>Their worry is that foreign countries will eventually retaliate by charging people who are involved in US government programs to hack those foreign countries.
How are non "cyber" crimes handled? Is it normal to charge people for the murders, thefts, and other illegal activities intelligence officers perform?
I'm not going to make a moral judgement here, I'll just say that I'm not a fan of treating "cyber" as some magical realm where there are no norms.
An alleged spy (or confirmed wife of spy) recently ran over and killed a teenager near a US base (where Americans are regularly seen driving on the wrong side of the road) here in the UK and they managed to claim some kind of diplomatic immunity and run away, they can basically get away with anything in the right place.
There is a big difference between diplomatic immunity versus crimes in absentia.
In the former case a physical crime was committed where the suspect and criminal act were both in the geography where the crime is alleged. If not for diplomatic status there would be nothing unique about this case and criminal proceeding would move forward with the suspect in apprehension.
In the later the suspect has no relationship to the geography where the crime was committed. The suspect is not a resident or citizen and was not present or planning to visit the geography in question. Furthermore the suspect was likely acting on orders of a nation-state and so bears limited responsibility. There is no legal recourse to apprehend the suspect.
>There was no diplomatic immunity in this instance.
Well that's just wrong.
There's diplomatic immunity unless the visiting country explicitly waves it. It's not based on some hypothetical legal theory of whether she should have it or not. The visiting country either waves it, or doesn't.
In this case, the police requested a diplomatic waiver and were denied.
in particular, the Vienna Convention on Diplomatic Relations does extend the diplomatic immunity to family members who form part of the diplomat's household.
Additionally, the husband was not on a diplomatic mission, was not a registered diplomat, and does not qualify for diplomatic immunity by the rules of the host country.
The rules only matter with regard to who's allowed entry under what status. They're not subject to review after entering, except for expulsion.
I'm going to assume you're conflating the definitions of diplomat. The Vienna convention only sets a minimum standard. The things you're taking about might matter if it's the US and maybe Libya.
For friendly countries, there are agreements that extend the diplomatic privileges well beyond the core diplomatic party.
And once rules are agreed upon, they only apply to who is let into the country under what status. So entry can be denied, but once allowed in with a diplomatic or official passport, the host country can't change that status. All they can do is expel the person.
If the UK allowed entry under a diplomatic / official passport, that's all that matters.
Regardless, in a "possession is 9/10s if the law" sort of way, the only thing that matters in practice is if the visiting country waives immunity.
I read about this story a while back, very sad. However, she not only had diplomatic immunity, but a foreign government was saying she should be thrown in jail for up to 14 years for an accident. How can you blame her for returning to her own country and claiming that immunity?
The claim of diplomatic immunity was tenuous at best. Her husband was not listed as an official diplomat (the claim was that she had immunity via her husband).
The victim's family recently accused the driver of working for the CIA, and if she was in fact a spy she absolutely doesn't have immunity. That's just an accusation, of course.
If your country backs up your claim for diplomatic immunity, it's pretty much good.
There's no other measure of quality that matters in a practical sense. If the host country wants to dispute that, their recourse is expulsion.
And CIA and other agencies certainly do act under the auspices of diplomatic protection. Barring any movie-like treasonous behavior, why wouldn't they? They're government officials working in an official capacity while abroad.
Besides, being ex-CIA doesn't disqualify spousal immunity. Even if the host country had a problem with that, the recourse is... expulsion.
"she should be thrown in jail for up to 14 years for an accident."
This is such an American-centric view of the world. If you don't want to abide by the moral standards of another country, maybe... uh... don't go there?
On top of that, it is VERY easy to write what JB775 did above if you read about this in the news. If it was his/her child though the sentiment of the comment would be very different.
Laws and courts are there for all. The fact that this lady killed a child, and chose to flee the country, says a lot about her character. All this would have probably been resolved with a generous compensation (by the US gov to the victim's family)(all except bringing the child back). She didn't do anything on purpose until she flipped the finger to UK justice and the victim's family and ran away like the rat she is (let's not forget that she killed a child). US gov on the other hand protects its citizens (even those who kill children and flee justice - great job USA)(she was in the UK, she would have a fair trial). It's a messed up sorry that only has pain, sorrow, and anger.
My sister was killed 5 months ago as a result of injuries from a car accident where someone was negligent. That person is currently in prison. My family had the opportunity to make the penalties much harsher for that person, but we decided against it. It reached a point where we didn't see the point in causing even more pain to an already excruciating situation. Not to mention they need to go about the rest of their life living with what they've caused.
I'm not saying there shouldn't be any compensation or repercussions, but the possibility of 14 years for an accident is absurd. If it wasn't an accident or if she was in fact negligent, that's another story. And what precedent would the US gov be setting by turning over gov employees working abroad (or their families)?
Now that you know I basically have gone through this, maybe you should re-think your sentiment.
That's not the point. If the law in some place says so and so, and you break it (even if involuntarily), you can't say 'oh I disagree with that law so I'm going to flee the country and that's morally ok because in my country we have different ideas about responsibilitiea of car drivers'.
> I'm not going to make a moral judgement here, I'll just say that I'm not a fan of treating "cyber" as some magical realm where there are no norms.
On the contrary, I think we are pulling in too many assumptions into "cyber". Imagine this: if someone had left their door unlocked and someone came in and stole their lawn mower, you could say they deprived the owner of use of their lawn mower. However, imagine if equifax removed [authorize] in an http endpoint like /v2/person/:id allowing anyone to just GET /v2/person/1 .. 999999999 consecutively. Is this a criminal matter? I'd say no. I'd go further and say that this "cyber" fearmongering has gone too far and we should ABOLISH the CFAA. The EFF has still laid their hopes on reform but I for one think it is irredeemable and must be abolished with no replacement.
Just to play devil's advocate: If an armored Brinks truck gets in an accident and cash spills all over, it's not legal to take just because it's no longer protected and on public land.
Intent has to matter a lot in these cases, though.
If a bill blows a mile away and somebody happens to find it with no knowledge of the crash, that's qualitatively different than witnessing the accident and then rushing to grab the money you watched spill out.
Just to be practical: the internet is not a magical place just one where anonymity is so practical that one can not justify a figurative brink truck failing. Moreover, it's absolutely unacceptable for institutions like Equifax to fail given the importance of identity security and the apparent lack of (or unwillingness to consider) alternatives to the social security number such as PKI; PGP for example. If you've ever seen a bitcoin paper wallet with QR codes printed on it you'll know what I'm talking about. I don't care if it's Apache Struts or PHP + mySQL they should have tested to the point of impossibility of intrusion. I think it's also reasonable to assume that the government is full of shit, and the most likely scenario is that these people in China admitted this to the government because they wanted us to know that they did it. If anything they're doing us a favor, but I still think the real solution to the problem is to stop relying so heavily on pseudo-secret identities like the social security number and to at least offer people an alternative means that uses cryptography at least for the people who care about doing things right and taking responsibility for their own security since the government can only make fraudulent guarantees that we're ever going to be safe.
Maybe I'm wrong about this, but I'm pretty damn sure if you use tor the right way they're not ever going to find you unless you give yourself away some other way.
no for sure, stealing is a dick thing to do. But I like to keep my expectations reasonable. Can I reasonably expect to carelessly leave my phone at a table in a place where crime is known to happen when I know better?
I do not see how, given that this is about the equifax events. Is it really different if you copy a "top secret" text file or if you take photographs of your screen displaying it?
Nobody will care if you take a photo of money. Copying the money, as in making a physical copy is a problem.
This is different from information which is inherently not physical, so any copy of representation is a copy. The grey area of course is a lossy copy... redistributed low-res copies of art, etc.
One problem is the metaphor of place. The internet is not composed of tool sheds that contain lawnmowers; it is not composed of places at all. The internet is a network that allows hosts to send packets to other hosts. These packets are, fundamentally, communications. A communication can constitute a fraud or a slander or a copyright violation or certain other communication-oriented crimes or torts, but communication is never theft.
The "place" metaphor was intended to help people who don't have an intuitive understanding of communication networks. Since POTS had existed for many decades, it's not clear that this metaphor was ever necessary. No one ever confused a phone number with a place. Now that most living people have had childhoods during which the internet existed, the metaphor is certainly not necessary now.
If host A on the internet responds to a simple unauthenticated GET from host B with PII, we really shouldn't be blaming host B. The "place" metaphor obscures that fact.
Of course it's a criminal matter! When a bank is negligent and leaves the doors unlocked, they're on the hook for massive civil liability if people's deposit boxes are robbed. The thief is still going to jail if caught, though.
IANAL (I am not a lawyer) - but I think there’s a distinction here in that the lawn mower is going to be on private property, but having urls in the Internet is generally assumed to be public.
According to the DMCA, even if it’s up for public viewing, the mere act of making a copy is theft. For example, if the MPAA posted a full length movie on YouTube for free viewing, and you made a copy, you’ve committed a crime. That’s ignoring the fact that you already do make a copy: your browser cache. It’s perverted, but it’s what the law is.
> How are non "cyber" crimes handled? Is it normal to charge people for the murders, thefts, and other illegal activities intelligence officers perform?
It depends, I'd say mostly on the public outcry. For "extralegal renditions" aka kidnapping by the CIA in Europe, some investigations were happening, some charges were brought, but I haven't heard anything about conclusions.
Cyberspace attacks even against allies have generally been considered part of diplomacy, e.g. the US breaking into Germany's telecommunication systems to spy on Merkel's SMS.
Since this isn't even a state <=> state issue, it's more like the NSA's decades long industrial espionage: business as usual.
It's partly a matter of jurisdiction. Most of the time criminals are in the same location as their alleged crimes. Not so with hacking over the internet. Thats one reason why "cyber" gets special treatment and can be tricky.
And that's ignoring the implications of it possibly being a state actor.
How are non "cyber" crimes handled? Is it normal to charge people for the murders, thefts, and other illegal activities intelligence officers perform?
I'm not going to make a moral judgement here, I'll just say that I'm not a fan of treating "cyber" as some magical realm where there are no norms.