The Indictment Against Malware Researcher Marcus Hutchins Is Really Weird
from the why-is-that-illegal? dept
So, yesterday, we wrote a quick post about recently-famous malware researcher Marcus Hutchins (famous for accidentally stopping the WannaCry attack) being detained by the FBI as he left Defcon. An hour or so later, we updated it with the details of the indictment which had been released. That had my quick response, which noted that the "evidence" didn't seem very strong. It just claims (without anything else) that Hutchins wrote the Kronos malware, and most of the indictment and most of the activity focuses on a second defendant (whose name is redacted) who apparently was out selling the malware. I was planning to write up a more thorough look at the indictment and its problems today, but last night, Orin Kerr beat me to it, and he (famed lawyer, law professor and former assistant US attorney) has a bit more expertise in the subject, so let's work off of his analysis.
The crux of the indictment is that Hutchins and the unnamed "co-conspirator" worked together to create and sell malware, leading Kerr to ask the fairly obvious question:
This raises an interesting legal question: Is it a crime to create and sell malware?
After all, as many others pointed out, there are lots of folks out there who build and sell malware of one kind or another -- and, indeed, the US government is often a large purchaser of malware sold by others. Kerr's initial gut reaction was more or less the same as mine: that the actual amount of evidence in the indictment is pretty minimal, though obviously they may have a lot more that just hasn't been shared yet (or they may turn up more).
Do the charges hold up? Just based on a first look at the case, my sense is that the government’s theory of the case is fairly aggressive. It will lead to some significant legal challenges. It’s hard to say, at this point, how those challenges will play out. The indictment is pretty bare bones, and we don’t have all the facts or even what the government thinks are the facts. So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we’ll have to stay tuned.
From there, Kerr digs into each of the charges. The first is "conspiracy." This one struck my layman's mind as somewhat odd. Two people working together does not a conspiracy make. Kerr similarly calls it "odd" and notes that for this charge to work, the government has to argue that selling malware is the same as using malware to damage a computer. And that seems... difficult. Kerr points out that there are two conditions that must be met for this to work:
First, the government must prove that Hutchins and X had an intent to damage a computer. That is, the goal of their conspiracy must have been to impair the availability or integrity of a program or data. Maybe there are facts that support that, but at the very least they don’t appear in the indictment. The indictment makes it seem that the purpose of selling the malware was to, well, sell malware. It’s not obvious that Hutchins and X cared what the buyer did with the malware after so long as they paid. If Hutchins and X didn’t care what the buyer did with the malware, it’s hard to see how they could have a purpose to impair the availability or integrity of a computer.
Second, the government must prove that the agreement was to cause the result of damaging a computer. In an ordinary 1030(a)(5)(A) case, causation is easy. The person sends the malware and the malware damages the machine. Here, though, the government’s theory adds an intermediary: The theory seems to be that Hutchins and X conspired, and the goal of their collective activity was to cause damage, even though the actual act of damaging a computer (if it happened) was to be caused directly by the buyer using the malware rather than by Hutchins and X.
That second point is especially interesting to me. We've seen more and more attempts to charge "intermediaries" with crimes based on actions of third party users of their tools (the Megaupload case being one big example). And that seems like a very dangerous path to go down. One of the reasons why we talk about "intermediary liability protections" on Techdirt so much is that they're so important on a basic "blame the person who actually did the wrong" spectrum. It's not the intermediary, it's the user. Go after the user, even if that's more difficult. Here, the DOJ seems to be going after the intermediary. Because.
The next three charges are all similar, and I didn't quite get them at first, but Kerr explains. They're making use of 18 U.S.C. 2512 which Kerr describes as, "a rarely-used law that criminalizes making, selling, or advertising for sale illegal wiretapping devices." Yes, wiretapping devices. Here, Kerr focuses on the question of whether or not a piece of malware software is a "device" under the law, and argues that may be difficult as well.
In Potter v. Havlice, 2008 WL 2556723 (S.D. Ohio 2008), the plaintiff sued the defendant under Section 2512 for making and selling “Activity Monitor,” which was billed as “an ideal spy software package to ensure you have the control you need over your child or spouse activity when they are online.” After rejecting Section 2512 liability because there is no civil cause of action under the statute, the court added an alternative holding that “Activity Monitor is not a device as contemplated by Section 2512.”
Section 2512 makes the manufacture and/or trafficking of “any electronic, mechanical, or other device” illegal. The phrase “electronic, mechanical, or other device” is defined in 18 U.S.C. § 2510(5) to generally mean “any device or apparatus which can be used to intercept a wire, oral, or electronic communication….” Clearly, Activity Monitor alone cannot be used to intercept communications. It must be installed in a device, such as a computer, to be able to do so. Also, the definition of the word “device” does not encompass software such as Activity Monitor. Merriam Webster Dictionary defines “device” as “a piece of equipment or a mechanism designed to serve a special purpose or perform a special function.” Activity Monitor alone is not a piece of equipment or a mechanism.
So... that's going to make this interesting. Of course, then there's the further question of whether or not the malware itself is really intercepting communications. Either way, this feels like a way to try to twist a law targeting older technology to pretend that it applies to a very different kind of technology. I know this happens semi-frequently, but it always troubles me. You get bad results this way, because the technology that was originally being regulated, and what it's now being used against, are very different, and should be treated differently. But when you try to shove something like malware into laws created to stop wiretapping devices... you end up with bad results, where rulings can be made about something being "bad" without realizing the wider reverberations it may have.
And, finally, there's a CFAA claim, because if there's a criminal case that could be summarized as "behaving badly on a computer" you have to expect an eventual CFAA claim.
This count raises the same challenges as count one. The theory seems to be that selling a copy of malware is akin to using the malware to damage a computer. But to get there, they need to show that Hutchins and X had the intent to impair the availability or integrity of information on a computer and not just intent to distribute the malware to a paying customer. The government also needs to prove that their act of distributing the malware was the proximate cause of the resulting damage even though a third party’s intentional act of sending the malware was required for that to happen.
Again... this seems quite difficult to actually show, though perhaps there's more evidence that the DOJ hasn't yet revealed.
In the meantime, others are insisting that the DOJ has the wrong guy. A friend and colleague of Hutchins, Kevin Beaumont, insisted that the DOJ is simply wrong, and that Marcus has more or less dedicated his life to fighting malware, not creating it:
To be absolutely clear @MalwareTechBlog's business is reversing malware to monitor botnet traffic. The DoJ has seriously fucked up.
— Kevin Beaumont (@GossiTheDog) August 3, 2017
I know Marcus. He has a business which fights against exactly this (bot malware), it's all he does. He feeds that info to US law enforcement
— Kevin Beaumont (@GossiTheDog) August 3, 2017
On top of that, the BBC spotted the fact that Marcus asked on Twitter if anyone had a sample of Kronos after it first was discovered:
Now, of course, that alone is not evidence of much. After all, if he really had created it, why not tweet something like that to make sure people think he hadn't? But, still, it is worth pointing out, along with multiple other folks saying that they simply don't believe Hutchins would have been behind the malware, let alone the broader legal question of whether or not making and selling malware is even illegal in the first place.
Filed Under: cfaa, conspiracy, doj, indictment, kronos, malware, malwaretech, marcus hutchins, orin kerr, selling malware
Reader Comments
Given your record predicting court cases, he's toast.
We don't know! But key point for sure is that Masnick leaps to defend a hacker. (A British hacker: avoided extradition!)
[ link to this | view in chronology ]
Re: Given your record predicting court cases, he's toast.
[ link to this | view in chronology ]
Re: Given your record predicting court cases, he's toast.
Uh, how about: "..Masnick leaps to defend an innocent-until-proven-guilty hacker."
[ link to this | view in chronology ]
Re: Given your record predicting court cases, he's toast.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
HMG reaction [was Re: ]
Oh, seeing the latest comment bumped this thread for me.
I wasn't really going to bother posting a link to this Dustin Volz tweet, but that tweet contains a short statement for publication from Peter Heaton-Jones, Member of Parliament (Conservative, North Devon). As of half-an-hour ago or so, I hadn't seen the statement anywhere else besides Twitter.
(Via @cfarivar retweet.)
[ link to this | view in chronology ]
Another notable lawyer
Thomas Fox-Brewster writing at Forbes has a piece today ( “Kronos Malware Dealer On WannaCry Killer Charges: What Charges?”, Aug 4, 2017) with some reaction from attorney Tor Ekeland:
In the next paragraph, that piece goes on to further quote Mr Ekeland. All in all, though, it's a much shorter take than the analysis by Professor Kerr.
“A disaster”.
[ link to this | view in chronology ]
The government's viewpoint:
Malware equals a wiretap
Stingray does not equal a wiretap
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Novel legal interpretation
Since we're contemplating criminal law, rather than civil law, the usual EULA disclaimer about "not liable for damage caused by defects even if the vendor knew, should have known, or was warned about these defects" would not apply.
[ link to this | view in chronology ]
Extending the Novel legal interpretation
[ link to this | view in chronology ]
Re: Extending the Novel legal interpretation
You could also include the internet providers, etc., etc.
[ link to this | view in chronology ]
Ugh...
[ link to this | view in chronology ]
Re: Ugh...
In the case of A hiring B to kill C, A actually has the intent to kill a specific target. The intermediary B would do the actual murder, but A provided the intent first.
In the case of A creating a malware that B then buys to infect C's computer, B had the intent, and B is the one to execute the task. A here doesn't have intent, nor does he act against C's computer. He only created a general tool that might be used for nefarious purposes, or for research, or then again for legal investigation...
There is no valid comparison here.
[ link to this | view in chronology ]
Re: Re: Ugh...
[ link to this | view in chronology ]
They need someone to blame
[ link to this | view in chronology ]
Representation
Yesterday, a Reuters article by Dustin Volz and John L. Smith (“Cyber expert who stopped 'WannaCry' attack arrested in U.S. on hacking charges”, Aug 3, 2017) reported:
“Friday” would be today.
(Via retweet of an @MattBlaze retweet.)
[ link to this | view in chronology ]
Re: Representation
On a nonviolent offender, that's a strong indicator of a made-up, bogus case.
[ link to this | view in chronology ]
Shackles [was Re: Re: Representation]
US v Hutchins Docket (D.Nev., 2:17-mj-00825)
Document 5: Assertion Of Right To Be Present In Court Unshackled
[ link to this | view in chronology ]
Re: Shackles [was Re: Re: Representation]
Document 2: MINUTES OF PROCEEDINGS
(Emphasis added.)
[ link to this | view in chronology ]
Re: Representation
This afternoon, reporter Christy Wilcox (KSNV News 3) has posted two different videos with statements from Marcus Hutchins' attorney Adrian Lobo:
Twitter video (very brief)
[ link to this | view in chronology ]
Re: Re: Representation
Fwiw, Dan Goodin asked whether anyone knew for certain whether Marcus Hutchins had entered a plea.
In KSNV News 3 reporter Christy Wilcox's Facebook video posted earlier this afternoon, I believe that Mr Hutchins' attorney Adrian Lobo answers that question.
About the “-6:05” mark in the video (counting up with negative time):
[ link to this | view in chronology ]
Re: Re: Representation
Incidentally, I was looking at what I presume is Ms Lobo's website. Her list of “Criminal Practice Areas” does not appear to show the CFAA as a specialty.
[ link to this | view in chronology ]
Hutchins real crime? He took away fantastic opportunity from the FBI
But no. Along comes Hutchins, and pulls the plug on this Fairy tale. The FBI is back to hunting UFOs or mysterious Russian Hackers that no sane person believes in. Back to propping up some misfits with FBI bombs and FBI undercover terrorist cells to get a few fleeting moments of media attention.
[ link to this | view in chronology ]
Conspiracy...
[ link to this | view in chronology ]
3rd party liability protection
[ link to this | view in chronology ]
Re: 3rd party liability protection
[ link to this | view in chronology ]
Re: 3rd party liability protection
All they need is your "intent" for the software to "harm" a computer, even if it's your own.
Of course, none of this applies if you're the NSA cultivating and distributing malware.
[ link to this | view in chronology ]
"Two people working together does not a conspiracy make."
[ link to this | view in chronology ]
Re: "Two people working together does not a conspiracy make."
[ link to this | view in chronology ]
Re: Re: "Two people working together does not a conspiracy make."
15 USC § 1 (Sherman Act § 1)
DoJ Antitrust Primer: Price Fixing, Bid Rigging, and Market Allocation Schemes
But this is going way off-topic.
[ link to this | view in chronology ]
The Register Picked Up on This Story
The smell of this is very Aaron Swartz, or Tamerlan Tsarnaev, -ish to me.
The U.S. government is notorious for first demonizing you in the media, and then eliminating you as a threat.
Good luck to you, Marcus Hutchins, your life might be cut short, but at least you did good before getting the U.S. government treatment.
[ link to this | view in chronology ]
Re: The Register Picked Up on This Story
The IETF have already moved a meeting because of the US travel ban and this will just make it look like a very good decision.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Didn't Sony get prosecuted over their rootkit?
I don't recall the discussion of when the FBI investigated, arrested executives, and prosecuted people there though. Can someone remind me please?
[ link to this | view in chronology ]
No good deed goes unpunished
[ link to this | view in chronology ]
Look no farther
than what the FBI might want from someone they have leverage against.
How many folks have the funds to afford a competent defense in a criminal trial? (Don't cry to me that public defenders can make it all better either.)
[ link to this | view in chronology ]
Governments irritation
[ link to this | view in chronology ]
Also, is anyone actually accusing him of writing the malware other than the media? The indictment appears to speak to small scale distribution consistent with research.
[ link to this | view in chronology ]
Re:
According to KSNV News 3 reporter Christy Wilcox's story yesterday, “Malwaretech hailed hero gets bail after allegation of producing malicious malware” (Aug 4, 2017), in court before Magistrate Judge Nancy Koppe, AUSA Dan Cowhig accused Mr Hutchins of writing the malware.
(Note that “Nevada Assistant Attorney General” appears to be an unusual way to refer to an assistant United States attorney (AUSA).)
Also see 4.a. on p.3 of the indictment, where it is alleged:
[ link to this | view in chronology ]
Followup [was Re: Re: ]
The transcript of the Aug 4 hearing contains, on pp.7-8:
(Note that I'm seeing this transcript for the first time on Fri, Aug 11, 2017. This story is no longer on Techdirt's front page.)
[ link to this | view in chronology ]
1. If you do something that is completely legal and socially acceptable in your home country, say burp, and then go to a foreign country, does the foreign country have the right to prosecute you for burping? According to the concept of:
Wikipedia
https://en.wikipedia.org/wiki/Universal_jurisdiction
Universal jurisdiction allows states or international organizations to claim criminal jurisdiction over an accused person regardless of where the alleged crime was committed, and regardless of the accused's nationality, country of residence, or any other relation with the prosecuting entity. Crimes prosecuted under universal jurisdiction are considered crimes against all, too serious to tolerate jurisdictional arbitrage.
The point here is nationalism. Does a country have the right to claim a legal action in one's home country and performed there is a prosecutable and illegal act in their country?
2. Under universal jurisdiction does a country not only have the right to declare that legal actions in one's home country are not only illegal but are extraditable? If I recall correctly that is exactly what the US did to a UK subject. Extradite him to the US for trial and conviction for performing legal actions in the UK.
3. What is going to happen when China, Russia, Arabia decide that free speech made in the US violates their laws, that universal jurisdiction applies, and then foreseeably extradite (kidnap from US perspective) US politicians to stand trial followed by lengthy prison terms?
[ link to this | view in chronology ]
How about the FBI/CIA/NSA for actually deploying the malware? Seems like a really weird case to prosecute.
[ link to this | view in chronology ]
Vendors of security hardened systems have a legitimate interest in buying or otherwise acquiring malware in order to test the security of their hardened systems.
[ link to this | view in chronology ]
Aug 4, 2017 Hearing Transcript
Transcript of Aug 4, 2017 hearing in US v Marcus Hutchins (2:17-MJ-0825-NJK): “Continued Initial Appearance In Rule 5(c)(3) Proceeding” before Magistrate Judge Nancy Koppe.
(Via Lorenzo Franceschi-Bicchierai.)
[ link to this | view in chronology ]
Eastern District of Wisconsin Docket
CourtListener (RECAP) finally has a page up copying the docket from the Eastern District of Wisconsin.
US v Hutchins docket (E.D.Wis. 2:17-cr-00124)
The link to (another) copy of the indictment is just an indicator that this is in fact the docket for the Hutchins case. Currently, CourtListener still has this docket page titled as “United States v. SEALED”.
[ link to this | view in chronology ]