I still have not seen addressed widely is the issue of US enforcing laws on an international level
It's simple: if you do something which causes something illegal-in-the-US to happen on computers-located-in-the-US, you can be prosecuted by the US for it. There is nothing new, radical, revolutionary, terrifying, unprecedented, etc. about this idea. There wasn't anything new about it recently when some bitcoin people were busted because they laundered their proceeds through US institutions. There isn't anything new about it when someone in another country hacks a US company's systems.
"The internet" is not a magical extra-territorial location which wipes away all concept of countries having jurisdiction. As long as a computer in one country can cause things to happen to/on a computer in another country, there's an opportunity for either country, or both, or others in between them on the network, to have jurisdiction over things that go wrong.
And your "only a matter of time" slippery slope has already happened: several EU nations have taken legal action against US-based online retail/auction sites to require compliance with laws against selling Nazi symbols or memorabilia. And I hope you'd understand that no matter how much you might argue "but I wasn't even in Germany", Germany will come after you if you offer to sell and ship items to Germany which are illegal to sell/ship there.
Hypothetical: A Pornhub executive flies from New York to Seoul on Etihad Airways. While transiting in Abu Dhabi airport, they are arrested on charges of obscenity. What would be the reaction in the US?
Factual: In 2006, David Carruthers was arrested while transiting through Dallas-Fort Worth Airport. He was convicted under the RICO act and sentenced to 33 months imprisonment. He was the CEO of the online gambling company BetOnSports, which operated in full compliance with the regulations in the UK and Costa Rica, but accepted bets from American gamblers. Gary Kaplan, another BetOnSports executive, was extradited from the Dominican Republic.
The precedent set in the BetOnSports case is either utterly hypocritical or extraordinarily dangerous. If we give every country the right to impose their laws across the whole internet, we don't have an internet any more. A Facebook user posts a comment critical of the Thai royal family; Zuckerberg is sentenced to life imprisonment for lèse-majesté. A Chinese internet user accesses anti-government material via a VPN hosted on AWS and a Google search; Bezos, Page and Brin are all sentenced to 10 years hard labour for subversion.
If you run a business, and decide to do business with people in another country, it's your responsibility to figure out if the business you're doing is legal for that country. This is only a strange idea to a certain segment of internet commenters. The rest of the world has just treated this as the way things are for a long, long, long time. The new, strange, radical idea out of step with established norms is the notion that "on the internet" is some magical lawless, stateless, jurisdictionless place where anything is fair game since nobody could ever prosecute for something that happened in this magical fairyland.
It really is time to stop being surprised that you can be arrested and prosecuted for your interactions and business relationship with people, property or other entities in a country of which you aren't a citizen.
Also, don't look now, but large tech companies headquartered in the US routinely make changes to their products/services to comply with other countries' laws. If Facebook wants to operate in Thailand, Facebook has to be prepared to comply with Thai law, for example. "We're on the internet" doesn't work as an out.
> If you run a business, and decide to do business with people in another country
I understand this to an extent if specific technical work was done to make a system function in a particular nation (e.g. if the betting site did technical work to accept USD as a payment).
But, it's very possible to build a website and not decide to do business with people in another country. It's possible to be running an online business and not need to know what country a user is from. If I never decided to do business with people from a particular country, am I still subject to its laws?
In the example, what if Facebook didn't specifically want to operate in Thailand? What if Facebook simple hadn't taken specific technical steps to block Thai users?
If Facebook doesn't want to account for a country's laws, Facebook needs to make sure it never hires employees in that country, never has any key personnel visit that country even briefly, etc.
Again: this is not a bizarre new unprecedented never-before-considered hypothetical.
In the gambling case, it's actually even easier, by the way, to create jurisdiction since the gambling site needs a way to actually pay out to its customers, which makes it very hard to avoid certain countries' financial rules. I don't particularly care for the US' stance on online betting (but let's face it, those folks aren't caught up in some kind of "how could I have known" situation -- they're like the people who ran the original p2p file-sharing networks saying they were shocked, shocked! to discover that what must have been a tiny, insignificant, sub-microscopic fraction of their users were openly violating laws), but the legal framework around being able to arrest/extradite people and prosecute for crimes which involve people on multiple sides of a border is pretty well-understood and I know of no way in which this is some sort of unprecedented abuse of it.
Again, look to the auction sites which got notice from Germany to either stop being accessible at all there, or start filtering out the Nazi stuff so Germans couldn't purchase it.
>If Facebook doesn't want to account for a country's laws, Facebook needs to make sure it never hires employees in that country, never has any key personnel visit that country even briefly, etc.
In practice, that means that nobody can ever travel internationally. It's impossible for anyone to know for sure that they've never broken the laws of another country. It's barely possible to know if you're abiding by the laws of your own country[1].
Facebook might filter out lèse–majesté comments to Thai users, but how can they be sure that the filters caught everything? How can they be sure that a user didn't circumvent their filtering? How can they be sure that the Thai judiciary will accept their defence that "we did everything we could to stop it, but something slipped through the net"? Even if Facebook employees never travel to Thailand, how can they be sure that they won't be extradited from a country that's sympathetic to Thailand's lèse–majesté laws?
I don't know what the solution is, but there are clearly immense risks here. America's habitual snatch-and-grab arrests of foreign nationals has legitimised all manner of human rights abuses.
So let's say a country enacts the two hypothetical laws:
- Any operating website which renders services to the greater internet must make its service available to traffic originating from this hypothetical country.
- Pornographic materials fall under obscenity laws
Now any website offering pornographic materials ends up in a catch 22; the only way to avoid violating a law of that country is to comply with the latter law, and not serve pornographic materials (even if one's own country has no laws outlawing it).
You see how this can be problematic given the global nature of the internet, with hundreds of countries each enacting their own laws? You shouldn't need to be able to solve the world's most complex constraint satisfiability problem to operate a website; you should only be required to comply with the laws in your own country, while making no active attempts to violate laws in other countries.
You see how this can be problematic given the global nature of the internet
You seem to be thinking that there's some sort of old sci-fi robot here that if you present it with a logical contradiction it will start yelling DOES NOT COMPUTE and its head will explode.
I suggest you stop thinking in those terms; laws don't work like computer programs, and the sooner you understand that, the better off you'll be. Legal frameworks can deal just fine with contradictions. And, yes, a sufficiently-malicious government could pass combinations of laws designed to force someone to commit a crime.
Yet somehow the world continues to work. And if there's a foreign jurisdiction with laws sufficiently odious to your business, well, you just stay home. Typical extradition treaties require that the alleged act be criminal in both countries in order to extradite for it, so as long as you stay in a country whose laws match what you want to do, or which has no extradition, you're good (this also is why so many criminal hacking cases are dead ends trailing off into countries that won't extradite to wherever the victims were, but this appears to be the outcome you want).
> If you run a business, and decide to do business with people in another country, it's your responsibility to figure out if the business you're doing is legal for that country.
I'd say it's the responsibility of the people in the other country to know their own laws. It's not reasonable for the business to know the laws of every country in the world, which is the only other option.
This is how it has traditionally worked. If it's illegal to possess a particular item in country A but not country B, and someone living in country A places a mail order from country B for one, one would normally expect that person in country to be held culpable under his or her own laws, not the business in country B legitimately selling it.
If there is an item that is illegal to possess, typically both the buyer and seller can be prosecuted. That's nothing new. You're just continuing to push the idea that "it is legal in my country" as a defense that's already been established as not a valid defense. This type of prosecution has been established way before the internet even existed.
Well, the legal system's that state that buying and/or selling a restricted or illegal item is punishable by law. I'm not familiar with the laws of every jurisdiction on the planet in this particular manner.
I'll admit I'm assuming that in cases where it is illegal to possess the item it is also likely illegal to sell said item. But I'm sure there are exceptions to the rule.
The owner is not in the US, has never been to the US the servers are not in the US and what they are doing is not illegal in their home nation but they are being sued in US courts
>>And your "only a matter of time" slippery slope has already happened: several EU nations have taken legal action against US-based online retail/auction sites to require compliance with laws against selling Nazi symbols or memorabilia. And I hope you'd understand that no matter how much you might argue "but I wasn't even in Germany", Germany will come after you if you offer to sell and ship items to Germany which are illegal to sell/ship there.
No that is infact not what my "slippery slope" argument is.. No where even remotely close to it
Shipping an item INTO the nation means clearly you must abide by their laws, what I am talking about would be Germany attempting to take legal action because I operate a website that has nazi symbols on it that a german person happens to visit.
>> There is nothing new, radical, revolutionary, terrifying, unprecedented, etc. about this idea.
Seems to me that there is since the US is not just prosecuting people for their direct actions against US Computers but seem to be going after people many many steps removed from those actions that have the thinnest of connections to US Interests. This seems to be new and radical and terrifying from my point of view
Do you support the US in doing this? You seem to imply you have no problems with the current state of affairs
So, let's just put it clearly: suppose someone who is, at the time, not physically present in the US, breaks into a computer system which is physically present in the US at that time. Which of the following do you think most accurately describes the situation?
1. No crime has been committed, because these actions took place on the internet, where no laws apply and no country has jurisdiction.
2. A crime may have been committed, but only if breaking into computer systems is against the law of the country the person was in at the time, and so only that country could prosecute.
3. A crime was committed in the United States, but the United States cannot prosecute someone for a crime if some element of that crime took place physically outside the borders of the United States.
4. A crime was committed in the United States, and the United States can prosecute the person responsible, and has the power either to arrest that person if they happen to visit the US voluntarily, or to extradite that person from the country they're in if an extradition treaty exists between the United States and that country.
The accepted view, for the record, is (4), and appears to be the basis of this case: the indictment claims computers physically located in the US were affected, which gives the US jurisdiction to arrest and prosecute.
>>So, let's just put it clearly: suppose someone who is, at the time, not physically present in the US, breaks into a computer system which is physically present in the US at that time.
So your strawman has nothing to do with the topic at hand
The US Government in this case is not claiming this person broke into any computer system, they are saying this person developed a tool that was then sold (outside the US) to others that then may have been used by unnamed 3rd parties to break into computers.
So to make up a true hypothetical, if a person A in Russia make a small computer program that cracks passwords. Then sells that computer program to person B in Russia, then person B uses that program to break into a US Computer, did person A break US law, and be charged under US Law?
The indictment seems to think he was a bit more involved than that.
What you seem to want him to be is, to spin out an analogy, an innocent shopkeeper who happens to sell sporting goods, and is now saddened to learn that someone bought a cricket bat from him and used it to beat someone up. The indictment is alleging something more like "Anybody here looking to beat someone up? I've got cricket bats that are great for this, and am happy to provide assistance and pointers and work with you as you choose who to beat up and how!"
Seriously, read the indictment. If they can prove he either was involved in deploying/using/explaining how to use the malware against specific US victims, or that he knew who the intended victims were and provided the malware for use against them with that knowledge, then he's dead to rights on a US charge.
I have, and to the extent a conspiracy occurred that conspiracy was completely in another nation so to apply this to your analogy if this shop selling cricket bats with a owner that provides pointers to beat people up with it is located outside the US, then the person they provided pointers to travels to the US to beat someone up do you still believe the shop keeper has violated US law?
If the conspiracy was to break into or attack US computer systems, it's a crime the US has jurisdiction over.
If it had been a conspiracy to break into or attack French computer systems, France would have jurisdiction over it. If it were a conspiracy to break into or attack Mongolian computer systems, Mongolia would have jurisdiction over it.
The problem with all these approaches is that they sidestep what the internet is and isn't and change the rules as they see fit when they want a certain outcome.
If the internet is a digital territory made up of computer ETS, then we first have do solve the question of how to determine, who'se territory it is.
If it is only a communication tool to reach physical objects on a countries soil, then the usual treaties regulate a very different approach as the one taken.
Going back to the territory problem, a state as a person of international law should possess the following qualifications: (a) a permanent population; (b) a defined territory; (c) government; and (d) capacity to enter into relations with the other states. Good luck trying to use this on the internets.
State agents can't even identify themselves in a secure way so I could also nuke them virtually when they enter my virtual home... all the questions like taxation or citizen rights not even mentioned - you see the problems?!
States use arbitrary interpretations of clauses of often mutually exclusive treaties covering civil and criminal law to basically claim, that each one has dominion over all of the internets.
The real situation is more like international spaces, where states have some control over their systems, just like coastlines and out in the high seas it's everyone on it's own with the states neither willing nor able to enforce the rights of their citizens...
Ah, I see. You're going to derive a system contrary to Westphalian states from first principles in an effort to show why it's unjust that someone who hacks computers in Country A from Country B can be arrested and prosecuted by Country B, since the entire notion of state sovereignty is flawed!
Let me know when your treatise on this is finished.
Don't attack, just verify. The system is in place (hint: high seas), the states, especially those not in a state of denial of the applicability of international law, have to offer definitions for their regulations, especially those in Roman law countries, where the first section is always definitions... not doing so allows them to be challenged by other states.
In other news the kind of system you think is used is exactly why there ARE international treaties... to avoid those situations.
But perhaps you are right and we should have more cases based upon the Pinnochet precedent... e.g. Int. extradition of US border officials looking into protected communication a british lawyer takes to his client in the us - something that is prohibited and punishable both in civil and criminal law in most of the world?!
4. but you need to understand a very significant different: they kept the warrant secret to ensnare him. If they issued a warrant and then he visited the USA and gets arrested -- that's stupid. But he had no idea, worse he couldn't have any idea. Do you get my problem here?
Plenty of people have warrants out against them that they don't know about. Lots of jurisdictions, including developed modern Western nations other than the US, don't send you warning in advance that you're going to be arrested. They just show up with the handcuffs.
On foreign soil? They set a warrant out for you waiting for you to travel there, kept in secret? Not sending it to the home authorities? What's wrong with this picture?
As hard as it may be for you to believe, police in many countries are generally not in the habit of warning people in advance that they're going to be arrested. I know it's rude of them since it may inconvenience someone's travel plans, but that's just kinda how it is.
Going by your logic, US could proactively import a computer that is a victim of a crime from somewhere in the world onto US territory, and arrest the person responsible.
If you read the indictment, the claim alleged is that some of the computers affected were in the US at the time the crime occurred. Which would give the US jurisdiction.
This is not a new, dangerous, slippery, radical, unprecedented idea in law. It doesn't lead to people digging up murder victims' corpses and importing them to other countries to give those countries jurisdiction over the murder, etc., because the law has worked this way for a very long time.
The problem here, as I wrote above, is arresting a UK citizen in the USA. If they would've issued a warrant and the UK police decides to arrest him and then extradite him, that's fine.
But this sort of thing... this could potentially halt international travel. I am not kidding: how do you dare to travel anywhere if you can be arrested for something you did years ago which very well might have been legal in the country you resided in but not in the country you travel to?
What Malwaretech has been charged with here would likely be illegal under UK law as well as US law (section 37 of the Computer Misuse Act [1] appears to be analogous to the charges being brought against him). And regardless, the UK-US extradition treaty is written in such a way that the US charges do not have to be illegal under UK law for an extradition to take place (although the converse is not true).
Now, it may well have been the case that when the inevitable court case to challenge the extradition in the UK took place, it might have gone all Gary McKinnon on them [2], due to public support after WannaCry etc. which I'd suggest is probably why the FBI chose to arrest him in the US rather than put in a formal extradition request or work directly with the UK authorities (AFAIK).
But yes, I do agree that with the advent of a worldwide communications network, travel to countries with oppressive, obscure, or stricter legal regimes has become more dangerous for some. The thing I find curious is that others haven't perceived this change in risk.
I wouldn't necessarily say this is a bad thing either - note there have been a number of (accused) botnet operators/cyber-criminals originating from Russia who were arrested whilst holidaying in the EU, and then extradited to the US. Since Russia has a reputation for being lax about prosecuting such "crimes" (especially if they only target people outside of Russia), and also tends to refuse to extradite Russian nationals, it doesn't seem that there are many other options.
Why is it a problem that if you commit a crime and then visit a geographic location where the local governing entity has jurisdiction, you could get arrested?
If he had robbed a gas station in Las Vegas, would you be upset if Las Vegas police arrested him?
Do you believe that "I am not a citizen of your country" automatically provides exemption from a country's laws even when on their soil?
If I went on travel to a foreign country and committed a crime, I would expect to be arrested there. Where the damage was done is the key, not where I was at the time. If I create some malware that takes out UK servers, I would expect to be arrested for that if I ever set foot on UK soil.
If you ever posted a sickle-and-hammer to the web, visible to the Hungarian public -- distributing it -- then you possibly could be fined for it. If you visit Hungary and you got fined, would you consider it just? Here's the Hungarian Criminal Code article in question:
Article 335(1). Any person who
a) distributes;
b) uses in public;
c) exhibits in public;
a swastika, the SS sign, an arrow-cross, a hammer and sickle, a five-pointed red star or a symbol
depicting the above, – unless a graver crime is realised – commits a misdemeanour, and shall be liable to
punishment with a fine.
(2) The person who uses a symbol of despotism for the purposes of the dissemination of knowledge,
education, science, or art, or with the purpose of information about the events of history or the present
time shall not be punishable.
(3) The provisions of subsections (1) and (2) do not extend to the official symbols of states in force.
As I've already noted, Germany and other countries have enforced their no-Nazi-stuff laws against US-based entities.
If you do a thing that's illegal in Hungary, and then put yourself on Hungarian soil, I'm not going to be surprised when you get arrested. In other words, this is not the knock-down "that'll really show him!" counterexample you're looking for.
This seems untenable. Now, to travel to another country for holiday, I need to look back on everything I've ever done, (even something so minute as distribute an image of a hammer and sickle) and pore over the laws of that country and determine I have not ever been in violation of _any_ of them?
I don't think most people would say that's how it should be, it's just the way it currently is. Law enforcement typically does not care about your convenience.
While I agree that the US should arrest people or entities that tries to harm its citizen; it's important to note that the US doesn't really look for that criteria.
For example, they attacked Syria for crimes committed by Syrian against Syrian. The US wanted to carry the attack, and then found the excuse.
But why would this surprise anyone? Do anyone think that the US is spending billions on military weapons just for the fun of it?
It's simple: if you do something which causes something illegal-in-the-US to happen on computers-located-in-the-US, you can be prosecuted by the US for it. There is nothing new, radical, revolutionary, terrifying, unprecedented, etc. about this idea. There wasn't anything new about it recently when some bitcoin people were busted because they laundered their proceeds through US institutions. There isn't anything new about it when someone in another country hacks a US company's systems.
"The internet" is not a magical extra-territorial location which wipes away all concept of countries having jurisdiction. As long as a computer in one country can cause things to happen to/on a computer in another country, there's an opportunity for either country, or both, or others in between them on the network, to have jurisdiction over things that go wrong.
And your "only a matter of time" slippery slope has already happened: several EU nations have taken legal action against US-based online retail/auction sites to require compliance with laws against selling Nazi symbols or memorabilia. And I hope you'd understand that no matter how much you might argue "but I wasn't even in Germany", Germany will come after you if you offer to sell and ship items to Germany which are illegal to sell/ship there.