizens in a way which we are simply not protected."

The US Constitution delineates between "citizens" and "persons". The rights relevant to this discussion, like due process, apply to anyone(1) regardless of what country they're from.

(1) Except those detained without charge in the War on Terror.

Dr. Brian Blood said...

Tom Evans' point is easily answered.

McKinnon allegedly broke into sensitive US computers via the web. His excuse was that he was looking for information about UFOs.

His alleged 'crime' took place (had its immediate effect) on US-sited machines, owned, I presume, by the Department of Defense.

It seems entirely proper that the US authorities would want to charge and prosecute him in the US whatever his 'alleged' medical problems.

What is not clear, though, as others have pointed out, is the 'fairness' of the US legal system at least with regards to the inordinately extended and uncertain 'time to trial'.

It would seem to me that the best solution is for US authorities to interview McKinnon in the UK with either US or UK lawyers present and that he be held on bail here in the UK until the trial is about to commence, assuming that , if the US authorities are still minded to continue with it.

Then, McKinnon should be 'shipped' to the US for his trial and whatever sentence should be left to the US courts. If this were to include a term of imprisonment then it is open to the UK authorities to have agreed beforehand that McKinnon serve that sentence in the UK in a UK jail.

Alex said...

I used to think the McKinnon case was a travesty like most people, but then I read a judgement from the Lords, and it seemed to make more sense than what I thought before.

A useful comparison, would be to the NatWest Three, where similar complaints about the extradition treaty were made, propagated by a PR team:

There were also complaints of how bad the US judicial system would treat the three men, like there are now with McKinnon, but this harshness never materialised, and they are now serving the rest of their terms in jail in the UK.

And guess what? The same PR firm is representing McKinnon:

Some interesting Parliamentary debate on the subject here:

I'm no fan of Alan Johnson, but he seems right to me. Looking forward to what someone who understands the law has to say on this issue.

Jamie said...

As I understand it, Gary wrote a letter to the DPP, in which he admitted to offences under section 2 of the Misuse of Computers Act. This section covers ‘unauthorised access with intent to commit or facilitate commission of further offences’. Given his repeated denial of any damage done to US systems, this seems a little strange – especially when you consider that section 1 covers ‘unauthorised access to computer material’ without the ‘further offences’ bit.

I guess that leaving messages on the site could count as a 'further offence', so that might not be as damning as it appears. Still an interesting detail, though.

As for the time it's taken to come to trial and the effect on Gary's health, how much of that delay has simply been down to Gary (understandably) trying to prevent his extradition?

Nick Sharratt said...

I disagree with Dr. Brian Blood that the question of the location of the crime and jurisdiction can be easily dismissed, and I see similar issues to those raised regarding lible tourism in the UK.

There is a philosophical question of where a crime is committed if using tools which allow action at a distance, although there is probably ample legal prescedent deeming that the crime is committed where the damage is done. Indeed, in a physical world that makes sense. One could imagine a circumstance of someone standing one side of a national boundary shooting someone on the other side. In that case it would seem obvious that the crime is committed where the person is shot, not where the gun is fired. The question then is if the authorities with jurisdiction gain the cooperation of those where the perpetrator stands to act on it.

However, what if the 'crime' were calling someone a name? What if that act were legal in one jurisdiction but not the other? ie what is the 'damage' were virtual?

In such an instance, it seems to me that philosophically, the 'act' is what is important and it is only illegal if the act takes place in the relevant jurisdiction.

So, in this case, where the ACT took place in the UK, it would seem that should be where the crime is prosecuted, and the legal framework which should be applied.

I doubt legal precedent agrees with this interpretation, but because it has ramifications for many virtual crimes which could be declared in any country of the world and which anyone could therefore be guilty of through ignorance, I see this case as vital prescedent - although unfortunately it is not being looked at in this way.

My concern is that any country in the world could for instance enact a law saying 'it is illegal to transmit or cause to be transmitted any file including the word "spoon"'. Since Internet traffic may be routed through that country without any awareness of the individual, anyone anywhere in the world may break that law and be subject to prosecution in that country. (a ridiculous example I know - deliberately so)

So my key question in this case is what framework establishes that the UK should concider that a crime has been committed by someone in anoher country when the crime is virtual and the act was in this country?

With regard to the specifics of this case, as an IT proffesional, the estimate of damages appears excessive unless it includes an estimate of lost work caused by the unavailability of systems. Certainly the work required to address any direct impact as described would be a tiny fraction of $700,000. As a non-lawer, I'm unclear if consequential unintended damages are usually included in such cases. For instance, if someone intended to steal a nut costing $1 inadvertantly caused a builing to collapse (which had been fundamentally flawed and it was unreasonable to expect the removal of a single nut to cause the failure), would the thief be liable for the nut or the whole building? I think in US law at least it's the latter (from the reliable source of CSI on TV!) but is that also true in UK law?

There are many strands to this case - from the US government losing face after having their woefully poor secuity exposed and attempting to portray this as requiring more technical competance than it did, to the selective choice of language to describe the act to imply additional malace (eg deleting OS files and copying them by reading between the lines means dumping the SAM for offline brute force cracking and removing log files/replacing files with compromised ones), to the question of due process/different cultural approaches to plea bargins, to mitigating factors of mental health, to jurisdiction. Certainly worthy of your blog and I look forward to your analysis of all the points :)

Tom Evans said...

"Tom Evans' point is easily answered.

McKinnon allegedly broke into sensitive US computers via the web."

In my example wouldn't I be causing gross offense to people a crime here and there) in Saudi Arabia (a crime here and there), on Saudi computers?

ajohnson said...

Extradition is a very significant event, It has a very significant impact on someone's life. They will be forcibly relocated away from familiy, friends amd job etc. and it places them at a disadvantage defending themselves under an unfamiliar legal system.
It should therefore only be applied when it concerns a serious offence, there is reasonable evidence and there is good evidence that they will receive a fair trial.
The ability to challenge extradition on these grounds and examine the evidence is essential to defend citizens against unjust persecution by a foreign governments or legal system. The treaty with the US removes the ability of UK courts to defend UK citizens and should be repealled immediately.

In the case of the US there is doubt about a fair trial for anyone who is accussed of terrorism or a terrorism related offence. This should be a narrow concern but is not because of the ludicrously wide scope of actions the US has described as terrorism including unauthorised access of a computer. It is also a concern
that the US seems to distinguish between US citizens and non-citizens in terms of the legal rights to a fair trial etc.
No one should be extradited to the US who has been accussed or associated with terrorism until these issues are resolved.

On the specifics of Gary McKinnon there are questions about the honesty of the prosecution.
The statements about cyber-terrrorism are grotesque hyperbole and raise questions about the
honesty of the prosecuting authorities. There are also serious questions about the scale of the damage alleged.

I do not see Gary's alleged Autism as significant. This is something that the US courts can and should take into account as a UK court should.

Jurisdiction is something that is interesting to think about in general for internet related actions as an alleged offence could take place in many countries and the accussed mught not of even been aware of what country he was accessing. In this case however
the alleged damage was made to equipment in the US and Gary knew he was accessing equipment in the US so this it is not unreasonable that he is prosecuted there.

Dandelion said...

The question of jurisdiction has already been dismissed by the US courts, who have ruled that online activity takes place at the keyboard and no-where else.

As regards the 'damage' caused, that has been dismissed also, and the extradition allegations in their entirety dismissed as "an embarrassment to the prosecution" by LJ Burnton, and acknowledged as such by CPS (July 09).

The question is whether it is just or lawful to extradite a person (retrospectively) when a non-extraditable offence took place in the UK, and when the criteria for extradition under the present (rotten) treaty have demonstrably not been met. Clearly, the answer is no.

The AS is relevant only in terms of explaining motive (for a non-extraditable offence) and in terms of the differential impact on his Human Rights that extradition represents, relative to a non-autistic person.

The Human Rights angle is only being discussed because the extradition act 03 removes every other right of defence to extradition, and because the courts have failed thus far even to apply the paltry protections afforded by the act.

Never have I heard so much ill-informed b/s talked about by so many.

vp said...

According to the Wikipedia article on McKinnon, his activities did not constitute extraditable offences at the time they were committed.

Assuming that the penalties he would face in the US are higher than those he would face in the UK (which seems highly likely), then his extradition would seem to violate the principle of Nullum crimen, nulla poena sine praevia lege poenali

In other words, McKinnon would be facing legal punishment which he could not have anticipated at the time he contemplated performing the offence. If McKinnon were a US citizen facing extradition to the UK in such a situation, would the extradition not violate the constitutional ban on ex post facto laws?

On the other hand, the Daily Mail has started a campaign against McKinnon's extradition... so maybe I should support it.

Dr. Brian Blood said...

I would strongly recommend we all read the House of Lords judgment:

I think we might find quite a number of misunderstandings settled there.

Under the present extradition treaty with the US there is little doubt that the courts have found it impossible to resist the US request, the more so because McKinnon has admitted his part in this affair, and his behaviour once inside the various US computers appears to have been anything but benign.

The House of Lords judgment includes the following observation by Lord Brown of Eaton-under-Heywood:

"the gravity of the offences alleged against the appellant should not be understated: the equivalent domestic offences include an offence under section 12 of the Aviation and Maritime Security Act 1990 for which the maximum sentence is life imprisonment."

The role of various politicians in this case has been worrying - this should never have become a political matter.

I fear that what might have been a 'good deal' namely,

"Mr Stein [for the US justice department] confirmed that he was authorised to offer the appellant a deal in return for not contesting extradition and for agreeing to plead guilty to two of the counts laid against him of “fraud and related activity in connection with computers". On this basis it was likely that a sentence of 3-4 years (more precisely 37-46 months), probably at the shorter end of that bracket, would be passed and that after serving 6-12 months in the US, the appellant would be repatriated to complete his sentence in the UK. In this event his release date would be determined by reference to the UK’s remission rules namely, in the case of a sentence not exceeding four years, release at the discretion of the parole board after serving half the nominal sentence, release as of right at the two-thirds point. On that basis, he might serve a total of only some eighteen months to two years."

has been overtaken by the fallout from the involvement of politicians, newspapers and an outside chance that extradition could be resisted through the courts.

Shaun Hollingworth said...

Mr McKinnon did not perform the deed in the US. His actions were performed on UK soil. Mr McKinnon is not subject to US LAW, he is not resident in the US, nor is he a US citizen so the US should not be able to attempt to extend their jurisdiction here. The US can only regard itself as a victim, of someone who broke UK laws (which Mr. McKinnon IS subject to) regardless of where the target computer or victim was located. The hacking activitiy was performed in the UK, not in the US and therfore the crime was committed here, not in the US. The US should therefore seek redress under the UK legal system in UK courts.

In any case I would like to see how they assess the damages at so high a figure. As far as I am aware no damage was done to the data, and nothing was altered. It seems to me that the people in the US responsible for computer security have egg all over their faces and want someone else to pay the price for their negligence. It isn't fair. Yes the US will have to spend money. Money that should have been spent anyway, making their computer systems much more secure if the data on them is that critical and that secret.