What's scary to me is that the crime doesn't fit the punishment. We're going to take a genius away from civilization where he could use his potential in constructive ways, and lock him up for something that, realistically, isn't as bad as when bankers launder many millions of dollars, or when identity thieves steal. So we will probably give this guy a life sentence for being smarter than 90% of the American workforce and almost uncovering secrets that shouldn't be being kept anyway. Why can't we throw the book at corrupt politicians and businessmen this hard?
The CFAA is too blunt of an instrument. At the very least it should have options for lesser charges.
But for some reason every politician's reaction to cyber events is to make the CFAA more draconian. President Obama is actually in favor of adding more provisions by amendment this year.
I'm not sure of the correct way to handle cybercrime laws, but I know the CFAA isn't it.
> But for some reason every politician's reaction to cyber events is to make the CFAA more draconian.
I forget who said this, but it's because to a lot of this generation of politicians, a lot of "hacking" and "cybercrime" is a modern-day witchcraft. Aside from a few allies in Congress, technological aptitude (and those that actually understand cybersecurity) will likely lag until a lot of these older career politicians are replaced by "digital natives".
It's not just politicians, either. Some execs at non-tech companies respond to penetration tests in the same way. "How did you do that?" "Why is this possible?" It's just completely outside of their realm of knowledge, and they trust their systems to be as failsafe as most mechanical ones.
No, it's their fault as executives. Secure systems are expensive and they take time to build properly, which is fully at odds with, "I need this done yesterday". Unfortunately (for them), since they cut the checks, they also get what they pay for.
"LOVE and his conspirators unlawfully obtained information the victims identified in this Indictment more than 100,000 employee records, including names, social security numbers, addresses, phone numbers, and salary information, and more than 100,000 financial records, including credit card numbers and names, and caused loss aggregating in excess of $5 million"
"On or about July 4, 2013, LOVE wrote the following in an IRC chatroom using the online nickname "peace": "it worked ... we have... easily 5-10k contractor and gov credit cards"
"That same day, LOVE uploaded to a computer server a spreadsheet containing information obtained from iq.govwin.com, including names, job titles, addresses, phone numbers, and approximately 23,000 credit cards numbers with expiration dates and items purchased. Other members of the conspiracy obtained copies of the spreadsheet from the server on or about January 24, 2014, and on or about March 10, 2014"
In other chats published in the indictment, Love is alleged to have said: "You have no idea how much we can fuck with the US government if we wanted to," and, after describing the data as "really sensitive", adding: "It's basically every piece of information you'd need to do full identity theft on any employee or contractor for the [government agency]."
I assume he's referring to your intentional conflation of two different people's claims (namely, 'zelon88 ("[w]e're going to take a genius away from civilization" [0]) and the writer of the article ("Earlier, his lawyer said his alleged hacking had "embarrassed" US authorities")):
>He's a genius? I thought the US was embarrassed by how dumb the vulnerabilities he exploited were. Which is it? [0]
Probably assumed you were an astroturfer and/or troll, because, hey, that's pretty shitty behaviour.
Do I think he's a genius? Go read my comment again and see if you can understand my very simple position against your conflating different people and their different arguments.
Mods, please read this exchange, including 'tptacek's initial reply to 'zelon88. If this style of trolling is accepted on HN, I'd appreciate knowing about it -- I dearly love it and would like to ply it in these digital halls. Do you have to be as well-known a user as 'tptacek in order to get away with it?
No, I acknowledge that you might not think he's a genius --- in fact, I'd be surprised if you thought he was, hence my request.
What I don't acknowledge is that it's reasonable to comment about the "shitty behavior" of someone who makes a civil statement you happen to disagree with --- or, worse, a civil statement you actually do agree with, but don't want to acknowledge.
If you want to ask the "mods" something, the best way to do that is to mail hn@ycombinator.com. It's unlikely they're going to see your comment (this thread is old, and this part of the thread is buried pretty low in it).
>What I don't acknowledge is that it's reasonable to comment about the "shitty behavior" of someone who makes a civil statement you happen to disagree with --- or, worse, a civil statement you actually do agree with, but don't want to acknowledge.
Whether I disagree with you is immaterial. I merely refuse to stand by while some popular bully puts words in others' mouths. You can go on all day about how very, very civil you are, but it's clear to me that replying with a totally unsubstantive comment like
>He's a genius? I thought the US was embarrassed by how dumb the vulnerabilities he exploited were. Which is it? [0]
when only the first three short words are relevant to the parent's actual statements [1]. The others were from the article, which you demonstratively either a) believe 'zelon88 wrote or b) have chosen to conflate with 'zelon88's statements. "Which is it?"
You're obviously not interested in discussions with people who don't agree with you -- I can tell by the way you choose not to engage with their arguments. You've obviously calmed down now, but hiding behind claims of civility shows a shocking lack of self-awareness, particularly in light of what's actually happened. Hope you're doing OK! Keep trolling!
I don't think name-calling is making you any more persuasive.
You seem upset that I didn't address the entirety of someone else's comment, but instead only part of it. But so long as the part we choose to address isn't taken out of context or inconsistent somehow with the rest of the comment, responding to the entirety of someone else's comment is unnecessary --- in fact, it's unproductive, if you don't have much to say about it.
So, in case this wasn't clear to you:
I object to the notion that the person we're talking to is a "genius", and to the idea that society is losing the potential of a genius because it's punishing him for breaking into government websites.
You are free to disagree with me and to make a case for his genius. You won't, because you don't disagree with me. But you're unhappy that I chose to bring this up; that's clear. I'm not interested. Move on? Or find some way to object to what I said that is actually coherent and productive; that would work too.
>You seem upset that I didn't address the entirety of someone else's comment, but instead only part of it
I seem upset with you responding to an idea that wasn't actually in a comment. Conflating the ideas of the author of a piece you disagree with, and the poster you initially replied to, is wrong, plain and simple. It's intellectually dishonest and doesn't belong on a forum like HN. You should know better -- you're ostensibly a power user around here. That's why I asked about the trolling, because this is pretty obviously that. 'zelon88 claimed the autistic man in question was a 'genius', you then attacked the idea that the US was embarrassed by the hacks, which 'zelon88 didn't claim. It's very simple.
>But so long as the part we choose to address isn't taken out of context or inconsistent somehow with the rest of the comment, responding to the entirety of someone else's comment is unnecessary --- in fact, it's unproductive, if you don't have much to say about it
Are you seriously trying to claim that grabbing a single word out of a comment, fixating on it, and then continuing by attacking an idea not present in the comment is somehow not "out of context or inconsistent somehow with the rest of the comment"?!
So, in case this wasn't clear to you:
I object to the notion that the person who said "he's a genius" and the person who said "these hacks embarrassed the US" are the same person when they're obviously, verifiably not. I've linked both posts ('zelon88's and your initial reply) several times now! Is it that you don't care?
You're not fooling me; yet you are replying. Perhaps you're fooling yourself? If this doesn't clear things up, then it surely must be trolling. Since you opened the comment above this one with an intentional misrepresentation of my argument (and the rest of the comment flowed from there), it's gotta be trolling.
I've read this comment like 3 times now and I can't figure out what it's trying to say. I summarized the point I was trying to make in the comment you just replied to; you know what it is now, so we don't have to dance around it anymore.
I think you and I talking more is unlikely to be productive.
>I think you and I talking more is unlikely to be productive
Eh, my goal has been reached. Your unbelievable perspective has been fully elaborated; several non-me comments clutter our discussion, each confused by your intransigence. For whatever reason (I'm guessing an ignorance defense, so's you can continue to troll in this way elsewhen), you're unable to accept or realize that a comment that puts words in another's mouth is not OK, and that you have done this. I can't put it any more simply than that. I'm sorry. I hope you get it someday.
What's annoying to me is this nonsense while the US employs people to hack into other government systems - including the UK, with impunity. (NSA hacking tools leak).
UK should be giving Lauri Love a new identity and a fat paycheck. Not pandering to the administration of a country soon to be run by either a crazed sickly war hawk or a full retard that gets all his world news from Fox.
How can you compare the crime to the punishment when we don't know his punishment yet? He hasn't been convicted, let alone sentenced, and he won't get anywhere near 99 years.
It's stories like this that make me, as the parent of a high-functioning child with autism spectrum disorder, scared shitless. My son, as he gets older, shows over and over again that he has an amazing aptitude for pretty much anything he decides to learn.
He's not even a teenager, and can:
* Play the trombone better than peers two years older than he is, all because he inherited a trombone from his late grandfather, and wanted to honor his memory
* Compose music in GarageBand on his iPhone or Mac, and arrange covers of songs from memory, as well as play them on the trombone or piano/keyboard
* Write properly-formatted screenplays, direct and produce (with iMovie) and create VFX (with Apple Motion) for his own creations
* Write automation scripts for various Mac tasks with JavaScript
He has an amazing ability to understand advanced math and science concepts, and recently started positing theories about dark matter (!) during our nightly reading and chatting time. And he's proven that he'll effectively learn (and put into practice) anything he wants to, given the resources to do so. He's expressed more and more interest in computer programming, and I've indulged that interest by teaching him JavaScript (his first request) and now Swift.
And one day, he's going to frighten someone with his skills, and he won't understand why; for all his genius and talent, he's still on the autism spectrum, and one common disadvantage for those on the spectrum is an inability to put themselves in someone else's shoes. He cannot understand why others don't think exactly the way he does, or understand the intentions behind his actions. It is completely alien to him that subterfuge is employed by others, that words and deeds should be taken by anything but their literal or face value. He can't begin to comprehend why his stated intentions behind his words or deeds would not be completely and unconditionally believed by everyone else. It simply does not compute.
He gets services in school to help with his pragmatic communication, and I do everything I can to guide him as well. Once he's out of school, I can only hope we've made enough of a difference for him to live productively and happily in a world that vilifies people with above-average intelligence but below-average pragmatic or social communication skills.
My father, brother, both grandfathers, one grandmother and fiance (female) are all adults on the spectrum (Aspergers under DSM-4). Empathy can be systematized like anything else. This works in 99% of situations. Just give him opportunities to be around people at his speed (like 2E gifted magnet programs in a large urban center) and he can learn to mimic their social skills. Career-wise, we seem to keep going to school until we burn out due to boredom (introverts last longer, like masters or PhDs, extroverts seem to drop out of undergrad) and then end up owning small, obscure businesses as a dictator doing economically valuable intellectual things. Primarily the introverts of the family maintain no regular social relationships at all outside of immediate family, extroverts have weird friends of varying IQ levels. The biggest source of meaning seems to be family and intellectually difficult work. YMMV.
Would there be an opportunity to take advantage of his ability to learn anything he puts his mind to in the sense of understanding everyone else's motivations for why they do and say what they do some kind of fascinating project - treat it like a game. Perhaps spinning social function around like this will help him to grasp that empathy and understanding of others' motivations(?)
I ask this rather than put it out there as a solution mostly because my only understanding of autistics that have come and gone in my life have all had this thread of bottomless abilities to absorb information on topics that fascinate them as well as loving things they can game. Would turning understanding emotions into a game assist his learning here?
> understanding everyone else's motivations for why they do and say what they do some kind of fascinating project - treat it like a game
Worked for me, although 'game' is perhaps unduly reductive; for me, it's more in the sense that this is how I can best make myself worthwhile. I don't claim to be on the spectrum, though, so I'm not sure how much 'worked for me' is worth.
My biggest fear as a parent of a child with ASD is the police [1] [2]. My next biggest fear is natural dangers (water, roads, etc). I can train/prevent for the latter danger, but I feel sad that I don't think there's much I can do for the biggest one.
Seems like his mental conditions (psychosis, Asperger syndrome and depression according to a psychologist who testified on his behalf) should have been enough to have the request denied.
Edit: Apparently he's facing 99 years for the charges (yes I know he might get much less). I wonder if he can appeal to the European Court of Human Rights. I know in the past they've said whole-life sentences are ok but I can't see how such a sentence wouldn't be considered inhumane for computer hacking.
No. He will get "much less". If he's given a custodial sentence at all (he could plausibly be given probation, given his cognitive issues and the fact that his crime was non-remunerative), it'll almost certainly be low single-digits.
These "99 year" sentences are conjured by taking every charged count of an offense, assuming the maximum possible sentence for that class of offense, and then adding all the charges together.
But that's not how federal sentencing works. Like: at all. What happens in reality is that "like" charges group, and you're sentenced only according to the most severe count in the group of charges.
The federal sentencing guidelines are freely available. You can read through them to get a ballpark of where this case will land. There's a reason most convicted hackers who aren't running giant credit card rings spend single digit years in prison: the sentencing guidelines won't allow for a different sentence.
Single digits is still excessive, we are talking 5 or 6 years in jail for crimes which were void of any financial gain. I'm thinking of weev and Swartz who are both dealt with in the article.
I agree†. Sentences in general are too long. I don't think there's a corrective goal that a 5 year sentence for a non-financial computer crime that isn't served just as well in 1.
† With the nit that I don't believe a 5 year sentence would be in the cards for this particular offender.
I'm not so certain, his targets meet the "official victim" requirement, they will be free to choose the loss value which is unlikely to be conservative, means of identification is likely met as it is as simple as accessing email addresses and even though the attacks have been called simplistic and the weaknesses well known they will claim that sophisticated means were used by virtue of a computer being involved. This on the face of it seems worse than weev as there were multiple targets involved.
He's not the first person to get caught hacking the USG, and thus far insane sentences haven't been a consequence of that sort of thing. We'll see, I guess.
> Seems like his mental conditions (...) should have been enough to have the request denied.
No, not because of that. There's this thing called “jurisdiction”, and countries have it over their own territory, but not that of others. The US should sue him in the UK, and try to get him sent to prison in the UK.
The U.S. absolutely has jurisdiction over crimes committed against computer systems within its territory. Why would you think U.S. law enforcement does not have jurisdiction over a criminal who committed crimes against U.S. property and persons located in U.S. territory?
I see comments like this one in a lot of threads involving prosecutions - off the cuff statements that "well, it FEELS like things should work this way, rather than the way they actually do." If you're not an expert on the legal issues at hand, perhaps consider refraining from making these types of comments.
Is Asperger's really a valid excuse for this sort of thing? People on the autism spectrum aren't incapable of understanding that actions can lead to consequences and that some things are wrong. Otherwise there would be an epidemic of autistic bank-robbers and murderers.
I will agree that it is bullshit that you can get extradited to a country you've never even been to and tried under their laws for committing a cyber-crime, though. He should remain in Britain for that reason alone. It's also pretty disgusting how if he had committed the exact same crime under the employment of the government they wouldn't have even filed charges.
"But the UK was the head of an empire in long-term decline. In 1956 the political elite in both the UK and France faced a crisis after the Suez crisis effectively slammed on the brakes on British imperial influence east of the Nile; the USA had asserted the primacy of its own interests. What to do? To paint with a very broad brush, the French response was, "we cannot rely on the perfidious Americans to back us up: we need to preserve the capability to act independently at all costs". The British response was, "we can no longer act alone without American support, so we need to preserve a good relationship with the Americans at all costs."
Mind you - we sometimes did refuse requests from the US (e.g. to get involved in Vietnam) but I think overall this goal does apply - in general we will do whatever it takes to keep in with the US, and the lack of what we would regard as fair treatment for one individual "hacker" is probably seen as a cheap price to pay.
This situation shows why, unfortunately, movements like Brexit are inherently legless. Here we have a case of a British citizen breaking a British law on British soil, yet being abducted by a foreign justice system under treaties that have destroyed national sovereignty. Yet because the UK is currently pushing back against one such agglomeration of power, it will actually supplicate harder to a different power rather than simply acting as its own country!
(And I say this as a USian who is actually concerned with the disastrous effects that exercising world jurisdiction is having on our own society. Why bother spending the effort to secure computers when you can just assuredly throw the witches into cages for decades?)
US citizens get extradited to Britain too. It works both ways.
In this instance we have someone who's pretty clearly committed a serious crime (stealing credit card info, for example), being extradited to the country which has jurisdiction with respect to the offense committed. It's a completely normal and proper instance of extradition. I'm surprised to see people here falling for the guy's rather overwrought sob story.
It's only "normal and proper" if one believes such treaties are reasonable. Clearly I do not, and just insisting it is does not form an argument.
I reject the idea that merely communicating with some place creates a legal nexus giving that place jurisdiction over you - it contradicts the general concept of freedom of speech. By such reasoning, holocaust denial is effectively criminalized in the US because such speech will reach Germany and possibly change people's minds there.
The specific crimes you list are generally accomplished completely through communication, and this seems to be true in this case.
(I assume you meant to type 'extradition'). I'm not opposed to all instances of extradition. It seems perfectly reasonable that if someone commits a crime on US soil and flees, that their destination isn't a safe haven and they be brought back to the jurisdiction they were in.
But that's not what happened here - the alleged crime was committed while on British soil, and I don't think he's ever visited the US. So "extraditing" him is actually exporting him to a completely foreign jurisdiction!
You originally said that Love was "merely" communicating. That is not the case. He was also committing a crime. To say that he was merely communicating is like saying that a Nigerian scammer was "merely sending an email", or that a double agent was "merely carrying some documents in a briefcase".
There is no legal precedent for limiting extradition to instances where the person being extradited has been physically present within the jurisdiction in question. If you hack into US government computers, it obviously makes sense for the US government to prosecute you.
By the way, in relation to your Holocaust denial example, you should look into the concept of "dual criminality".
It is "mere communication" in the sense that the whole action is communication, as opposed to eg also physically gaining access. The strict sense you're attempting for "mere" is nonsensical - every communication is for some ultimate purpose, and so can be described as that purpose. By a strict sense, asking Aunt Mildred for her cookie recipe wouldn't be "mere" communication, because you're also "making cookies".
The dual criminality thing isn't surprising because it's the crudest way of resolving the immediate conundrum. But this case precisely highlights its flaw - a person has only violated the law if they are found guilty in a court. Lauri has not been found guilty in a UK court, and therefore his actions have not been found illegal under UK law! Not to mention the vastly different punishments between the places (owing to societal differences that he never opted into). So either the principle needs to be extended to take these things into account, effectively making him stand trial in a UK court but perhaps with a US prosecutor, or another basic principle needs to be found.
Obviously there is no legal precedent, because if there were we wouldn't be having this conversation (it is the tendency for these systems to grow and erode rights). But I'm arguing that there should be - if someone is not physically present in a jurisdiction, how can they be said to have positively assented to that jurisdiction?
In the age of instant global communication, we either have one world jurisdiction (role currently being filled by USG) or we need to adopt logical demarcation points between different ones. I believe freedom of speech scaled up to nation states makes a lot of sense, for the same pragmatic reasons that it makes sense applied to individuals - a receiver of information is able to easily filter much garbage, and so the onus should be on them to prevent being affected by it.
If that's what you mean by 'mere' then it doesn't matter that he was 'merely' communicating. Clearly it's possible to be 'merely' communicating in your sense and yet also committing a crime. The Nigerian scammer is 'merely' sending emails and yet also committing fraud. The idea that freedom of speech somehow makes hacking, fraud, or other such crimes permissible is simply silly.
You're also misunderstanding how dual criminality works. The requirement is that the offence for which the individual is being extradited must be a crime in both countries. That requirement is met in Love's case but not in your hypothetical Holocaust denial case.
I don't see why people should have to assent to being under any given jurisdiction. I didn't assent to being under British jurisdiction, but since I live in Britain, I am. You seem to be suggesting that the physical location of a person should impose hard-and-fast restrictions on which country's laws they may be subject to, but I see no reason why that should be so.
Reread my comment if you think I didn't understand dual criminality. What I'm pointing out is that the concept needs to be extended or augmented for the modern networked world.
Previously it was adequate because one basically had to visit a jurisdiction to commit a crime there. But taking a look at https://en.wikipedia.org/wiki/Pornography_by_region, surely you wouldn't think it just for someone to be extradited from Iceland to Sudan for setting up a pornographic website.
I started off this thread explicitly saying that I reject the idea of communication creating a legal nexus. Borders and physical locations are a strong Schelling point for determining jurisdiction. I'm referencing free speech for its aspect of "what is said cannot hurt me", which is another Schelling point.
The Nigerian scammer is still committing fraud, but in Nigeria.
Your previous comment certainly appeared to misunderstand dual criminality since you thought it was relevant whether or not Lauri had been convicted of a crime in the UK. Clearly, however, that is not relevant to the satisfaction of the dual criminality requirement, which is the requirement that the offence for which the person is being extradited is also an offence in the country they're being extradited from.
With regard to your Iceland example, I doubt that Iceland and Sudan have an extradition treaty. If they do, I don't see in principle why someone who lived in Iceland but was involved in producing pornography in Sudan should not be extradited for it. In practice, however, the probable lack of an extradition treaty, and the probable flaws in the Sudanese justice system, would make it very unlikely that an Icelandic court would approve such a request.
I'm not really sure why you bring the example up. People don't in fact get extradited from Iceland to Sudan, so it's not as if it highlights a problem with the present system.
>The Nigerian scammer is still committing fraud, but in Nigeria.
I don't see how that is necessarily the case, if the victims are in other locations.
> Your previous comment certainly appeared to misunderstand dual criminality since you thought it was relevant whether or not Lauri had been convicted of a crime in the UK
An action can only be an offense if it is illegal. And something can only be illegal if found so in a court of law. So, in abstract, dual criminality would require a proper trial in the extraditing country to determine if an offense was committed. The actual implementation takes shortcuts (because bureaucrats' goal is focused on achieving punishment), but this is an erosion of the legal system as I've been pointing out.
Surely you don't think that someone in a country with due process should be mechanically extradited to a country with no due process, but you're relying on a merciful extradition court to essentially try the case and provide due process before extradition.
> I don't see in principle why someone who lived in Iceland but was involved in producing pornography in Sudan should not be extradited for it
And distribution? eg just setting up a website that isn't not accessible from Sudan? I made this example because it shows how something can be technically "illegal" in two different places, yet have entirely different criminal procedures and punishments.
> I don't see how that is necessarily the case, if the victims are in other locations.
I have repeatedly stated that I'm rejecting the idea that communication can create a legal nexus. In this context since the fraudster has not left Nigeria, all his crimes are happening within Nigeria. This has been my main argument the whole time.
Rather than directly addressing my main point, you've only countered with how things currently are. Obviously if I thought the current state of affairs was worthwhile I would not be making this argument, so it's hardly a refutation.
>So, in abstract, dual criminality would require a proper trial in the extraditing country to determine if an offense was committed.
No, dual criminality requires that the person be extradited for (allegedly) doing something which is a crime in both countries. So for example, you can be extradited from the UK to the US on a murder charge because murder is a crime in both countries. Whether or not you have been found guilty of murder in the UK is irrelevant.
>Surely you don't think that someone in a country with due process should be mechanically extradited to a country with no due process,
That is why extradition treaties are generally only signed with countries which have due process. But all of these extradition requests have to go before a court; they're not "mechanical".
>I have repeatedly stated that I'm rejecting the idea that communication can create a legal nexus. In this context since the fraudster has not left Nigeria, all his crimes are happening within Nigeria.
This is just wrong on the face of it, and you've provided no supporting argument. If the fraudster is defrauding people in another country then he is potentially subject to the jurisdiction of that country.
>> I'm rejecting the idea that communication can create a legal nexus
> This is just wrong on the face of it, and you've provided no supporting argument
All of my comments have contained the supporting arguments, to which you've merely responded with how things currently are. This does not make for much of a refutation.
IMHO this is one of the problems with a common law legal system. It's all too easy to forget that its various principles and precedents are actually man made and not manifest immutable truths.
Your arguments were based on various hypothetical scenarios (extradition to Sudan on pornography charges, etc. etc.), which could not happen in the present system due to some combination of (i) the dual criminality requirement, (ii) the probable non-existence of the relevant extradition treaties, and (iii) the discretion that courts have to refuse extradition requests to countries which are unlikely to give a fair trial, or where disproportionate penalties are applied.
McKinnon's hearing was during the coalition, now the Tories have a straight majority. Wasn't he thought to be a high suicide risk? Not quite the same as this case, but Aspergers - depending on degree - should be reason enough.
I suspect McKinnon would also have been extradited under the current administration.
Isn't Love thought to be a suicide risk too? At least that's what they were arguing. Would the coalition have affected the McKinnon decision? It was May who stopped it after all and introduced the forum bar to make it easier to stop extradition in certain cases.
I believe so, and with his conditions it seems a reasonable suggestion. The judge seems to think he can go on suicide watch. We'll have to wait for appeal.
McKinnon had wide support in parliament and media, and seemed to get a much higher profile than this case has. May's politics are complex - she's a liberal tory, but very right on some issues. The forum bar is probably window dressing - it looks designed to change little, and adds a prosecution certificate that can negate it (not sure how they get that certificate). Love just failed the forum bar. She also removed, in the same act, the ability of the Home Secretary to intervene on human rights grounds - passing that to the High Court. IANAL but that would see McKinnon extradited under current rules.
So, coalition or May? Can never be sure, but I think the coalition will have moderated.
>> "in the same act, the ability of the Home Secretary to intervene on human rights grounds - passing that to the High Court"
It seems like that's how it should be. Having politicians override the law willy nilly could be very dangerous. Worrying to think that preventing McKinnon's extradition required that though.
Oh I agree, though for extradition it's enabled a last minute sanity (popularity?) check - like McKinnon who had failed High Court appeal.
The problem is extradition sets too low a hurdle that the last act significantly lowered (no longer requiring evidence amongst other things), and that's quite unpopular. Has been for ages and no govt or Home Sec has managed to convince the public - yet there continue to be high profile cases - McKinnon, NatWest 3 (which was a farce) etc.
The US seems like it has a very undeveloped policy on digital defense. It seems like with this issue and the large breaches in security in the past, and the FBI pushing for even more weakening of encryption that the US government lacks a strong internal advocate to promote the development and installation of defensive infrastructure for both in gov't and the US tech infrastructure.
Every country in the world has underdeveloped digital defense. There is no secure country anywhere. It has nothing whatsoever to do with encryption policy (one of the rare tech policy issues that I agree wholeheartedly with the HN conventional wisdom on). It's that software security is simply an unsolved problem, but the world is plowing full speed ahead into deploying more and more of it, and will continue to do so.
I guess I'm thinking less about the state of the technology deployment (which will always be in some sort of play), and more about the political/bureaucratic organizations within the government and their focus. It feels, from a very, very outside position, that the gov't (NSA, et al) used to put more resources on systematically figuring out how to move defensive side work forward. Maybe the orgs that used to be tasked with that were reorged or de-emphasized, I don't really know.
I think it is more correct to say that software security is not a priority. Another issue is why the US connects highly sensitive systems into the internet in the first place.
The US had one... even invented INFOSEC developing it... that mandated a combo of features, assurance, and pentesting by NSA hackers. Under Computer Security Initiative, DOD combined clear standards for how to do it with financial incentives for market to produce it. The result was quite a few systems produced that survived 2-5 years of pentesting with none at least admitting a hack in the field around 20 years. Standards evolved into EAL6/7 of Common Criteria but red tape and hand-waving dominates. That's because Congress changed acquisition policy to force them to buy more COTS garbage to benefit campaign contributors plus NSA started competing with market under MISSI. High-assurance mostly collapsed.
So, it can be done but politicians are preventing it. Market is bigger problem, though. Burroughs B5000 was first, high-security system nearly immune to code injection in 1961. They did good in market but IBM had better price/performance. That plus more feature improvements is all market will really buy. Something uglier, slower, a few less features, and cost double for the security? Most won't go for that. They usually don't do it even if the software is free and easy to use like a few in FOSS with strong security. So, suppliers are right to keep giving them the garbage they demand until they'll pay for something better.
Note: Companies and CompSci people continue developing higher, security stuff anyway. Just very few of them with commercial stuff costing big $$$ due to low volume/demand and academic stuff delivered in prototype form since FOSS people don't put time in them. Hard to see how it will get better on a large scale.
For the ones with the best intentions they probably think that, on average if not in every particular case, they're pulling the switch to make the trolley hit one person instead of five (so to speak), and that not doing so would make the world a worse place.
For the ones with the worst intentions, it's likely something to do with chasing material and/or social rewards. (edit) And they don't much care about how much it hurts others.