Ireland cannot extradite Darren Martyn and Donncha Ó Cearrbhail

dlofnep

I know we have an ongoing discussion about the Lulzsec arrests, but I'd like to discuss the legal basis for extradition, and why the United States have no grounds to extradite Darren Martyn and Donncha Ó Cearrbhail.

Firstly - the alleged crimes would have had to be committed in Ireland. If I hack a US server tomorrow from my bedroom, the crime is committed in Ireland as that is where I would have been physically situated at the time of the hypothetical crime.

I refer you to the case of Seán Garland who was on an extradition request to the United States for his alleged involvement in counterfeit money. The request was rejected by the court on the basis of Section 15 of the Extradition Act of 1965 – which says extradition cannot be granted when the alleged offence had taken place in this State.

Therefore, I submit that Darren Martyn and Donncha Ó Cearrbhail cannot be extradited to the US, because the alleged crimes would have been committed in Ireland.

http://www.irishstatutebook.ie/1965/en/act/pub/0017/print.html#sec15

15.—Extradition shall not be granted where the offence for which it is requested is regarded under the law of the State as having been committed in the State.

schrodinger

Sounds plausible that they aren't likely to be extradited but the U.S. will push for this. I don't know what the grounds are, I know SFA about the legal ins and outs. I'm sure the S. will argue that the the FG site was hosted from Arizona, iirc.

dlofnep

Yes - but if the crime is physically committed in Ireland, then the location of the server is irrelevant.

schrodinger

Let's hope that really is the case and that the legal system remembers that.

900913

http://www.telegraph.co.uk/news/uknews/law-and-order/9043736/Judges-try-to-speed-up-Gary-McKinnon-extradition-case.html

dlofnep

Ireland is not in the UK, so it's not pertinent to this case I don't think.

900913

The feds will probably try to use similar grounds for extradition.

dlofnep

The feds have no say in Irish law. It will be a matter for an Irish court to decide. They can plead their case, but that doesn't mean that they will be successful. See the extradition case of Seán Garland for more info.

knuth

Is the uk law different to the Irish one for extradition?

MadYaker

Should this not be in the legal discussions forum?

h57xiucj2z946q

MadYaker wrote: »

Should this not be in the legal discussions forum?

its related to some lad that posted in the Security forum before. If it was in Legal forum, I would not have looked for the thread int he first place there. I think here is probably a better targeted audience.

Besides you could use this thread in the Legal forum: http://www.boards.ie/vbulletin/showthread.php?t=2056572220

dlofnep

MadYaker wrote: »

Should this not be in the legal discussions forum?

There is another discussion in the legal forum, but one of the lads in question is a part of this forum's community - so we are discussing it between ourselves here also.

LoLth

I get where you're coming from on this but in all honesty,

The servers were on US soil

The companies hosting the servers are American

The businesses affected by the actions were American

The very nature of the internet brings the whole question of physical presence into question and a better metric would be to ask "where was the damage done, where exactly was the act of trespassing?"

From that standpoint then yes, hacking a server on american soil means a crime was committed on american soil against american citizens (businesses).

My personal point of view is that, the FBI will request extradition and it is quite likely that it will be granted.

why?

Ireland is trying to present itself to the world as a hi-tech market, we dont want the reputation of allowing/harbouring high profile hackers and lulzsec made themselves high profile through their own actions and their posts/tweets/statements.

Given the current economic climate we *want* US hi-tech companies to set up over here and expand. Politically it might not look the best if we, at the same time, refuse to hand over members of an organised group that took illegal action against a US organisation. The FBI recently briefed the senate on the very real threat (when, not if) of cyber terrorism and made reference to anonymous. I honestly hope lulzsec are not viewed as terrorists but thats the mentality over there at the minute.

What message would it send if they werent handed over? if someone as high-profile as lulzsec can get away with it then whats the harm in a few low profile hacks here and there. its not like the gardai can do much, if anyhting to investigate.

I think a fair outcome would be if, upon conviction, any found guilty were returned to their home country to serve their sentence. To have to serve your time in a foreign land removed from the possibility of visits by family and friends would be a punishment beyond incarceration.

benefits of this:
home country foots the bill for the prison sentence which will encourage countries to police hacking activities and not just go "not our problem".

Non-US citizens do not have to suffer the US prison system.

I also think the length of sentences for hacking crimes are way out of proportion but thats another argument.

Seachmall

Garland ruling may make extradition more difficult.

Taken from AH discussion, figured it's relevant here.

dlofnep

LoLth wrote: »

I get where you're coming from on this but in all honesty,

The servers were on US soil

The companies hosting the servers are American

The businesses affected by the actions were American

The very nature of the internet brings the whole question of physical presence into question and a better metric would be to ask "where was the damage done, where exactly was the act of trespassing?"

But that is not what it states in the extradition act.

15.—Extradition shall not be granted where the offence for which it is requested is regarded under the law of the State as having been committed in the State.

The key point is highlighted - it doesn't state what it was committed on, but rather if it was committed in the state. Now the alleged attacks may have been committed on an American server, but they were not committed in America. I think that is key.

LoLth

dlofnep wrote: »

But that is not what it states in the extradition act.



The key point is highlighted - it doesn't state what it was committed on, but rather if it was committed in the state. Now the alleged attacks may have been committed on an American server, but they were not committed in America. I think that is key.

y'see that quoted law is more suited to burglary than it is to modern technology.

you break into a house in ireland, then the act is committed in ireland.

you break into the American embassy, then the act is committed on american soil.

in both those cases the perpetrator and the action are in the same place.

now, is the ACT of hacking at the keyboard or at the server? Where does the data actually get accessed? on the hackers PC or on the server the data is stored on?

the hacker may be in ireland but the hack itself occured in the States.

antoher way to think of it that might be more in line with that law:

If you throw a rock through an embassy windows from outside the embassy grounds, which jurisdiction does the crime fall under? no criminal damage was done on home soil but no rock was thrown on embassy soil.

dlofnep

I disagree. Seán Garland was requested for extradition because the alleged crime (counterfeit American bank-notes) affected the US. But because it was not committed in the US, then they rejected it.

If someone hacks a system, I am of the view that the crime is committed at the keyboard. They may be accessing virtual data in the US, but they are not situated in the US.

LoLth

both ireland and the US have signed up to the International Cybercrime Convention (the Budapest convention 2001)

list of countries signed:
http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=28/10/2010&CL=ENG

And the convention does provide allowances for extradition. So the question is not *can* they be extradicted, yes htey can, but *should* they be and also *will* they be extradicted.

I'm reading through the convention now (and an explanatory essay on it - which is almost as confusing as the convention) and there seems to be some contradictory points.

historically, in Rome labs, a data sniffer was found on a system in an American laboratory. the two hackers were identified and tried in the UK.

however, Tore Tvedt was tried under US law for left wing propaganda stored on a US server even though its not illegal in his home country.

For hacking (as opposed to content) it seems that urisdiction and extradition are very much down to both nations agreeing on what to do. So, yes, they could be tried in Ireland seeign as we have laws here to cover their crime but Ireland could agree to have them subject to US minimum sentences or just hand them over.

Still reading so I could be wrong.

relevant links for anyone else that wants to have a go at it

Convention document: http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
extremely hard to read essay on jurisdiction wrt the convention: http://www.ejls.eu/6/78UK.htm

(copy and paste to a word document to make it easier to read).

Most importantly though, the general view seems to be that normal law cannot be applied to technological situations (look at the best evidence rules for example) so references to cases involving murder, breaking and entering etc are irelevant.

also a factor is that these arent just two kids hacking a server in the states for a laugh. these are two members of a hacking organisation and as such, the organisation as a whole would most likely be on trial and the fairest way to achieve that is to have them all in the one place. most likely the States.

Gavin

dlofnep wrote: »

I disagree. Seán Garland was requested for extradition because the alleged crime (counterfeit American bank-notes) affected the US. But because it was not committed in the US, then they rejected it.

If someone hacks a system, I am of the view that the crime is committed at the keyboard. They may be accessing virtual data in the US, but they are not situated in the US.

Well that's not the way Irish law views it

http://www.irishstatutebook.ie/1991/en/act/pub/0031/sec0005.html#sec5

A person who without lawful excuse operates a computer—
(a) within the State with intent to access any data kept either within or outside the State, or
(b) outside the State with intent to access any data kept within the State

dlofnep

Gavin wrote: »

Well that's not the way Irish law views it

http://www.irishstatutebook.ie/1991/en/act/pub/0031/sec0005.html#sec5

I never stated that it wasn't a crime, my argument was that there was no basis for extradition because the act was committed in the state.

gerryk

dlofnep wrote: »

I never stated that it wasn't a crime, my argument was that there was no basis for extradition because the act was committed in the state.

True, however section (b) of the law linked also mentions unauthorised access of data hosted in the state, but from outside the state, as still being a crime committed in the state.

The corollory to this is that unauthorised access to data in another jurisdiction from Ireland, as well as being an offence in Ireland, may also be an offence in that jurisdiction, depending on their local laws.

Anita Blow

LoLth wrote: »

I get where you're coming from on this but in all honesty,

The servers were on US soil

The companies hosting the servers are American

The businesses affected by the actions were American

The very nature of the internet brings the whole question of physical presence into question and a better metric would be to ask "where was the damage done, where exactly was the act of trespassing?"

From that standpoint then yes, hacking a server on american soil means a crime was committed on american soil against american citizens (businesses).

My personal point of view is that, the FBI will request extradition and it is quite likely that it will be granted.

why?

Ireland is trying to present itself to the world as a hi-tech market, we dont want the reputation of allowing/harbouring high profile hackers and lulzsec made themselves high profile through their own actions and their posts/tweets/statements.

Given the current economic climate we *want* US hi-tech companies to set up over here and expand. Politically it might not look the best if we, at the same time, refuse to hand over members of an organised group that took illegal action against a US organisation. The FBI recently briefed the senate on the very real threat (when, not if) of cyber terrorism and made reference to anonymous. I honestly hope lulzsec are not viewed as terrorists but thats the mentality over there at the minute.

What message would it send if they werent handed over? if someone as high-profile as lulzsec can get away with it then whats the harm in a few low profile hacks here and there. its not like the gardai can do much, if anyhting to investigate.

I think a fair outcome would be if, upon conviction, any found guilty were returned to their home country to serve their sentence. To have to serve your time in a foreign land removed from the possibility of visits by family and friends would be a punishment beyond incarceration.

benefits of this:
home country foots the bill for the prison sentence which will encourage countries to police hacking activities and not just go "not our problem".

Non-US citizens do not have to suffer the US prison system.

I also think the length of sentences for hacking crimes are way out of proportion but thats another argument.

As far as I know, it's the judiciary which decides on extradition, not government. The judiciary have no place in granting/refusing extradition on the grounds that "we *want* US hi-tech companies to set up over here and expand". It's not their job to attract investment, it's their job to uphold the law. They can only act within that law and the current precedent is very clear. If you believe that the article quoted had burglary more in mind than hacking, well then that's a shortcoming of the act. It doesn't mean the judiciary can just fill in the blanks itself and make up rules as it goes along.

They committed the crimes on Irish soil and as far as our current extradition laws are concerned, that's enough to refuse extradition.

LoLth

and a legal decision has never been swayed by political or economic motivations?

They committed the act on irish soil so yes, its enough to refuse extradition BUT it does not exclude the possibility of extradition and the Cybercrime convention (signed but not ratified by Ireland) does make extradition a possibility dependign on the agreement of both law enforcement agencies.

And no, the judiciary does not fill in blanks and make up rules as they go along but they can interpret rules based on precedence both at home and abroad (we actually follow very closely behind rulings in England as we have a very similar legal system). Has there been an international Hacking trial in ireland before? was an extradition order sought? if so, then that would be the best place to look for hints about what is to happen, if not, then we have to look elsewhere (UK, Europe) for examples and given the framework set out by the European Council (linked above) extradition is very much a possibility - not a certainty granted, but my honest feeling is that its likely.

as I said, I'm open to correction so if you can find legal precedent then please post it and I will happily reconsider my opinion.

dlofnep

I still think the case for Seán Garland is a compelling example. I simply can't imagine Ireland would extradite two mischievous young students.

gerryk

dlofnep wrote: »

I still think the case for Seán Garland is a compelling example. I simply can't imagine Ireland would extradite two mischievous young students.

I would hope you're right. The penalties in the US are not proportionate to the crime. The penalties here are far more suited.

I had a conversation about this over the weekend with someone who claims to have a little bit of visibility over what is happening. Their claim is that there is not a duality of crime... i.e. the crime(s) that they are being charged with do not exist in Irish law... specifically, conspiracy to commit computer crime.

I would imagine that the actuality of who committed a given crime would be very hard to make stick (7 proxies etc...) but that the testimony of one (Sabu?) as to the involvment of the two would be enough for a conspiracy charge.

In order for an extradition request to be even considered, the same crime has to exist in both jurisdictions, which it apparently does not.

I am not a lawyer, nor do I play one on TV. This is mostly stuff I heard over a pint, and should be taken as such, but it is an interesting angle.