The Kronos indictment: Is it a crime to create and sell malware?

The Justice Department has indicted Marcus Hutchins, a security researcher, for allegedly creating and selling malware. The Verge explains:

A noted security researcher has been arrested by the FBI, as first reported by Motherboard. Marcus Hutchins (better known as MalwareTech) appears to have been stopped by the FBI yesterday afternoon as he prepared to board a flight from Las Vegas back to his home in London. Hutchins was in the US for the Black Hat and Defcon security conferences, although he did not present any research.

Hutchins was arrested for his role in "creating and distributing the Kronos banking trojan," according to a federal indictment against him and an unnamed co-defendent. Kronos was a malware program that harvested online banking credentials and credit card data, first discovered in July 2014.

This raises an interesting legal question: Is it a crime to create and sell malware?

The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability—basically, aiding and abetting a hacking crime.

Do the charges hold up? Just based on a first look at the case, my sense is that the government's theory of the case is fairly aggressive. It will lead to some significant legal challenges. It's hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don't have all the facts or even what the government thinks are the facts. So while we can't say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we'll have to stay tuned.

Here's an overview of the six counts in the indictment, together with my tentative thoughts on them.

Count One: Conspiracy to Damage Computers

The first count charges Hutchins and the unnamed co-conspirator (whom I'll call X) with conspiring to violate 18 U.S.C. 1030(a)(5)(A). Section 1030(a)(5)(A) is the computer damage statute. It punishes sending out a command or program that intentionally damages a computer without authorization. Notably, the charge says that the conspiracy was between Hutchins and X. Together, it says, they conspired to make and sell the malware.

This charge strikes me as odd. If I understand it correctly, the government is saying that the act of selling the malware—distributing it to a third party—was the act of causing computer damage. In effect, the government treats the selling of the malware as a use of the malware to damage a computer. It's saying Hutchins and X conspired (formed an agreement) to send off the program (distributing it to the buyer) intending to cause damage (eventually, albeit indirectly, when the buyer later used it to cause damage).

I have never seen Section 1030(a)(5)(A) used that way before. And for the charge to fit the statute, the government has to prove two things that it may or may not be able to prove.

First, the government must prove that Hutchins and X had an intent to damage a computer. That is, the goal of their conspiracy must have been to impair the availability or integrity of a program or data. Maybe there are facts that support that, but at the very least they don't appear in the indictment. The indictment makes it seem that the purpose of selling the malware was to, well, sell malware. It's not obvious that Hutchins and X cared what the buyer did with the malware afterward, so long as they paid. If Hutchins and X didn't care what the buyer did with the malware, it's hard to see how they could have a purpose to impair the availability or integrity of a computer.

Second, the government must prove that the agreement was to cause the result of damaging a computer. In an ordinary 1030(a)(5)(A) case, causation is easy. The person sends the malware, and the malware damages the machine. Here, though, the government's theory adds an intermediary: The theory seems to be that Hutchins and X conspired, and the goal of their collective activity was to cause damage, even though the actual act of damaging a computer (if it happened) was to be caused directly by the buyer using the malware rather than by Hutchins and X.

Of course, it's probably the case that Hutchins and X knew that whoever bought the malware would use it illegally. But under the statute, mere knowledge isn't enough. For Hutchins and X to be liable on this count, causing the impairment of the availability and integrity of information must have been their goal.

Counts Two, Three and Four: The 2512 Charges

Counts two, three and four all allege violations of 18 U.S.C. 2512. Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices. The basic idea is to deter wiretapping by interfering with the market in wiretapping devices. If you can't legally advertise, make or sell wiretapping devices, then people who want to engage in illegal wiretapping won't have an easy way to find the illegal devices and won't be as inclined to engage in wiretapping.

Notably, the crime here isn't making, selling or advertising malware generally. Rather, it's making, selling or advertising "any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications." In other words, the problem is that the malware was designed so that its primary use was to engage in surreptitious wiretapping.

One legal issue raised by these charges is whether software alone counts as a "device" under Section 2512. Section 2510(5) defines an "electronic, mechanical, or other device" as "any device or apparatus which can be used to intercept a wire, oral, or electronic communication" subject to some exclusions not relevant here. In most wiretapping cases, use of a software program to wiretap someone counts as using a "device" because the physical computer running the software is a device. See, e.g., United States v. Szymuszkiewicz, 622 F.3d 701, 707 (7th Cir. 2010).

This doesn't help in a Section 2512 case, however, at least where the government is charging the creating, selling and advertising of computer code alone. And there is at least some authority that a computer program can't itself be a "device" in a Section 2512 case.

In Potter v. Havlicek, 2008 WL 2556723 (S.D. Ohio 2008), the plaintiff sued the defendant under Section 2512 for making and selling "Activity Monitor," which was billed as "an ideal spy software package to ensure you have the control you need over your child or spouse activity when they are online." After rejecting Section 2512 liability because there is no civil cause of action under the statute, the court added an alternative holding that "Activity Monitor is not a device as contemplated by Section 2512."

Section 2512 makes the manufacture and/or trafficking of "any electronic, mechanical, or other device" illegal. The phrase "electronic, mechanical, or other device" is defined in 18 U.S.C. § 2510(5) to generally mean "any device or apparatus which can be used to intercept a wire, oral, or electronic communication…." Clearly, Activity Monitor alone cannot be used to intercept communications. It must be installed in a device, such as a computer, to be able to do so.

Also, the definition of the word "device" does not encompass software such as Activity Monitor. Merriam Webster Dictionary defines "device" as "a piece of equipment or a mechanism designed to serve a special purpose or perform a special function." Activity Monitor alone is not a piece of equipment or a mechanism.

Havlicek submits another definition of the word "device" for consideration. According to Havlicek, The American Heritage Dictionary of the English Language states that a "device" is "something devised or constructed for a particular purpose" or "a plan or scheme." Again, however, computer software alone, Activity Monitor in this case, does not fit into this definition.

I don't know whether another court would follow this reasoning. But it is an issue that will be litigated.

Count Five: Wiretapping

The fifth count of the indictment charges Hutchins and X with intentionally intercepting, endeavoring to intercept or procuring any other person to intercept or endeavor to intercept an electronic communication. Basically, it is saying that they either wiretapped someone, tried to wiretap someone, tried to persuade someone else to wiretap someone or aided and abetted someone else's wiretapping. We don't know which theory the government is pursuing here, and we don't have enough facts to judge the claim. The indictment uses the date that they sold a copy of the program as the relevant date, so that is probably the act the government has in mind. But we don't know, so it's hard to go into a lot of detail on this count.

It's important to note, however, that all of these theories require the government to show intent to further an act of illegal wiretapping. Hutchins and X need to either have actually and intentionally wiretapped someone, to have taken a substantial step toward wiretapping someone or to have aided and abetted someone who actually did wiretap someone. Merely writing the program and selling it—with the actual wiretapping act being the buyer's act and up to the buyer—likely wouldn't count.

Count Six: Computer Damage

The last count in the indictment charges Hutchins and X with violating the computer damage statute on the date that they sold a copy of the program. This is similar to the conspiracy count in count one, but it is alleging the substantive crime. Not only did they agree to sell the program in count one, but they actually did sell the program in count six.

This count raises the same challenges as count one. The theory seems to be that that selling a copy of malware is akin to using the malware to damage a computer. But to get there, the government needs to show that Hutchins and X had the intent to impair the availability or integrity of information on a computer and not just intent to distribute the malware to a paying customer. The government also needs to prove that their act of distributing the malware was the proximate cause of the resulting damage even though a third party's intentional act of sending the malware was required for that to happen.