MalwareTech Prosecution Appears To Be Falling Apart As Gov't Plays Keep Away With Documents Requested By Defense
from the piling-up-fatal-errors? dept
Marcus Hutchins, a.k.a. MalwareTech, went from internet hero (following his inadvertent shutdown of the WannaCry ransomware) to federal government detainee in a surprisingly short amount of time. Three months after saving the world from rampaging malware built on NSA exploits, Hutchins was arrested at the Las Vegas airport as he waited for his flight home to the UK.
When the indictment was published, many people noted the charges didn't seem to be backed by much evidence. The government accused Hutchins of creating and selling the Kronos malware, but offered very little to support this claim. While it's true much of the evidence against Hutchins will be produced in court, the indictment appeared to be stretching legal definitions of certain computer crimes to their limits.
The government's case appears to be weak and reliant on dubious legal theories. It's not even 100% clear that creating and selling malware is an illegal act in and of itself. The charges the government brought rely heavily on proving Hutchins constructed malware with the intent to cause damage to computers. This isn't so easily proven, especially when the government itself is buying malware to deploy for its own purposes and has yet to bring charges against any of the vendors it buys from. Anyone selling exploits to governments could be said to be creating malware with intent to cause harm. That it's a government, rather than an individual, causing the harm shouldn't make any difference -- at least not if the government wants to claim selling of malware alone is a federal offense.
The case appears to be even weaker now that more paperwork has been filed by both parties. If the government has a lot of evidence to use against Hutchins, it has yet to present it to Hutchins' lawyers. What's detailed in the motion to compel recently filed by Hutchins' defense team shows the government is either playing keep-away with crucial information or simply does not have much evidence on hand.
Marcy Wheeler digs into the motion to compel [PDF] and notes it appears to show the government's case is incredibly weak. And if sketchy, minimal evidence doesn't undo the government's case, the actions of the FBI agents involved might.
First, there are some questions about the circumstances surrounding Hutchins' detainment at the Las Vegas airport. As the motion points out, there's a good chance Hutchins was in no condition to consent to an interrogation, having been up late the night before drinking and celebrating the wrap-up of the conferences he had attended.
The defense needs all communications and materials related to the surveillance and arrest of Mr. Hutchins to help establish that his post-arrest statements were involuntary and in violation of Miranda. The defense intends to argue that the government coerced Mr. Hutchins, who was sleep-deprived and intoxicated, to talk. As such, his decision to speak with the agents was not knowing, intelligent, and made in full awareness of the nature of the right given up and the consequences of giving up that right, as the law requires. Coleman v. Hardy, 690 F.3d 811, 815 (7th Cir. 2012).
The Seventh Circuit recognizes that intoxication is relevant to the voluntariness—legally, in terms of a statement’s admissibility, and factually, in terms of the weight to be given to an admissible statement—of post-arrest statements. See, e.g., United States v. Carson, 582 F.3d 827, 833 (7th Cir. 2009). The defense believes the requested discovery will show the government was aware of Mr. Hutchins’ activities while he was in Las Vegas, including the fact that he had been up very late the night before his arrest, and the high likelihood that the government knew he was exhausted and intoxicated at the time of his arrest.
Note the mention of the Miranda warning. This poses its own problems for a couple of reasons. As the motion points out, it's unclear how (or when) [or if] Hutchins was Mirandized. The FBI could have given Hutchins the actual Miranda warning, which makes it clear arrestees have both the right to remain silent and the right to an attorney. Or the agents could have decided the UK version was more applicable for the British citizen. This version does not guarantee the right to an attorney and notes remaining silent can be used against you in court.
Given the fact Hutchins is being prosecuted in the US, it's likely agents would have given him the American version. But there's no way to tell which version Hutchins received because the FBI's recording of the interrogation doesn't contain any recording of a Miranda warning being delivered.
After Mr. Hutchins was taken into custody, two law enforcement agents interviewed him at the airport. The memorandum of that interview generically states: “After being advised of the identity of the interviewing Agents, the nature of the interview and being advised of his rights, HUTCHINS provided the following information . . .” A lengthy portion of Mr. Hutchins’ interview with the agents was audio recorded. Importantly, however, the agents did not record the part of the interview in which they purportedly advised him of his Miranda rights, answered any questions he might have had, and had him sign a Miranda waiver form.
If the government plans to introduce the interrogation recording as evidence, the lack of a recorded Miranda warning or signed Miranda waiver should weigh against the admissibility of any incriminating statements Hutchins might have made. Combine that with Hutchins' alleged mental state (exhausted, intoxicated) at the time of the questioning and the FBI may have proactively destroyed a substantial amount of first-hand testimony.
The motion to compel goes on to point out there's plenty of information the government has yet to turn over to the defense. Hutchins' defense still hasn't seen anything related to his alleged co-conspirator (who still remains at large) -- not even the information the government apparently received as the result of an MLAT (Mutual Legal Assistance Treaty) request sent to the co-conspirator's home country.
The defense also wants more info on the FBI's witness known only as "Randy." The government is trying to have it both ways here. "Randy" appears to be a witness, but the government has downgraded "Randy" to a mere "tipster" to avoid turning over any info on "Randy" to the defense. Informant confidentiality can be maintained under some circumstances, but not if the government is hoping to use this informant as a witness.
Here, the government’s refusal to disclose even the identity of “Randy’s” attorney is apparently the result of miscategorizing an important witness as a mere tipster. “Randy” is a cooperating witness, one whose provision of information to law enforcement was facilitated by consideration—proffer immunity, at the least—from the government. This circumstance alone weighs against continuing confidentiality because “Randy” surely knows his cooperation will be revealed…
The defense expects “Randy” to testify at trial because he is alleged to have had extensive online chats with Mr. Hutchins around the time of the purported crimes in which Mr. Hutchins discussed his purported criminal activity. Any communications and materials relating to “Randy” are therefore material to defense preparations.
Wheeler speculates the hide-and-seek nature of the government's handling of "Randy"-related material has something to do with "Randy's" possible lack of usefulness. Hence the last-minute downgrade of "Randy's" stature and the ongoing refusal to produce documents.
I’m guessing if the government were required to put “Randy” on the stand they’d contemplate dismissing the charges against Hutchins immediately. I’m guessing the government now realizes “Randy” took them for a ride — perhaps an enormous one. And given how easy it is to reconstitute chat logs — but here, it’s not even clear “Randy” has the chat logs, but just claimed to have been a part of them, in an effort to incriminate him — I’m guessing this part of the case against Hutchins won’t hold up.
The defense is also seeking discovery of the grand jury instructions. As noted earlier in this post, the government set a high bar for itself, offering up charges that require it to prove intent to harm, rather than simply the creation and distribution of malware. As the government appears to have only limited evidence related to proof of intent, it may have secured the indictment by glossing over the "intent" part of the charges. If the instructions were insufficiently clear, the indictment itself might be in trouble.
Wheeler suggests now might be the time for the government to cut its losses and give Hutchins back his freedom. But, as she notes, the government prefers to double down on hole-digging in these situations. If the government is realizing its case against Hutchins is bullshit, it may dig in and impede discovery efforts just to make the accused pay for daring to fight back.
Filed Under: doj, evidence, fbi, kronos, malware, malwaretech, marcus hutchins
Reader Comments
And this is why...
Why? Because trying to be nice doesn't work. At best, the report will be denied, the followup will be stonewalled, the company/country will make groundless accusations, and then eventually, maybe, the problem will be quietly addressed and someone else will take credit for it.
At worst, the door will be kicked down at 5 AM and all my stuff will be confiscated, I'll be arrested and charged with anything/everything, and my ability to make a living will be destroyed. If I ever manage to get out from under the legal problems, I'll be bankrupt and then homeless.
So while I could do some modest good here and there, I'm going to lift a finger. I've learned the lesson.
[ link to this | view in chronology ]
Re: And this is why...
[ link to this | view in chronology ]
Re: And this is why...
Sadly, I agree with this. Every time I have been nice, I've been threatened with lawsuits and my employers have been contacted and told to fire me. Luckily, my employers have basically told them to pound sand and ask them when they are going to fix their shit. With that, and this, it ain't worth my time or energy to do it the right way.
[ link to this | view in chronology ]
Mad Dogs and Englishmen WAS Re: And this is why...
A fine "protest" would be to make some open source code on more open hardware like a Raspberry Pi to allow people who'd like to be at, say, DefCon have remote telepresence. Futurama Hall of Presidents style. Perhaps call it Rsides?
[ link to this | view in chronology ]
So
[ link to this | view in chronology ]
Re: So
[ link to this | view in chronology ]
One of the following is fake news
Perhaps Trump should sue the FBI for defamation. Then we can get to the bottom of this.
[ link to this | view in chronology ]
Now, now, kids: relying on technicalities likely means DOOMED.
Trying to take back what admitted is going to be tough.
This isn't blurting once "I did it!", which might be misunderstanding or confusion, but apparently long series of statements by a highly intelligent indiv, among which are admitting writing the malware.
For perverse cause that always intrigues me, Techdirt, knowing no more than me, just automatically sides with likely criminals. Here, a confessed author of malware makes for likely regardless of all else, yet Techdirt tries to 'splain that away as having all sorts of possible good reasons.
Never change, Techdirt! You are the patron site of lost causes.
[ link to this | view in chronology ]
Re: Now, now, kids: relying on technicalities likely means DOOMED.
[ link to this | view in chronology ]
Re: Now, now, kids: relying on technicalities likely means DOOMED.
If he had planted it himself and caused destruction of property in some form then that's illegal and he should suffer the consequences. If you can manage a few minutes of critical thinking and reading comprehension you'll see that's not what this article describes.
TD defends rights, not "feels".
[ link to this | view in chronology ]
Re: Now, now, kids: relying on technicalities likely means DOOMED.
But if he is so malicious and guilty (as you seem to believe), then why did he shut down the WannaCry ransomware?
[ link to this | view in chronology ]
Re: Now, now, kids: relying on technicalities likely means DOOMED.
[ link to this | view in chronology ]
Re: Re: Now, now, kids: relying on technicalities likely means DOOMED.
You know, minor quibbles like that.
[ link to this | view in chronology ]
Re: Re: Re: Now, now, kids: relying on technicalities likely means DOOMED.
[ link to this | view in chronology ]
Re: Re: Re: Now, now, kids: relying on technicalities likely means DOOMED.
[ link to this | view in chronology ]
Re: Now, now, kids: relying on technicalities likely means DOOMED.
I'm just going to take pleasure in the fact that you automatically side with the likes of Verizon and John Steele.
[ link to this | view in chronology ]
Re: Now, now, kids: relying on technicalities likely means DOOMED.
just automatically sides with likely criminals.
Accused, Techdirt sides with the accused, just remember this next time you yourself are accused and wish people to side with you rather than call you criminal.
[ link to this | view in chronology ]
Feds Have a Serious Credibility Problem
I'm reminded of this quote almost every time the FBI is involved in a case.
He who permits himself to tell a lie once, finds it much easier to do it a second and third time, till at length it becomes habitual; he tells lies without attending to it, and truth without the world’s believing him. This falsehood of the tongue leads to that of the heart, and in time depraves all its good dispositions.
Thomas Jefferson
The FBI lies so habitually I fail to see how any judge can treat them as credible.
[ link to this | view in chronology ]
How can any judge treat the FBI as credible?
When both have the common cause of putting warm bodies into prison, FBI witnesses can say they saw the accused starting the Chicago Fire, and the judge will believe them.
[ link to this | view in chronology ]
Wonder??
Convention??
WOW, how about an ADVANCED SWAT??
Let's pick on the guy who helped the government..
Who needs a hack when you just call the FBI/CIA about terrorism.
[ link to this | view in chronology ]
Milwaukee County and Wisconsin have plenty of crooked timbers when it comes to lawyers.
At least California was willing to throw out a lawyer who was accused of wife strangulation and plead out to battery.
In Wisconsin you can act as the lawyers for a company, claim the general manager doesn't know who the owners are of the company THEN do 40+ hours of billable work against the company while NOT being the attorneys of record. Why does the state bar do nothing? Your CEO is the treasurer for an appellate court judge may be a factor.
Meanwhile the chief judge of Milw County is secreting court records as they would show the court worked to prevent charges being pressed against a public official who 'recanted' his sworn statements.
As the one judge said to me "We do things loose here".
[ link to this | view in chronology ]
I thought that was illegal, could get one disbarred, held in contempt and possible jail time.
[ link to this | view in chronology ]
https://en.wikipedia.org/wiki/Wikipedia:Randy_in_Boise
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
They represent a huge liability to companies who prefer security by obscurity, to pocket the savings.
They represent a huge threat to the government, they might discover vulnerabilities, that they paid out handsomely for, and patch them. (Ignoring their habit of letting them lay around on any old server).
How dare these regular people invest their own time into trying to secure everyone, and make the government's job of hacking & stealing harder.
We squeezed this little fish into a ramp to a bigger target & amazingly our case lacks reality. We loved the story of this whitehat turning to the dark side, and working against the interests of the US. It was thrilling & we were sure we'd get bonuses & that sweet sweet cyber money added to our budget. We didn't need to check anything, he talks computer he must be evil.
[ link to this | view in chronology ]
On that which has not yet been evidenced....
What are their options? For example, maybe they can easily claim a "withheld" document is not yet discovered, and then later reveal "oh look, this just in". Is that possible? Easy to get away with? Undesirable for some strategic reason?
A lot hinges on how these cases tend to play out. Otherwise we all just guess.
[ link to this | view in chronology ]
Re: On that which has not yet been evidenced....
There are 3 "sets" of "rules" at play here. Rules of evidence, the bar rules and the rules for the prosecutor. The Discovery rules state things can be turned in later 'as found'. Bar rules talk about honesty to the tribunal. And the rules for the prosecutor - I've not used but when I've looked at 'em they appear to be more strict than the bar rules.
ENFORCEMENT of the rules, well, that is another matter. My guess is it is lip service and as this case is Judge Statmuller and he's a DOJer from the 1970's I'm guessing that unless people are lined up deeper in that courtroom than the Aug hearing "seeking answers" as to why the prosecutor isn't answering Discovery he'll be favorable to the DOJer.
[ link to this | view in chronology ]
Re: On that which has not yet been evidenced....
[ link to this | view in chronology ]
You’re an idiot.
[ link to this | view in chronology ]