As this press release explains, in May of 2014 a federal grand jury sitting in the U.S. District Court for the Southern District of New York returned a five-count indictment against Alex Yücel, which charged him
with
two counts of computer hacking, each of
which carries a maximum sentence of 10 years in prison; one count of conspiring
to commit access device fraud, which carries a maximum sentence of
seven-and-a-half years in prison; one count of access device fraud, which
carries a maximum sentence of 15 years in prison; and one count of aggravated identity theft, which carries a mandatory term of two years in prison
consecutive to any other sentence that is imposed.
After being indicted on the above charges, Yücel moved to
dismiss “Count II of the Superseding Indictment (the `S1 Indictment’) on the
grounds that the statute under which he is charged, 18 U.S. Code §1030(a)(5)(A), is void for vagueness as applied to him.” U.S. v. Yücel, 2015 WL 1609041 (U.S. District Court for the
Southern District of New York 2015). The
U.S. District Court Judge who has the case noted, in the opinion in which he
rules on Yücel’s motion, that Yücel was
indicted by a grand jury in this
District on October 23, 2013, and charged with one count of conspiracy to
commit computer hacking. On or about November 25, 2013, a different grand jury
returned the S1 Indictment against Yücel, charging him with five counts,
including the conspiracy count from the original indictment, and the count at
issue on this motion, distribution of malicious software and aiding and
abetting the same. Yücel is a citizen of Sweden . . ., and was extradited from
the Republic of Moldova to the United States in May 2014.
U.S. v. Yücel, supra.
The U.S. District Court Judge who has the case begins the
opinion in which he rules on Yücel’s motion to dismiss by outlining the
“background” of the case:
Yücel is alleged to be one of the
founders of an organization that distributed malicious software (`malware’)
under the brand name `Blackshades.’ . . . The malware included a remote access
tool (`RAT’), which enabled users `to remotely control victims' computers,
including [by] captur[ing] the victims' keystrokes as they type’—the
`keylogger’ function--`turn [ing] on their webcams, and search[ing] through their
personal files.’ . . .
Keyloggers are frequently used to steal
login information for online financial accounts. . . . The RAT also had a
functionality that scanned victims' hard drives for 16–digit numbers, which
were expected to be credit card numbers. . . . Blackshades also provided
malware designed to launch distributed denial of service attacks. . . . To use
the malware, customers were required to set up an account with the
organization, typically through the Blackshades website. . . . There were at
least 6,000 customer accounts created with the Blackshades organization. . . .
Yücel is alleged to be the original
developer of the Blackshades RAT. . ., and controlled the server that hosted
the Blackshades website. . . . That server, according to the government,
contained thousands of stolen usernames and passwords. . . . This, together
with email correspondence in which Yücel told a business partner that he had
stolen credit card numbers . . ., supports, in the government's view, its
assertion that Yücel not only sold malware but made use of it himself.
U.S. v. Yücel, supra.
The District Court Judge then took up Yücel’s void for
vagueness argument with regard to the charge in Count II of the
indictment. He began his analysis by
explaining that the
void-for-vagueness doctrine, rooted in
the Due Process Clause of the 5th Amendment, `requires that a penal statute
define the criminal offense [1] with sufficient definiteness that ordinary
people can understand what conduct is prohibited and [2] in a manner that does
not encourage arbitrary and discriminatory enforcement.’ U.S. v. Morrison, 686
F.3d 94 (U.S. Court of Appeals for the 2d Circuit 2012) (quoting Kolender v. Lawson, 461 U.S. 352 (1983)).
The first prong requires a court to
determine `whether the statute, either standing alone or as construed, made it
reasonably clear at the relevant time that the defendant's conduct was
criminal.’ U.S. v. Roberts, 363 F.3d 118 (U.S. Court of Appeals for
the 2d Circuit 2004) (quoting U.S. v. Lanier, 520 U.S. 259 (1997)). `A]lthough clarity at the requisite level may be supplied by judicial
gloss on an otherwise uncertain statute, due process bars courts from applying
a novel construction of a criminal statute to conduct that neither the statute
nor any prior judicial decision has fairly disclosed to be within its scope.’ U.S.
v. Roberts, supra (quoting U.S.
v. Lanier, supra).
Under the second, `more important,’
prong, Kolender v. Lawson, supra, the inquiry is `whether the statutory
language is of such a standardless sweep that it allows policemen, prosecutors,
and juries to pursue their personal predilections.’ Arriaga v. Mukasey, 521 F.3d 219 (U.S.
Court of Appeals for the 2d Circuit 2008) (quoting Smith v. Goguen, 415 U.S. 566 (1974). . . .) `A statute
that reaches “a substantial amount of innocent conduct” confers an
impermissible degree of discretion on law enforcement authorities to determine
who is subject to the law.’ Arriaga v. Mukasey, supra (quoting City of Chicago v. Morales, 527 U.S. 41 (1999)).
U.S. v. Yücel, supra.
The judge went on to explain that
`[v]agueness challenges to statutes not
threatening 1st Amendment interests are examined in light of the facts of the
case at hand; the statute is judged on an as-applied basis.’ U.S. v.
Coppola, 671 F.3d 220 (U.S. Court of Appeals for the 2d Circuit 2012) (quoting
Maynard v. Cartwright, 486 U.S. 356 (1988)). In such cases,
regardless of whatever ambiguities may exist at the outer edges of the statute,
a defendant cannot successfully challenge its vagueness if his own conduct, as
alleged, is clearly prohibited by the statute. U.S. v. Nadirashvili, 655
F.3d 114 (U.S. Court of Appeals for the 2d Circuit 2011).
Count II of the S1 Indictment charges
Yücel with violating 18 U.S. Code § 1030(a)(5)(A), a provision of the
Computer Fraud and Abuse Act (CFAA”) which prohibits `knowingly caus[ing] the
transmission of a program, information, code, or command, and as a result of
such conduct, intentionally caus[ing] damage without authorization, to a
protected computer.’ Yücel argues that the terms `protected computer,’
`damage,’ and “without authorization” render the statute unconstitutionally
vague as applied to him.
U.S. v. Yücel, supra.
The judge then analyzed whether these three terms –
“protected computer”, “damage” and “without authorization” – were
unconstitutionally vague as applied to Yücel by the indictment. U.S. v.
Yücel, supra. As to “protected
computer,” the judge began by explaining that the Computer Fraud and Abuse Act
defines protected computer,
in relevant part, as a computer `which
is used in or affecting interstate or foreign commerce or communication,
including a computer located outside the United States that is used in a manner
that affects interstate or foreign commerce or communication of the United
States.’ 18 U.S. Code § 1030(e)(2)(B). The government contends that this
definition encompasses any computer with an internet connection, and a number
of courts have so held. See Freedom Banc Mortg. Servs., Inc. v.
O'Harra, 2012 WL 3862209 (U.S. District Court for the Southern District of Ohio 2012) (`[a] computer that is connected to the internet . . . satisfies §
1030(e)(2)'s interstate commerce requirement even if the plaintiff used that
connection to engage in only intrastate communications’); U.S. v. Fowler,
2010 WL 4269618 (U.S. District Court for the Middle District of Florida 2010) (evidence
that computers were connected to the internet and were used to send emails was
sufficient to show that they were `protected’). . . .
Many other courts have adopted this
definition of `protected computer,’ although their cases also involved
allegations or proof of actual involvement in interstate commerce, or addressed
different questions. See, e.g., U.S. v. Nosal, 676 F.3d 854 (U.S.Court of Appeals for the 9th Circuit 2012) (stating that `”protected
computer” is defined as a computer affected by or involved in interstate
commerce—effectively all computers with Internet access’). . . .
This understanding of
`protected computer’ derives from the text of the definition itself. See Freedom
Banc Mortg. Servs., Inc. v. O'Harra, supra. As the Supreme Court has
recognized, the phrase `affecting interstate or foreign commerce’ is a term of
art used by Congress to signal that it is exercising its full power under the
Commerce Clause. See Russell v. U.S., 471 U.S. 858 (1985).
. . .The Commerce Clause allows Congress to regulate instrumentalities of
interstate commerce. Pierce Cnty., Wash. v. Guillen, 537 U.S.129 (2003). The internet is an instrumentality of interstate commerce. U.S.
v. Sutcliffe, 505 F.3d 944 (U.S. Court of Appeals for the 9th Circuit 2007).
. . .
Any computer that is connected to the
internet is thus `part of “a system that is inexorably intertwined with
interstate commerce” and thus properly within the realm of Congress's Commerce
Clause Power.’ U.S. v. Trotter, 478 F.3d 913 (U.S. Court of Appeals for the 8th Circuit 2007) (quoting U.S. v. MacEwan,445
F.3d 237 (U.S. Court of Appeals for the 3d Circuit 2006)). Much as Commerce
Clause authority permits Congress to regulate the intrastate activities of
railroad cars, S. Ry. Co. v. United States, 222 U.S. 20 (1911),
it now permits Congress to regulate computers connected to the internet, even
in the unlikely event that those computers made only intrastate
communications. See U.S. v. Roque, 2013 WL 2474686 (U.S. District Court for the District of New Jersey 2013).
U.S. v. Yücel, supra.
The judge therefore found that the
widespread agreement in the case law on
the meaning of `protected computer,’ which is derivable using accepted
principles of statutory construction, gives adequate notice to potential
wrongdoers of what computers are covered by the statute, under the first prong
of the vagueness analysis. This is especially true as applied to Yücel, because
the government appears to charge that he and Blackshades users targeted
internet-connected computers indiscriminately, rather than targeting a subset
of computers that might not qualify as `protected’ under a narrow reading of
the term.
U.S. v. Yücel, supra.
He went on to point out that Yücel
contends this broad definition of
`protected computer’ `would make the computers protected under the statute
limitless,’ . . . an argument that relates to the second prong -- the potential
for arbitrary and discriminatory enforcement. A statute that sweeps broadly,
however, is not necessarily unconstitutionally vague. See, e.g., Wiemerslage
ex rel. Wiemerslage v. Maine Twp. High School Dist. 207, 29 F.3d 1149 (U.S. Court of Appeals for the 7th Circuit 1994) (`flexibility or breadth should
not necessarily be confused for vagueness’). . . .
Rather, the question is whether the
outer limits of the statute's broad reach are ill-defined, such that a
substantial amount of innocent conduct is potentially prohibited. Reading `protected
computer’ to cover all computers connected to the internet causes no such
problems. And although the `protected computer’ element does not serve as the
CFAA's main limiting principle, prosecutorial discretion is reined in by the
other elements of the offense: to obtain a conviction under section 1030(a)(5)(A),
the prosecution must also prove that the defendant intentionally caused damage
without authorization to the target computer.
U.S. v. Yücel, supra.
The judge then took up the next term Yücel claimed was
unconstitutionally vague: “damage”. U.S. v. Yücel, supra. He began his analysis by explaining that
the CFAA
defines `damage’ as `any impairment to
the integrity or availability of data, a program, a system, or information.' 18 U.S. Code § 1030(e)(8). There are no Second Circuit opinions construing this
definition, and thus the Court's analysis begins with the definition's terms,
giving them their ordinary meaning. See U.S. v. Peters, 732
F.3d 93 (U.S. Court of Appeals for the 2d Circuit 2013) (`When a term in a
statute is undefined, we are to give it its ordinary meaning’). `Integrity,’ as
relevant here, means `[t]he condition of not being marred or violated;
unimpaired or uncorrupted condition; original perfect state; soundness.’ Oxford
English Dictionary (`OED’) (2d ed. online version Sept. 2014). `Impairment’
means `deterioration; injurious lessening or weakening.’ OED (2d ed. online
version June 2012).
U.S. v. Yücel, supra.
He then found that,
[u]sing these definitions, the Blackshades
RAT, as alleged, caused `damage’ under the statute, by `impairing the
integrity’ of the victims' computer systems. When taken out of the box, an
individual's new computer device operates only in response to the commands of
the owner. Indeed, the technological revolution that spawned laptops, tablets
and smartphones originated with the PC which, of course, stands for `personal
computer.’
At trial, the government is expected to
offer evidence that computers on which the Blackshades RAT has been installed
are commonly used to store sensitive personal data, including income tax
returns, banking information, credit card information, medical records and
other confidential information. The government is expected to offer evidence
that when the Blackshades RAT is surreptitiously loaded onto a computer, the
computer no longer operates only in response to the commands of the owner. It
now may be operated by unauthorized users who have the capability of extracting
confidential information from the computer's hard drive.
This, if proven, would `impair’ the
`uncorrupted condition’ of the computer system, and thus constitute `damage,’
because the system no longer operates as it did when it first came into the
owner's possession and has an unwanted characteristic, which, if known, would
negatively impact the economic value of the computer system, unless time and
money are expended to remove it.
U.S. v. Yücel, supra.
The judge also found that the
ordinary meaning of the word `damage’
as used in the statute is dispositive in this case. Nevertheless, the
legislative history also shows that Congress intended `damage’ to cover malware
such as the Blackshades RAT. The definition of `damage’ was first added to the
statute in 1996. Pub.L. No. 104–294, § 201(4)(D). The Senate Report
explains that the definition was intended to cover situations such as the
following:
`[I]ntruders often alter existing
log-on programs so that user passwords are copied to a file which the hackers
can retrieve later. After retrieving the newly created password file, the
intruder restores the altered log-on file to its original condition. Arguably,
in such a situation, neither the computer nor its information is damaged.
Nonetheless, this conduct allows the intruder to accumulate valid user
passwords to the system, requires all system users to change their passwords,
and requires the system administrator to devote resources to resecuring the
system. . . . Thus, the definition of “damage” is amended to be sufficiently
broad to encompass the types of harm against which people should be protected.’
S.Rep. No. 104–357, at 11 (1996).
The Report's example is strikingly similar to the RAT's keylogger function,
which also copied passwords to Blackshades users' computers. Moreover, the
Report suggests that the Blackshades RAT caused `damage’ even if Blackshades
users covered their tracks by subsequently erasing any files associated with
the RAT from the target computer.
U.S. v. Yücel, supra.
Yücel, though, pointed out that
remote access tools are perfectly legal
and are used by system administrators to manage and test computer systems
everywhere. In many workplaces, for instance, an employee experiencing trouble
with his work computer can call a support hotline and allow a computer systems
expert to take control of the computer and solve the problem.
That situation, however, is vastly
different. Here, if the proof at trial is as described by the government, the
`damage’ takes place when the Blackshades RAT is installed `without
authorization,’ even though one manifestation of the `damage’ occurs at a later
point in time, when and if an unauthorized person gains access and control of
the computer. An authorized remote access tool does not cause `damage’ within
the meaning of the statute, because only the owner and those persons who he has
authorized, including other users and technical support staff, can access the
computer. The authorized remote access tool does not corrupt or impair the
computer, but modifies it in an open and intended manner that benefits the
owner or user.
Yücel further argues that the meaning
of `damage’ under the CFAA remains `elusive,’ and cites cases disagreeing on
the question whether merely copying files from a computer constitutes damage. .
. . This argument is unavailing. First, a statute is not unconstitutionally
vague simply because courts have disagreed on its meaning. If that were the
case, `there [would be] a frightful number of fatally vague statutes lurking
about.’ U.S. v. Rybicki, 354 F.3d 124 (U.S. Court of Appeals for
the 2d Circuit 2003). . .
Second, the disagreement identified by
Yücel is irrelevant to the charges against him. The cases holding that copying
files does not constitute damage under the CFAA involve disloyal employees who
misappropriated customer lists or trade secrets upon leaving their
employer. See, e.g., New S. Equip. Mats, LLC v. Keener, 989
F.Supp.2d 522 (U.S. District Court for the Southern District of Mississippi 2013)
(defendant alleged to have breached confidentiality agreement with employer). .
. .
U.S. v. Yücel, supra.
The judge therefore held that
[c]onstruing §1030(a)(5)(A) to
cover Yücel's alleged conduct poses no notice problems, under the first prong
of the vagueness analysis. On a basic level, `[n]o person of ordinary
intelligence could believe that [it was] somehow legal’ to install the Blackshades
RAT on victims' computers without their consent and harvest their financial information.
U.S. v. Ulbricht, 2014 WL 3362059 (U.S. District Court for the Southern District of New York 2014). Furthermore, as explained, installing the
Blackshades RAT falls comfortably within the statutory definition of `damage.’
The statute's mens rea requirement (the damage must be caused
`intentionally’) acts to blunt any remaining notice concerns. See Skilling
v. U.S., 561 U.S. 358 (2010).
With respect to the second prong, the
Court notes that the terms of the statute's definition of `damage’
(`impairment,’ `integrity,’ and `availability’) are strikingly dissimilar to
the sorts of terms, like `annoying,’ `indecent,’ see U.S. v. Williams, 553 U.S. 285 (2008), or `rogues and vagabonds,’ see Papachristou v.
Jacksonville, 405 U.S. 156 (1972), that have been held to be vague.
They do not require `wholly subjective judgments without statutory definitions,
narrowing context, or settled legal meanings.’ U.S. v. Williams, supra.
Additionally, `damage’ under the CFAA
is limited by the fact that it must be to `data, a program, a system, or
information.’ Finally, prosecutorial discretion is further cabined by the other
elements of the offense under §1030(a)(5)(A), including the mens rea requirement,
which help to ensure that the statute does not sweep in innocent conduct.
U.S. v. Yücel, supra.
And, finally, he took up the third term: “without authorization”. U.S. v. Yücel, supra. He
began by noting that
`[w]ithout authorization’ is not
defined in the CFAA, and Yücel is correct in asserting that the concept of
`authorization’ under the CFAA has divided courts. . . .That
divide, however, has arisen in cases construing subsections of the CFAA that
prohibit accessing a computer without authorization, not causing
damage without authorization. See, e.g., JBC Holdings NY, LLC v.
Pakter, 931 F.Supp.2d 514 (U.S. District Court for the Southern
District of New York 2013) (discussing claims under 18 U.S. Code §§
1030(a)(2)(C), (a)(4) and (a)(5)(C), all of which require
showing that the defendant accessed a computer without authorization or
exceeded authorized access); EF Cultural Travel BV v. Explorica, Inc., 274
F.3d 577 (U.S. Court of Appeals for the 1st Circuit 2001) (discussing a claim
under 18 U.S. Code § 1030(a)(4)).
Those cases all involve employees who
used their workplace computers in an unapproved manner or former employees who
transmitted proprietary information to their former employers'
competitors. This Court is faced here with a vastly different factual
situation.
U.S. v. Yücel, supra.
The judge found that,
[a]s applied to Yücel, there is nothing
ambiguous about the phrase `without authorization.’ `Authorization’ is defined
by reference to the verb `to authorize,’ which means `to . . . permit by or as
if by some recognized or proper authority.’ Webster's Third International
Dictionary 146 (1993). A defendant thus causes damage without authorization
when he has not been permitted by the victim to cause that damage. This
straightforward reading of the phrase easily satisfies both prongs of the
vagueness test.
U.S. v. Yücel, supra. For
these and other reasons, he denied Yücel’s motion to dismiss. U.S. v. Yücel, supra.
No comments:
Post a Comment