[aidanhs]

To me this raises a question about selling security vulnerabilities to state actors in general (in the context of the Facebook vulnerability thread where the standard discussion about value is being hashed out).

Specifically, I live in the UK and one of the complaints law enforcement has is that US companies can (and do) totally ignore valid court orders because they don't apply in the US (reddit being an arbitrary concrete example).

So, what would be the impact of GCHQ setting up a scheme where you can sell vulnerabilities to them (assuming they do the legwork to make it legal)? Would it violate some kind of trade agreement? I assume at minimum it would harm diplomatic relations given the pressure the big companies would exert on the US to push back.

[JoshTriplett]

> Specifically, I live in the UK and one of the complaints law enforcement has is that US companies can (and do) totally ignore valid court orders because they don't apply in the US (reddit being an arbitrary concrete example).

A US company (or individual) should absolutely ignore court orders from a non-US court; such courts have no jurisdiction. A "valid" court order necessarily must come from a court with jurisdiction.

Similarly, I'd expect a UK company to ignore US court orders.

(And in both cases, I'd ideally hope the court knows better than to take the case in the first place or to issue such an order.)

[ddebernardy]

Actually, the court would issue such an order _because_ it knows better: without it, you basically have little leverage when you try to enforce the same in the foreign country in a court that actually _has_ jurisdiction.

Here's an example where a French court issued a court order to a US firm:

https://en.wikipedia.org/wiki/LICRA_v._Yahoo!

[rmc]

> A US company (or individual) should absolutely ignore court orders from a non-US court; such courts have no jurisdiction. A "valid" court order necessarily must come from a court with jurisdiction.

Remember: US privacy protections (e.g. 4th Amendment) don't apply to non-US people outside the USA. Please fix US courts & law to actually give us protection.

[wodenokoto]

The thing is, companies like Google, Facebook and Apple are kinda companies of great britain or at least Ireland. They have bases in Ireland for tax purposes and to comply with certain data retention laws.

That aside, it is not really too much to ask that a company that does business in England abide by English law.

[TAForObvReasons]

> The thing is, companies like Google, Facebook and Apple are kinda companies of great britain or at least Ireland.

It's useful to read the terms of service:

All Google interactions are with the US entity: https://www.google.com/intl/en/policies/terms/ identify

    The Services are provided by Google Inc. (“Google”), located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.

Facebook actually segregates US/Canada users from users of other countries: https://www.facebook.com/legal/terms

    If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc.  Otherwise, this Statement is an agreement between you and Facebook Ireland Limited.  References to “us,” “we,” and “our” mean either Facebook, Inc. or Facebook Ireland Limited, as appropriate.

[JoshTriplett]

I'd certainly agree that a company with a legal nexus in a given country must obey that country's laws (or leave).

But "does business in England" and "has a legal nexus in England" are two different things, depending on your definition of "does business". For instance, if I sell a service online, and someone from England buys it, that might count as "does business in England" but it doesn't make either me or the service subject to English law or jurisdiction.

[murjinsee]

Yeah, but at the same time... If they want to reap the tax benefits of basing themselves out of a country, I would argue that they should be subject to that country's rule.

Really, calling themselves an "Irish" company seems like tax evasion to me, if it's in name only, with none of the negative ramifications.

Edit: speaking with regard to Apple, though other companies are in the same boat.

[fweespee_ch]

https://www.eff.org/deeplinks/2015/06/damn-equities-sell-you...

> Noted eagle eye and EFF Investigative Researcher Dave Maass happened on an interesting item from earlier this week on FedBizOpps, the site for government agencies to post contracting opportunities. The Navy put up a solicitation explaining that the government wants “access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software,” including Microsoft, Adobe, Android, Apple, “and all others.” If that weren’t clear enough, the solicitation explains that “the vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). . . .The government will select from the supplied list and direct development of exploit binaries.”

http://www.zdnet.com/article/nsa-purchased-zero-day-exploits...

> The National Security Agency bought hacking tools from a security firm, based on documents unearthed by a FOI request.

The US is doing it. The GCHQ likely does it too and I bet at least some of this list was built via information purchased from others:

https://www.schneier.com/blog/archives/2014/07/gchq_catalog_...

[morgante]

Uh, state actors (including GCHQ) already are some of the primary buyers of vulnerabilities.

[Zigurd]

Imagine if some eager beaver out there started weaponizing microbes and selling them to the highest bidder. They would rightly be droned to a greasy smear on their lab wall. "Security researchers" who sell vulns to governments are no better.

[tantalor]

https://en.wikipedia.org/wiki/Treason