This week, for the first time in 12 years, Gary McKinnon got lucky, when the Home Secretary, Theresa May, announced that she would not allow him to be extradited to the US because of his poor health. For McKinnon the relief was palpable: May's decision, he said, was a liberation from "living with a dark and hollow feeling" for more than a decade since his arrest in March 2002.
But Gary McKinnon's bad luck actually started much earlier than that. It began before he ever ventured on to the US defence network in February 2001. His problems started when he was spotted on the fringes of a separate sweep into much more serious hackers, conducted by British police.
McKinnon describes himself as a bumbling computer nerd. He's not wrong. His exploits were first discovered, he told an audience in 2006, because he had miscalculated the time zone when setting up his remote-control hacking software.
The truth is a little more clumsy than even that. McKinnon was first picked up during an IT "penetration" test run for an internet provider called Telewest. The experts, working with Surrey Police, quickly found that a "backdoor" in the system had been deliberately left open by a Telewest engineer for remote maintenance and that this had been discovered by hackers who shared news of its existence.
"Once we knew about the backdoor we just sat on it and watched," said one of the investigators. "There was a parade of hackers coming through and using the system to hide their tracks – and McKinnon was one of those."
The parade proved a rich source of information to the investigators, because the hackers sat inside the gateway and used it to share information with each other using chatroom software.
"We recorded the chat logs and keystrokes," the investigator explained, "and we grouped their activity into three different parts: information relating to the initial hack on a recruitment company; information relating to a hack into a number of top financial services organisations; a lot of junior 'bollocksy' people who were just kicking around. McKinnon was in the last group."
Indeed, the investigators back up McKinnon's claim that he was a bumbling nerd. The text of the chat logs showed him to be a very junior hacker who was asking for information all of the time .
"He was asking for passwords to US systems and ways to access them that were common knowledge to the other hackers that were in there," said the investigator. "He certainly did not hack an FBI database, he got his information from other hackers."
Nonetheless, McKinnon was unlucky enough to be doing so while he was being watched – and he was subsequently tracked as he made his way through the US systems. The investigators back up McKinnon's version of events: that he wrote a few lines of computer code to look through the US military computers for blank admin and password fields.
These were the same claims that McKinnon made to me when I carried out the first interview with him after his arrest. He was at pains to stress that what he had done was not that difficult.
"McKinnon was just looking for information and the way the US systems were set up made it easy for him," the investigator said. "On one of the networks he went on there were 10,000 computers that had all been configured... the same."
It was here that McKinnon's misfortune began again: the hackers were divided up into six "intelligence packages" sent to different police forces and organisations.
Living in London, he was passed to the Met – so his snooping on US defence computers brought him under the ambit of the National High-Tech Crime Unit (now disbanded). The unit passed the package on to the US Embassy at a time when the US was desperate to demonstrate it was taking a hard line on hacking.
At the US Embassy the package landed on the desk of Ed Gibson, a trained lawyer, FBI liaison and computer security specialist known affectionately in the computer industry as "Ed the Fed". Bad news for McKinnon. Meanwhile, the hackers who had stolen funds from banks and credit-card companies saw their cases quietly dropped. That left McKinnon uncomfortably exposed.
I first heard of McKinnon when I was at the National High-Tech Crime Unit, carrying out research for a book. I heard mention that the unit was about to arrest a Scottish hacker by the name of McKinnon who had been working his way through US defence computers. Two weeks later McKinnon was arrested and I was rung by fellow hackers to ask if I would like to interview him.
When I met him he was a very worried and nervous man, obsessed with the idea that he would be raped in a US prison. And if McKinnon was paranoid then, another 10 years of worry must have eroded his mental health even more. Gary McKinnon has been punished enough.
Peter Warren is an investigative journalist specialising in security, and Chairman of the Cyber Security Research InstituteReuse content