United States v. Yücel

• Decision Date: 02 February 2015
• Docket Number: No. S1 13–cr–834 PKC.,S1 13–cr–834 PKC.
• Citation: 97 F.Supp.3d 413
• Parties: UNITED STATES of America v. Alex YÜCEL, Defendant.
• Court: U.S. District Court — Southern District of New York

97 F.Supp.3d 413

UNITED STATES of America

v.Alex YÜCEL, Defendant.

No. S1 13–cr–834 PKC.

United States District Court, S.D. New York.

Signed Feb. 2, 2015.

James J. Pastore, Jr., U.S. Attorney's Office, New York, NY, for United States of America.

MEMORANDUM AND ORDER

CASTEL, District Judge.

Defendant Alex Yücel moves to dismiss Count II of the Superseding Indictment (the “S1 Indictment,” Dkt. No. 9) on the grounds that the statute under which he is charged, 18 U.S.C. § 1030(a)(5)(A), is void for vagueness as applied to him.¹ For the following reasons, the motion is denied.

BACKGROUND

Yücel is alleged to be one of the founders of an organization that distributed malicious software (“malware”) under the brand name “Blackshades.” (Pastore Aff. ¶ 17.) The malware included a remote access tool (“RAT”), which enabled users “to remotely control victims' computers, including [by] captur[ing] the victims' keystrokes as they type”—the “keylogger” function—“turn[ing] on their webcams, and search[ing] through their personal files.” (Id. ¶ 17–a.) Keyloggers are frequently used to steal login information for online financial accounts. (Id. ) The RAT also had a functionality that scanned victims' hard drives for 16–digit numbers, which were expected to be credit card numbers. (Id. ) Blackshades also provided malware designed to launch distributed denial of service attacks. (Id. ) To use the malware, customers were required to set up an account with the organization, typically through the Blackshades website. (Id. ¶ 17–c.) There were at least 6,000 customer accounts created with the Blackshades organization. (Id. ¶ 17–b.)

Yücel is alleged to be the original developer of the Blackshades RAT (id. ¶ 20–a), and controlled the server that hosted the Blackshades website. (Id. ¶ 37.) That server, according to the government, contained thousands of stolen usernames and passwords. (Id. ¶ 29). This, together with email correspondence in which Yücel told a business partner that he had stolen credit card numbers (id. ¶ 27), supports, in the government's view, its assertion that Yücel not only sold malware but made use of it himself.

Yücel was indicted by a grand jury in this District on October 23, 2013, and charged with one count of conspiracy to commit computer hacking. On or about November 25, 2013, a different grand jury returned the S1 Indictment against Yücel, charging him with five counts, including the conspiracy count from the original indictment, and the count at issue on this motion, distribution of malicious software and aiding and abetting the same. Yücel is a citizen of Sweden (id. ¶ 34), and was extradited from the Republic of Moldova to the United States in May 2014.

DISCUSSION

I. Vagueness Challenge

The void-for-vagueness doctrine, rooted in the Due Process Clause of the Fifth Amendment, “requires that a penal statute define the criminal offense [1] with sufficient definiteness that ordinary people can understand what conduct is prohibited and [2] in a manner that does not encourage arbitrary and discriminatory enforcement.”United States v. Morrison, 686 F.3d 94, 103 (2d Cir.2012) (quoting Kolender v. Lawson, 461 U.S. 352, 357, 103 S.Ct. 1855, 75 L.Ed.2d 903 (1983) ). The first prong requires a court to determine “whether the statute, either standing alone or as construed, made it reasonably clear at the relevant time that the defendant's conduct was criminal.” United States v. Roberts, 363 F.3d 118, 123 (2d Cir.2004) (quoting United States v. Lanier, 520 U.S. 259, 267, 117 S.Ct. 1219, 137 L.Ed.2d 432 (1997) ). “[A]lthough clarity at the requisite level may be supplied by judicial gloss on an otherwise uncertain statute, due process bars courts from applying a novel construction of a criminal statute to conduct that neither the statute nor any prior judicial decision has fairly disclosed to be within its scope.” Id. (quoting Lanier, 520 U.S. at 266, 117 S.Ct. 1219 ). Under the second, “more important,” prong, Kolender, 461 U.S. at 358, 103 S.Ct. 1855, the inquiry is “whether the statutory language is of such a standardless sweep that it allows policemen, prosecutors, and juries to pursue their personal predilections.” Arriaga v. Mukasey, 521 F.3d 219, 228 (2d Cir.2008) (quoting Smith v. Goguen, 415 U.S. 566, 575, 94 S.Ct. 1242, 39 L.Ed.2d 605 (1974) (internal quotation marks and alterations omitted)). “A statute that reaches ‘a substantial amount of innocent conduct’ confers an impermissible degree of discretion on law enforcement authorities to determine who is subject to the law.” Id. (quoting City of Chicago v. Morales, 527 U.S. 41, 60–61, 119 S.Ct. 1849, 144 L.Ed.2d 67 (1999) ).

“Vagueness challenges to statutes not threatening First Amendment interests are examined in light of the facts of the case at hand; the statute is judged on an as-applied basis.” United States v. Coppola, 671 F.3d 220, 235 (2d Cir.2012) (quoting Maynard v. Cartwright, 486 U.S. 356, 361, 108 S.Ct. 1853, 100 L.Ed.2d 372 (1988) ). In such cases, regardless of whatever ambiguities may exist at the outer edges of the statute, a defendant cannot successfully challenge its vagueness if his own conduct, as alleged, is clearly prohibited by the statute. United States v. Nadirashvili, 655 F.3d 114, 122 (2d Cir.2011).

Count II of the S1 Indictment charges Yücel with violating 18 U.S.C. § 1030(a)(5)(A), a provision of the Computer Fraud and Abuse Act (“CFAA”), which prohibits “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.”² Yücel argues that the terms “protected computer,” “damage,” and “without authorization” render the statute unconstitutionally vague as applied to him.

A. “Protected Computer”

The CFAA defines “protected computer,” in relevant part, as a computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” 18 U.S.C. § 1030(e)(2)(B). The government contends that this definition encompasses any computer with an internet connection, and a number of courts have so held. See Freedom Banc Mortg. Servs., Inc. v. O'Harra, No. 2:11–cv–01073, 2012 WL 3862209, at *6 (S.D.Ohio Sept. 5, 2012) (holding that “[a] computer that is connected to the internet ... satisfies § 1030(e)(2)'s interstate commerce requirement even if the plaintiff used that connection to engage in only intrastate communications”); United States v. Fowler, No. 8:10–cr–65–T–24 AEP, 2010 WL 4269618, at *2 (M.D.Fla. Oct. 25, 2010) (holding that evidence that computers were connected to the internet and were used to send emails was sufficient to show that they were “protected”); Multiven, Inc. v. Cisco Systems, Inc., 725 F.Supp.2d 887, 891–92 (N.D.Cal.2010) (holding that the parties' agreement that the defendant's network was connected to the internet was sufficient to establish that the computers using the network were “protected”); Expert Janitorial, LLC v. Williams, No. 3:09–CV–283, 2010 WL 908740, at *8 (E.D.Tenn. Mar. 12, 2010) (holding that the allegation that a computer was used to access email accounts, and thus was connected to the internet, was sufficient to satisfy the “protected computer” requirement). Many other courts have adopted this definition of “protected computer,” although their cases also involved allegations or proof of actual involvement in interstate commerce, or addressed different questions. See, e.g., United States v. Nosal, 676 F.3d 854, 859 (9th Cir.2012) (stating that “ ‘protected computer’ is defined as a computer affected by or involved in interstate commerce—effectively all computers with Internet access”); United States v. Trotter, 478 F.3d 918, 921 (8th Cir.2007) (upholding the constitutionality of the CFAA as applied to a defendant who admitted that the relevant computers were connected to the internet); Dedalus Foundation v. Banach, No. 09 Civ. 2842(LAP), 2009 WL 3398595, at *2 (S.D.N.Y. Oct. 16, 2009) (noting that “[c]ourts have also found that computers that access the Internet through programs such as email qualify as protected computers”).³

This understanding of “protected computer” derives from the text of the definition itself. See O'Harra, 2012 WL 3862209, at *5–6. As the Supreme Court has recognized, the phrase “affecting interstate or foreign commerce” is a term of art used by Congress to signal that it is exercising its full power under the Commerce Clause. See Russell v. United States, 471 U.S. 858, 859, 105 S.Ct. 2455, 85 L.Ed.2d 829 (1985) (construing 18 U.S.C. § 844(i), a federal arson statute). The Commerce Clause allows Congress to regulate instrumentalities of interstate commerce. Pierce Cnty., Wash. v. Guillen, 537 U.S. 129, 147, 123 S.Ct. 720, 154 L.Ed.2d 610 (2003). The internet is an instrumentality of interstate commerce. United States v. Sutcliffe, 505 F.3d 944, 953 (9th Cir.2007) ; Trotter, 478 F.3d at 921 (discussing the CFAA) ; S.E.C. v. Straub, 921 F.Supp.2d 244, 262 (S.D.N.Y.2013). Any computer that is connected to the internet is thus “part of ‘a system that is inexorably intertwined with interstate commerce’ and thus properly within the realm of Congress's Commerce Clause Power.” Trotter, 478 F.3d at 921 (quoting United States v. MacEwan, 445 F.3d 237, 245 (3d Cir.2006) ). Much as Commerce Clause authority permits Congress to regulate the intrastate activities of railroad cars, S. Ry. Co. v. United States, 222 U.S. 20, 26–27, 32 S.Ct. 2, 56 L.Ed. 72 (1911), it now permits Congress to regulate computers connected to the internet, even in the unlikely event that those computers made only intrastate communications. See United States v. Roque, Crim. No. 12–540(KM), 2013 WL 2474686, at *2 (D.N.J. June 6, 2013).

The widespread agreement in the case law on the meaning of “protected computer,” which is...