The development of the Internet has facilitated global communications, new online spaces for the exchange of goods and information, new currencies and online marketplaces, and unprecedented access to information. These new possibilities in ‘cyberspace’ have been exploited for criminal activity and the rising challenge of various forms of ‘cybercrime’ in recent years has been well-documented.
As part of our cyber security and cybercrime seminar series at the Information Law and Policy Centre (ILPC) for 2017, lead speaker Dr Monique Mann explored the new challenges posed for policing and law enforcement by cybercrime and dissected the legal conundrums and human rights considerations raised by criminal activity which crosses international jurisdictions. The panel was also comprised of expert discussant, Professor Ian Walden (Queen Mary University of London), and was chaired by the ILPC’s Director, Dr Nóra Ni Loideain.
Mann’s current research – alongside her colleagues at the Queensland University of Technology and Deakin University – concerns the ‘legal geographies of digital technologies’. Her talk considered three case studies which formed the basis of broader conclusions in relation to the use of extraterritorial legal powers by states (particularly the United States) and the issues raised by extradition processes which have become prominent in several high profile hacking cases.
The Silk Road
Mann’s talk began with an analysis of the FBI’s investigation into the Silk Road – an illicit online marketplace trading drugs and other illegal items operated through the anonymity afforded by the Tor network. Mann stated that the equivalent of $1.2 billion in the cryptocurrency, Bitcoin, was exchanged by Silk Road users during the site’s operation between 2011 and 2013. She highlighted that the FBI’s investigation and attempts to prosecute the leaders of the site were dependent on a range of extraterritorial legal activities.
First, warrants to investigate the online activities of the suspects were issued only after the FBI had already managed to access information from a server in Iceland. It is not clear from public documents how the FBI gained access to this server. Moreover, the warrants – which were also relevant to individual citizens based outside the United States – were granted on the authority of a single US judge.
Secondly, in order to demonstrate conspiracy under the Continuing Criminal Enterprise Act, the FBI sought to access communications between the chief suspect in the case, Ross William Ulbricht, and co-offenders based in Ireland and Australia. This included an attempt by the FBI to access email content from Microsoft servers based in Ireland using a Mutual Legal Assistance Treaty (MLAT) request. Microsoft fought the request and the most recent ruling on this issue has designated the request as an impermissible extraterritorial search.
Finally, the FBI sought to extradite Irish-based suspect, Gary Davis, to the United States in order to face trial for his involvement in the Silk Road site. Taken together, the FBI’s investigative techniques in relation to the Silk Road site raise significant questions around the processes and outcomes of extraterritorial legal activities.
Extradition
Gary Davis’ case was the catalyst for the team to investigate extradition in greater detail as it is has become a central, if exceptional, feature of transnational justice cooperation. Mann and her colleagues have reviewed a number of high profile cases of citizens facing extradition including Davis, Gary McKinnon and Laurie Love. In the past, extradition has primarily been used as a tool to return a suspected criminal to his or her home country after he or she has fled. In the digital age, however, extradition is increasingly being used in cyber crime cases to extradite suspected criminals to a country they may never have even visited as the nature of transnational online offending means their crime effectively takes place in a different location to where they are physically based.
Courts have three options on being presented with an extradition request from another jurisdiction: accept the request and relocate the offender to face trial in the prosecuting country; deny the request altogether; or shift the prosecution to the ‘source of harm’ – i.e. the offender’s location.
Mann pointed out that in the cases of Gary McKinnon and Laurie Love, extradition requests from the United States have triggered protracted legal cases lasting many years as the defendants have (variously) argued that the extradition request infringes their Article 3, 6 and/or 8 rights under the European Convention of Human Rights. The cases have also hinged on the defendants’ physical and mental well-being, particularly in relation to Autistic Spectrum Disorders (emerging research suggests there is a link between online offending and ASDs).
The difficulties and legal complexities of these extradition cases, as well as a concern for the human rights of those involved, led the researchers to question whether it would not be better to shift the legal forum to the source – i.e. to the defendant’s home country.
Attendees at the ILPC seminar, however, highlighted that there are significant obstacles both in terms of cost and willingness to share evidence. It was argued, for example, that the UK was probably not willing to finance McKinnon’s trial here, nor would the US be interested in sharing sensitive information relating to the 73,000 US government computers – including NASA and military facilities – that McKinnon had hacked from his home computer.
Bulk Hacking and Child Exploitation Material
The final feature of extraterritorial law enforcement that Mann highlighted was the use of bulk hacking. These ‘watering hole’ or ‘honeypot’ operations have involved the FBI taking over an illegal website, moving it to a government server, continuing to operate the site, and then using it as a base to hack unsuspecting users.
In the Playpen example which Mann cited, the US government infected more than 8,000 computers in over 120 countries with a single warrant making it the largest known extraterritorial hacking operation. The investigation into Playpen – a site for the exchange of child exploitation material – has sparked 124 cases involving 17 defendants. One of the central legal questions here has been whether such activities constitute a “search” of the site’s users or whether they constitute online tracking.
Defendants have also attempted to argue that the US government has engaged in outrageous conduct in continuing to operate the Playpen website pointing out that during 2 weeks of operation the US government will have distributed 22,000 images of child exploitation material. Although the court in the case argued that the US government did not create the crimes committed, Mann nevertheless raised the question as to whether the ends do justify these means.
Implications and Issues
For Mann, the Silk Road, extradition and bulk hacking case studies focus attention on the role of the United States in the transnational jurisdictional sphere. How far has policing in the context of cybercrime become ‘Americanised’ and at the behest of US agendas (such as the war on drugs)? And what does US law enforcement activity mean for understandings of ‘ownership’ of the internet?
Addressing these points, the panel’s discussant, Professor Ian Walden, a leading expert in information and communications law, stated that the United States’ access to investigative and legal resources will continue to mean it is ‘an important player’ in the prosecution of transnational cybercrime. He also argued that greater efforts at resolving legal conflict and a focus on international cooperation will be required as crime increasingly traverses international boundaries and as jurisdictional claims of countries concurrently expands.
Walden was hopeful that international cooperation could be improved through international aid to raise standards of criminal and procedural law, and he acknowledged that in particularly serious cyber crime offences, such as child exploitation material, there is some harmonisation.
He was not convinced, however, that in the near future there would be any advance in international agreements on cooperation beyond the Council of Europe’s 2001 Convention on Cybercrime. Differing national agendas and legal standards, he said, also create difficulties for international cooperation and legal harmonisation. Walden noted that Kenyan parliamentarians, for example, regard the main ‘cybercrime’ issue as the use of Facebook to accuse them of corruption – an issue which is of little concern in other parts of the world; while in Nigeria, cybercrimes can lead to the death penalty – a sanction that would be unacceptable to many other legal jurisdictions and not a solid foundation for cooperation.
In conclusion, the panel observed that British and European law has also so far held up and blocked the extraditions of Gary McKinnon and Laurie Love to the United States in the ‘interests of justice’. As a consequence of these and similar obstacles to transnational cooperation, it is likely that jurisdictional clashes in these transnational cybercrime cases will become more commonplace – particularly if the scope for cybercrime increases with the ongoing spread of the internet and new communication technologies.
And perhaps, paradoxically, it might be the case that out of these clashes, new methods, techniques and agreements on transnational policing and law enforcement will have to emerge.
Daniel Bennett, Research Assistant, Information Law and Policy Centre