The Indictment Against Malware Researcher Marcus Hutchines Is Really Weird

Legal Issues

from the why-is-that-illegal? dept

So, yesterday, we wrote a quick post about recently-famous malware research Marcus Hutchins (famous for accidentally stopping the WannaCry attack) being detained by the FBI as he left Defcon. An hour or so later, we updated it with the details of the indictment which had been released. That had my quick response, which noted that the “evidence” didn’t seem very strong. It just claims (without anything else) that Hutchins wrote the Kronos malware, and most of the indictment and most of the activity focuses on a second defendant (whose name is redacted) who apparently was out selling the malware. I was planning to write up a more thorough look at the indictment and its problems today, but last night, Orin Kerr beat me to it, and he (famed lawyer, law professor and former assistant US attorney) has a bit more expertise in the subject, so let’s work off of his analysis.

The crux of the indictment is that Hutchins and the unnamed “co-conspirator” worked together to create and sell malware, leading Kerr to ask the fairly obvious question:

This raises an interesting legal question: Is it a crime to create and sell malware?

After all, as many others pointed out, there are lots of folks out there who build and sell malware of one kind or another — and, indeed, the US government is often a large purchaser of malware sold by others. Kerr’s initial gut reaction was more or less the same as mine: that the actual amount of evidence in the indictment is pretty minimal, though obviously they may have a lot more that just hasn’t been shared yet (or they may turn up more).

Do the charges hold up? Just based on a first look at the case, my sense is that the government?s theory of the case is fairly aggressive. It will lead to some significant legal challenges. It?s hard to say, at this point, how those challenges will play out. The indictment is pretty bare bones, and we don?t have all the facts or even what the government thinks are the facts. So while we can?t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we?ll have to stay tuned.

From there, Kerr digs into each of the charges. The first is “conspiracy.” This one struck my layman’s mind as somewhat odd. Two people working together does not a conspiracy make. Kerr similarly calls it “odd” and notes that for this charge to work, the government has to argue that selling malware is the same as using malware to damage a computer. And that seems… difficult. Kerr points out that there are two conditions that must be met for this to work:

First, the government must prove that Hutchins and X had an intent to damage a computer. That is, the goal of their conspiracy must have been to impair the availability or integrity of a program or data. Maybe there are facts that support that, but at the very least they don?t appear in the indictment. The indictment makes it seem that the purpose of selling the malware was to, well, sell malware. It?s not obvious that Hutchins and X cared what the buyer did with the malware after so long as they paid. If Hutchins and X didn?t care what the buyer did with the malware, it?s hard to see how they could have a purpose to impair the availability or integrity of a computer.

Second, the government must prove that the agreement was to cause the result of damaging a computer. In an ordinary 1030(a)(5)(A) case, causation is easy. The person sends the malware and the malware damages the machine. Here, though, the government?s theory adds an intermediary: The theory seems to be that Hutchins and X conspired, and the goal of their collective activity was to cause damage, even though the actual act of damaging a computer (if it happened) was to be caused directly by the buyer using the malware rather than by Hutchins and X.

That second point is especially interesting to me. We’ve seen more and more attempts to charge “intermediaries” with crimes based on actions of third party users of their tools (the Megaupload case being one big example). And that seems like a very dangerous path to go down. One of the reasons why we talk about “intermediary liability protections” on Techdirt so much is that they’re so important on a basic “blame the person who actually did the wrong” spectrum. It’s not the intermediary, it’s the user. Go after the user, even if that’s more difficult. Here, the DOJ seems to be going after the intermediary. Because.

The next three charges are all similar, and I didn’t quite get them at first, but Kerr explains. They’re making use of 18 U.S.C 2512 which Kerr describes as, “a rarely-used law that criminalizes making, selling, or advertising for sale illegal wiretapping devices.” Yes, wiretapping devices. Here, Kerr focuses on the question of whether or not a piece of malware software is a “device” under the law, and argues that may be difficult as well.

In Potter v. Havlice, 2008 WL 2556723 (S.D. Ohio 2008), the plaintiff sued the defendant under Section 2512 for making and selling ?Activity Monitor,? which was billed as ?an ideal spy software package to ensure you have the control you need over your child or spouse activity when they are online.? After rejecting Section 2512 liability because there is no civil cause of action under the statute, the court added an alternative holding that ?Activity Monitor is not a device as contemplated by Section 2512.?

Section 2512 makes the manufacture and/or trafficking of ?any electronic, mechanical, or other device? illegal. The phrase ?electronic, mechanical, or other device? is defined in 18 U.S.C. § 2510(5) to generally mean ?any device or apparatus which can be used to intercept a wire, oral, or electronic communication?.? Clearly, Activity Monitor alone cannot be used to intercept communications. It must be installed in a device, such as a computer, to be able to do so.

Also, the definition of the word ?device? does not encompass software such as Activity Monitor. Merriam Webster Dictionary defines ?device? as ?a piece of equipment or a mechanism designed to serve a special purpose or perform a special function.? Activity Monitor alone is not a piece of equipmentor a mechanism.

So… that’s going to make this interesting. Of course, then there’s the further question of whether or not the malware itself is really intercepting communications. Either way, this feels like a way to try to twist a law targeting older technology to pretend that it applies to a very different kind of technology. I know this happens semi-frequently, but it always troubles me. You get bad results this way, because the technology that was originally being regulated, and what it’s now being used against, are very different, and should be treated differently. But when you try to shove something like malware into laws created to stop wiretapping devices… you end up with bad results, where rulings can be made about something being “bad” without realizing the wider reverberations it may have.

And, finally, there’s a CFAA claim, because if there’s a criminal case that could be summarized as “behaving badly on a computer” you have to expect an eventual CFAA claim.

This count raises the same challenges as count one. The theory seems to be that that selling a copy of malware is akin to using the malware to damage a computer. But to get there, they need to show that Hutchins and X had the intent to impair the availability or integrity of information on a computer and not just intent to distribute the malware to a paying customer. The government also needs to prove that their act of distributing the malware was the proximate cause of the resulting damage even though a third party?s intentional act of sending the malware was required for that to happen.

Again… this seems quite difficult to actually show, though perhaps there’s more evidence that the DOJ hasn’t yet revealed.

In the meantime, others are insisting that the DOJ has the wrong guy. A friend and colleague of Hutchins, Kevin Beaumont, insisted that the DOJ is simply wrong, and that Marcus has more or less dedicated his life to fighting malware, not creating it:

On top of that, the BBC spotted the fact that Marcus asked on Twitter if anyone had a sample of Kronos after it first was discovered:

Now, of course, that alone is not evidence of much. After all, if he really had created it, why not tweet something like that to make sure people think he hadn’t? But, still, it is worth pointing out, along with multiple other folks saying that they simply don’t believe Hutchins would have been behind the malware, let alone the broader legal question of whether or not making and selling malware is even illegal in the first place.

Filed Under: cfaa, conspiracy, doj, indictment, kronos, malware, malwaretech, marcus hutchins, orin kerr, selling malware