The shock judgement, delivered at Westminster Magistrates' Court on Friday, that computer activist Lauri Love can be extradited to the US has drawn a mixed reaction from the media and from the cyber-security industry.
Love, age 31, is charged in the USA with multiple counts of computer misuse and conspiracy, with charges emanating from three different district courts: the Southern District of New York, the District of New Jersey and the Eastern District of Virginia. Warrants for his arrest were issued by each court between February and May 2015.
The three indictments accuse him of working with others to conduct a series of cyber-attacks on government and corporate networks between October 2012 and October 2013. It is alleged that he stole and disseminated personally identifiable information including credit card details.
According to the judgement by Judge Tempia, Love exploited known vulnerabilities in Adobe ColdFusion and used SQL injection to attack the systems.
The FBI were led to Love after an anonymous source, employed by the FBI, was able to gather details about Love from a restricted chat room where he and others allegedly shared information about hacking. According to the informant, Love discussed how to exfiltrate the data and how it could be used.
On 25 October 2013, the National Crime Agency (NCA) raided Love's parents' house near Newmarket where he was living. It is reported that one of his computers was logged into the chat room.
The judge said that under UK law, Love could be sentenced to 14 years or more. She was satisfied that the offences with which he had been charged in the US would be considered crimes in the UK, namely under sections 1 and 2 of the Computer Misuse Act 1990 (carrying maximum sentences of two and five years respectively) and sections 327, 328 and 329 of the Proceeds of Crime Act 2002 (carrying maximum sentences of 14 years), as well as the common law offence of conspiracy.
A great deal of evidence was presented to the court about Love's physical and mental health, including expert testimony that he suffers from Asperger's Syndrome and depression. In addition, he has suffered from severe eczema most of his life which must be managed with a rigorous regime and flares up when Love is under stress. The judge accepted all of this as fact but said that the US prison system was capable of managing Love's mental and physical health.
Judge Tempia rejected the forum bar as a reason not to grant the extradition request. (The forum bar was introduced as a grounds for refusing extradition following the case of Gary McKinnon who was accused in 2002 of hacking into US government computers. After ten years of legal proceedings, the extradition request was denied by home secretary Theresa May.)
Judge Tempia rejected the argument that it would be in the interests of justice to try Love in the UK because:
The place where most of the harm occurred was in the US.
The interests of the victims, namely the companies and government departments who suffered millions of dollars in damage as well as individuals who lost personal data.
The Crown Prosecution Service has not indicated that it would be better to try Love in the UK – its silence on the issue was taken to mean it had no objection to extradition.
It was not clear that the anonymous informant would agree to testify in the UK and UK authorities would have no power to compel him.
It would be more difficult to provide all the evidence of the crime from the US to the UK than it would be to bring the information gathered in the UK to the US.
There are more than 20 witnesses in the US and it is easier and more desirable to allow them to give evidence in the US.
Love's connections in the UK – given that he is a single man living with his parents – were not sufficient reason to bar his extradition.
She also rejected Love's case that his Article 3 Human Rights would be violated if he were extradited. Article 3 of the HRA prohibit torture and inhuman and degrading treatment. While there was a risk that Love might commit suicide, the judge was satisfied that US authorities would be able to prevent it.
She also rejected his argument that his Article 6 right to a fair trial would be jeopardised in the US, saying that there was no evidence that the judicial system in the US was unfair.
In the final analysis, the factors in favour of extradition were:
A strong interest that the UK should honour its extradition treaty obligations.
The charges against Love are serious and were committed over a period of a year in three different districts.
Millions of dollars worth of damage were caused.
She acknowledged the defence case against extradition:
Love is a UK national and suffers from mental and physical ailments.
He is at high risk of committing suicide if extradited and his eczema must be managed by a strict daily regime.
Because he is a suicide risk, Love is likely to face a significant amount of time in solitary confinement.
The length of sentence he is likely to face.
Love is “of good character and is working and studying”.
However, the balance of these factors means that extradition “would be compatible with his Convention rights”.
The judge referred the case to the Secretary of State for the Home Office who will have the final say in whether to grant the extradition request.
Gary McKinnon's mother Janis Sharp wrote in the Guardian: “Lauri has not been convicted of any crime and extradition is a cruel punishment of a man with Asperger's who is after all, innocent until proven guilty, hopefully by a jury of his peers.”
The Daily Mail, in its coverage, recalled its campaign to prevent the extradition of Gary McKinnon.
Commentators from the cyber-security industry had a mixed view on the outcome of the hearing.
Ilia Kolochenko, CEO of web security firm High-Tech Bridge believes that hackers should be rehabilitated, not always punished, especially in light of the shortage of cyber-security experts. "Today many Black Hats are doomed to stay cyber-criminals as there is no painless 'way back' for them. Many young talents commit mistakes at the beginning of their careers without realising that they are doing something wrong or harmful. However, afterwards they continue following the wrong path as they cannot find a job appropriate for their skills and past technical experience.”
However, Chris Hodson, CISO EMEA at Zscaler, said that extradition would send a message to hackers.
“This extradition ruling could well be setting a new precedent for cyber-crime convictions. The penalties for cyber-crime have historically been disproportionate to in-person crime. However, this verdict could see that change, as cyber-crime is now more frequent and more damaging to nation states and businesses than ever before.
“By its very nature, hacking and online crime is complex and difficult to track, making attribution a tricky area for authorities. Even more so, when it comes to organised, financially-motivated criminal syndicates. The real challenge for courts and nation states is how they catch and prosecute the organised criminal syndicates that consistently cause economic loss and political havoc.
“This ruling should send a clear message to those who break the Computer Misuse Act and other international laws, thinking that extradition is unlikely.”And Stephen Gates, chief research intelligence analyst at NSFOCUS, said there was a clear take-away for hackers. “Apparently, the lesson here is that everyone has to ‘pay to play'. If you break the law, expect the consequences. Breaking into a network and stealing data is no different than physically breaking into someone's safe and stealing what's in it. Cyber-crimes need to be punished just like physical crimes. Just because you're not physically present, doesn't mean a crime wasn't committed. The alleged hacker's mental condition and motivations may draw some leniency in sentencing if found guilty; however, it's not a ‘get out of jail free' card. No one is above the law.”