Monday, April 20, 2015

Blackshades, Conspiracy and Malware

As this press release explains, in May of 2014 a federal grand jury sitting in the U.S. District Court for the Southern District of New York returned a five-count indictment against Alex Yücel, which charged him with
two counts of computer hacking, each of which carries a maximum sentence of 10 years in prison; one count of conspiring to commit access device fraud, which carries a maximum sentence of seven-and-a-half years in prison; one count of access device fraud, which carries a maximum sentence of 15 years in prison; and one count of aggravated identity theft, which carries a mandatory term of two years in prison consecutive to any other sentence that is imposed.
After being indicted on the above charges, Yücel moved to dismiss “Count II of the Superseding Indictment (the ‘S1 Indictment’) on the grounds that the statute under which he is charged, 18 U.S. Code §1030(a)(5)(A), is void for vagueness as applied to him.” U.S. v. Yücel, 2015 WL 1609041 (U.S. District Court for the Southern District of New York 2015). The U.S. District Court Judge who has the case noted, in the opinion in which he rules on Yücel’s motion, that Yücel was
indicted by a grand jury in this District on October 23, 2013, and charged with one count of conspiracy to commit computer hacking. On or about November 25, 2013, a different grand jury returned the S1 Indictment against Yücel, charging him with five counts, including the conspiracy count from the original indictment, and the count at issue on this motion, distribution of malicious software and aiding and abetting the same. Yücel is a citizen of Sweden . . ., and was extradited from the Republic of Moldova to the United States in May 2014.
U.S. v. Yücel, supra.
The U.S. District Court Judge who has the case begins the opinion in which he rules on Yücel’s motion to dismiss by outlining the “background” of the case:
Yücel is alleged to be one of the founders of an organization that distributed malicious software (“malware”) under the brand name “Blackshades.” . . . The malware included a remote access tool (“RAT”), which enabled users “to remotely control victims' computers, including [by] captur[ing] the victims' keystrokes as they type”—the “keylogger” function—“turn[ing] on their webcams, and search[ing] through their personal files.” . . .

Keyloggers are frequently used to steal login information for online financial accounts. . . . The RAT also had a functionality that scanned victims' hard drives for 16–digit numbers, which were expected to be credit card numbers. . . . Blackshades also provided malware designed to launch distributed denial of service attacks. . . . To use the malware, customers were required to set up an account with the organization, typically through the Blackshades website. . . . There were at least 6,000 customer accounts created with the Blackshades organization. . . .

Yücel is alleged to be the original developer of the Blackshades RAT. . ., and controlled the server that hosted the Blackshades website. . . . That server, according to the government, contained thousands of stolen usernames and passwords. . . . This, together with email correspondence in which Yücel told a business partner that he had stolen credit card numbers . . ., supports, in the government's view, its assertion that Yücel not only sold malware but made use of it himself.
U.S. v. Yücel, supra.
The District Court Judge then took up Yücel’s void for vagueness argument with regard to the charge in Count II of the indictment.  He began his analysis by explaining that the
void-for-vagueness doctrine, rooted in the Due Process Clause of the 5th Amendment, “requires that a penal statute define the criminal offense [1] with sufficient definiteness that ordinary people can understand what conduct is prohibited and [2] in a manner that does not encourage arbitrary and discriminatory enforcement.” U.S. v. Morrison, 686 F.3d 94 (U.S. Court of Appeals for the 2d Circuit 2012) (quoting Kolender v. Lawson, 461 U.S. 352 (1983)).

The first prong requires a court to determine “whether the statute, either standing alone or as construed, made it reasonably clear at the relevant time that the defendant's conduct was criminal.” U.S. v. Roberts, 363 F.3d 118 (U.S. Court of Appeals for the 2d Circuit 2004) (quoting U.S. v. Lanier, 520 U.S. 259 (1997)). “[A]lthough clarity at the requisite level may be supplied by judicial gloss on an otherwise uncertain statute, due process bars courts from applying a novel construction of a criminal statute to conduct that neither the statute nor any prior judicial decision has fairly disclosed to be within its scope.” U.S. v. Roberts, supra (quoting U.S. v. Lanier, supra).

Under the second, “more important,” prong, Kolender v. Lawson, supra, the inquiry is “whether the statutory language is of such a standardless sweep that it allows policemen, prosecutors, and juries to pursue their personal predilections.” Arriaga v. Mukasey, 521 F.3d 219 (U.S. Court of Appeals for the 2d Circuit 2008) (quoting Smith v. Goguen, 415 U.S. 566 (1974)). . . . “A statute that reaches ‘a substantial amount of innocent conduct’ confers an impermissible degree of discretion on law enforcement authorities to determine who is subject to the law.” Arriaga v. Mukasey, supra (quoting City of Chicago v. Morales, 527 U.S. 41 (1999)).
U.S. v. Yücel, supra.
The judge went on to explain that
“[v]agueness challenges to statutes not threatening 1st Amendment interests are examined in light of the facts of the case at hand; the statute is judged on an as-applied basis.” U.S. v. Coppola, 671 F.3d 220 (U.S. Court of Appeals for the 2d Circuit 2012) (quoting Maynard v. Cartwright, 486 U.S. 356 (1988)). In such cases, regardless of whatever ambiguities may exist at the outer edges of the statute, a defendant cannot successfully challenge its vagueness if his own conduct, as alleged, is clearly prohibited by the statute. U.S. v. Nadirashvili, 655 F.3d 114 (U.S. Court of Appeals for the 2d Circuit 2011).

Count II of the S1 Indictment charges Yücel with violating 18 U.S. Code § 1030(a)(5)(A), a provision of the Computer Fraud and Abuse Act (“CFAA”) which prohibits “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” Yücel argues that the terms “protected computer,” “damage,” and “without authorization” render the statute unconstitutionally vague as applied to him.
U.S. v. Yücel, supra.
The judge then analyzed whether these three terms – “protected computer”, “damage” and “without authorization” – were unconstitutionally vague as applied to Yücel by the indictment.  U.S. v. Yücel, supra.  As to “protected computer,” the judge began by explaining that the Computer Fraud and Abuse Act defines protected computer,
in relevant part, as a computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” 18 U.S. Code § 1030(e)(2)(B). The government contends that this definition encompasses any computer with an internet connection, and a number of courts have so held. See Freedom Banc Mortg. Servs., Inc. v. O'Harra, 2012 WL 3862209 (U.S. District Court for the Southern District of Ohio 2012) (“[a] computer that is connected to the internet . . . satisfies § 1030(e)(2)'s interstate commerce requirement even if the plaintiff used that connection to engage in only intrastate communications”); U.S. v. Fowler, 2010 WL 4269618 (U.S. District Court for the Middle District of Florida 2010) (evidence that computers were connected to the internet and were used to send emails was sufficient to show that they were “protected”). . . .

Many other courts have adopted this definition of “protected computer,” although their cases also involved allegations or proof of actual involvement in interstate commerce, or addressed different questions. See, e.g., U.S. v. Nosal, 676 F.3d 854 (U.S. Court of Appeals for the 9th Circuit 2012) (stating that “‘protected computer’ is defined as a computer affected by or involved in interstate commerce—effectively all computers with Internet access”). . . .

This understanding of “protected computer” derives from the text of the definition itself. See Freedom Banc Mortg. Servs., Inc. v. O'Harra, supra. As the Supreme Court has recognized, the phrase “affecting interstate or foreign commerce” is a term of art used by Congress to signal that it is exercising its full power under the Commerce Clause. See Russell v. U.S., 471 U.S. 858 (1985). . . . The Commerce Clause allows Congress to regulate instrumentalities of interstate commerce. Pierce Cnty., Wash. v. Guillen, 537 U.S. 129 (2003). The internet is an instrumentality of interstate commerce. U.S. v. Sutcliffe, 505 F.3d 944 (U.S. Court of Appeals for the 9th Circuit 2007). . . .

Any computer that is connected to the internet is thus “part of ‘a system that is inexorably intertwined with interstate commerce’ and thus properly within the realm of Congress's Commerce Clause Power.” U.S. v. Trotter, 478 F.3d 913 (U.S. Court of Appeals for the 8th Circuit 2007) (quoting U.S. v. MacEwan, 445 F.3d 237 (U.S. Court of Appeals for the 3d Circuit 2006)). Much as Commerce Clause authority permits Congress to regulate the intrastate activities of railroad cars, S. Ry. Co. v. United States, 222 U.S. 20 (1911), it now permits Congress to regulate computers connected to the internet, even in the unlikely event that those computers made only intrastate communications. See U.S. v. Roque, 2013 WL 2474686 (U.S. District Court for the District of New Jersey 2013).
U.S. v. Yücel, supra.
The judge therefore found that the
widespread agreement in the case law on the meaning of “protected computer,” which is derivable using accepted principles of statutory construction, gives adequate notice to potential wrongdoers of what computers are covered by the statute, under the first prong of the vagueness analysis. This is especially true as applied to Yücel, because the government appears to charge that he and Blackshades users targeted internet-connected computers indiscriminately, rather than targeting a subset of computers that might not qualify as “protected” under a narrow reading of the term.
U.S. v. Yücel, supra.
He went on to point out that Yücel
contends this broad definition of “protected computer” “would make the computers protected under the statute limitless,” . . . an argument that relates to the second prong – the potential for arbitrary and discriminatory enforcement. A statute that sweeps broadly, however, is not necessarily unconstitutionally vague. See, e.g., Wiemerslage ex rel. Wiemerslage v. Maine Twp. High School Dist. 207, 29 F.3d 1149 (U.S. Court of Appeals for the 7th Circuit 1994) (“flexibility or breadth should not necessarily be confused for vagueness”). . . .

Rather, the question is whether the outer limits of the statute's broad reach are ill-defined, such that a substantial amount of innocent conduct is potentially prohibited. Reading “protected computer” to cover all computers connected to the internet causes no such problems. And although the “protected computer” element does not serve as the CFAA's main limiting principle, prosecutorial discretion is reined in by the other elements of the offense: to obtain a conviction under section 1030(a)(5)(A), the prosecution must also prove that the defendant intentionally caused damage without authorization to the target computer.
U.S. v. Yücel, supra.
The judge then took up the next term Yücel claimed was unconstitutionally vague:  “damage”. U.S. v. Yücel, supra.  He began his analysis by explaining that the CFAA
defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S. Code § 1030(e)(8). There are no Second Circuit opinions construing this definition, and thus the Court's analysis begins with the definition's terms, giving them their ordinary meaning. See U.S. v. Peters, 732 F.3d 93 (U.S. Court of Appeals for the 2d Circuit 2013) (“When a term in a statute is undefined, we are to give it its ordinary meaning”). “Integrity,” as relevant here, means “[t]he condition of not being marred or violated; unimpaired or uncorrupted condition; original perfect state; soundness.” Oxford English Dictionary (“OED”) (2d ed. online version Sept. 2014). “Impairment” means “deterioration; injurious lessening or weakening.” OED (2d ed. online version June 2012).
U.S. v. Yücel, supra.
He then found that,
[u]sing these definitions, the Blackshades RAT, as alleged, caused “damage” under the statute, by “impairing the integrity” of the victims' computer systems. When taken out of the box, an individual's new computer device operates only in response to the commands of the owner. Indeed, the technological revolution that spawned laptops, tablets and smartphones originated with the PC which, of course, stands for “personal computer.”

At trial, the government is expected to offer evidence that computers on which the Blackshades RAT has been installed are commonly used to store sensitive personal data, including income tax returns, banking information, credit card information, medical records and other confidential information. The government is expected to offer evidence that when the Blackshades RAT is surreptitiously loaded onto a computer, the computer no longer operates only in response to the commands of the owner. It now may be operated by unauthorized users who have the capability of extracting confidential information from the computer's hard drive.

This, if proven, would “impair” the “uncorrupted condition” of the computer system, and thus constitute “damage,” because the system no longer operates as it did when it first came into the owner's possession and has an unwanted characteristic, which, if known, would negatively impact the economic value of the computer system, unless time and money are expended to remove it.
U.S. v. Yücel, supra.
The judge also found that the
ordinary meaning of the word “damage” as used in the statute is dispositive in this case. Nevertheless, the legislative history also shows that Congress intended “damage” to cover malware such as the Blackshades RAT. The definition of “damage” was first added to the statute in 1996. Pub.L. No. 104–294, § 201(4)(D). The Senate Report explains that the definition was intended to cover situations such as the following:

“[I]ntruders often alter existing log-on programs so that user passwords are copied to a file which the hackers can retrieve later. After retrieving the newly created password file, the intruder restores the altered log-on file to its original condition. Arguably, in such a situation, neither the computer nor its information is damaged. Nonetheless, this conduct allows the intruder to accumulate valid user passwords to the system, requires all system users to change their passwords, and requires the system administrator to devote resources to resecuring the system. . . . Thus, the definition of ‘damage’ is amended to be sufficiently broad to encompass the types of harm against which people should be protected.”

S.Rep. No. 104–357, at 11 (1996). The Report's example is strikingly similar to the RAT's keylogger function, which also copied passwords to Blackshades users' computers. Moreover, the Report suggests that the Blackshades RAT caused “damage” even if Blackshades users covered their tracks by subsequently erasing any files associated with the RAT from the target computer.
U.S. v. Yücel, supra.
Yücel, though, pointed out that
remote access tools are perfectly legal and are used by system administrators to manage and test computer systems everywhere. In many workplaces, for instance, an employee experiencing trouble with his work computer can call a support hotline and allow a computer systems expert to take control of the computer and solve the problem.

That situation, however, is vastly different. Here, if the proof at trial is as described by the government, the “damage” takes place when the Blackshades RAT is installed “without authorization,” even though one manifestation of the “damage” occurs at a later point in time, when and if an unauthorized person gains access and control of the computer. An authorized remote access tool does not cause “damage” within the meaning of the statute, because only the owner and those persons who he has authorized, including other users and technical support staff, can access the computer. The authorized remote access tool does not corrupt or impair the computer, but modifies it in an open and intended manner that benefits the owner or user.

Yücel further argues that the meaning of “damage” under the CFAA remains “elusive,” and cites cases disagreeing on the question whether merely copying files from a computer constitutes damage. . . . This argument is unavailing. First, a statute is not unconstitutionally vague simply because courts have disagreed on its meaning. If that were the case, “there [would be] a frightful number of fatally vague statutes lurking about.” U.S. v. Rybicki, 354 F.3d 124 (U.S. Court of Appeals for the 2d Circuit 2003). . . .

Second, the disagreement identified by Yücel is irrelevant to the charges against him. The cases holding that copying files does not constitute damage under the CFAA involve disloyal employees who misappropriated customer lists or trade secrets upon leaving their employer. See, e.g., New S. Equip. Mats, LLC v. Keener, 989 F.Supp.2d 522 (U.S. District Court for the Southern District of Mississippi 2013) (defendant alleged to have breached confidentiality agreement with employer). . . .
U.S. v. Yücel, supra.
The judge therefore held that
[c]onstruing §1030(a)(5)(A) to cover Yücel's alleged conduct poses no notice problems, under the first prong of the vagueness analysis. On a basic level, “[n]o person of ordinary intelligence could believe that [it was] somehow legal” to install the Blackshades RAT on victims' computers without their consent and harvest their financial information. U.S. v. Ulbricht, 2014 WL 3362059 (U.S. District Court for the Southern District of New York 2014). Furthermore, as explained, installing the Blackshades RAT falls comfortably within the statutory definition of “damage.” The statute's mens rea requirement (the damage must be caused “intentionally”) acts to blunt any remaining notice concerns. See Skilling v. U.S., 561 U.S. 358 (2010).

With respect to the second prong, the Court notes that the terms of the statute's definition of “damage” (“impairment,” “integrity,” and “availability”) are strikingly dissimilar to the sorts of terms, like “annoying,” “indecent,” see U.S. v. Williams, 553 U.S. 285 (2008), or “rogues and vagabonds,” see Papachristou v. Jacksonville, 405 U.S. 156 (1972), that have been held to be vague. They do not require “wholly subjective judgments without statutory definitions, narrowing context, or settled legal meanings.” U.S. v. Williams, supra.

Additionally, “damage” under the CFAA is limited by the fact that it must be to “data, a program, a system, or information.” Finally, prosecutorial discretion is further cabined by the other elements of the offense under §1030(a)(5)(A), including the mens rea requirement, which help to ensure that the statute does not sweep in innocent conduct.
U.S. v. Yücel, supra.
And, finally, he took up the third term:  “without authorization”. U.S. v. Yücel, supra.  He began by noting that
“[w]ithout authorization” is not defined in the CFAA, and Yücel is correct in asserting that the concept of “authorization” under the CFAA has divided courts. . . . That divide, however, has arisen in cases construing subsections of the CFAA that prohibit accessing a computer without authorization, not causing damage without authorization. See, e.g., JBC Holdings NY, LLC v. Pakter, 931 F.Supp.2d 514 (U.S. District Court for the Southern District of New York 2013) (discussing claims under 18 U.S. Code §§ 1030(a)(2)(C), (a)(4) and (a)(5)(C), all of which require showing that the defendant accessed a computer without authorization or exceeded authorized access); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (U.S. Court of Appeals for the 1st Circuit 2001) (discussing a claim under 18 U.S. Code § 1030(a)(4)).

Those cases all involve employees who used their workplace computers in an unapproved manner or former employees who transmitted proprietary information to their former employers' competitors. This Court is faced here with a vastly different factual situation.
U.S. v. Yücel, supra.
The judge found that,
[a]s applied to Yücel, there is nothing ambiguous about the phrase “without authorization.” “Authorization” is defined by reference to the verb “to authorize,” which means “to . . . permit by or as if by some recognized or proper authority.” Webster's Third International Dictionary 146 (1993). A defendant thus causes damage without authorization when he has not been permitted by the victim to cause that damage. This straightforward reading of the phrase easily satisfies both prongs of the vagueness test.
U.S. v. Yücel, supra. For these and other reasons, he denied Yücel’s motion to dismiss. U.S. v. Yücel, supra.