Specifically, I live in the UK and one of the complaints law enforcement has is that US companies can (and do) totally ignore valid court orders because they don't apply in the US (reddit being an arbitrary concrete example).
So, what would be the impact of GCHQ setting up a scheme where you can sell vulnerabilities to them (assuming they do the legwork to make it legal)? Would it violate some kind of trade agreement? I assume at minimum it would harm diplomatic relations given the pressure the big companies would exert on the US to push back.
A US company (or individual) should absolutely ignore court orders from a non-US court; such courts have no jurisdiction. A "valid" court order necessarily must come from a court with jurisdiction.
Similarly, I'd expect a UK company to ignore US court orders.
(And in both cases, I'd ideally hope the court knows better than to take the case in the first place or to issue such an order.)
Here's an example where a French court issued a court order to a US firm:
Remember: US privacy protections (e.g. 4th Amendment) don't apply to non-US people outside the USA. Please fix US courts & law to actually give us protection.
That aside, it is not really too much to ask that a company that does business in England abide by English law.
It's useful to read the terms of service:
All Google interactions are with the US entity: https://www.google.com/intl/en/policies/terms/ identify
The Services are provided by Google Inc. (“Google”), located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.
If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc. Otherwise, this Statement is an agreement between you and Facebook Ireland Limited. References to “us,” “we,” and “our” mean either Facebook, Inc. or Facebook Ireland Limited, as appropriate.
But "does business in England" and "has a legal nexus in England" are two different things, depending on your definition of "does business". For instance, if I sell a service online, and someone from England buys it, that might count as "does business in England" but it doesn't make either me or the service subject to English law or jurisdiction.
Really, calling themselves an "Irish" company seems like tax evasion to me, if it's in name only, with none of the negative ramifications.
Edit: speaking with regard to Apple, though other companies are in the same boat.
> Noted eagle eye and EFF Investigative Researcher Dave Maass happened on an interesting item from earlier this week on FedBizOpps, the site for government agencies to post contracting opportunities. The Navy put up a solicitation explaining that the government wants “access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software,” including Microsoft, Adobe, Android, Apple, “and all others.” If that weren’t clear enough, the solicitation explains that “the vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). . . .The government will select from the supplied list and direct development of exploit binaries.”
> The National Security Agency bought hacking tools from a security firm, based on documents unearthed by a FOI request.
The US is doing it. The GCHQ likely does it too and I bet at least some of this list was built via information purchased from others: