United States v. Yucel
97 F. Supp. 3d 413
S.D.N.Y.2015Background
- Defendant Alex Yücel is accused founder/developer of the Blackshades organization and author/operator of a Remote Access Tool (RAT) that logged keystrokes, turned on webcams, scanned for credit-card numbers, and enabled remote control of victims’ internet-connected computers.
- Government alleges thousands of stolen usernames/passwords on a server Yücel controlled and at least 6,000 customer accounts for Blackshades; Yücel allegedly sold the RAT and used it himself.
- Yücel was extradited from Moldova and indicted in the Southern District of New York; Superseding Indictment Count II charges distribution of malicious software in violation of 18 U.S.C. § 1030(a)(5)(A).
- Yücel moved to dismiss Count II on the ground that § 1030(a)(5)(A) is unconstitutionally vague as applied to him, challenging the statutory terms “protected computer,” “damage,” and “without authorization.”
- The government disputes vagueness and supplies factual detail (Pastore affidavit) describing the alleged unauthorized installations, exfiltration of credentials, and ongoing compromise of victims’ systems.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Meaning of “protected computer” under § 1030(e)(2) | Statute is vague; term could be limitless and invite arbitrary enforcement | Government: covers computers that affect interstate/foreign commerce — effectively internet‑connected machines | Court: Not vague as applied; ordinary internet‑connected computers are “protected” and precedent supports this understanding |
| Meaning of “damage” under § 1030(e)(8) | Definition is elusive; case law conflicts (e.g., copying vs impairing) | Government: “damage” includes impairment of integrity/availability; RAT that compromises security and enables ongoing control fits the definition | Court: “Damage” includes impairment to integrity/availability; alleged RAT installation impairs system integrity and satisfies statute |
| Meaning of “without authorization” | Ambiguity in CFAA authorization jurisprudence generally | Government: ordinary meaning — not permitted by the victim; here victims did not consent to installations | Court: Phrase is unambiguous as applied; installing RATs without victim permission is “without authorization” |
| Sufficiency of the indictment | Suggests vagueness/specificity problems with details about type of damage, how computers are “protected,” and authorization | Government: indictment tracks statutory language, provides time/place, and provided detailed discovery (Pastore aff.) | Court: Indictment is sufficient; tracks statute, contains a “to‑wit” description, and Yücel has not shown prejudice |
Key Cases Cited
- United States v. Morrison, 686 F.3d 94 (2d Cir. 2012) (void‑for‑vagueness standards under Due Process)
- Kolender v. Lawson, 461 U.S. 352 (1983) (vagueness test: fair notice and arbitrary enforcement)
- United States v. Lanier, 520 U.S. 259 (1997) (requirement that statute or prior decisions fairly disclose criminality)
- United States v. Coppola, 671 F.3d 220 (2d Cir. 2012) (as‑applied vagueness review for non‑First Amendment statutes)
- United States v. Nadirashvili, 655 F.3d 114 (2d Cir. 2011) (defendant cannot prevail on vagueness claim if his conduct is clearly prohibited)
- United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (discussion of “protected computer” as effectively all internet‑connected machines)
- United States v. Trotter, 478 F.3d 918 (8th Cir. 2007) (upholding CFAA application to internet‑connected computers)
- United States v. Ulbricht, 31 F. Supp. 3d 540 (S.D.N.Y. 2014) (installing malware without consent is plainly illegal)