This week we feature two stories that show how IT intersects
with national legal systems to produce novel scenarios of crime and
punishment.
A Dutch judge has given a team of security researchers from
Radboud University the go-ahead to publish information on how to
crack some of the security used on Transport for London's
Oyster card. The card uses the same
MiFare Classic chip as transport systems in
Boston, Hong Kong and the Netherlands, as well as building access
systems throughout Europe and the US.
The Dutch researchers should, some argue, have worked with
MiFare supplier NXP Semiconductors and users to find a solution
before disclosing the vulnerability.
This is the perennial security argument around disclosure. How
much publication of vulnerability and exploit information is for
the common good? Can, indeed, any such disclosure be in the public
interest, since it provides fodder for hackers?
Bart Jacobs, professor of computing security at Radboud
University says the aim of publication is to enable people to make
their own judgement on the seriousness of the vulnerabilities of
the smartcard technology. And the Dutch legal system has backed him
up, with as-yet undetermined consequences beyond the
Netherlands.
Meanwhile, Gary McKinnon continues to find himself enmeshed in a
transnational web of jurisdiction. He has lost his six-year battle
to avoid standing trial in the US for hacking into military
databases. The Law Lords unanimously decided that a plea bargain
offered to McKinnon by US officials was not coercive and an abuse
of the extradition process. McKinnon, an unemployed systems
administrator, now faces extradition to the US and charges that
carry a penalty of up to 60 years. His solicitors have stated that
the UK government has declined to prosecute McKinnon on the
territory from which he hacked to enable the US government to make
an example of him.
The long arm of the law has truly been extended in
cyberspace.