United States v. Yucel

District Court, S.D. New York
97 F. Supp. 3d 413 (2015)

ELI5:

Rule of Law:

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a)(5)(A), is not unconstitutionally vague as applied to a defendant who creates and distributes malware designed to surreptitiously infect computers, steal data, and allow remote control. Key terms such as "protected computer," "damage," and "without authorization" provide sufficiently clear notice of the prohibited conduct and do not encourage arbitrary enforcement in this context.

Facts:

Alex Yücel was a founder of an organization that distributed malicious software ('malware') under the brand name 'Blackshades.'
Yücel was the original developer of the Blackshades Remote Access Tool (RAT), a key component of the malware.
The Blackshades RAT enabled users to remotely control victims' computers, capture keystrokes using a 'keylogger' function, activate webcams, and search personal files.
The RAT also had a function to scan victims' hard drives for 16-digit numbers, which were expected to be credit card numbers.
Yücel controlled the server that hosted the Blackshades website, which was used to create at least 6,000 customer accounts for the malware.
The server Yücel controlled contained thousands of stolen usernames and passwords.
In an email to a business partner, Yücel stated that he had stolen credit card numbers.

Procedural Posture:

A grand jury in the U.S. District Court for the Southern District of New York indicted Alex Yücel on one count of conspiracy to commit computer hacking.
Subsequently, a different grand jury returned a Superseding Indictment charging Yücel with five counts, including the count at issue for distribution of malicious software under 18 U.S.C. § 1030(a)(5)(A).
Yücel, a citizen of Sweden, was extradited from the Republic of Moldova to the United States to face the charges.
In the U.S. District Court, Yücel filed a motion to dismiss Count II of the Superseding Indictment, arguing the statute is unconstitutionally void for vagueness as applied to him.

Premium Content

Subscribe to Lexplug to view the complete brief

You're viewing a preview with Rule of Law, Facts, and Procedural Posture

Issue:

Does the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a)(5)(A), violate the Due Process Clause of the Fifth Amendment by being unconstitutionally void for vagueness as applied to a defendant who created and distributed malware designed to remotely control victims' computers and steal their personal information?

Opinions:

Majority - Castel, District Judge

No. The Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(5)(A), is not unconstitutionally vague as applied to Yücel's conduct because its terms provide clear notice that his actions were prohibited and do not encourage arbitrary enforcement. The court reasoned that the challenged terms—'protected computer,' 'damage,' and 'without authorization'—are sufficiently clear in this context. A 'protected computer' is any computer connected to the internet, as the internet is an instrumentality of interstate commerce. 'Damage' is defined as 'any impairment to the integrity or availability' of a system; surreptitiously installing a RAT that allows an unauthorized user to control a computer and extract data impairs its 'uncorrupted condition' and thus constitutes damage. Finally, 'without authorization' is unambiguous as applied to Yücel, as it plainly means without the victim's permission, which was never given. The statute's intent requirement further limits its scope, ensuring that 'no person of ordinary intelligence could believe that [it was] somehow legal' to engage in this conduct.

Analysis:

This decision solidifies a broad interpretation of the Computer Fraud and Abuse Act (CFAA) in cases involving the creation and distribution of malware for external hacking. By defining 'protected computer' to include virtually any internet-connected device and 'damage' as any unauthorized modification impairing a system's integrity, the court ensures the CFAA remains a powerful prosecutorial tool against traditional cybercrime. The opinion strategically distinguishes these clear-cut criminal acts from more contentious applications of the CFAA, such as those involving employee misuse of workplace computers, thereby preserving the statute's core function while sidestepping ongoing circuit splits about the meaning of 'authorization' in other contexts. This provides federal prosecutors a stable legal footing for charging malware developers without needing to resolve the more ambiguous areas of the law.

🤖 Gunnerbot:

Query United States v. Yucel (2015) directly. You can ask questions about any aspect of the case. If it's in the case, Gunnerbot will know.

Subscribe to Lexplug to chat with the Gunnerbot about this case.

Unlock the full brief for United States v. Yucel

Get access to Issue, Opinions, Analysis, Gunnerbot & more for Lexplug's entire library of premium content

Premium Feature