Outside of the clear concerns about if this person is falsely accused of creating malware for the purposes of victimizing people one concern I still have not seen addressed widely is the issue of US enforcing laws on an international level
Even if all of the charges are true, these "crimes" would have taken place in the UK or where ever this person is living outside the US, so how then can the US justify charging them with violation of US law.
I know this is not the first time this has happened, nor will it be the last time this happens, but it is increasingly concerning that crimes completely committed online are open to US Jurisdiction and sets a TERRIBLE precedent.
As a US Citizen I do not want to be held to another nations laws, laws I may not be familiar with, because of my online activities.
It is only a matter of time before a EU nation attempts to extradite or arrest a US Citizen traveling abroad for a hate speech law violation or some other violation that occurred online from the US which is not a violation of US law but is a violation of EU Law.
As a Canadian citizen, open source developer, free minded tinkerer (I don't dare to say hacker in this context) I am fucking scared to enter the USA. The law in question was written largely as an answer to the Wargames movie, it was not a good law then and 30 years later it's downright terrifying.
If they think I broke some USA law they better issue a warrant and ask Canada to extradite me. That's a thing. But this sort of ... ambush ... or what do I call it, that's just scary. Let's say I scrape a website whose ToS said, don't scrape me. Is that a felony? Perhaps. Want to crank it to eleven? Let's say I left accidentally a security hole in Drupal (I have 1299 commit mentions in Drupal) which powers, well, certainly more than ten websites in the United States. Is that a felony? Can it be twisted into a felony? Is it likely? No? Possible? Fuck knows.
You could say, hey the CFAA is older than my boots, nothing has changed, why are you scared only now? My answer is, you know, the leader of the executive branch is an old man without political experience who certainly shows signs of dementia and while I can't professionally evaluate how it changes the situation I have a bad feeling it makes it worse than it was.
Yes. The legal code is so byzantine that most citizens (and most visitors) are permanently in breach somehow, somewhere: an error in some form you filed, a permit you didn't know you needed, a clause that's very rarely enforced, a law worded vaguely that can be made to fit.
This is the origin of the cliche "to throw the book at someone" - to threaten or exact retribution, by hunting for all the ways they are breaking the law, related to the original arrest or not. It is also why the advice is not to speak to police voluntarily.
Fortunately for most folks the US is a mostly benign state (which is why exceptions are somewhat notable). But this is not a unique US issue. It is only a change of intent away from the widespread persecution of political opponents.
As long as most of us believe a 'political enemy' is our enemy too (like those evil hackers), the state is free to throw the book where it pleases with public indifference or even support.
> As a Canadian citizen [...] I am fucking scared to enter the USA
Add Thailand to the list:
> The operation included the arrest on 5 July of of suspected AlphaBay founder Alexandre Cazes, a Canadian citizen detained on behalf of the US in Thailand. Cazes, 25, died a week later while in Thai custody. [1]
I am well aware of Dmitry Skylarov (he was charged under the DMCA, though) and, of course, poor Aaron. Nonetheless, somehow I have evaluated the risk of entering the USA acceptable. I feel the risk grew under Trump.
GP didn't say things weren't already bad, just speculated that if the new president's personality has an effect it would probably be to make things worse.
There are only very few countries which will not extradite you to the US.
Recently they even got a russian hacker from the Maledives, which has no extradition treaty with the US.
Out of my head the list of recent cases was: Cyprus, Maledives, Thailand, UK, Canada, Mexico, Poland, Czech, New Zealand (not clear yet. Police did support the NSA, but law still refuses to extradite Dotcom), and all interpol countries with a few exceptions.
The reverse list is shorter: Germany refuses to extradite the VW managers but who knows what they'll do with hackers. Italy and Spain is risky. Ecuador and Bolivia, who knows? Venezuela probably.
Only Russia and some of its allies should be safe for criminals.
China? Probably also according to Snowden. But they'll probably kill you before sending you over, as they have interesting fraud laws.
This is exactly why the "the Internet is a different place" arguments (such as [1]) make me sad. Because, without a formal worldwide treaty (seems unlikely), it will never be the case. Whilst you might perceive your actions on the Internet to be either only policeable on the Internet or in the worst case in the location you perform them from, the law (in multiple countries, over and over again) sees your actions as occurring in any place they affect. You may have initiated the activity in country A - but if that action is then caused to happen/repeated/perhaps even observed in country B, you probably shouldn't be surprised that if it breaks country B's laws then they might want to speak to you about it.
Guess what - if you (as an example) encourage Chinese dissent online and it gets past the Chinese firewall - you stand a good chance of being picked up by the Chinese authorities should you go there. The only way the Internet is a different place is if you never leave the Internet/your home jurisdiction. The good news for US citizens is an extradition along the lines you mention seems unlikely (unless you also broke US law). In the UK (for example), the situation is far more bleak as their extradition treaties with the US and others are less protective.
P.S. this is in no way commentary on MalwareTech's guilt - that is for a judge and/or jury to decide - just discussing a common perception
Your assertion is that the US should not arrest someone on US soil for crimes committed against US citizens by the person while they were in another country. That doesn't make sense to me. If an American was mailing handguns that are legal in the US to people in the UK I think no one would have a problem with them being arrested if they visited the UK. Disagreeing with the laws of another country is reasonable and your home country has the ability to at least try to intervene in your behalf. But when you are traveling to another country you are subject to its judicial system. If this minimum of enforcement is not acceptable how are any of us to defend ourselves against criminals in developing countries that will never enforce their own laws?
The concept that we get to take our home legal system waltzing around the world with us as we travel is arrogant. You may be morally and legally free to post a cartoon mocking Mohammed on your Facebook page, but don't be surprised if you get detained on a trip through Saudi Arabia.
At least in the US he's innocent until proven guilty and will probably get a fair trial. And he wasn't arrested for posting his opinions on social media or bashing the president. The software in question was designed to steal people's access to their shopping and banking accounts. And the accusation is he conspired to sell it and offer support to criminals to help them abuse their victims. I would have no problem with an American getting arrested under similar circumstances while visiting another country.
> If an American was mailing handguns that are legal in the US to people in the UK I think no one would have a problem with them being arrested if they visited the UK
I would. I would fully expect the UK to engage with the US, not ambush someone.
That's a good point. But there was an article in the BBC that stated at least one agency in the UK was aware of the situation. Given that the guy is temporarily at least a hero, the short time frame since Alphabay was taken down and the evidence discovered, and the fact he was traveling to the US, it was probably better for everybody that it happened in the US. I don't think politicians in the UK would have enjoyed the prospect of extraditing him to the US. My impression is not that they were sitting on this for a couple years, but that the Alphabay operation unveiled a lot of info that they couldn't act on until it was finished. But that's all pure speculation on my part.
I still have not seen addressed widely is the issue of US enforcing laws on an international level
It's simple: if you do something which causes something illegal-in-the-US to happen on computers-located-in-the-US, you can be prosecuted by the US for it. There is nothing new, radical, revolutionary, terrifying, unprecedented, etc. about this idea. There wasn't anything new about it recently when some bitcoin people were busted because they laundered their proceeds through US institutions. There isn't anything new about it when someone in another country hacks a US company's systems.
"The internet" is not a magical extra-territorial location which wipes away all concept of countries having jurisdiction. As long as a computer in one country can cause things to happen to/on a computer in another country, there's an opportunity for either country, or both, or others in between them on the network, to have jurisdiction over things that go wrong.
And your "only a matter of time" slippery slope has already happened: several EU nations have taken legal action against US-based online retail/auction sites to require compliance with laws against selling Nazi symbols or memorabilia. And I hope you'd understand that no matter how much you might argue "but I wasn't even in Germany", Germany will come after you if you offer to sell and ship items to Germany which are illegal to sell/ship there.
Hypothetical: A Pornhub executive flies from New York to Seoul on Etihad Airways. While transiting in Abu Dhabi airport, they are arrested on charges of obscenity. What would be the reaction in the US?
Factual: In 2006, David Carruthers was arrested while transiting through Dallas-Fort Worth Airport. He was convicted under the RICO act and sentenced to 33 months imprisonment. He was the CEO of the online gambling company BetOnSports, which operated in full compliance with the regulations in the UK and Costa Rica, but accepted bets from American gamblers. Gary Kaplan, another BetOnSports executive, was extradited from the Dominican Republic.
The precedent set in the BetOnSports case is either utterly hypocritical or extraordinarily dangerous. If we give every country the right to impose their laws across the whole internet, we don't have an internet any more. A Facebook user posts a comment critical of the Thai royal family; Zuckerberg is sentenced to life imprisonment for lèse-majesté. A Chinese internet user accesses anti-government material via a VPN hosted on AWS and a Google search; Bezos, Page and Brin are all sentenced to 10 years hard labour for subversion.
If you run a business, and decide to do business with people in another country, it's your responsibility to figure out if the business you're doing is legal for that country. This is only a strange idea to a certain segment of internet commenters. The rest of the world has just treated this as the way things are for a long, long, long time. The new, strange, radical idea out of step with established norms is the notion that "on the internet" is some magical lawless, stateless, jurisdictionless place where anything is fair game since nobody could ever prosecute for something that happened in this magical fairyland.
It really is time to stop being surprised that you can be arrested and prosecuted for your interactions and business relationship with people, property or other entities in a country of which you aren't a citizen.
Also, don't look now, but large tech companies headquartered in the US routinely make changes to their products/services to comply with other countries' laws. If Facebook wants to operate in Thailand, Facebook has to be prepared to comply with Thai law, for example. "We're on the internet" doesn't work as an out.
> If you run a business, and decide to do business with people in another country
I understand this to an extent if specific technical work was done to make a system function in a particular nation (e.g. if the betting site did technical work to accept USD as a payment).
But, it's very possible to build a website and not decide to do business with people in another country. It's possible to be running an online business and not need to know what country a user is from. If I never decided to do business with people from a particular country, am I still subject to its laws?
In the example, what if Facebook didn't specifically want to operate in Thailand? What if Facebook simple hadn't taken specific technical steps to block Thai users?
If Facebook doesn't want to account for a country's laws, Facebook needs to make sure it never hires employees in that country, never has any key personnel visit that country even briefly, etc.
Again: this is not a bizarre new unprecedented never-before-considered hypothetical.
In the gambling case, it's actually even easier, by the way, to create jurisdiction since the gambling site needs a way to actually pay out to its customers, which makes it very hard to avoid certain countries' financial rules. I don't particularly care for the US' stance on online betting (but let's face it, those folks aren't caught up in some kind of "how could I have known" situation -- they're like the people who ran the original p2p file-sharing networks saying they were shocked, shocked! to discover that what must have been a tiny, insignificant, sub-microscopic fraction of their users were openly violating laws), but the legal framework around being able to arrest/extradite people and prosecute for crimes which involve people on multiple sides of a border is pretty well-understood and I know of no way in which this is some sort of unprecedented abuse of it.
Again, look to the auction sites which got notice from Germany to either stop being accessible at all there, or start filtering out the Nazi stuff so Germans couldn't purchase it.
>If Facebook doesn't want to account for a country's laws, Facebook needs to make sure it never hires employees in that country, never has any key personnel visit that country even briefly, etc.
In practice, that means that nobody can ever travel internationally. It's impossible for anyone to know for sure that they've never broken the laws of another country. It's barely possible to know if you're abiding by the laws of your own country[1].
Facebook might filter out lèse–majesté comments to Thai users, but how can they be sure that the filters caught everything? How can they be sure that a user didn't circumvent their filtering? How can they be sure that the Thai judiciary will accept their defence that "we did everything we could to stop it, but something slipped through the net"? Even if Facebook employees never travel to Thailand, how can they be sure that they won't be extradited from a country that's sympathetic to Thailand's lèse–majesté laws?
I don't know what the solution is, but there are clearly immense risks here. America's habitual snatch-and-grab arrests of foreign nationals has legitimised all manner of human rights abuses.
So let's say a country enacts the two hypothetical laws:
- Any operating website which renders services to the greater internet must make its service available to traffic originating from this hypothetical country.
- Pornographic materials fall under obscenity laws
Now any website offering pornographic materials ends up in a catch 22; the only way to avoid violating a law of that country is to comply with the latter law, and not serve pornographic materials (even if one's own country has no laws outlawing it).
You see how this can be problematic given the global nature of the internet, with hundreds of countries each enacting their own laws? You shouldn't need to be able to solve the world's most complex constraint satisfiability problem to operate a website; you should only be required to comply with the laws in your own country, while making no active attempts to violate laws in other countries.
You see how this can be problematic given the global nature of the internet
You seem to be thinking that there's some sort of old sci-fi robot here that if you present it with a logical contradiction it will start yelling DOES NOT COMPUTE and its head will explode.
I suggest you stop thinking in those terms; laws don't work like computer programs, and the sooner you understand that, the better off you'll be. Legal frameworks can deal just fine with contradictions. And, yes, a sufficiently-malicious government could pass combinations of laws designed to force someone to commit a crime.
Yet somehow the world continues to work. And if there's a foreign jurisdiction with laws sufficiently odious to your business, well, you just stay home. Typical extradition treaties require that the alleged act be criminal in both countries in order to extradite for it, so as long as you stay in a country whose laws match what you want to do, or which has no extradition, you're good (this also is why so many criminal hacking cases are dead ends trailing off into countries that won't extradite to wherever the victims were, but this appears to be the outcome you want).
> If you run a business, and decide to do business with people in another country, it's your responsibility to figure out if the business you're doing is legal for that country.
I'd say it's the responsibility of the people in the other country to know their own laws. It's not reasonable for the business to know the laws of every country in the world, which is the only other option.
This is how it has traditionally worked. If it's illegal to possess a particular item in country A but not country B, and someone living in country A places a mail order from country B for one, one would normally expect that person in country to be held culpable under his or her own laws, not the business in country B legitimately selling it.
If there is an item that is illegal to possess, typically both the buyer and seller can be prosecuted. That's nothing new. You're just continuing to push the idea that "it is legal in my country" as a defense that's already been established as not a valid defense. This type of prosecution has been established way before the internet even existed.
Well, the legal system's that state that buying and/or selling a restricted or illegal item is punishable by law. I'm not familiar with the laws of every jurisdiction on the planet in this particular manner.
I'll admit I'm assuming that in cases where it is illegal to possess the item it is also likely illegal to sell said item. But I'm sure there are exceptions to the rule.
The owner is not in the US, has never been to the US the servers are not in the US and what they are doing is not illegal in their home nation but they are being sued in US courts
>>And your "only a matter of time" slippery slope has already happened: several EU nations have taken legal action against US-based online retail/auction sites to require compliance with laws against selling Nazi symbols or memorabilia. And I hope you'd understand that no matter how much you might argue "but I wasn't even in Germany", Germany will come after you if you offer to sell and ship items to Germany which are illegal to sell/ship there.
No that is infact not what my "slippery slope" argument is.. No where even remotely close to it
Shipping an item INTO the nation means clearly you must abide by their laws, what I am talking about would be Germany attempting to take legal action because I operate a website that has nazi symbols on it that a german person happens to visit.
>> There is nothing new, radical, revolutionary, terrifying, unprecedented, etc. about this idea.
Seems to me that there is since the US is not just prosecuting people for their direct actions against US Computers but seem to be going after people many many steps removed from those actions that have the thinnest of connections to US Interests. This seems to be new and radical and terrifying from my point of view
Do you support the US in doing this? You seem to imply you have no problems with the current state of affairs
So, let's just put it clearly: suppose someone who is, at the time, not physically present in the US, breaks into a computer system which is physically present in the US at that time. Which of the following do you think most accurately describes the situation?
1. No crime has been committed, because these actions took place on the internet, where no laws apply and no country has jurisdiction.
2. A crime may have been committed, but only if breaking into computer systems is against the law of the country the person was in at the time, and so only that country could prosecute.
3. A crime was committed in the United States, but the United States cannot prosecute someone for a crime if some element of that crime took place physically outside the borders of the United States.
4. A crime was committed in the United States, and the United States can prosecute the person responsible, and has the power either to arrest that person if they happen to visit the US voluntarily, or to extradite that person from the country they're in if an extradition treaty exists between the United States and that country.
The accepted view, for the record, is (4), and appears to be the basis of this case: the indictment claims computers physically located in the US were affected, which gives the US jurisdiction to arrest and prosecute.
>>So, let's just put it clearly: suppose someone who is, at the time, not physically present in the US, breaks into a computer system which is physically present in the US at that time.
So your strawman has nothing to do with the topic at hand
The US Government in this case is not claiming this person broke into any computer system, they are saying this person developed a tool that was then sold (outside the US) to others that then may have been used by unnamed 3rd parties to break into computers.
So to make up a true hypothetical, if a person A in Russia make a small computer program that cracks passwords. Then sells that computer program to person B in Russia, then person B uses that program to break into a US Computer, did person A break US law, and be charged under US Law?
The indictment seems to think he was a bit more involved than that.
What you seem to want him to be is, to spin out an analogy, an innocent shopkeeper who happens to sell sporting goods, and is now saddened to learn that someone bought a cricket bat from him and used it to beat someone up. The indictment is alleging something more like "Anybody here looking to beat someone up? I've got cricket bats that are great for this, and am happy to provide assistance and pointers and work with you as you choose who to beat up and how!"
Seriously, read the indictment. If they can prove he either was involved in deploying/using/explaining how to use the malware against specific US victims, or that he knew who the intended victims were and provided the malware for use against them with that knowledge, then he's dead to rights on a US charge.
I have, and to the extent a conspiracy occurred that conspiracy was completely in another nation so to apply this to your analogy if this shop selling cricket bats with a owner that provides pointers to beat people up with it is located outside the US, then the person they provided pointers to travels to the US to beat someone up do you still believe the shop keeper has violated US law?
If the conspiracy was to break into or attack US computer systems, it's a crime the US has jurisdiction over.
If it had been a conspiracy to break into or attack French computer systems, France would have jurisdiction over it. If it were a conspiracy to break into or attack Mongolian computer systems, Mongolia would have jurisdiction over it.
The problem with all these approaches is that they sidestep what the internet is and isn't and change the rules as they see fit when they want a certain outcome.
If the internet is a digital territory made up of computer ETS, then we first have do solve the question of how to determine, who'se territory it is.
If it is only a communication tool to reach physical objects on a countries soil, then the usual treaties regulate a very different approach as the one taken.
Going back to the territory problem, a state as a person of international law should possess the following qualifications: (a) a permanent population; (b) a defined territory; (c) government; and (d) capacity to enter into relations with the other states. Good luck trying to use this on the internets.
State agents can't even identify themselves in a secure way so I could also nuke them virtually when they enter my virtual home... all the questions like taxation or citizen rights not even mentioned - you see the problems?!
States use arbitrary interpretations of clauses of often mutually exclusive treaties covering civil and criminal law to basically claim, that each one has dominion over all of the internets.
The real situation is more like international spaces, where states have some control over their systems, just like coastlines and out in the high seas it's everyone on it's own with the states neither willing nor able to enforce the rights of their citizens...
Ah, I see. You're going to derive a system contrary to Westphalian states from first principles in an effort to show why it's unjust that someone who hacks computers in Country A from Country B can be arrested and prosecuted by Country B, since the entire notion of state sovereignty is flawed!
Let me know when your treatise on this is finished.
Don't attack, just verify. The system is in place (hint: high seas), the states, especially those not in a state of denial of the applicability of international law, have to offer definitions for their regulations, especially those in Roman law countries, where the first section is always definitions... not doing so allows them to be challenged by other states.
In other news the kind of system you think is used is exactly why there ARE international treaties... to avoid those situations.
But perhaps you are right and we should have more cases based upon the Pinnochet precedent... e.g. Int. extradition of US border officials looking into protected communication a british lawyer takes to his client in the us - something that is prohibited and punishable both in civil and criminal law in most of the world?!
4. but you need to understand a very significant different: they kept the warrant secret to ensnare him. If they issued a warrant and then he visited the USA and gets arrested -- that's stupid. But he had no idea, worse he couldn't have any idea. Do you get my problem here?
Plenty of people have warrants out against them that they don't know about. Lots of jurisdictions, including developed modern Western nations other than the US, don't send you warning in advance that you're going to be arrested. They just show up with the handcuffs.
On foreign soil? They set a warrant out for you waiting for you to travel there, kept in secret? Not sending it to the home authorities? What's wrong with this picture?
As hard as it may be for you to believe, police in many countries are generally not in the habit of warning people in advance that they're going to be arrested. I know it's rude of them since it may inconvenience someone's travel plans, but that's just kinda how it is.
Going by your logic, US could proactively import a computer that is a victim of a crime from somewhere in the world onto US territory, and arrest the person responsible.
If you read the indictment, the claim alleged is that some of the computers affected were in the US at the time the crime occurred. Which would give the US jurisdiction.
This is not a new, dangerous, slippery, radical, unprecedented idea in law. It doesn't lead to people digging up murder victims' corpses and importing them to other countries to give those countries jurisdiction over the murder, etc., because the law has worked this way for a very long time.
The problem here, as I wrote above, is arresting a UK citizen in the USA. If they would've issued a warrant and the UK police decides to arrest him and then extradite him, that's fine.
But this sort of thing... this could potentially halt international travel. I am not kidding: how do you dare to travel anywhere if you can be arrested for something you did years ago which very well might have been legal in the country you resided in but not in the country you travel to?
What Malwaretech has been charged with here would likely be illegal under UK law as well as US law (section 37 of the Computer Misuse Act [1] appears to be analogous to the charges being brought against him). And regardless, the UK-US extradition treaty is written in such a way that the US charges do not have to be illegal under UK law for an extradition to take place (although the converse is not true).
Now, it may well have been the case that when the inevitable court case to challenge the extradition in the UK took place, it might have gone all Gary McKinnon on them [2], due to public support after WannaCry etc. which I'd suggest is probably why the FBI chose to arrest him in the US rather than put in a formal extradition request or work directly with the UK authorities (AFAIK).
But yes, I do agree that with the advent of a worldwide communications network, travel to countries with oppressive, obscure, or stricter legal regimes has become more dangerous for some. The thing I find curious is that others haven't perceived this change in risk.
I wouldn't necessarily say this is a bad thing either - note there have been a number of (accused) botnet operators/cyber-criminals originating from Russia who were arrested whilst holidaying in the EU, and then extradited to the US. Since Russia has a reputation for being lax about prosecuting such "crimes" (especially if they only target people outside of Russia), and also tends to refuse to extradite Russian nationals, it doesn't seem that there are many other options.
Why is it a problem that if you commit a crime and then visit a geographic location where the local governing entity has jurisdiction, you could get arrested?
If he had robbed a gas station in Las Vegas, would you be upset if Las Vegas police arrested him?
Do you believe that "I am not a citizen of your country" automatically provides exemption from a country's laws even when on their soil?
If I went on travel to a foreign country and committed a crime, I would expect to be arrested there. Where the damage was done is the key, not where I was at the time. If I create some malware that takes out UK servers, I would expect to be arrested for that if I ever set foot on UK soil.
If you ever posted a sickle-and-hammer to the web, visible to the Hungarian public -- distributing it -- then you possibly could be fined for it. If you visit Hungary and you got fined, would you consider it just? Here's the Hungarian Criminal Code article in question:
Article 335(1). Any person who
a) distributes;
b) uses in public;
c) exhibits in public;
a swastika, the SS sign, an arrow-cross, a hammer and sickle, a five-pointed red star or a symbol
depicting the above, – unless a graver crime is realised – commits a misdemeanour, and shall be liable to
punishment with a fine.
(2) The person who uses a symbol of despotism for the purposes of the dissemination of knowledge,
education, science, or art, or with the purpose of information about the events of history or the present
time shall not be punishable.
(3) The provisions of subsections (1) and (2) do not extend to the official symbols of states in force.
As I've already noted, Germany and other countries have enforced their no-Nazi-stuff laws against US-based entities.
If you do a thing that's illegal in Hungary, and then put yourself on Hungarian soil, I'm not going to be surprised when you get arrested. In other words, this is not the knock-down "that'll really show him!" counterexample you're looking for.
This seems untenable. Now, to travel to another country for holiday, I need to look back on everything I've ever done, (even something so minute as distribute an image of a hammer and sickle) and pore over the laws of that country and determine I have not ever been in violation of _any_ of them?
I don't think most people would say that's how it should be, it's just the way it currently is. Law enforcement typically does not care about your convenience.
While I agree that the US should arrest people or entities that tries to harm its citizen; it's important to note that the US doesn't really look for that criteria.
For example, they attacked Syria for crimes committed by Syrian against Syrian. The US wanted to carry the attack, and then found the excuse.
But why would this surprise anyone? Do anyone think that the US is spending billions on military weapons just for the fun of it?
> It is only a matter of time before a EU nation attempts to extradite or arrest a US Citizen traveling abroad for a hate speech law violation or some other violation that occurred online from the US which is not a violation of US law but is a violation of EU Law.
Even if all of the charges are true, these "crimes" would have taken place in the UK or where ever this person is living outside the US, so how then can the US justify charging them with violation of US law.
I know this is not the first time this has happened, nor will it be the last time this happens, but it is increasingly concerning that crimes completely committed online are open to US Jurisdiction and sets a TERRIBLE precedent.
As a US Citizen I do not want to be held to another nations laws, laws I may not be familiar with, because of my online activities.
It is only a matter of time before a EU nation attempts to extradite or arrest a US Citizen traveling abroad for a hate speech law violation or some other violation that occurred online from the US which is not a violation of US law but is a violation of EU Law.