US Govt Pursue UK hacker

[Idaho]

US want to extradite hacker

I am ever amazed about how vindictive the US govt is. Tey really want to put this guy in prison for the rest of his life. All for the sake of a few unprotected files.

[Rodion Romanovich]

I liked this part:

"My intention was never to disrupt security. The fact that I logged on with no password showed there was no security to begin with."

No password protection for military files...

Seems like the good old days when a hacker could get hired by CIA instead of put in jail are gone...

[Fragony]

Well it wasn't a very smart thing to do, I would say that hacking in a military network is a pretty big offence, but it doesn't seem like there was any bad intention. Let the UK trial him, that is where he did it after all. Could be worse, there was a dutch drugdealer who sold drugs in Holland to an american, america wanted him flown overseas. Even more crazy, 'we' allowed it.

[Joker85]

US want to extradite hacker

I am ever amazed about how vindictive the US govt is. Tey really want to put this guy in prison for the rest of his life. All for the sake of a few unprotected files.

"It said one attack at the Earle Naval Weapons Station took place soon after September 11, 2001 made it impossible to use critical systems. The US Department of Justice said it took a month to get systems working in the aftermath of this attack."

Poor guy, spent two years F'ing up a place he had no buisness being, but he's the victim.

I think I'll rob a bank tommorow and work my way into the safe. If I get caught I can always say "I was just doing it out of curiosity I didn't take anything!!!"

He openly admits he was trying to find, steal, and release technology that belonged to the government. That is not harmless looking around. He was actively trying to damage the dod.

Noone told him to spend 2 years of his life trying to F the govt and release classified technology.

He'll get 5-10 years and a fine and should consider himself lucky it's not worse. If he gets a slap on the wrist it will encourage every moron with too much time on his hands to try and crack their way into dod/govt systems and steal technology to release/sell.

[Rodion Romanovich]

Actually, if there's no password protecting a computer system, it's generally considered to be free to visit for everyone, and it isn't an offense to do so. With the logic of the persecutors in this case it would be illegal to visit for example the .org if the .org one day suddenly decides it's not open for everyone who wants to visit... Now if you have a bad, easy to break password, that's another thing. But if there's no obvious access denied message like a password requirement, then it's hardly a crime to bypass... ehm ... bypass what? There's no crime in this case, any sentence at all for visiting a not at all password or bio-protected (retina scan/fingerprint reader) or credit card number protected system or service would be outrageous. Just face it - they need to hire a couple of experts at computer security and try to make sure they don't repeat this mistake again. Making an innocent kid a scapegoat for it is just ridiculous.

[Joker85]

Actually, if there's no password protecting a computer system, it's generally considered to be free to visit for everyone, and it isn't an offense to do so. With the logic of the persecutors in this case it would be illegal to visit for example the .org if the .org one day suddenly decides it's not open for everyone who wants to visit... Now if you have a bad, easy to break password, that's another thing. But if there's no obvious access denied message like a password requirement, then it's hardly a crime to bypass... ehm ... bypass what? There's no crime in this case, any sentence at all for visiting a not at all password or bio-protected (retina scan/fingerprint reader) system would be outrageous.

Well without knowing the facts of the case, I think it's safe to assume that simply because there was no password does not mean it was as easy as typing go to www.letmeinyoursystems.com and you have instant access to highly sensetive DoD systems and techs.

While there may have been no password, I'm sure there were other security measures he had to violate to hack his way in.

To use your analogy about the .org a bit further. If the mods had a secret board for other mods only and the only way to have access to view it was to have them change your member status to "super duper cool guy" they might not password protect those forums because they assume the only people with access will be those who get super duper cool guy status. So if someone hacks his way into them, gets caught, and says, "but they wern't password protected!" it wouldn't really matter would it?

[Rodion Romanovich]

To change the member status to "super duper cool guy" you need to type in a password to access the database. Thus, it's password protected.

I think that if you knew more about computers, you'd realize that the "guilt" in this case is completely on the side of the military computer systems. If you're responsible for a nation's military resources then it's your duty to hire a professional at computer security or you're a threat to your nation. In fact those responsible for the lack of computer security should rather be tried in court to see if they took proper measures to hire experts at the subject. This thing is like wanting to punish the little child that goes pass the embassy and happens to see a confidential paper that a diplomat accidentally dropped.

[edyzmedieval]

"super duper cool guy"

Maybe that's the password.

[Joker85]

Also, let me add, it's not about making him a scapegoat. If all he did was read around for a while for the "coolness" of being in a secret place I would understand. But he spent two years trying to find, steal, and release classified US technology. That takes it much further. He was actively attempting to damage the dod and research that in all probability cost millions. His attacks also crippled systems after 9/11 that were needed in the response.

He has caused a great deal of damage and is not some innocent scapegoat who got caught looking around. His actions and intentions were not "free of malice" as he claims. No more so then me deciding I can break into someone's house and steal their property because "well they left their door unlocked".

[Rodion Romanovich]

Well, if you make research for millions and don't password protect it you've committed a serious crime. Accessing a page that wasn't password protected is not. The stuff about crippling 9/11 response is just a fake excuse, just say 9/11 bla bla and it sounds like it's serious. No, it's fully the responsibility of the chiefs of computer security within these military networks.

In computers it's not the same as doing burglary because the door was left unlocked, because you can end up accessing networks you didn't intend to depending on how you get the reference to them. For instance you might google and find a subpage within a site. On the front page it says "access denied", but on the subpage it doesn't say so. Have you committed a crime then? No. Similarly you might bookmark and often visit that subpage, without ever finding out the main page said "access denied". For purposes of legal security the principle is that anything you can access without being asked for a password is free to visit.

[Joker85]

To change the member status to "super duper cool guy" you need to type in a password to access the database. Thus, it's password protected.

I think that if you knew more about computers, you'd realize that the "guilt" in this case is completely on the side of the military computer systems. If you're responsible for a nation's military resources then it's your duty to hire a professional at computer security or you're a threat to your nation. In fact those responsible for the lack of computer security should rather be tried in court to see if they took proper measures to hire experts at the subject. This thing is like wanting to punish the little child that goes pass the embassy and happens to see a confidential paper that a diplomat accidentally dropped.

I think you should re-read his quote.

"The fact that I logged on with no password showed there was no security to begin with."

First considering that he is not exactly unbiased in this, it goes back to my point that he had to get into the system in the first place to be able to logon and try to steal technology. It would be interesting to learn the security measures taken to prevent that.

Or, are you simply taking his word at 100% and because he said it was "your fault for making it easy" believing that.

Going back to my question about breaking in. If you forget to lock your door and someone breaks in and steals your stuff, is the "guilt completely on the side" of you? Of course not.

You do not have the right to exploit someone else's slip or percieved slip in security and steal their properity. If you believe a person does, then we find ourselves at a disagreement that will never be resolved.

He was a place he did not belong, trying to steal something that was not his. He has admitted both things. His only defense is "well they try hard enough to stop me". If you try to use that argument about any victim in any court of law in the western world you will be laughed out of it. Unless your victim is the government I guess. Then it's ok to steal as you please and blame them for not doing more to make sure you couldn't.

[Joker85]

Well, if you make research for millions and don't password protect it you've committed a serious crime. Accessing a page that wasn't password protected is not. The stuff about crippling 9/11 response is just a fake excuse, just say 9/11 bla bla and it sounds like it's serious. No, it's fully the responsibility of the chiefs of computer security within these military networks.

In computers it's not the same as doing burglary because the door was left unlocked, because you can end up accessing networks you didn't intend to depending on how you get the reference to them. For instance you might google and find a subpage within a site. On the front page it says "access denied", but on the subpage it doesn't say so. Have you committed a crime then? No. Similarly you might bookmark and often visit that subpage, without ever finding out the main page said "access denied". For purposes of legal security the principle is that anything you can access without being asked for a password is free to visit.

I'm sorry, but he has already admitted he went there with the purpose of stealing "suppressed technology" which means he KNEW he was not supposed to be where he was or do what he was doing. Therefore he did not "stumble into a place".

You are making it out as if he accidently found something and never went back and was arrested. No, he spent two years actively trying to steal from a place he knew he shouldn't be. And, furthermore, his claim that it "did not require a password to logon" says nothing of his other means used to bypass security to gain access. You are taking his word 100% and conveniently dismissing anything the govt says. There is no point in debating because anything they do say is dismissed as "oh they are just saying that" while anything he says is taken as the word of God.

[Rodion Romanovich]

I don't think you're too ignorant about how computer networking works to be able to understand that the parable with the burglary isn't relevant to this situation. Read my post above, it was probably registered as edited after you posted your response. I explain it again:

In computers it's not the same as doing burglary because the door was left unlocked, because you can end up accessing networks you didn't intend to depending on how you get the reference to them. For instance you might google and find a subpage within a site. On the front page it says "access denied", but on the subpage it doesn't say so. Have you committed a crime then? No. Similarly you might bookmark and often visit that subpage, without ever finding out the main page said "access denied". For purposes of legal security the principle is that anything you can access without being asked for a password is free to visit.

Again, no matter if this guy is considered guilty or not, those responsible for the computer security of the network are guilty of a very serious crime in not hiring proper experts at computer security to protect networks containing research for millions of dollars. It's their responsibility to their nation. I guess they just spent that budget on champagne and russian caviar representation parties. Well, in any case, no matter the guilt of the British guy, they should be tried in court for such behavior, to see if they really did hire any experts, as is their responsibility.

[Fragony]

I'm sorry, but he has already admitted he went there with the purpose of stealing "suppressed technology" which means he KNEW he was not supposed to be where he was or do what he was doing. Therefore he did not "stumble into a place".

In that case this was a terrorist act, let me guess, one of these extreme leftist militant types? Forget what I said, put him on the plane right now.

[Rodion Romanovich]

I'm sorry, but he has already admitted he went there with the purpose of stealing "suppressed technology" which means he KNEW he was not supposed to be where he was or do what he was doing. Therefore he did not "stumble into a place".

You are making it out as if he accidently found something and never went back and was arrested. No, he spent two years actively trying to steal from a place he knew he shouldn't be.

Maybe you've heard of provocation to crime (or what the proper English term is)? If you're making a crime too easy then whoever commits it can't be considered guilty. Now if you enable someone to log into a network without being asked for a password then you're trying someone's curiosity quite a lot.

And, furthermore, his claim that it "did not require a password to logon" says nothing of his other means used to bypass security to gain access.

Well, the failure of the government to prove the existence of any such further security requirements implies so.

You are taking his word 100% and conveniently dismissing anything the govt says. There is no point in debating because anything they do say is dismissed as "oh they are just saying that" while anything he says is taken as the word of God.

Well, since the government refuses to say which those further security systems would be, let alone prove it, their statements are just regular political BS. "It hurt the 9/11 response", it's like "why do you hate freedom?". You can say that anything hurt the 9/11 response - this salesman had run out of donuts so this diabetic policeman was too hungry to be able to get to the 9/11 site quickly enough but could maybe have helped more if he got there faster. That guy had chosen bad shoes on the morning so he couldn't walk faster, so OMG he's guilty of hurting the 9/11 response. No, all the arguments from the government so far are just BS and no real facts that can be proved. However it can be proved quite easily that the networks the British guy accessed weren't password protected. Therefore his single statement is, unlike those of the government, containing facts rather than just rhetorics. If this guy is really sentenced to anything, then it's a threat to democracy, the Internet and regular people.

[Joker85]

Well, in any case, no matter the guilt of the British guy, they should be tried in court for such behavior, to see if they really did hire any experts, as is their responsibility.

Well I believe that if the security is found to be as weak as this man claims, then the person who was responsible for ensuring the system and files stayed classified should be at the very least fired and possibly court martialed if there were advanced warnings that the security measures could be exploited and bypassed.

But my issue is with passing off the blame from him to the victim. Regardless of how easy he claims it was for him to hack into the dod system to try and steal someone else's technology, that does not change the fact that he did it. Therefore he should be jailed for it. If someone from the dod's neglegence made that easier than it should have been for this man to commit his crimes, then they should be held accountable for their incompetence as well.

But he is not a scapegoat, or a victim, and his crimes indeed caused damage. That is why he is being brought back to the US to answer for it.

[Joker85]

Maybe you've heard of provocation to crime (or what the proper English term is)? If you're making a crime too easy then whoever commits it can't be considered guilty.

Interesting, I don't think we have anything even similar to that in the US. If a woman is wearing provacative clothing and is raped, we don't say "well you shouldn't have dressed like a slut" or "well you shouldn't have been walking down a dark alley drunk at 3 in the morning".

So you did dismiss my burglury argument and even though I disagree with you I chose to let it go.

However, now that you have broadened the subject not to computer crimes but to all crimes and claimed that under British law "if you make a crime too easy whoever commits it can't be considered guilty", I think I'll bring it up again.

Under British law, if you leave your door unlocked and someone steals your property, is it your fault?

If British law indeed works that way, and you can blame a victim for making it "too easy for a crime to be commited against you" then I can see why we are disagreeing here.

Unfortunately for this man, he did not commit his crimes against the UK, he commited them against the US, that is why he is being extradited to the US to answer according to our laws.

[Rodion Romanovich]

Well, computer networking works in the way that you request a service, you're given the service via 5 different hosts, and end up being connected to a 6th host you didn't ask the service from. That's how the basic infrastructure works. You can never be assured that you don't accidentally ask for a resource you're not supposed to get, and if it happens to not be password protected, then you've ended up in there. Now the fact that this guy has been doing it for so long is just a matter of him not being discovered earlier. He has never received a formal message that he shouldn't be there, but he might be guessing he isn't allowed to be there. That's a clear distinction. Plus computer security laws are not yet built out to cover all new technology, so you can't really apply any normal laws to it yet, and have to stick to the mildest interpretations until proper laws have been founded. It's like the situation when you play a game with kids, then you discover a flaw in your rules. You don't change the rules to apply also to the instance which made you realize the rules were flawed, but you apply the rule for all future cases from the moment you made the new rule.

Interesting, I don't think we have anything even similar to that in the US. If a woman is wearing provacative clothing and is raped, we don't say "well you shouldn't have dressed like a slut".

No, the rules are thought-through and fair. If you put an unlocked motorbike outside a bar where people get drunk, it's provocation. The drunk people that exit the bar behave less responsibly than a sober person, and the unlocked motorbike wouldn't give any insurance coverage either. If you leave your door to your house open, it's much more clear that it wasn't provocation. Similarly any clothing is allowed (but in some countries it's common that running around entirely naked apart from during special festivals is considered "anger-causing behavior" or something like that...).

So you did dismiss my burglury argument and even though I disagree with you I chose to let it go.

However, now that you have broadened the subject not to computer crimes but to all crimes and claimed that under British law "if you make a crime too easy whoever commits it can't be considered guilty", I think I'll bring it up again.

Under British law, if you leave your door unlocked and someone steals your property, is it your fault?

I dismissed your burglary argument because computers work entirely different. It's not immediately clear what is allowed and what isn't, sometimes you even need to "hack" around some bug which doesn't enable you to immediately show what you wanted to show. It's not immediately clear what is allowed or not until you get a formal request for a password. Just like in other laws, there must be clear definitions of when it's provocation of crime, or when there's a formal message of access denied or traditionally well-known that it's access denied. It's traditionally well-known that you may not enter a house for burglary, there's formal "access denied" when you enter a bank and ask if you can get one million bucks without providing them with either data (password) for your account number which hopefully contains one million, or ask for a loan and they think your income status etc makes you able to pay it back according to their rules.

Unfortunately for this man, he did not commit his crimes against the UK, he commited them against the US, that is why he is being extradited to the US to answer according to our laws.

That's another part of computer related law that isn't completely adapted to modern inventions yet. He was in UK when he committed the crime. His crime, if any, was against the US. So which law applies?

[English assassin]

Legio means incitement to crime, but I can't go so far as to say that a badly protected computer system is incitement.

I'm afraid I don't have huge sympathy. Its not a case of him logging onto the Org and finding out that unknown to him the Org techheads have hosted it in a secret place behind the pentagon firewall. He did hack computer systems that were obviously in the US and that he really did know he wasn't supposed to be in.

All right, the Americans are now going to go ape and give him some completely ridiculous sentence, but he should have thought of that beforehand shouldn't he.

[Joker85]

All right, the Americans are now going to go ape and give him some completely ridiculous sentence, but he should have thought of that beforehand shouldn't he.

I hope not and don't think he will. I mean I don't want his life to be over because of this, but I do want a serious enough sentence that it sends a clear message to other people that it's not a game and you can't hack into govt systems to try and steal technology.

As I said earlier I see 5-10 years and a fine. If he gets 15-20+ years it would be too much.

[Haudegen]

I just wonder why the USA wants revenge here. I mean, it´s not like he has sold some stuff to hostile nations or planned to do this. IMHO the USA should say: Hmm this guy has hinted us towards some security problems, we´ll fix them, and now let´s remain quiet about it.

In the trial that is about to begin, the government will have to talk about details of this affair if they want a conviction. Is that such a good thing for national security?

Or will the prosecutor just say: Mr Judge, I have evidence that he´s guilty but unfortunately I can´t show you. Please convict him now! That would be a true crime, I think.

[English assassin]

You see, I just am not buying this white hat business. White hat is hacking into the pentagon one night, sending them an email the following day telling them everything wrong with their system, and never doing it again. Its not having a good old rummage for two years.

OK so he says he was looking for suppressed info on UFO FTL drives and not the launch codes for the ICBMs, but its not a rule that you only prosecute the successful criminals.

@joker, 5-10 years in a US jail is more or less what I meant by going ape and giving him a ridiculous sentence, but like I said, he should have thought of that first.

[Haudegen]

I have little doubts that he has committed computer crimes and I was not trying to apologize him. My point is that I think that the US interests were served better if they had kept it under the carpet.

[Louis VI the Fat]

Mr McKinnon will obviously face a sentence in the US that the general UK public would find disproportionate. Therefore I would trial him before a UK court.

The UK is an independent country and well up to the task of arresting and prosecuting her own citizens, under her own laws.

[Xiahou]

Actually, if there's no password protecting a computer system, it's generally considered to be free to visit for everyone, and it isn't an offense to do so.

Yeah right. Just like if you forget to lock your door when you go away your house is free for everyone to come inside, snoop around your personal records and release anything interesting they find to the public. Get real.

I dismissed your burglary argument because computers work entirely different. It's not immediately clear what is allowed and what isn't, sometimes you even need to "hack" around some bug which doesn't enable you to immediately show what you wanted to show.

He knew full well he wasnt supposed to be there- he's admitted to it. The analogy applies. Had he just wandered in, realized where he was and then quickly logged out- your argument might hold some water. But 2 yrs? I think not.

Interesting, I don't think we have anything even similar to that in the US. If a woman is wearing provacative clothing and is raped, we don't say "well you shouldn't have dressed like a slut" or "well you shouldn't have been walking down a dark alley drunk at 3 in the morning".

Beat me to that one too.

I hope they throw the book at this guy- he destructively hacked into DoD computers with the intent to steal national security secrets. Yes, it's shameful that the DoD had such lax security- but it doesnt excuse his crimes.

[English assassin]

But, if Biff Chunks III hacked into Scotland Yard's computers from his home in Gatorville, Florida, it would be a UK computer he compromised so I'd want him dealt with over here. And lucky Biff because he's get about six months in jail featuring decent telly and no anal rape. Well, the telly's not that good anymore. And there might be a little bit of anal rape. But it would still be a cakewalk compared to the US.

So I have to let the US have the same priviledge when its the other way about.

[Redleg]

But, if Biff Chunks III hacked into Scotland Yard's computers from his home in Gatorville, Florida, it would be a UK computer he compromised so I'd want him dealt with over here. And lucky Biff because he's get about six months in jail featuring decent telly and no anal rape. Well, the telly's not that good anymore. And there might be a little bit of anal rape. But it would still be a cakewalk compared to the US.

So I have to let the US have the same priviledge when its the other way about.

Agreed

The United States is following the process that both countries use when dealing with criminal activies.

The arguement about unprotected systems because of a lack of password protection doesn't seem to hold much water in the English judicial system.

So either the judge didn't buy his story, or found major fault with his reasoning.

[Rodion Romanovich]

Yeah right. Just like if you forget to lock your door when you go away your house is free for everyone to come inside, snoop around your personal records and release anything interesting they find to the public. Get real.

He knew full well he wasnt supposed to be there- he's admitted to it. The analogy applies. Had he just wandered in, realized where he was and then quickly logged out- your argument might hold some water. But 2 yrs? I think not.

Beat me to that one too.

I hope they throw the book at this guy- he destructively hacked into DoD computers with the intent to steal national security secrets. Yes, it's shameful that the DoD had such lax security- but it doesnt excuse his crimes.

Because you aren't clever enough to read the responses I already made when Joker85 made those comments, I think it might be appropriate to point out that below the post of mine that you quoted, you can find my responses to those comments, so I don't have to post them again.

It's obvious that you have no idea of how computer networks work. It's about the principle you're using to judge, and it can't be compared to any non-computer related situation. If you sentence this guy you've said yes to principles which mean any normal day surfer could be a criminal and sentenced at random. Computer networking consists of making request and getting responses. If you're not authorized you get a "access denied" response, or no response at all. That response doesn't necessarily mean you're never allowed to go there, it means that the last request posted isn't to be considered allowed to give the wanted response. Also, most applications do these requests for the user, so you don't really know exactly what requests they make. There's a chance, small but still existing, of network traffic accidentally being corrupted in the control data part, so you receive or packages that aren't yours, or send requests you didn't intend to. Sending any request message must be allowed, given that: 1. programs generate the request messages, 2. there's no built-in functions in the protocols that tell whether a negative response means access denied forever, server having temporary problems, or access denied at this specific time. 3. without asking explicitly for it, many requests are made via other servers. Normal policy is that any request message is allowed, and all responses you receive are allowed to receive, but that you aren't allowed to hack past a password. Now if there's no password then it's really easy to get inside the systems by accident. If your principles of "guilt" apply then anyone can be accused of being hacking illegally and sentenced, because if there's no password it's very easy to accidentally end up inside the systems even for a regular user. It's the duty of the host to provide a password or challenge response system both to protect himself, and to protect someone else from accidentally committing a crime they didn't want to commit. And if the host fails to fulfill his part of the agreement, then it's really hypocritical to try and call the user a breaker of the agreement and a criminal. The guy is innocent, and any sentence at all for that guy would be a shame. I think we both agree that there should be some kind of legal protection against this hacking, but the principal requests he made over the Internet can hardly be differentiated from normal computer communication at all, so unless there are explicit access denied signals like asking for password it's really impossible to see the difference between the two types of communication. That's why it's necessary for anyone to have a password prompt before he can speak of anyone being guilty for entering the system, because it's possible, and easy, to do it by mistake. You might say that "he did it for so long time", but what is long time? Is there any formal legal limit on for how long you're allowed to do it before it's a crime? You can't draw lines with "long time", "quite big", "pretty long", "I thought it looked cruel" etc., that's not a serious way of approaching the subject of law. It's not comparable to burglary, because you can't commit burglary by accident. It's not comparable to any non-computer related situation. If people who know nothing about computer security and networking in general make statements about computer related laws it's pretty ridiculous AND dangerous as they seem to quite often end up making the definitions in a way such that normal usage becomes possible to interpret as criminal, which is a threat to the security of citizens.

[Don Corleone]

So the guy basically found a DoD website that posted national secrets for anybody that cared to look, Legio? I find that hard to believe. Wouldn't that be the real shock of this story, not that the DoD was actually going after him? What's more, if that's the case, why do they refer to him as a 'hacker'? Just accessing a network PoP makes you a user. 'Hacking' implies that you have taken some step to defeat privacy/security protocols, no?

He himself admits that he was looking to steal secrets and that he thwarted security measures to do so. The fact that he claims he wasn't motivated by profit has no bearing. He caused some very real damage and who knows what his actual intentions were. For all we know, he's an agent of the PRC and he was indeed highly motivated by profit.

[Rodion Romanovich]

So the guy basically found a DoD website that posted national secrets for anybody that cared to look, Legio? I find that hard to believe. Wouldn't that be the real shock of this story, not that the DoD was actually going after him? What's more, if that's the case, why do they refer to him as a 'hacker'? Just accessing a network PoP makes you a user. 'Hacking' implies that you have taken some step to defeat privacy/security protocols, no?

So how come they can't mention a single security protocol that they had? And since they seem to not have had any proper security it's very embarassing to them and they obviously know very little about computers so they call him a hacker. You can call someone terrorist if you don't like what they think, even if they've never used any violence. That doesn't make them guilty of being terrorists. It's when they beyond reasonable doubt plan or carry out such actions that they become terrorists. The problem in this case is that since there are no security protocols there's nothing in his communication that differs it enough from normal usage that you can formulate it into a general law. Only if you use passwords and accept any request message but respond to unauthorized with an access denied and question for password response message, can you clearly differ between when it's hacking and not hacking, in a way that can easily be formulated into a law.