Skip to main content

How the UK exaggerated the case against McKinnon

The British Government exaggerated the charges against Gary McKinnon after approving a request by US prosecutors for the autistic hacker's extradition.

US prosecutors had charged McKinnon with hacking US military computers and requested that he be tried before a US court. But the US ordered the hacker's extradition on minimal evidence over which serious questions have been raised by the UK's prosecuting authorities.

McKinnon's situation has provoked concerns over the basis on which the UK will concede to another country's request for one of its citizens. It has also highlighted how the 2003 Extradition Act can require the Government to represent foreign prosecutors in cases too weak to be allowed before a British court.

When Alan Johnson, then Home Secretary, told Parliament on 1 December last year that the Government would not stop the US order for McKinnon's extradition, he was required by the Extradition Act to deputise for the US prosecution and represent their interests in Parliament.

Johnson exaggerated the US prosecution's evidence against the hacker, even after the UK's prosecuting authorities and experts who had seen the evidence in summary had doubted its veracity.

Johnson said (opens in new tab): "[McKinnon] is alleged to have repeatedly hacked into US Government computer networks over a period of 13 months, including 97 US military computers from which he deleted vital operating systems and then copied encrypted information on to his own computer, shutting down the entire US Army's Military District of Washington's computer network for 24 hours."

This allegation was false and it made the US charges against McKinnon sound more serious than they were.

The US had not accused McKinnon of "deleting vital operating systems" from 97 computers. It accused him of deleting unspecified operating system files from a handful of PCs. Even this allegation was in doubt.

The US had not even specified which files McKinnon was supposed to have deleted. Its evidence was vague enough for the UK Crown Prosecution Service (CPS), the UK public prosecutor, to raise questions about its veracity.

Weak evidence
A significant weakness in the US evidence was its failure to address doubts that the files it accused McKinnon of deleting could have caused the sort of disruptions it claimed had occurred as a result of the hacking.

These doubts had been raised by both the CPS and Professor Peter Sommer, of the London School of Economics, in an expert witness statement to the High Court in one of McKinnon's appeals against the extradition last year. McKinnon had admitted to hacking into 97 PCs. But he denied the damage charge. That charge may not have been even as serious as was claimed by US prosecutors. His actions were certainly not as serious as the Home Secretary claimed they were.

The most serious allegation the US made against McKinnon was that the unspecified files he had deleted included vital operating system files on a computer that provided Internet access to two military bases in Washington DC. The US claimed McKinnon interrupted Internet and email services provided by this computer for 24 hours. The "entirety" of Military bases in the District of Washington for which Johnson and US prosecutors claimed McKinnon interrupted Internet access consists of (opens in new tab) facilities dedicated to ceremonial, transport and low-level administrative functions for the US Army.

All of the machines McKinnon hacked contained unclassified data: that means they contained no sensitive military data. They were PCs used by administrators. This is why they were not protected with passwords. And this is why McKinnon, in his technically and politically naive search for UFO conspiracies, was able to hack into them in 2001. McKinnon had tried to break into the classified computer networks where the US keeps the sensitive data conspiracy theorists most want to see. But his hacking skills were not good enough.

This had all been a cause of scepticism among the UK prosecuting authorities. After a detailed review of the US evidence against McKinnon last year, the Crown Prosecution Service (CPS) raised questions about how secure the US computers were, how sensitive was the data they contained and how important were the Army functions they supported.

The UK's High Court also heard last year how the US had exaggerated its damage claim against the hacker. The US charge that McKinnon damaged the computers he attacked appeared to rest on the logic that the act of electronic trespass was equal to an act of damage.

The US claim of $700,000 damages from McKinnon was for the money it spent investigating and patching up security on PCs where there had simply not been any security in the first place.

Whether or not electronic trespass equates to damage in law, Professor Sommer told the High Court that it was usual for damage claims on computers to be deduced from the seriousness of the computers involved, and for the seriousness of the computers to be deduced from the lengths their owners had gone to secure them. If the PCs McKinnon hacked had been protected with firewalls, they would have stopped McKinnon, whose amateur hacking had been only as ingenious as the manual from which he copied his hacks.

The sum of all the evidence the US military had supplied in support of its allegations against McKinnon was easily picked apart, leaving it wide open to the criticism that it was trumped up. Had the US shown more of its evidence to the UK, it might have made a stronger case for McKinnon's extradition.

Legal predicament
But the US did not need to make a strong case. The 2003 Extradition Act allowed the US to order McKinnon before its courts on the basis of no more evidence than is required for a British judge to issue an arrest warrant. It would require much more evidence to convince a judge to allow McKinnon's case to be brought to before a British court.

The British courts that considered McKinnon's extradition request were forced by the Extradition Act to treat the minimal evidence supplied by the US as though it were enough to justify putting someone before a court. This was nowhere more apparent than in the judgment District Judge Nicholas Evans made on McKinnon's extradition on 10 May 2006. He presented the US military's allegations against the hacker as "facts". Yet the CPS, which is required to vet every case that goes before a British court, had found the US evidence begged still more questions. The evidence rested on "hearsay", said the CPS, (opens in new tab) and raised the possibility that it might not be admissible in court, were it brought before a court that was required to examine it.

The CPS had examined the US evidence because it had considered prosecuting McKinnon in the UK instead of handing him over to the US. A UK trial was possible because it was a cross-border crime. A UK trial had also become desirable ethically since McKinnon had been diagnosed with Asperger's Syndrome, a form of autism, and doctors had warned that he should be tried in the UK.

British Human Rights law, which was the only basis on which the Extradition Act would allow the government to cancel the US court order, was too weak to step in on the basis of McKinnon's mental disability, no matter what medical experts said. The hacker could therefore only be tried in the UK if the US evidence was good enough to stand up in a British court. The US had supplied the UK with all the evidence it was required to supply under the Extradition Act. But the CPS found (opens in new tab) the US evidence was "insufficient" for the British courts.

If the US had better evidence against McKinnon and had been required to supply it to the UK, then the UK may have prosecuted McKinnon in a British court as medical as experts had requested. The British courts did have legal jurisdiction over McKinnon's crime, but this gap in the extradition law prevented them from securing enough evidence to exercise their power. monitors all leading technology stories and rounds them up to help you save time hunting them down.