Posts

When Insisting on the Letter of the Law Counts Amounts to Being “Hyper-Technical”

After almost two months, the Magistrate in the MalwareTech case, Nancy Joseph, has finally responded to his motions to dismiss his interview and most charges in the indictment (here’s my snarky summary of the arguments the judge considered, with links to those motions). She ruled against him on every motion.

I won’t deal with Hutchins’ challenge to his interview statements; as I’ve said all along, that was unlikely to succeed, but the process of getting here did introduce evidence that should damage the arresting officers’ credibility on the stand for the trial.

There may be no evidence in the CFAA charges but there is enough to withstand this challenge

Hutchins’ first challenge is to a series of Computer Fraud and Abuse Act and Wiretapping charges, which his team argued did not correctly apply the statutes.

Hutchins moves to dismiss the first superseding indictment for failure to state an offense under Federal Rule of Criminal Procedure 12(b). In this motion, Hutchins contends that (1) Counts One and Seven fail to allege any facts that show he intended to cause “damage” to a computer within the meaning of the Computer Fraud and Abuse Act; (2) Counts One through Six do not state an offense because software such as Kronos and UPAS Kit is not an “electronic device” within the meaning of the Wiretap Act; and (3) Counts One, Four through Eight, and Ten do not allege the necessary intent and causation required to prove a conspiracy.

In her recommendation, Joseph suggests there may not be proof to support these charges, but unless this challenge is an issue regarding the application of the law to a set of undisputed facts, then insufficient evidence is not adequate to throw out a charge.

On a pretrial motion to dismiss, an indictment “is reviewed on its face, regardless of the strength or weakness of the government’s case.” White, 610 F.3d at 958. A defendant may not, via pretrial motion, challenge the sufficiency of the government’s proof. See United States v. Yasak, 884 F.2d 996, 1001 (7th Cir. 1989) (“A motion to dismiss is not intended to be a ‘summary trial of the evidence.’”). The court dismisses an indictment only if the government’s inability to prove its case appears convincingly on the face of the indictment. Castor, 558 F.2d at 384.

With this and later charges, she then analyzes the sufficiency of the indictment based on whether it includes the language of the statute, not whether it uses that language in the way the Circuit has ruled it should be or Congress intended it. So, in spite of the fact that there’s no evidence Hutchins had the intent to damage computers, because the government has defined programs Hutchins contributed to as “malware” and then defined malware as “code intended to damage a computer” (which, Hutchins argued, is not how the Seventh Circuit defines malware) their charge is sufficient.

Hutchins ignores that the indictment itself describes Kronos and UPAS Kit as “malware,” which it defines as “malicious computer code intended to damage a computer.” (Id. at 1(d)–(f).) That is sufficient to allege intent to cause damage. The crux of Hutchins’ argument is that the government cannot prove this.

Asking that the government adhere to the law as Congress wrote it is “hyper-technical”

Similarly, in spite of the fact that Congress defined wiretapping as an “electronic, mechanical, or other evidence,” Joseph says the way the government applies it instead to software passes muster until Hutchins proves that software is not hardware at trial.

Hutchins argues that the Wiretap Act’s definition of this phrase, “any device or apparatus which can be used to intercept a wire, oral, or electronic communication,” does not include software because software is not within the ordinary meaning of “device.”

As noted above, it is not appropriate to dismiss criminal indictments without undisputed facts supporting the conclusion that a jury trial is unnecessary. While the indictment briefly defines Kronos and UPAS Kit, the details of their functions and their relationships to more traditional “devices” such as computers will be a matter for the jury.

Permitting the government to sustain any possible definition of wiretapping

Her decision to permit the government to define malware as a device makes it unsurprising that she keeps both charges two and three, which charge the same advertising a wiretapping device twice. The government defended this charging decision based on its assertion of the right to pick its own dictionary, and having already ceded the government that authority, keeping both charges two and three is consistent with her other decisions.

Mistaking the conspiracy for the direct sale

The way in which Joseph dismisses Hutchins’ challenge to how the government charged him with conspiracy to commit CFAA is curious for other reasons. This is a conspiracy case, and while I think it possible the government could succeed at trial in arguing that because Hutchins’ alleged co-conspirator fully intended his customers (like the government’s informant) to hack computers, that means he entered into a conspiracy to do so. Joseph doesn’t rely on the powerful way the government uses conspiracy charges at all. Indeed, she edits out mention of that co-conspirator, without whom no sale would have taken place.

Hutchins argues that the indictment “conflates [Hutchins’] alleged selling of the software with a specific intent for buyers to commit an illegal act with the software. There is no allegation that Mr. Hutchins . . . intended any specific result to occur because of the sales. . . . Merely writing a program and selling it—when any illegal activity is up to the buyer to perform—is not enough to allege specific intent by Mr. Hutchins.” (Id. at 95.) Here again, Hutchins tries to impose a standard for civil pleading on a criminal indictment.

The language about intent and causation tracks the statutory elements, and that is all that is required in an indictment.

Effectively, Joseph seems to be arguing a CFAA charge itself rather than a conspiracy to commit CFAA charge. That’s problematic given that Hutchins raised a Seventh Circuit standard applying to conspiracies to sell stuff (drugs) that would be on point.

Intentionality is required but attempts are sufficient

In one of the charges where Hutchins is personally charged with CFAA, rather than conspiracy, Joseph permits the government’s effort to effect a conspiracy anyway, by first agreeing that intent is required, but then saying that attempting to do something even in absence of intent amounts to intent anyway.

To prove an attempt to violate § 1030(a)(5)(A), the government must prove that (1) Hutchins knowingly took a substantial step toward committing a violation of § 1030(a)(5)(A) and (2) that he did so with the intent to violate § 1030(a)(5). Seventh Circuit Pattern Jury Instruction 4.09. Accordingly, although Hutchins is correct that §1030(a)(5) does require that the damage be intentional, he is incorrect that the charge does not allege intentionality. It alleges an attempt, and intentionality is a necessary component of an attempt. In other words, the phrase “intentionally attempted” would be redundant.

Because Count Seven, read practically and not in a hyper-technical manner, sets forth the elements of an attempt to violate § 1030(a)(5), it is sufficient.

Again, “hyper-technical” is doing a lot of work here.

A YouTube in California is an overt act in Wisconsin

Hutchins may have fucked himself a bit by waiving all venue challenges to Wisconsin (venue here comes from an Agent buying two pieces of malware and then committing no crimes with it). Still, his argument clearly lays out parts of the government’s claim that he can be charged in the United States — notably, via a YouTube had no tie to and his co-conspirator only linked — that argue there were no overt acts in the US.

Joseph ignores the parts of the argument where Hutchins lays out that the government doesn’t argue any basis for venue and declares the allegations sufficient.

Count One alleges various acts in furtherance of a conspiracy resulting in the sale of UPAS Kit and Kronos to individuals in the Eastern District of Wisconsin.

Of course, Hutchins is correct that an offense cannot be prosecuted anywhere in the world just because it involves the Internet. (Docket # 105 at 5.) But the indictment does not do that. On the contrary, it alleges that relevant events occurred in the state and Eastern District of Wisconsin. Whether the government will be able to prove that is a question for another day. At this juncture, it is sufficient that the indictment alleges that the violations occurred within the state and Eastern District of Wisconsin.

Dodging the issue of the informant who is the only one who has damaged or wiretapped computers

Joseph effectively dodges the entirety of Hutchins’ renewed demand for the identity of “Randy,” the informant whom the government describes as the only one who actually damaged (if malware damages computers) or wiretapped anything, which is that Randy is an unindicted co-conspirator, not an informant. She just says 30 days notice of Randy’s identity is sufficient.

The hyper-technical problems with treating malware as a device

It’s in the Wiretap Act where this ruling is most alarming. Joseph twice appears to misunderstand that Hutchins is not alleged to have wiretapped anything himself, but instead coded malware that his alleged co-conspirator sold, which other then people used to collect data (as noted, the government’s informant is the only one alleged to have illegally collected any data here).

In the absence of more details, it is unwarranted at this stage to evaluate whether they alone qualify as “devices” or to assume that the government could not produce evidence that Hutchins did in fact use an indisputable “device” of some kind, if not the software itself than a computer or some other device.

[snip]

There is simply no authority for the argument that software cannot constitute a “device” within the meaning of the Wiretap Act, and even if there were, there are simply not sufficient facts before the court to determine that Hutchins did not violate the Wiretap Act using some “device” in connection with Kronos and UPAS Kit. [my emphasis]

More troubling still, in adopting the government’s expansive definition of wiretapping, she suggests doing otherwise is “hyper-technical.”

[T]here are reasons to doubt such a strict interpretation of the Wiretap Act would be warranted even if this court were to undertake such an interpretation. Determining that the Wiretap Act could never apply to software would require the court to overlook the notably broad language of the Wiretap Act, which was to generally prohibit unauthorized artificial interception of communication in an era of changing technologies, in favor of a hyper-technical reading of the statute. It would also require the court to adopt a very restrictive definition of “electronic, mechanical, or other device” that may not comport with legislative intent, the ordinary meaning of those words, or the (scant) existing case law. Cf. Luis v. Zang, 833 F.3d 619 (6th Cir. 2016); In re Carrier IQ, Inc., 78 F. Supp. 3d 1051 (N.D. Cal. 2015).

Most charitably, this should be taken as a punt. Because Joseph doesn’t realize that the facts are almost undisputed (because the government admitted that in this case a computer would be the device doing any wiretapping, not the malware itself), she dodges the issue of law that, she says, could be the appropriate standard for dismissal.

But in fact, it reverses the burden, permitting prosecutors to invent new readings of law, and permitting that reading until such time as Hutchins demonstrates at trial that’s explicitly not what Congress intended.

Ultimately, though, it seems that Joseph has been staring at several well-substantiated technical arguments about how the law is written and, having despaired of understanding that, simply declared treating the law as it was either written or has been interpreted by the Courts amounts to being “hyper-technical” and punted that job to the jury. That’s not surprising. Indeed, that’s one of the grave risks of defending against a hacking charge in a place that sees little of it. But everywhere where Hutchins made a legal careful argument, Joseph either let the government invent different meanings willy nilly or just deferred all treatment of the technical issues to trial.

To Pre-empt an Ass-Handing, the Government Lards on Problematic New Charges against MalwareTech

When last we checked in on the MalwareTech (Marcus Hutchins) case, both FBI agents involved in his arrest had shown different kinds of unreliability on the stand and in their written assertions, and Hutchins’ defense had raised a slew of legal challenges that, together, showed the government stretching to use wiretapping and CFAA statutes to encompass writing code so as to include Hutchins in the charges. It looked like the magistrate in the case, Nancy Joseph, might start throwing out some of the government’s more expansive legal theories.

That is, it looked like the government’s ill-advised decision to prosecute Hutchins in the first place might be mercifully put out of its misery with some kind of dismissal.

But the government, which refuses to cut its losses on its own prosecutorial misjudgments, just doubled down with a 10-count superseding indictment. Effectively, the superseding creates new counts, first of all, by charging Hutchins for stuff that 1) is outside a five year statute of limitations and 2) he did when he was a minor (that is, stuff that shouldn’t be legally charged at all), and then adding a wire fraud conspiracy and false statements charge to try to bypass all the defects in the original indictment. [See update below — I actually think what they’re doing is even crazier and more dangerous.]

The false statements charge is the best of all, because for it to be true a Nevada prosecutor would have to be named as Hutchins’ co-conspirator, because his representations in court last summer directly contradict the claims in this new indictment.

Wherein financial criminals VinnyK and Randy become bit players in criminal mastermind Marcus Hutchins’ drama

To understand how they’re doing this, first understand there are two criminals Hutchins is alleged to have had interactions with three-plus years ago:

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With this superseding indictment, the government has turned these two criminals into the bit players in a scheme in which Hutchins is now the targeted criminal.

Interestingly, unlike in the original indictment, VinnyK is not charged in this superseding indictment. I’m not sure what that means — whether the government has decided they like him now, they’ll never get him extradited and he won’t show up at DefCon because he’s learned Hutchins’ lesson, or maybe even they’ve gotten him to flip in a bid to avoid embarrassment with Hutchins. So there’s one guy the government admits is a criminal — Randy — and another guy they believed was a serious enough criminal they had to arrest the guy who saved the world from WannaCry to help find, VinnyK. Neither is charged in this indictment. Hutchins is.

Conspiracy to violate minors outside the statute of limitations

As I said, one way the government gets from 6 to 10 counts is by identifying a second piece of software — allegedly written by Hutchins — that VinnyK sold, so as to charge the same legally suspect crimes twice.

This is a comparison of the old versus new indictment.

As I understand it (though the indictment is damned vague on this point) the additional wiretapping and CFAA charges come from a second piece of software.

Here’s what that second alleged crime looks like:

a. Defendant MARCUS HUTCHINS developed UPAS Kit and provided it to [VinnyK], who was using alias “Aurora123” at the time.

b. On or about July 3, 2012, [VinnyK], sold and distributed UPAS Kit to an individual located in the Eastern District of Wisconsin in exchange for $1,500 in digital currency.

c. On or about July 20, 2012, [VinnyK], distributed an updated version of UPAS Kit to an individual in the Eastern District of Wisconsin.

First of all, notice how Hutchins’ activities in this second crime aren’t listed with any date? Wikipedia says Hutchins was born in June 1994 and I’ve confirmed that was when he was born. Which means either he coded UPAS Kit in a few weeks or less, or the actions he’s accused of here happened when he was a minor.

Now look at your calendar. July 2012 was 6 years ago, so outside a 5  year statute of limitations; for some reason the government didn’t even try to include the July 20, 2012 action when they first charged this last year. One way or another, the SOL has tolled on these actions.

The time periods for this new alleged crime, though, is listed as July 2014 to August 2014. Except all new actions listed in that time period are tied to Kronos, not UPAS. In other words, unless I’m missing something, the government has tried to confuse the jury by charging Kronos twice, all while introducing UPAS, which is both tolled and on which Hutchins’ alleged role occurred while he was a minor.

[See update below,]

Criminalizing malware research

The effort against Hutchins always threatened to criminalize malware research. But the government (perhaps in an effort to substantiate a second crime associated with Kronos) has gone one step further with this claim:

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government doesn’t explain this (and I guarantee you they didn’t explain this to the grand jury — I mean they put the word “hacked” right there so it must be EVIL), but they’re claiming this article talking about how to thwart Phase Bot malware via vulnerabilities in its command and control module — that is, a post about how to defeat malware!!!! — is really a devious plot to undercut the competition.

Again, the original indictment was dangerous enough. But now the government is claiming that if you write about how to thwart malware, you might be doing it for criminal purposes.

Charging the other bad guys with wire fraud conspiracy

As a reminder, the charges in the original indictment (which remain largely intact here) were problematic because selling Kronos fit neither the definition of wiretapping nor CFAA (the latter because it doesn’t damage computers). In an apparent attempt to get out of that problem (though not the venue one, which best as I can tell remains a glaring problem here), they’ve added a conspiracy to commit wire fraud, arguing that Hutchins “knowingly conspired and agreed with [VinnyK] and others unknown to the Grand Jury, to devise and participate in a scheme to defraud and obtain money by means of false and fraudulent pretenses and transmit by wire in interstate and foreign commerce any writing, signs, and signals for the purpose of executing the scheme.”

I’ll let the lawyers explain whether this charge will hold up better than the wiretapping and CFAA ones. But at least as alleged, all VinnyK has ever done (even assuming Hutchins can be shown to have agreed with this) is to sell Kronos to an FBI agent in Wisconsin.

The only one in this entire indictment described as actually making money off using Kronos is Randy, the guy the US government isn’t prosecuting because he narced out Hutchins. Meaning the guy with whom Hutchins would most credibly be claimed to have conspired to commit wire fraud is the one guy not mentioned in the charge.

But for some reason the government decided the just thing to do when faced with these facts was charge only the guy who saved the world from WannaCry.

Charging false statements after both FBI agents have been shown to be unreliable

Which brings us, finally, to what is probably the point of this superseding indictment, the government’s effort to salvage their authority. They’ve charged Hutchins with lying to the FBI about knowing that his code was part of Kronos.

On August 2, 2017, the Federal Bureau of Investigation was conducting an investigation related to Kronos, which was a matter within the jurisdiction of the Federal Bureau of Investigation.

On or about August 2, 2017, in the state of Eastern District of Wisconsin and elsewhere,

[Hutchins]

knowingly and willfully made a materially false, fictitious, and fraudulent statement and represented in a matter within the jurisdiction of the Federal Bureau of Investigation when he stated in sum and substance that he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016, when in truth and fact, as HUTCHINS then knew, this statement was false because as early as November 2014, HUTCHINS made multiple statements to Individual B in which HUTCHINS acknowledged his role in developing Kronos and his partnership with Individual A.

Whoo boy.

First of all, as I’ve noted, one agent Hutchins allegedly lied to had repeatedly tweaked his Miranda form, without noting that she did that well after he signed the form. The other one appears to have claimed on the stand that he explained to Hutchins what he had been charged with, when the transcript of Hutchins’ interrogation shows the very same agent admitting he hadn’t explained that until an hour later.

So the government is planning on putting one or two FBI agents who have both made inaccurate statements — arguably even lied — to try to put Hutchins in a cage for lying. And they’re claiming that they were “conducting an investigation related to Kronos,” which is 1) what they didn’t tell Hutchins until over an hour after his interview started and 2) what they had already charged him for by the time of the interview.

Oh wait! It gets better. See how they describe that Hutchins lied in Wisconsin?

The interrogation happened in Las Vegas, which last I checked was not anywhere near Eastern District of Wisconsin. I mean, I’m sure there’s a way to finesse these things wit that “and elsewhere” language, but this indictment simply asserts that an interrogation room in the Las Vegas airport was in Milwaukee.

And there’s more!!!

On top of the fact that one or another agent who themselves have credibility problems would have to go on the stand to accuse Hutchins of lying, and on top of the fact that they say this thing that happened in Las Vegas didn’t stay in Las Vegas but was actually in Milwaukee, there’s the fact that AUSA Dan Cowhig, on August 4, 2017, in a bid to deny Hutchins bail, represented to a judge that,

In his interview following his arrest, Mr. Hutchins admitted that he was the author of the code that became the Kronos malware and admitted that he sold that code to another.

We don’t have the full transcript of Hutchins’ interrogation yet (parts released by the defense show him admitting to underlying code, which may be what this UPAS stuff is about, though denying Kronos itself). But for it to be true that Hutchins lied about knowing that “his computer code was part of Kronos until he reverse engineered the malware,” then Cowhig would have had to be lying last year.

So to sum up: the government’s bid to save face, on top of some jimmying with dates and using Randy to accuse Hutchins of something that Randy is far more guilty of, is to put two agents who have real credibility problems on the stand to argue that their colleague in Nevada, which apparently spends its summers in Wisconsin, lied last year when he claimed that Marcus admitted “he was the author of the code that became the Kronos malware.”

Update: It has been suggested those 2012 UPAS Kit actions got included because they are part of the conspiracy, which is how they get beyond tolling (though not Hutchins’ age). If the government is arguing that UPAS is the underlying code that Hutchins contributed to Kronos, then that might make sense. Except that then the false statements charge becomes even more ridiculous, because we know that Hutchins admitted to that bit.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Also note, at least according to Hutchins’ jail call to his boss, GCHQ vetted this earlier activity and found it to be unproblematic.

Update: On fourth read (this indictment makes no sense), I think the new charges are not the 2012 sales, but a vague crime based on the marketing, but no sale, of malware in 2014. In other words, they’re accusing Hutchins of wiretapping and CFAA crimes because someone else posted a YouTube. Note, the YouTube in question has already been litigated, as the government is trying hard to get venue because of that — because YouTube is based in the US.

This is such an unbelievably dangerous argument; it’s a real testament to the sheer arrogance of this prosecution at this point, that they’ll stop at nothing to avoid the embarrassment of admitting how badly they fucked up.

The MalwareTech Poker Hand: Calling DOJ’s Bluff

With a full poker hand’s worth of filings on Friday, MalwareTech’s (AKA Marcus Hutchins) lawyers are finally revealing the main thrust of their defense. The five filings are:

  1. A motion for a bill of particulars, basically demanding that the government reveal what 10 computers Hutchins and his alleged co-conspirator conspired and intended to damage
  2. A motion to suppress the statements Hutchins made after he was arrested, requesting an evidentiary hearing, based on the fact that Hutchins was high and exhausted and didn’t know US law about Miranda warnings
  3. A motion to dismiss the indictment, arguing on three different grounds that,
    • The CFAA charges (one and six) don’t allege any intent to cause damage to a protected computer (because the malware in question steals data, but doesn’t damage affected computers)
    • The Wiretapping charges (two through five) don’t allege the use of a device as defined under the Wiretap Act, but instead show use of software
    • The sales-related charges (one, five, and six) conflate the sale of malware with the ultimate effect of it
  4. A motion to dismiss the indictment for improper extraterritorial application and venue, effectively because this case should never have been charged in the US, much less Milwaukee
  5. A motion to dismiss charges two and six based on suspected improper grand jury instruction failing to require intentionality

Effectively, these five motions (which are likely to meet with mixed success, but even where they’re likely to fail, will lay the groundwork for trial) work together to sustain an argument that Hutchins should never have been charged with these crimes in the US, and that FBI may have cheated a bit to get the incriminatory statements that might let them sustain the prosecution.

I laid out the general oddity of these charges here, and the background to the Miranda challenge and grand jury instructions here, here, and here.

Hutchins was high and tired, not drunk, for his one minute Miranda warning

While I don’t expect the Miranda challenge (item 2) to be effective on its face, I do expect it to serve as groundwork for a significant attempt to discredit Hutchin’s incriminatory statements at trial. This motion provides more detail about why his defense thinks it will be an effective tactic. It’s not just that Hutchins is a foreigner and couldn’t be expected to know how US Miranda works, or that the FBI only documented that they asked Hutchins if he had drinking alcohol four months after the arrest (as I laid out here). But as the motion notes, the FBI doesn’t claim to have asked whether he was exhausted or otherwise intoxicated.

According to an FBI memorandum, before “initiating a post arrest interview,” an agent asked Mr. Hutchins if he had been drinking that day, and he responded that he had not. That memorandum, written over four months after the arrest, then states that the agent asked Mr. Hutchins “if has [sic] in a good state of mind to speak to the FBI Hutchins agreed.” Mr. Hutchins did not understand it to be an inquiry as to whether he had used drugs or was exhausted.

The initial 302 of the interrogation records Hutchins telling the agents that he had been partying and not sleeping.

Mr. Hutchins discussed his partying while in Las Vegas, as well as his lack of sleep, during the interrogation.

The motion admits that he had been using drugs (of unspecified type) the night before.

As Mr. Hutchins sat in the airport lounge, he was not drinking, but he was exhausted from partying all week and staying up the night before until the wee hours. He had also used drugs.

Nevada legalized the recreational use of marijuana effective July 2017, so if he was still high during this interview, he might have been legally intoxicated under state (but not federal) law. And there’s not a lick of evidence that the FBI asked him about that.

After laying out that the FBI has no record of asking Hutchins whether he was sober (rather than just not drunk), the motion reveals that the FBI couldn’t decide at what time it gave Hutchins his Miranda warning.

An FBI Advice of Rights form sets forth Miranda warnings and reflects Mr. Hutchins’ signature. It is dated August 2, 2017, but the time it was completed includes two crossed out times, 11:08 a.m. and 2:08 p.m., and one uncrossed out time, 1:18 p.m. (which is one minute after the FBI log reflects Mr. Hutchins’ arrest, as noted above).

And as noted before, and reiterated here, the FBI didn’t record that part of his interview.

The motion notes that if the final, current record of the time of warning is correct, then the Miranda warning, including any discussion of how US law differs from British law, took place in the minute after he was whisked away from this gate.

Hutchins recently tweeted that he “slept the entire time I was in prison,” which while not accurate (he was neither in prison nor in real solitary), would otherwise corroborate the claim he was exhausted.

The government’s cobbled case on intentionality and computer law

Items 3 and 5, arguing the law is inappropriately applied and specifically not instructed correctly with regards to two charges, work together to argue that the government has cobbled together charges against Hutchins via misapplying both CFAA and Wiretap law, and in turn using conspiracy charges and misstating requisite intentionality to be able to get at Hutchins.

As I’ve noted, Hutchins’ lawyers have been arguing for some time that the government may not have properly instructed the grand jury on the intentionality required under charges 2 and 6. At a hearing in February, Magistrate Nancy Joseph showed some sympathy to this argument (though is still reviewing whether the defense should get the grand jury instructions). As I noted in that post, whereas the government once claimed it would easily fix this problem by getting a superseding indictment (possibly larding on new charges), they seem to have lost their enthusiasm for doing so.

It’s the combination of the rest of the legal challenge that I find more interesting. The challenge will interact with recent innovations in charging other foreign hackers, especially a bunch of Russians that will make DOJ especially defensive of this challenge. But the motions all cite Seventh Circuit precedent closely, so I’m not sure whether that matters.

Ultimately, this motion makes roughly the same arguments that Orin Kerr made as soon as the indictment came out. As he introduced his more thorough explanation in August,

This raises an interesting legal question: Is it a crime to create and sell malware?

The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability — basically, aiding and abetting a hacking crime.

Do the charges hold up? Just based on a first look at the case, my sense is that the government’s theory of the case is fairly aggressive. It will lead to some significant legal challenges. It’s hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don’t have all the facts or even what the government thinks are the facts. So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we’ll have to stay tuned.

Kerr is not flaming hippie, so I assume that these arguments will be rather serious challenges for the government and I await the analysis of this challenge by more Fourth Amendment lawyers. But as he suggested back in August, Hutchins’ team may well be right that this indictment is an overreach.

DOJ still hasn’t explained why it charged Hutchins for a crime with no known US victims

While requests for Bill of Particulars (basically, a request for more details about what the government is claiming broke the law) are usually unsuccessful, this one does two interesting things. It asks the government for proof of damage, including proof of which ten computers got damaged.

Mr. Hutchins asks that the government be required to particularize the “damage” it intends to offer into evidence at trial in connection with the alleged violations of the Computer Fraud and Abuse Act by the two defendants. Mr. Hutchins also asks that the government be required to particularize the “10 or more protected computers” to which it contends the defendants conspired and attempted to cause “damage.”

Whether the motion itself is successful or not, demanding proof that ten computers were damaged helps support the challenge to the two CFAA charges based on whether stealing credentials amounts to damage. It also lays the groundwork for the motion made explicitly in item 4 — that Hutchins should never have been charged in the US, much less Wisconsin.

As I laid out in this piece, it appears likely that charges against Hutchins arose out of back door searches done as part of the investigation into who “MalwareTech” was after he sinkholed WannaCry. For whatever reason (probably because the government thought Hutchins could inform on someone, possibly related to either WannaCry itself or Kelihos), the government decided to cobble together a case against Hutchins consisting — by all appearances — entirely of incidental collection so as to coerce him into a plea deal. When he got a team of very good lawyers and then bail, that put a lot more pressure on the appropriateness of the charges in the first place.

So now, eight months after Hutchins was arrested, we’re finally getting to that question of why the US government decided to charge him for a crime that even DOJ didn’t claim had significant US victims.

The motion starts by noting that Hutchins didn’t do most of the acts alleged, his co-defendant Tran (whom the government has shown little urgency in extraditing) did. But even for Tran’s acts (basically marketing and selling the malware), there’s no affirmative tie made to Wisconsin.

As part of the purported conspiracy, the indictment alleges that Mr. Hutchins created the Kronos software, described as “a particular type of malware that recorded and exfiltrated user credentials and personal identifying information from protected computers.” (Id. ¶¶ 3(e), 4(a).) It also alleges that Mr. Hutchins and his co-defendant later updated Kronos. (Id. ¶ 4(d).)

All other alleged overt acts in furtherance of the purported conspiracy pertain solely to Mr. Hutchins’ co-defendant. Per the indictment, the codefendant (1) used a video posted to YouTube to demonstrate how Kronos worked, (2) advertised Kronos on internet forums, (3) sold a version of Kronos, and (4) offered crypting services for Kronos. (Id. ¶¶ 4(b), (c), (e), (f), (g).)

Aside from a bare allegation that each offense was committed “in the state and Eastern District of Wisconsin and elsewhere,” the indictment does not describe any connection to this District.

While the government has long suggested that the case is in EDWI because an FBI agent located there bought a copy of Kronos, the motion suggests Hutchins’ team hasn’t even seen good evidence of that yet.

Here, the indictment reflects that Mr. Hutchins was on foreign soil, and any acts he performed occurred there. There is no indication that damage was caused in the Eastern District of Wisconsin—or, indeed, that any damage occurred at all. At best, a buyer was present in this District. But the buyer would then need to use Kronos to cause damage in the District for venue to lie. Nothing [i]n the indictment supports that conclusion.

The charging of two foreigners is all the more problematic on the four wiretapping charges, given that (unlike CFAA), Congress did not mean to apply it to foreigners.

There is evidence that Congress intended the CFAA—the legal basis of Counts One and Six—to have extraterritorial application. The CFAA prohibits certain conduct with respect to “protected computers,” 18 U.S.C. § 1030(e)(2)(B), and the legislative history shows that Congress crafted the definition of that term with foreign-based attackers in mind. S. Rep. 104-357, at 4-5 (1996).

The Wiretap Act—at issue in Counts Two through Five—is different, though. That law does not reflect a clear congressional mandate that it should apply extraterritorially. Accordingly, courts have repeatedly found that it “has no extraterritorial force.” Huff v. Spaw, 794 F.3d 543, 547 (6th Cir. 2015) (quoting United States v. Peterson, 812 F.2d 486, 492 (9th Cir. 1987)).

There is a great deal of precedent to establish venue based on where a federal agent bought something. Indeed, the main AlphaBay case against Alexandre Cazes consisted of that (remember that Kronos was ultimately sold on AlphaBay). But that case was based on the illegal sale of drugs and ATM skimmers, not software, which given the challenge to the CFAA and Wiretapping application here, might make the EDWI purchase of Kronos insufficient to justify venue here.

I’m not sure whether this motion will succeed or not. But one way or another, given that the defense appears to have seen no real basis for venue here, this motion may serve as critical groundwork for what appears to be a justifiable argument that this case should never have been charged in the US.

I keep waiting for DOJ to give up this case in the face of having to argue that the guy who sinkholed WannaCry should be prosecuted because he refused to accept a plea deal on charges with no known US victims. But they’re probably too stubborn to do that.

Update: Corrected Joseph’s name. h/t GM.