WASHINGTON (Reuters) - Even if U.S. investigators find out who hacked into Google’s email system, prosecuting them appears highly unlikely, especially if they are in China.
Google has said the attack came from within China, but that will be difficult for prosecutors to prove. Beijing has denied any connection to the hack, and hackers could have made it look like they were operating from China while actually being based elsewhere.
Getting the hackers into a U.S. courtroom would be the next challenge -- and a daunting one at that.
The United States and China have not signed an extradition treaty, so any individuals accused of hacking would have to leave China and enter a country where local officials could arrest and extradite them.
“If you get into people who are in countries with no extradition treaties, where there might be state-sponsored support, it could be difficult to get really, really clear identification of who is responsible,” said Chris Ridder, a fellow at Stanford Law School’s Center for Internet and Society.
“That’s one of the unique new problems with cyber warfare in particular, there’s a lot of plausible deniability out there because it’s difficult to convincingly identify hackers,” he said.
An attempt to go after Chinese nationals for cyber crimes would be complicated by broader geo-political considerations and already tense relations between Washington and Beijing.
Ridder, a partner at his own firm Ridder, Costa and Johnstone LLP, noted an investigation into another hack attack several years ago, codenamed Titan Rain by U.S. authorities, has not resulted in any charges.
In the United States, there appear to have been only a handful of prosecutions involving foreign individuals who were extradited to the United States to face hacking charges.
A Venezuelan man arrested in Mexico was extradited to face charges that he hacked into networks for Internet telephone providers and sold more than 10 million minutes of service, which caused a loss of $1.4 million to such providers.
Edwin Pena was sentenced in 2010 to 10 years in a U.S. prison and ordered to pay more than $1 million in restitution.
Another, more serious case emerged in 2009 when prosecutors indicted eight people from Estonia, Russia and Moldova for hacking into a computer network used by the credit card processing company RBS WorldPay and stealing more than $9.4 million.
The ring was charged with breaking into RBS WorldPay’s computer network for payroll debit cards, which enable employees to withdraw their salaries from automated teller machines. The money was stolen in less than 12 hours from more than 2,100 ATMs around the world.
Only one individual has been extradited from Estonia to the United States, Sergei Tsurikov. He and three others have already been convicted in Estonia on fraud charges related to ATM withdrawals, according to the U.S. Justice Department.
Robert Sloane, a professor at the Boston University School of Law, said that whoever was responsible for the hacking attack would either have to come to the United States or travel to a country which would extradite them to face prosecution.
“If you have somebody who has broken a law that exists in the United States and there are extradition treaties with a number of other states that would cooperate, then that person had better be careful about going to those other states,” he said.
Sometimes extraditions can take months if not longer. A Russian who is accused of trafficking in credit card data, Vladislav Horohorin, was arrested last August in France but still has not been sent to the United States nearly a year later.
Editing by Cynthia Osterman