The Indictment Against Malware Researcher Marcus Hutchines Is Really Weird

from the why-is-that-illegal? dept

So, yesterday, we wrote a quick post about recently-famous malware research Marcus Hutchins (famous for accidentally stopping the WannaCry attack) being detained by the FBI as he left Defcon. An hour or so later, we updated it with the details of the indictment which had been released. That had my quick response, which noted that the “evidence” didn’t seem very strong. It just claims (without anything else) that Hutchins wrote the Kronos malware, and most of the indictment and most of the activity focuses on a second defendant (whose name is redacted) who apparently was out selling the malware. I was planning to write up a more thorough look at the indictment and its problems today, but last night, Orin Kerr beat me to it, and he (famed lawyer, law professor and former assistant US attorney) has a bit more expertise in the subject, so let’s work off of his analysis.

The crux of the indictment is that Hutchins and the unnamed “co-conspirator” worked together to create and sell malware, leading Kerr to ask the fairly obvious question:

This raises an interesting legal question: Is it a crime to create and sell malware?

After all, as many others pointed out, there are lots of folks out there who build and sell malware of one kind or another — and, indeed, the US government is often a large purchaser of malware sold by others. Kerr’s initial gut reaction was more or less the same as mine: that the actual amount of evidence in the indictment is pretty minimal, though obviously they may have a lot more that just hasn’t been shared yet (or they may turn up more).

Do the charges hold up? Just based on a first look at the case, my sense is that the government?s theory of the case is fairly aggressive. It will lead to some significant legal challenges. It?s hard to say, at this point, how those challenges will play out. The indictment is pretty bare bones, and we don?t have all the facts or even what the government thinks are the facts. So while we can?t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we?ll have to stay tuned.

From there, Kerr digs into each of the charges. The first is “conspiracy.” This one struck my layman’s mind as somewhat odd. Two people working together does not a conspiracy make. Kerr similarly calls it “odd” and notes that for this charge to work, the government has to argue that selling malware is the same as using malware to damage a computer. And that seems… difficult. Kerr points out that there are two conditions that must be met for this to work:

First, the government must prove that Hutchins and X had an intent to damage a computer. That is, the goal of their conspiracy must have been to impair the availability or integrity of a program or data. Maybe there are facts that support that, but at the very least they don?t appear in the indictment. The indictment makes it seem that the purpose of selling the malware was to, well, sell malware. It?s not obvious that Hutchins and X cared what the buyer did with the malware after so long as they paid. If Hutchins and X didn?t care what the buyer did with the malware, it?s hard to see how they could have a purpose to impair the availability or integrity of a computer.

Second, the government must prove that the agreement was to cause the result of damaging a computer. In an ordinary 1030(a)(5)(A) case, causation is easy. The person sends the malware and the malware damages the machine. Here, though, the government?s theory adds an intermediary: The theory seems to be that Hutchins and X conspired, and the goal of their collective activity was to cause damage, even though the actual act of damaging a computer (if it happened) was to be caused directly by the buyer using the malware rather than by Hutchins and X.

That second point is especially interesting to me. We’ve seen more and more attempts to charge “intermediaries” with crimes based on actions of third party users of their tools (the Megaupload case being one big example). And that seems like a very dangerous path to go down. One of the reasons why we talk about “intermediary liability protections” on Techdirt so much is that they’re so important on a basic “blame the person who actually did the wrong” spectrum. It’s not the intermediary, it’s the user. Go after the user, even if that’s more difficult. Here, the DOJ seems to be going after the intermediary. Because.

The next three charges are all similar, and I didn’t quite get them at first, but Kerr explains. They’re making use of 18 U.S.C 2512 which Kerr describes as, “a rarely-used law that criminalizes making, selling, or advertising for sale illegal wiretapping devices.” Yes, wiretapping devices. Here, Kerr focuses on the question of whether or not a piece of malware software is a “device” under the law, and argues that may be difficult as well.

In Potter v. Havlice, 2008 WL 2556723 (S.D. Ohio 2008), the plaintiff sued the defendant under Section 2512 for making and selling ?Activity Monitor,? which was billed as ?an ideal spy software package to ensure you have the control you need over your child or spouse activity when they are online.? After rejecting Section 2512 liability because there is no civil cause of action under the statute, the court added an alternative holding that ?Activity Monitor is not a device as contemplated by Section 2512.?

Section 2512 makes the manufacture and/or trafficking of ?any electronic, mechanical, or other device? illegal. The phrase ?electronic, mechanical, or other device? is defined in 18 U.S.C. § 2510(5) to generally mean ?any device or apparatus which can be used to intercept a wire, oral, or electronic communication?.? Clearly, Activity Monitor alone cannot be used to intercept communications. It must be installed in a device, such as a computer, to be able to do so.

Also, the definition of the word ?device? does not encompass software such as Activity Monitor. Merriam Webster Dictionary defines ?device? as ?a piece of equipment or a mechanism designed to serve a special purpose or perform a special function.? Activity Monitor alone is not a piece of equipmentor a mechanism.

So… that’s going to make this interesting. Of course, then there’s the further question of whether or not the malware itself is really intercepting communications. Either way, this feels like a way to try to twist a law targeting older technology to pretend that it applies to a very different kind of technology. I know this happens semi-frequently, but it always troubles me. You get bad results this way, because the technology that was originally being regulated, and what it’s now being used against, are very different, and should be treated differently. But when you try to shove something like malware into laws created to stop wiretapping devices… you end up with bad results, where rulings can be made about something being “bad” without realizing the wider reverberations it may have.

And, finally, there’s a CFAA claim, because if there’s a criminal case that could be summarized as “behaving badly on a computer” you have to expect an eventual CFAA claim.

This count raises the same challenges as count one. The theory seems to be that that selling a copy of malware is akin to using the malware to damage a computer. But to get there, they need to show that Hutchins and X had the intent to impair the availability or integrity of information on a computer and not just intent to distribute the malware to a paying customer. The government also needs to prove that their act of distributing the malware was the proximate cause of the resulting damage even though a third party?s intentional act of sending the malware was required for that to happen.

Again… this seems quite difficult to actually show, though perhaps there’s more evidence that the DOJ hasn’t yet revealed.

In the meantime, others are insisting that the DOJ has the wrong guy. A friend and colleague of Hutchins, Kevin Beaumont, insisted that the DOJ is simply wrong, and that Marcus has more or less dedicated his life to fighting malware, not creating it:

On top of that, the BBC spotted the fact that Marcus asked on Twitter if anyone had a sample of Kronos after it first was discovered:

Now, of course, that alone is not evidence of much. After all, if he really had created it, why not tweet something like that to make sure people think he hadn’t? But, still, it is worth pointing out, along with multiple other folks saying that they simply don’t believe Hutchins would have been behind the malware, let alone the broader legal question of whether or not making and selling malware is even illegal in the first place.

Filed Under: , , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “The Indictment Against Malware Researcher Marcus Hutchines Is Really Weird”

Subscribe: RSS Leave a comment
51 Comments
Anonymous Coward says:

Given your record predicting court cases, he's toast.

An overlap between white and black hat is also likely. Others speculate he was behind Wannacry, or that he stopped the NSA’s extortion with it. Or they’re squeezing him for info, including the bits he snagged at DefCon.

We don’t know! But key point for sure is that Masnick leaps to defend a hacker. (A British hacker: avoided extradition!)

Ninja (profile) says:

Considering he works with security and more specifically with vulnerability exploits through malware one can go conspiracy and argue he found out stuff he shouldn’t have or probed the wrong botnet. From the little I read about Hutchines he does everything quite in the open. You know, if you are doing everything right you have nothing to fear? Yeah about that…

Anonymous Coward says:

Re: HMG reaction [was ]

the british government have been strangely silent

Oh, seeing the latest comment bumped this thread for me.

I wasn’t really going to bother posting a link to this Dustin Volz tweet, but that tweet contains a short statement for publication from Peter Heaton-Jones, Member of Parliament (Conservative, North Devon). As of half-an-hour ago or so, I hadn’t see the statement anywhere else besides Twitter.

(Via @cfarivar retweet.)

Anonymous Coward says:

Another notable lawyer

Orin Kerr … famed lawyer

Thomas Fox-Brewster writing at Forbes has a piece today ( “Kronos Malware Dealer On WannaCry Killer Charges: What Charges?”, Aug 4, 2017) with some reaction from attorney Tor Ekeland:

Tor Ekeland, a lawyer specializing in Computer Fraud and Abuse Act (CFAA) cases, described the charges as "a disaster", claiming the government is trying to punish Hutchins for "non-alleged harms that other people may have committed with Kronos."

In the next paragraph, that piece goes on to further quote Mr Ekeland. All in all, though, it’s a much shorter take than the analysis by Professor Kerr.

“A disaster”.

Norahc (profile) says:

“The next three charges are all similar, and I didn’t quite get them at first, but Kerr explains. They’re making use of 18 U.S.C 2512 which Kerr describes as, “a rarely-used law that criminalizes making, selling, or advertising for sale illegal wiretapping devices.” Yes, wiretapping devices. Here, Kerr focuses on the question of whether or not a piece of malware software is a “device” under the law, and argues that may be difficult as well.”

The government’s viewpoint:
Malware equals a wiretap
Stingray does not equal a wiretap

Anonymous Coward says:

Novel legal interpretation

Supposing for the sake of argument that the DOJ actually prevails with their odd theory that selling computer-impairing software is illegal even when the seller had no particular interest in how the buyer would use it, that could open a fascinating mess with regard to the selling of software that impairs computers not because it is malicious, but because it is very poorly written. This could also have interesting chilling effects on anyone who creates toolkits that readily can be converted into malware (e.g. Windows-hosted VNC servers aren’t that far off if you compile out the pieces that make it easy for the console user to know VNC is running, tell it to stand down, or tell it to stop), even when the toolkit has substantial non-malicious uses.

Since we’re contemplating criminal law, rather than civil law, the usual EULA disclaimer about “not liable for damage caused by defects even if the vendor knew, should have known, or was warned about these defects” would not apply.

Anonymous Coward says:

Re: Re: Extending the Novel legal interpretation

The eventual “logical” conclusion is to take it to the hardware vendors and include the PC’s themselves. Because the PC is a necessary piece of equipment to create and run the software that impairs another computer.

You could also include the internet provides, etc., etc.

Anonmylous says:

Ugh...

Yes two can conspire, happens all the time in murder cases, usually with attempts to hire not involving an undercover agent posing as the hitman. But its a catch-all, and might actually get them if they provided more than basic instruction on how to use the software. Supporting a buyer by providing additional instruction beyond bug fixes and troubleshooting installation on their own machines could net them a conviction. Luckily, in order to do that, they’ll have to prove that Marcus and the other guy really did create or at least distribute this malware, and that they did support it afterwards. That said, the other charges should crumble. If he gets a competent attorney and it looks like he intends to fight it, the Gov will either re-charge with something more concrete, or drag it out a long while then fold. This is gonna suck either way.

Wyrm (profile) says:

Re: Ugh...

Regarding you comparison with hiring a hitman, this is a backwards comparison.

In the case of A hiring B to kill C, A actually has the intent to kill a specific target. The intermediary B would do the actual murder, but A provided the intent first.

In the case of A creating a malware that B then buys to infect C’s computer, B had the intent, and B is the one to execute the task. A here doesn’t have intent, nor does he acts against C’s computer. He only created a general tool that might be used for nefarious purposes, or for research, or then again for legal investigation…

There is no valid comparison here.

Anonymous Coward says:

Representation

Yesterday, a Reuters article by Dustin Volz and John L. Smith (“Cyber expert who stopped ‘WannaCry’ attack arrested in U.S. on hacking charges”, Aug 3, 2017) reported:

Hutchins appeared before U.S. Judge Nancy Koppe in Las Vegas on Thursday. Dan Coe, a federal public defender, told the court Hutchins "had cooperated with the government prior to being charged."

The hearing was scheduled to continue Friday afternoon to determine whether he will be represented by private legal counsel or a public defender.

“Friday” would be today.

(Via retweet of an @MattBlaze retweet.)

Anonymous Coward says:

Re: Re: Re: Shackles [was Representation]

            … the docket indicated they had him in shackles…

US v Hutchins Docket (D.Nev., 2:17-mj-00825)

Document 2: MINUTES OF PROCEEDINGS

Initial Appearance in Rule 5(c)(3) Proceeding as to Marcus Hutchins held on 8/3/2017 before Magistrate Judge Nancy J. Koppe. . . . Defendant shall have no restraints during court proceedings. . . .

(Emphasis added.)

Anonymous Coward says:

Re: Re: Representation

… attorney Adrian Lobo … Facebook video

Fwiw, Dan Goodin asked whether anyone knew for certain whether Marcus Hutchin had entered a plea.

In KSNV News 3 reporter Christy Wilcox’s Facebook video posted earlier this afternoon, I believe that Mr Hutchin’s attorney Adrian Lobo answers that question.

About the “-6:05” mark in the video (counting up with negative time):

Adrian Lobo: He pled not guilty.… That was yesterday’s hearing.

Anonymous Coward says:

the main purpose of the USA, certainly the law enforcement side, seems to be to find someone, charge them with something, regardless of whether they actually did what they are charged with or anything at all, come to that, then get them into court, convicted and imprisoned for a life term, even if all they had done was really to spit in the gutter! this paranoia that everyone except law enforcement are bad is ridiculous and has to stop! the country is being turned into a penal nation with just law enforcement supposedly doing no wrong! we know already that that is not the case and in actual fact, those who are supposed to uphold and live by the law are the worst offenders! perhaps how they are conducting themselves is to try to cover up all of their own illegal activities? if so, they need to remember that sooner or later, the truth comes out and severely bites you in the ass!!

Peter (profile) says:

Hutchins real crime? He took away fantastic opportunity from the FBI

Finally, with WannaCry, the big, nasty Cybermonster showed its head. Big money on the horizon for the FBI, lots of new people to be hired. Promotions. Brave FBI-cyberwarriors protecting America from the evil Cyberthreat.

But no. Along comes Hutchins, and pulls the plug on this Fairy tale. The FBI is back to hunting UFOs or mysterious Russian Hackers that no sane person believes in. Back to propping up some misfits with FBI bombs and FBI undercover terrorist cells to get a few fleeting moments of media attention.

Roy (profile) says:

3rd party liability protection

This is the most important part of this whole thing. If I’m the NRA I’d be filing an amicus brief over this. Eroding 3rd party liability protection is the path to punishing gun makers for murders. If I can build something that someone else can use to harm another – I can become a target of the DOJ. That can go a long way beyond software.

Toom1275 (profile) says:

Re: 3rd party liability protection

Doing security research in a laboratory environment, such as those engineers studying air-gap-defeating malware and suffer a malicious breach that sees your “proof-of-concept” used against the world? Now the government can attack you instead of an actual criminal.

All they need is your “intent” for the software to “harm” a computer, even if it’s your own.

Of course, none of this applies if you’re the NSA cultivating and distributing malware.

Pronounce (profile) says:

The Register Picked Up on This Story

The commenters were warning against traveling to the U.S., and I agreed with their assessment. But it seemed to me that they failed to consider that Britain is still a member of Five Eyes, and so it’s doubtful the UK would afford you much protection if the U.S. wanted you bad enough. (for evidence see the case against Kim Dotcom)

The smell of this is very Aaron Swartz, or Tamerlan Tsarnaev, -ish to me.

The U.S. government is notorious for first demonizing you in the media, and then eliminating you as a threat.

Good luck to you, Marcus Hutchines, your life might be cut short, but at least you did good before getting the U.S. government treatment.

Anonymous Coward says:

Look no farther

than what the FBI might want from someone they have leverage against.

How many folks have the funds to afford a competent defense in a criminal trial? (Don’t cry to me that public defenders can make it all better either.)

Bruce C. says:

The other part that’s weird to me is that they aren’t charging him with 500 counts or more of each offense. How many computers did Kronos infect? I’ll be interested to see their timeline. There are way too many plausible scenarios where Hutchins may have inadvertently given/sold Kronos to someone under the impression they were a researcher, or an accidental release due to a gap in a sandbox environment.

Also, is anyone actually accusing him of writing the malware other than the media? The indictment appears to speak to small scale distribution consistent with research.

Anonymous Coward says:

Re: Re:

Also, is anyone actually accusing him of writing the malware other than the media?

According to KSNV News 3 reporter Christy Wilcox’s story yesteday, “Malwaretech hailed hero gets bail after allegation of producing malicious malware” (Aug 4, 2017), in court before Magistrate Judge Nancy Koppe, AUSA Dan Cowhig accused Mr Hutchins of writing the malware.

Nevada Assistant Attorney General Dan Cowhig told the court Hutchins admits he wrote Kronos bank malware, he then sold it and profited from the sale.

(Note that “Nevada Assistant Attorney General” appears to be an unusual way to refer to an assistant United States attorney (AUSA).)

Also see 4.a. on p.3 of the indictement, where it is alleged:

Defendant MARCUS HUTCHINS created the Kronos malware.

Anonymous Coward says:

Re: Re: Followup [was ]

            Also, is anyone actually accusing him of writing the malware other than the media?

According to KSNV News 3 reporter Christy Wilcox… AUSA Dan Cowhig accused Mr Hutchins of writing the malware.

The transcript of the Aug 4 hearing contains, on pp.7-8:

MR. COWHIG: […] In his interview following his arrest, Mr. Hutchins admitted that he was the author of the code that became the Kronos malware and admitted that he had sold that code to another.

Among the evidence that the Government will present at his trial will be that there are chat logs in which Mr. Hutchins discusses with an associate the sale of the Kronos banking trojan through his associate splitting the proceeds of the Kronos trojan with his associate, where he complains about the amount of money that he received for the sale of the banking trojan and where he received a request from that associate to update the Kronos banking trojan. The associate in these chats is the person from whom the law enforcement agents purchased the Kronos trojan on AlphaBay as specified in the indictment.

(Note that I’m seeing this transcript for the first time on Fri, Aug 11, 2017. This story is no longer on Techdirt’s front page.)

Anonymous Coward says:

There are several disturbing issues here:

1. If you do something that is completely legal and socially acceptable in your home country, say burp, and then go to a foreign country does the foreign have the right to prosecute you for burping? According to the concept of:

Wikipedia
https://en.wikipedia.org/wiki/Universal_jurisdiction

Universal jurisdiction allows states or international organizations to claim criminal jurisdiction over an accused person regardless of where the alleged crime was committed, and regardless of the accused’s nationality, country of residence, or any other relation with the prosecuting entity. Crimes prosecuted under universal jurisdiction are considered crimes against all, too serious to tolerate jurisdictional arbitrage.

The point here is nationalism. Does a country have the right to claim a legal action in one’s home country and performed there is a prosecutable and illegal actin their country.

2. Under universal jurisdiction does a country not only have the right to declare that legal actions in one’s home country are not only illegal but are extraditable/ If I recall correctly that is exactly what the US did to a UK subject. Extradite him to the US for trial and conviction for performing legal actions in the UK.

3. What is going to happen when China, Russia, Arabia decide that free speech made in the US violates their laws, that universal jurisdiction applies, and then foreseeable extradite (kidnap from US perspective) US politicians to stand trial followed by lengthy prison terms?

Anonymous Coward says:

Eastern District of Wisconsin Docket

CourtListener (RECAP) finally has a page up copying the docket from the Eastern District of Wisconsin.

US v Hutchins docket (E.D.Wis. 2:17-cr-00124)

Document 6: Redacted Indictment as to Marcus Hutchins

The link to (another) copy of the indictment is just an indicator that this is in fact the docket for the Hutchins case. Currently, CourtListener still has this docket page titled as “United States v. SEALED”.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...