News Analysis

McKinnon charges exaggerated by government

The British government may have exaggerated the charges against Gary McKinnon and distorted a High Court judgment, making it appear the hacker's extradition was irrefutable when it was not, according to evidence presented to courts as part of his extradition process.

 

Alan Johnson, the former home secretary, made the accusations against Gary McKinnon, a British citizen, on 1 December. Alan Johnson told Parliament he would not stop McKinnon being extradited to appear before a US court.

The home secretary said he could not interfere with the judicial process. The Extradition Act required him to represent in Parliament the interests of US prosecutors over those of a British citizen, before the case had even been brought to trial and where the prosecution evidence was in doubt.

"Gary McKinnon is accused of serious criminal offences," Johnson told Parliament on 1 December.

"He is alleged to have repeatedly hacked into US government computer networks over a period of 13 months, including 97 US military computers from which he deleted vital operating systems and then copied encrypted information on to his own computer, shutting down the entire US Army's Military District of Washington's computer network for 24 hours."

The accusation made McKinnon's hacking sound like a frontal attack on the heart of the US military. But these were not the allegations the US made against McKinnon. Nor were the actual allegations as serious as had been portrayed in the extradition case against the hacker.

The crucial allegation over which McKinnon is being extradited, and which rests on unsubstantiated US evidence, was that he brought down the Washington military computer network. But the "entire" Military District of Washington (MDWA) conducts little more than ceremonial, administrative and transport duties.

MDWA is responsible for conducting military parade ceremonies. It is home to The Old Guard, the US Army's ceremonial parade troop. It houses Pershing's Own, the US Army brass band. It is caretaker to the Arlington Military Cemetery. It provides a helicopter chauffeur service for army bigwigs and visiting dignitaries.

It does have the operational duty to provide emergency services to Washington should there be a disaster, and hosts the White House Transportation Agency, which runs the presidential motorcade. It also operates an HQ for the eight bases under the MDWA umbrella, spread as far away as New York, to which it provides administrative and janitorial services.

It is home to the National Defense University, operates a home removal service for army personnel, runs a bus service, operates a museum, keeps some fixed-wing aircraft and provides riverside housing for Army brass.

McKinnon was accused of knocking out an internet server, a computer that provided internet access to people at the MDWA HQ, Fort Leslie J McNair.

"Testimony of the system administrator will prove that the compromised computer was a network or domain controller (authenticates that users are permitted to access the network) for the MDWA network, which network provides email and internet services for military personnel at two US Army bases," said the affidavit accompanying the US extradition request, signed by Scott Stein, assistant US attorney.

The other base was Fort Myer, where the server was hosted, and where many of the ceremonial functions attributed to MDWA are located.

Myer also hosts a CID unit of the military police, the 1101st Signals, a secretive unit of cyber warriors, and the Directorate of Information - the IT department. Had McKinnon been able to outwit these units, his crimes may have been very serious indeed.

But McKinnon's hacking skills were not good enough to break into anything but unprotected computer systems. All 97 of the PCs hacked by McKinnon contained unclassified data - that is, none of them contained information that might damage US national security, were it exposed to hackers. They were so poorly secured their administrators used blank passwords.

McKinnon did try to get access to the US military's classified computer networks. He said he was looking for secrets about UFOs. But he was unable to break the security on the classified computers, as was revealed by US testimony to London's Bow Street Magistrates' Court on 27 July 2005.

Evidential doubts

This raised the question about just how vital these PCs were to national defence and how proportionate was the US prosecution over McKinnon's intrusions. This question was raised by the Crown Prosecution Service (CPS), the UK's public prosecutor, after it assessed the US evidence.

"How apparent would it have been that they were secure military sites?" asked Russell Tyner, a prosecutor in the CPS Organised Crime Division, in his review of US evidence, Review Note 3, on 26 February 2009.

Noting US evidence lacked "information as to the sensitivity of data held on these computers", Tyner said the US evidence also lacked "details of the nature of the systems to which access has been gained and the use to which those computers are put".

There were other reasons to doubt the seriousness of the charges against McKinnon. The systems he was accused of disrupting were feeble. The US said the alleged file deletions knocked out the Fort Myer internet server for 24 hours.

Yet it is common for servers delivering sensitive or critical services to operate with a fail-over. If the server fails, as computers often do, the fail-over takes over, data is protected, service is maintained.

The CPS found more reasons to question the veracity of the US evidence. Yet the home secretary went further in exaggerating it. He told Parliament that the US accused McKinnon of "deleting vital operating systems". The US had made no such charge.

Neither did it allege, as Johnson told Parliament, that McKinnon had deleted vital operating systems from 97 computers, an act that would have involved the systematic and wanton destruction of data across incredible swathes of US computers.

Ambiguous charges

The US had not even alleged that McKinnon had deleted individual files from 97 computers. It had accused him of illegally accessing 97 insecure, unclassified PCs. These were most likely used by administrators on the edges of the US Army's computer networks, where the military typically keeps open lines to the internet so it can talk to the outside world. The US indictments against McKinnon described them as computers "used in interstate and foreign commerce and communication".

McKinnon has admitted hacking these machines. The more serious charge was that he had deleted unspecified "critical operating system files" from nine computers, including the one that stopped the MDWA internet server rebooting. McKinnon denied this. In any case, it was a far less serious charge than the home secretary had led Parliament to believe. It was further compromised by being an ambiguous and unlikely event.

The US had variously described the few files McKinnon was supposed to have deleted as "critical operating system files" and "log files". McKinnon had admitted deleting log files, which are operating system files that record a log of activities on a computer, in order to cover his tracks.

But the deletion of log files does not normally cause the problems described by US prosecutors, Professor Peter Sommer of the London School of Economics said in an expert witness statement to the High Court, at the request of McKinnon's solicitor on 14 July 2009.

This ambiguous aspect of the US's key charge against McKinnon was also treated sceptically by the UK's CPS. "There is no evidence to explain why the deletion of the log files prevented these systems from re-booting, or what in fact re-booting means. Further explanation is required as to why it is that on some occasions the deletion of the log files prevented the systems rebooting where in other cases it did not," said Tyner in Review Note 3.

The allegations were simply "over-baked", Edward Fitzgerald QC, the human rights lawyer fighting McKinnon's extradition, told the High Court on 14 July 2009.

Dubious damages

This was also said of the financial damages the US claimed against McKinnon. They were only indirectly attributable to McKinnon's hacking - not a result of actual vandalism. The Virginia indictment claimed total damages of $700,000. It was the amount the US spent fumigating its computers and patching up their security after McKinnon's intrusions exposed their weakness.

"The amount of loss includes the costs of having qualified personnel respond to the locations of the compromised computers, review the computers to ascertain whether they were compromised, determine how the computers were compromised, examine other computers on the network for the same compromise and password vulnerability, review firewall and intrusion detection system logs for data showing connections to or from compromised computers, cleaning hard drives of compromised computers, re-installing operating systems and application software, and restoring or rebuilding user data on the compromised computers," said the indictment.

Professor Sommer told the High Court that insurers usually calculate a loss in relation to the amount of security with which a computer was protected. Valuable systems tend to be well secured.

"The stand-by machine which orders breakfast cereal for a military camp cannot be involved in the same level of loss as a computer controlling a robot assembly line," he stated. It is not clear why the US had charged to McKinnon the cost of securing unclassified PCs it had not deemed fit to secure in the first place.

Furthermore, Sommer told the High Court, every intrusion detection system he knew would have caught McKinnon's hacking. And "any firewall" should have blocked McKinnon's amateur intrusions.

The PCs McKinnon hacked were wide open. They contained no classified information. And McKinnon was caught straight away. US intelligence had been aware of his progress through its unsecured PCs ever since he first tried looking to the US military for UFO secrets on 1 February 2001.

"This indictment is the result of a 17-month co-operative investigation between British authorities, the NASA Office of Inspector General, the US Army Criminal Investigation Command's Computer Crime Investigative Unit, the Naval Criminal Investigative Service, the 902nd Military Intelligence Group-Information Warfare Branch, the Defense Criminal Investigative Service, and the Air Force Office of Special Investigations," said the NASA press release about McKinnon's indictment on 15 November 2002.

That 17-month investigation by the US military's A-grade computer experts continued for the 13 months in which McKinnon performed his hacks, and lasted until the US served his indictment in November 2002. PCs belonging to the US Army CID, 311th Theatre Signal Command and 902nd Military Intelligence are among those McKinnon is accused of hacking.

The most significant of the unsubstantiated evidence against McKinnon is stacked up in the last three of the 13 months in which he was trying to hack US military computers. It is a period when he seems to have had a breakthrough in access to PCs located at MDWA and the various military computer agencies that were investigating him. Then he was arrested.

Insufficient evidence

The CPS examined this evidence to see whether it could prosecute McKinnon in a British court. Doctors had advised a UK trial since he had been diagnosed with Asperger's Syndrome, a form of autism that made him socially vulnerable. So the CPS reviewed his case.

The CPS is only allowed to prosecute people before a British court when the evidence against them meets a standard of proof. This helps weed out cases too weak to stand up in court, and which might waste court time, taxpayers' money and defendants' liberty.

McKinnon could have been prosecuted in a British court if he had admitted to the most serious allegation of malicious damage on the MDWA internet server. Since he had not, the CPS could only prosecute McKinnon if the US evidence met its standard of proof. But the US had not supplied enough evidence and what it did supply did not stand up to scrutiny.

"Mr McKinnon denies having any malicious intent and, in the absence of further evidence, there is insufficient evidence to prosecute him," said the CPS in January 2009.

CPS prosecutor Russell Tyner elaborated on the insufficiency of the US evidence, which was supplied in the form of witness statements from US investigators, in Review Note 3: "Their statements contain a lot of hearsay...it is not necessarily possible to ascertain how much of this material may be admissible."

"There is no evidence that ACPO guidance concerning the examination of digital material has been followed nor is there evidence of continuity," he wrote, comparing the US statements to the standards of electronic evidence collection demanded of UK prosecutions by the Association of Chief Police Officers (ACPO).

The US had not even supplied as much evidence as would be required to order someone before a British court. It did not have to supply any more evidence because the 2003 Extradition Act allowed it to order McKinnon's extradition without it.

McKinnon was thus caught in a Catch-22: he could only avoid extradition if he was prosecuted in the UK; but a UK prosecution was only possible if the evidence met the CPS standard of proof; but the US hadn't supplied enough evidence because it could order McKinnon's extradition without it.

The 2003 Extradition Act allows the US to order British citizens to appear before its courts, thousands of miles from their homes, on the basis of only as much evidence as would be required for a British court to issue an arrest warrant. This amounts to "far less evidence", according to the Ministry of Justice, than would be required to actually take someone who is arrested and put them before a British court.

The Magistrates, Lords and High Courts were all required by the 2003 Extradition Treaty to consider McKinnon's appeals on the basis of this minimal US evidence. It was not their place to consider whether the evidence was good enough for the British courts. They all rather prosaically ruled that the extradition should proceed under the narrow remit of the 2003 Act.

But the home secretary, under pressure to justify his decision to a disapproving press, public and Parliament, repeatedly distorted the last and arguably key judgment in McKinnon's extradition hearings, making it appear that the judiciary was more passionately behind him than it was.

Distorted judgment

When on 1 December he told Parliament that he would not intervene in McKinnon's extradition, Johnson said Lord Justice Stanley Burnton had ruled it would be "manifestly unsatisfactory in the extreme for Mr. McKinnon to be tried in the UK".

Pressed by David Burrowes, McKinnon's MP, to explain why the hacker was being extradited against doctors' warnings, the home secretary said again: "Lord Justice Burnton...said that it would be 'manifestly unsatisfactory in the extreme' were Mr. McKinnon to be tried anywhere other than in the US."

Johnson relied on the same quote when the Home Affairs Select Committee challenged him over McKinnon on 10 November 2009. He repeated it twice, emphasising, "manifestly unsatisfactory in the extreme". And he repeated it before Parliament on 26 October, when challenged over McKinnon's medical reports.

But Lord Justice Burnton had not passionately insisted that McKinnon should be extradited. What would be "manifestly unsatisfactory", said Lord Justice Burnton in his judgment on 31 July 2009, was the unlikely possibility that McKinnon were prosecuted in the UK for lesser crimes than those for which he was accused by the US.

"It would be manifestly unsatisfactory in the extreme for the Claimant to be prosecuted and sentenced on the basis of what he is prepared to admit in this country rather than on the basis of what could be proved in the USA," said the Lord Justice.

This unsatisfactory possibility had been raised only because the Extradition Act allowed the US to make allegations against McKinnon without substantiating its claims with evidence. Had the US been required to supply evidence enough to meet the British standard of proof, McKinnon could have been prosecuted in the UK "on the basis of what could be proved in the USA".

On the matter of whether or not McKinnon should be charged in the UK, the High Court did not have jurisdiction. Lord Justice Burnton did nevertheless concur with the CPS decision that, all things considered, McKinnon ought to be prosecuted in a US court. All things, however, were not considered, either by the CPS or by the court.

Catch 22

The High Court considered only the narrow question of whether the Human Rights Act (HRA) should force either the home secretary or the CPS to stop the extradition.

Doctors had warned extraditing someone with Asperger's to face prosecutors nearly 4,000 miles from home would put them under extraordinary psychological strain. Fitzgerald argued that such an ordeal was unnecessary when the charges were not so serious and McKinnon might just as well be tried in the UK.

The Extradition Act gave the home secretary the means to stop the US order on this basis only if it could be proven to breach the HRA. But British human rights law was too weak. It could not stop an extradition even if it would kill someone, as long as their death were not at the hands of an executioner.

McKinnon hoped instead that the CPS might have a humane duty to prosecute him in the UK, nullifying the extradition order and making the home secretary's intervention unnecessary. But that route led to another Catch-22.

The Code of Crown Prosecutors requires the CPS to determine which cases are strong enough to be brought before a British court. That includes whether the evidence stands up. It also considers the public interest in prosecuting someone, such as when the high costs of bringing a case, or the mental health of the defendant, render the prosecution of minor charges futile.

The CPS is not charged with applying the public interest test to extradition cases. Nobody is. The District Courts test extradition orders on narrower terms defined by the Extradition Act, on the basis of minimal evidence.

Since McKinnon had hacked US computers from the UK, courts in both countries had jurisdiction over his actions. The CPS had considered prosecuting McKinnon in the UK. But lacking evidence and unable to assess McKinnon's medical reports in the public interest it could only decide which was the more practical place to launch the extradition.

The decision came down to cost. Computer cases are expensive because lawyers have to sift through the thousands of documents stored on suspects' hard disks. Professor Sommer says this became apparent in the prosecution of the Drink or Die software pirates in 2004, which as one of the most expensive cases in British legal history resulted in the first public defender to earn more than a million pounds in a single year.

James Sturman QC, the lawyer in question, said in 2005 that the prosecutors in the case had wasted taxpayers' money prosecuting a case that should have been put before the civil courts.

Thus the CPS decided McKinnon's case was better prosecuted in the US, which had the evidence and the witnesses. It also had a public interest in prosecuting the case regardless of how much it cost.

That did not prevent the US providing enough evidence for the UK to assess whether it overawed the public interest in preventing a British citizen's extradition.

From McKinnon's point of view, in the trade-off between efficiency and justice, efficiency won. But in the trade-off between the US and UK public interest, there was never any competition. The US interest was established as a principle of the Extradition Act and was defended in Parliament by the home secretary.

The UK's public interest has never been asserted over the US prosecution in McKinnon's extradition, while the British courts, for all the hearings over McKinnon's extradition, have never assessed the evidence against him.

 
