Summary
concluding that damage occurs when "the system no longer operates as it did when it first came into the owner's possession and has an unwanted characteristic"
Summary of this case from United States v. ThomasOpinion
No. S1 13–cr–834 PKC.
2015-02-02
James J. Pastore, Jr., U.S. Attorney's Office, New York, NY, for United States of America.
James J. Pastore, Jr., U.S. Attorney's Office, New York, NY, for United States of America.
MEMORANDUM AND ORDER
CASTEL, District Judge.
Defendant Alex Yücel moves to dismiss Count II of the Superseding Indictment (the “S1 Indictment,” Dkt. No. 9) on the grounds that the statute under which he is charged, 18 U.S.C. § 1030(a)(5)(A), is void for vagueness as applied to him. For the following reasons, the motion is denied.
Yücel also moved to dismiss Counts I, III and V of the S1 Indictment under the rule of specialty. (Dkt. No. 27.) In light of the government's representation that it would not prosecute Yücel on those counts, the Court denied that motion as moot at a conference held before the Court on January 12, 2015.
BACKGROUND
Yücel is alleged to be one of the founders of an organization that distributed malicious software (“malware”) under the brand name “Blackshades.” (Pastore Aff. ¶ 17.) The malware included a remote access tool (“RAT”), which enabled users “to remotely control victims' computers, including [by] captur[ing] the victims' keystrokes as they type”—the “keylogger” function—“turn[ing] on their webcams, and search[ing] through their personal files.” (Id. ¶ 17–a.) Keyloggers are frequently used to steal login information for online financial accounts. (Id. ) The RAT also had a functionality that scanned victims' hard drives for 16–digit numbers, which were expected to be credit card numbers. (Id. ) Blackshades also provided malware designed to launch distributed denial of service attacks. (Id. ) To use the malware, customers were required to set up an account with the organization, typically through the Blackshades website. (Id. ¶ 17–c.) There were at least 6,000 customer accounts created with the Blackshades organization. (Id. ¶ 17–b.)
Yücel is alleged to be the original developer of the Blackshades RAT (id. ¶ 20–a), and controlled the server that hosted the Blackshades website. (Id. ¶ 37.) That server, according to the government, contained thousands of stolen usernames and passwords. (Id. ¶ 29). This, together with email correspondence in which Yücel told a business partner that he had stolen credit card numbers (id. ¶ 27), supports, in the government's view, its assertion that Yücel not only sold malware but made use of it himself.
Yücel was indicted by a grand jury in this District on October 23, 2013, and charged with one count of conspiracy to commit computer hacking. On or about November 25, 2013, a different grand jury returned the S1 Indictment against Yücel, charging him with five counts, including the conspiracy count from the original indictment, and the count at issue on this motion, distribution of malicious software and aiding and abetting the same. Yücel is a citizen of Sweden (id. ¶ 34), and was extradited from the Republic of Moldova to the United States in May 2014.
DISCUSSION
I. Vagueness Challenge
The void-for-vagueness doctrine, rooted in the Due Process Clause of the Fifth Amendment, “requires that a penal statute define the criminal offense [1] with sufficient definiteness that ordinary people can understand what conduct is prohibited and [2] in a manner that does not encourage arbitrary and discriminatory enforcement.”United States v. Morrison, 686 F.3d 94, 103 (2d Cir.2012) (quoting Kolender v. Lawson, 461 U.S. 352, 357, 103 S.Ct. 1855, 75 L.Ed.2d 903 (1983) ). The first prong requires a court to determine “whether the statute, either standing alone or as construed, made it reasonably clear at the relevant time that the defendant's conduct was criminal.” United States v. Roberts, 363 F.3d 118, 123 (2d Cir.2004) (quoting United States v. Lanier, 520 U.S. 259, 267, 117 S.Ct. 1219, 137 L.Ed.2d 432 (1997) ). “[A]lthough clarity at the requisite level may be supplied by judicial gloss on an otherwise uncertain statute, due process bars courts from applying a novel construction of a criminal statute to conduct that neither the statute nor any prior judicial decision has fairly disclosed to be within its scope.” Id. (quoting Lanier, 520 U.S. at 266, 117 S.Ct. 1219 ). Under the second, “more important,” prong, Kolender, 461 U.S. at 358, 103 S.Ct. 1855, the inquiry is “whether the statutory language is of such a standardless sweep that it allows policemen, prosecutors, and juries to pursue their personal predilections.” Arriaga v. Mukasey, 521 F.3d 219, 228 (2d Cir.2008) (quoting Smith v. Goguen, 415 U.S. 566, 575, 94 S.Ct. 1242, 39 L.Ed.2d 605 (1974) (internal quotation marks and alterations omitted)). “A statute that reaches ‘a substantial amount of innocent conduct’ confers an impermissible degree of discretion on law enforcement authorities to determine who is subject to the law.” Id. (quoting City of Chicago v. Morales, 527 U.S. 41, 60–61, 119 S.Ct. 1849, 144 L.Ed.2d 67 (1999) ).
“Vagueness challenges to statutes not threatening First Amendment interests are examined in light of the facts of the case at hand; the statute is judged on an as-applied basis.” United States v. Coppola, 671 F.3d 220, 235 (2d Cir.2012) (quoting Maynard v. Cartwright, 486 U.S. 356, 361, 108 S.Ct. 1853, 100 L.Ed.2d 372 (1988) ). In such cases, regardless of whatever ambiguities may exist at the outer edges of the statute, a defendant cannot successfully challenge its vagueness if his own conduct, as alleged, is clearly prohibited by the statute. United States v. Nadirashvili, 655 F.3d 114, 122 (2d Cir.2011).
Count II of the S1 Indictment charges Yücel with violating 18 U.S.C. § 1030(a)(5)(A), a provision of the Computer Fraud and Abuse Act (“CFAA”), which prohibits “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” Yücel argues that the terms “protected computer,” “damage,” and “without authorization” render the statute unconstitutionally vague as applied to him.
Count II also cites 18 U.S.C. §§ 1030(c)(4)(B)(i) and (c)(4)(A)(i)(VI), which relate to punishment, and 18 U.S.C. § 2, which provides, in relevant part: “Whoever commits an offense against the United States or aids, abets, counsels, commands, induces or procures its commission, is punishable as a principal.”
A. “Protected Computer”
The CFAA defines “protected computer,” in relevant part, as a computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” 18 U.S.C. § 1030(e)(2)(B). The government contends that this definition encompasses any computer with an internet connection, and a number of courts have so held. See Freedom Banc Mortg. Servs., Inc. v. O'Harra, No. 2:11–cv–01073, 2012 WL 3862209, at *6 (S.D.Ohio Sept. 5, 2012) (holding that “[a] computer that is connected to the internet ... satisfies § 1030(e)(2)'s interstate commerce requirement even if the plaintiff used that connection to engage in only intrastate communications”); United States v. Fowler, No. 8:10–cr–65–T–24 AEP, 2010 WL 4269618, at *2 (M.D.Fla. Oct. 25, 2010) (holding that evidence that computers were connected to the internet and were used to send emails was sufficient to show that they were “protected”); Multiven, Inc. v. Cisco Systems, Inc., 725 F.Supp.2d 887, 891–92 (N.D.Cal.2010) (holding that the parties' agreement that the defendant's network was connected to the internet was sufficient to establish that the computers using the network were “protected”); Expert Janitorial, LLC v. Williams, No. 3:09–CV–283, 2010 WL 908740, at *8 (E.D.Tenn. Mar. 12, 2010) (holding that the allegation that a computer was used to access email accounts, and thus was connected to the internet, was sufficient to satisfy the “protected computer” requirement). Many other courts have adopted this definition of “protected computer,” although their cases also involved allegations or proof of actual involvement in interstate commerce, or addressed different questions. See, e.g., United States v. Nosal, 676 F.3d 854, 859 (9th Cir.2012) (stating that “ ‘protected computer’ is defined as a computer affected by or involved in interstate commerce—effectively all computers with Internet access”); United States v. Trotter, 478 F.3d 918, 921 (8th Cir.2007) (upholding the constitutionality of the CFAA as applied to a defendant who admitted that the relevant computers were connected to the internet); Dedalus Foundation v. Banach, No. 09 Civ. 2842(LAP), 2009 WL 3398595, at *2 (S.D.N.Y. Oct. 16, 2009) (noting that “[c]ourts have also found that computers that access the Internet through programs such as email qualify as protected computers”).
For other cases in this category, see Merritt Hawkins & Assocs., LLC v. Gresham, 948 F.Supp.2d 671, 674 (N.D.Tex.2013) (stating that “[p]leading specific facts that the defendant accessed a computer connected to the internet is sufficient to establish that the accessed computer was ‘protected’ ”); United States v. Roque, Crim. No. 12–540(KM), 2013 WL 2474686, at *2–3 (D.N.J. June 6, 2013) (construing the CFAA and holding that the Commerce Clause allows Congress to regulate any computer connected to the internet); Jole v. Apple, No. 3–11–0882, 2011 WL 6101553, at *3 (M.D.Tenn. Dec. 8, 2011) (agreeing “with those cases which have found that a connection to the internet is affecting interstate commerce or communication”); Nat'l City Bank, N.A. v. Prime Lending, Inc., 2010 WL 2854247, at *4 n. 2 (E.D.Wash. July 19, 2010) (stating that “any computer connected to the internet is a protected computer”); NCMIC Fin. Corp. v. Artino, 638 F.Supp.2d 1042, 1060 (S.D.Iowa 2009) (stating that the “protected computer” element was established where the computers at issue were connected to the internet); Continental Grp., Inc. v. KW Property Mgmt., LLC, 622 F.Supp.2d 1357, 1370 (S.D.Fla.2009) (stating that “the greater weight of authority favors” the view that a protected computer is any computer with an internet connection); Paradigm Alliance, Inc. v. Celeritas Techs., LLC, 248 F.R.D. 598, 602 n. 5 (D.Kan.2008) (“A computer that provides access to worldwide communications would satisfy the element of interstate communications.” (emphasis in original)).
This understanding of “protected computer” derives from the text of the definition itself. See O'Harra, 2012 WL 3862209, at *5–6. As the Supreme Court has recognized, the phrase “affecting interstate or foreign commerce” is a term of art used by Congress to signal that it is exercising its full power under the Commerce Clause. See Russell v. United States, 471 U.S. 858, 859, 105 S.Ct. 2455, 85 L.Ed.2d 829 (1985) (construing 18 U.S.C. § 844(i), a federal arson statute). The Commerce Clause allows Congress to regulate instrumentalities of interstate commerce. Pierce Cnty., Wash. v. Guillen, 537 U.S. 129, 147, 123 S.Ct. 720, 154 L.Ed.2d 610 (2003). The internet is an instrumentality of interstate commerce. United States v. Sutcliffe, 505 F.3d 944, 953 (9th Cir.2007) ; Trotter, 478 F.3d at 921 (discussing the CFAA) ; S.E.C. v. Straub, 921 F.Supp.2d 244, 262 (S.D.N.Y.2013). Any computer that is connected to the internet is thus “part of ‘a system that is inexorably intertwined with interstate commerce’ and thus properly within the realm of Congress's Commerce Clause Power.” Trotter, 478 F.3d at 921 (quoting United States v. MacEwan, 445 F.3d 237, 245 (3d Cir.2006) ). Much as Commerce Clause authority permits Congress to regulate the intrastate activities of railroad cars, S. Ry. Co. v. United States, 222 U.S. 20, 26–27, 32 S.Ct. 2, 56 L.Ed. 72 (1911), it now permits Congress to regulate computers connected to the internet, even in the unlikely event that those computers made only intrastate communications. See United States v. Roque, Crim. No. 12–540(KM), 2013 WL 2474686, at *2 (D.N.J. June 6, 2013).
The widespread agreement in the case law on the meaning of “protected computer,” which is derivable using accepted principles of statutory construction, gives adequate notice to potential wrongdoers of what computers are covered by the statute, under the first prong of the vagueness analysis. This is especially true as applied to Yücel, because the government appears to charge that he and Blackshades users targeted internet-connected computers indiscriminately, rather than targeting a subset of computers that might not qualify as “protected” under a narrow reading of the term.
Yücel contends that this broad definition of “protected computer” “would make the computers protected under the statute limitless,” (Yücel Br. 5), an argument that relates to the second prong—the potential for arbitrary and discriminatory enforcement. A statute that sweeps broadly, however, is not necessarily unconstitutionally vague. See, e.g., Wiemerslage ex rel. Wiemerslage v. Maine Twp. High School Dist. 207, 29 F.3d 1149, 1151 (7th Cir.1994) (“flexibility or breadth should not necessarily be confused for vagueness”); United States v. Ali, No. 06–CR–200(ENV), 2008 WL 4773422, at *6 (E.D.N.Y. Oct. 27, 2008) (“breadth should not be confused with constitutionally impermissible vagueness”). Rather, the question is whether the outer limits of the statute's broad reach are ill-defined, such that a substantial amount of innocent conduct is potentially prohibited. Reading “protected computer” to cover all computers connected to the internet causes no such problems. And although the “protected computer” element does not serve as the CFAA's main limiting principle, prosecutorial discretion is reined in by the other elements of the offense: to obtain a conviction under section 1030(a)(5)(A), the prosecution must also prove that the defendant intentionally caused damage without authorization to the target computer.
B. “Damage”
The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). There are no Second Circuit opinions construing this definition, and thus the Court's analysis begins with the definition's terms, giving them their ordinary meaning. See United States v. Peters, 732 F.3d 93, 99 (2d Cir.2013) (“When a term in a statute is undefined, we are to give it its ordinary meaning.”). “Integrity,” as relevant here, means “[t]he condition of not being marred or violated; unimpaired or uncorrupted condition; original perfect state; soundness.” Oxford English Dictionary (“OED”) (2d ed. online version Sept. 2014). “Impairment” means “deterioration; injurious lessening or weakening.” OED (2d ed. online version June 2012).
Using these definitions, the Blackshades RAT, as alleged, caused “damage” under the statute, by “impairing the integrity” of the victims' computer systems. When taken out of the box, an individual's new computer device operates only in response to the commands of the owner. Indeed, the technological revolution that spawned laptops, tablets and smartphones originated with the PC which, of course, stands for “personal computer.” At trial, the government is expected to offer evidence that computers on which the Blackshades RAT has been installed are commonly used to store sensitive personal data, including income tax returns, banking information, credit card information, medical records and other confidential information. The government is expected to offer evidence that when the Blackshades RAT is surreptitiously loaded onto a computer, the computer no longer operates only in response to the commands of the owner. It now may be operated by unauthorized users who have the capability of extracting confidential information from the computer's hard drive. This, if proven, would “impair” the “uncorrupted condition” of the computer system, and thus constitute “damage,” because the system no longer operates as it did when it first came into the owner's possession and has an unwanted characteristic, which, if known, would negatively impact the economic value of the computer system, unless time and money are expended to remove it.
The ordinary meaning of the word “damage” as used in the statute is dispositive in this case. Nevertheless, the legislative history also shows that Congress intended “damage” to cover malware such as the Blackshades RAT. The definition of “damage” was first added to the statute in 1996. Pub.L. No. 104–294, § 201(4)(D). The Senate Report explains that the definition was intended to cover situations such as the following:
In this first version, an “impairment” only constituted “damage” if it satisfied one of four conditions: it caused monetary loss above a certain threshold, affected medical care, caused physical injury, or threatened public health or safety. 18 U.S.C. § 1030(e)(8) (2000). Those four conditions were eliminated from the definition of “damage” in 2001 by the USA PATRIOT Act, Pub.L. 107–56, § 814(d)(3). If anything, then, “damage” under the CFAA is now broader than it was after the 1996 amendment.
[I]ntruders often alter existing log-on programs so that user passwords are copied to a file which the hackers can retrieve later. After retrieving the newly created password file, the intruder restores the altered log-on file to its original condition. Arguably, in such a situation, neither the computer nor its information is damaged. Nonetheless, this conduct allows the intruder to accumulate valid user passwords to the system, requires all system users to change their passwords, and requires the system administrator to devote resources to resecuring the system.... Thus, the definition of “damage” is amended to be sufficiently broad to encompass the types of harm against which people should be protected.
S.Rep. No. 104–357, at 11 (1996). The Report's example is strikingly similar to the RAT's keylogger function, which also copied passwords to Blackshades users' computers. Moreover, the Report suggests that the Blackshades RAT caused “damage” even if Blackshades users covered their tracks by subsequently erasing any files associated with the RAT from the target computer.
Yücel points out that remote access tools are perfectly legal and are used by system administrators to manage and test computer systems everywhere. In many workplaces, for instance, an employee experiencing trouble with his work computer can call a support hotline and allow a computer systems expert to take control of the computer and solve the problem. That situation, however, is vastly different. Here, if the proof at trial is as described by the government, the “damage” takes place when the Blackshades RAT is installed “without authorization,” even though one manifestation of the “damage” occurs at a later point in time, when and if an unauthorized person gains access and control of the computer. An authorized remote access tool does not cause “damage” within the meaning of the statute, because only the owner and those persons who he has authorized, including other users and technical support staff, can access the computer. The authorized remote access tool does not corrupt or impair the computer, but modifies it in an open and intended manner that benefits the owner or user.
Yücel further argues that the meaning of “damage” under the CFAA remains “elusive,” and cites cases disagreeing on the question whether merely copying files from a computer constitutes damage. (Yücel Br. 6.) This argument is unavailing. First, a statute is not unconstitutionally vague simply because courts have disagreed on its meaning. If that were the case, “there [would be] a frightful number of fatally vague statutes lurking about.” United States v. Rybicki, 354 F.3d 124, 143 (2d Cir.2003) (en banc). Second, the disagreement identified by Yücel is irrelevant to the charges against him. The cases holding that copying files does not constitute damage under the CFAA involve disloyal employees who misappropriated customer lists or trade secrets upon leaving their employer. See, e.g., New S. Equip. Mats, LLC v. Keener, 989 F.Supp.2d 522 (S.D.Miss.2013) (defendant alleged to have breached confidentiality agreement with employer); Farmers Ins. Exch. v. Auto Club Grp., 823 F.Supp.2d 847 (N.D.Ill.2011) (agents of plaintiff alleged to have supplied defendant with access to plaintiff's confidential policyholder information); Condux Int'l, Inc. v. Haugum, Civ. No. 08–4824 ADM/JSM, 2008 WL 5244818 (D.Minn. Dec. 15, 2008) (former vice-president of plaintiff alleged to have downloaded consumer lists and confidential engineering drawings). In none of these cases did the defendant install a program on the target computer that compromised the computer's security on an ongoing basis.
Construing section 1030(a)(5)(A) to cover Yücel's alleged conduct poses no notice problems, under the first prong of the vagueness analysis. On a basic level, “[n]o person of ordinary intelligence could believe that [it was] somehow legal” to install the Blackshades RAT on victims' computers without their consent and harvest their financial information. United States v. Ulbricht, 31 F.Supp.3d 540, 568–69 (S.D.N.Y.2014). Furthermore, as explained, installing the Blackshades RAT falls comfortably within the statutory definition of “damage.” The statute's mens rea requirement (the damage must be caused “intentionally”) acts to blunt any remaining notice concerns. See Skilling v. United States, 561 U.S. 358, 412, 130 S.Ct. 2896, 177 L.Ed.2d 619 (2010). With respect to the second prong, the Court notes that the terms of the statute's definition of “damage” (“impairment,” “integrity,” and “availability”) are strikingly dissimilar to the sorts of terms, like “annoying,” “indecent,” see United States v. Williams, 553 U.S. 285, 306, 128 S.Ct. 1830, 170 L.Ed.2d 650 (2008), or “rogues and vagabonds,” see Papachristou v. Jacksonville, 405 U.S. 156, 156 n. 1, 92 S.Ct. 839, 31 L.Ed.2d 110 (1972), that have been held to be vague. They do not require “wholly subjective judgments without statutory definitions, narrowing context, or settled legal meanings.” Williams, 553 U.S. at 306, 128 S.Ct. 1830. Additionally, “damage” under the CFAA is limited by the fact that it must be to “data, a program, a system, or information.” Finally, prosecutorial discretion is further cabined by the other elements of the offense under section 1030(a)(5)(A), including the mens rea requirement, which help to ensure that the statute does not sweep in innocent conduct.
C. “Without Authorization”
“Without authorization” is not defined in the CFAA, and Yücel is correct in asserting that the concept of “authorization” under the CFAA has divided courts. See generally Orin S. Kerr, Cybercrime's Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L.Rev. 1596 (2003) ; Audra A. Dial & John M. Moye, The Computer Fraud and Abuse Act and Disloyal Employees: How Far Should the Statute Go to Protect Employers from Trade Secret Theft?, 64 Hastings L.J. 1447 (2013) (describing the circuit split on the meaning of “accesses without authorization” and “exceeds authorized access”). That divide, however, has arisen in cases construing subsections of the CFAA that prohibit accessing a computer without authorization, not causing damage without authorization. See, e.g., JBCHoldings NY, LLC v. Pakter, 931 F.Supp.2d 514, 521–25 (S.D.N.Y.2013) (discussing claims under 18 U.S.C. §§ 1030(a)(2)(C), (a)(4) and (a)(5)(C), all of which require showing that the defendant accessed a computer without authorization or exceeded authorized access); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 581–84 & n. 10 (1st Cir.2001) (discussing a claim under 18 U.S.C. § 1030(a)(4) ). Those cases all involve employees who used their workplace computers in an unapproved manner or former employees who transmitted proprietary information to their former employers' competitors. This Court is faced here with a vastly different factual situation.
As applied to Yücel, there is nothing ambiguous about the phrase “without authorization.” “Authorization” is defined by reference to the verb “to authorize,” which means “to ... permit by or as if by some recognized or proper authority.” Webster's Third International Dictionary 146 (1993). A defendant thus causes damage without authorization when he has not been permitted by the victim to cause that damage. This straightforward reading of the phrase easily satisfies both prongs of the vagueness test.
II. Sufficiency of the Indictment
Although Yücel frames his motion purely in void-for-vagueness terms, his brief also suggests that he is challenging the sufficiency of the S1 Indictment. An indictment is constitutionally sufficient if it “contains the elements of the offense charged and fairly informs a defendant of the charge against which he must defend, and [if it] enables him to plead an acquittal or conviction in bar of future prosecutions for the same offense.” United States v. Resendiz–Ponce, 549 U.S. 102, 108, 127 S.Ct. 782, 166 L.Ed.2d 591 (2007) (quoting Hamling v. United States, 418 U.S. 87, 117, 94 S.Ct. 2887, 41 L.Ed.2d 590 (1974) ). The standard is not particularly demanding, however. The Second Circuit has “consistently upheld indictments that ‘do little more than to track the language of the statute charged and state the time and place (in approximate terms) of the alleged crime.’ ” United States v. Walsh, 194 F.3d 37, 44 (2d Cir.1999) (quoting United States v. Tramunti, 513 F.2d 1087, 1113 (2d Cir.1975) ). It has also “repeatedly refused, in the absence of any showing of prejudice, to dismiss charges for lack of specificity.” Id. at 45 (quoting United States v. McClean, 528 F.2d 1250, 1257 (2d Cir.1976) (ellipsis omitted)).
The S1 Indictment reads (in relevant part) as follows:
COUNT TWO (Distribution of Malicious Software)
The Grand Jury further charges:
4. From at least in or about June 2010, up to and including in or about October 2013, in the Southern District of New York and elsewhere, ALEX YÜCEL, a/k/a “Alex Yucel,” a/k/a “Alex Yucle,” a/k/a “Alex Yuecel,” a/k/a “marjinz,” a/k/a “Victor Soltan,” the defendant, knowingly caused the transmission of a program, information, code and command, and as a result of such conduct, intentionally caused damage without authorization to a protected computer, and thereby caused damage affecting 10 and [sic ] more protected computers during a one-year period, to wit, YÜCEL used malicious software to infect computers and sold that malicious software to others, enabling them to infect and remotely control victims' computers. (Title 18, United States Code, Sections 1030(a)(5)(A), 1030(c)(4)(B)(i) and (c)(4)(A)(i)(VI), and 2.)
(S1 Indictment, at 3.) The charge thus meets the minimum requirements for an indictment under Walsh, by tracking the language of the statute and giving a time and place for the alleged wrongdoing. It goes beyond those requirements by describing, in general terms, Yücel's alleged conduct in the “to wit” clause.
Yücel complains that the S1 Indictment gives insufficient detail about the type of damage his actions are alleged to have caused. He does not, however, attempt to show how this lack of detail has prejudiced his defense. The materials submitted by the government in opposition to this motion, and particularly the affidavit of Assistant U.S. Attorney James Pastore (Opp'n Ex. 2), lay out in detail the damage alleged to have been caused by Yücel and the Blackshades organization. Yücel thus cannot plausibly argue that he was not “sufficiently informed to defend against the charges and to be protected against the risk of double jeopardy.” United States v. Stringer, 730 F.3d 120, 124 (2d Cir.2013) (rejecting the defendant's argument that the indictment was insufficient for failure to name his victims, because the government disclosed those names well in advance of trial).
Yücel also complains that the S1 Indictment does not explain how the allegedly infected computers were “protected” and fails to set forth how the damage was unauthorized. But, as previously discussed, additional detail on these points is unnecessary. As charged, the computers were “protected” because they were connected to the internet. And because “without authorization” is unambiguous as applied to Yücel's alleged conduct, Yücel cannot (and does not attempt to) identify any lack of clarity in that term as used in the indictment that would prejudice his defense. “An indictment must be read to include facts which are necessarily implied by the specific allegations made.” United States v. Stavroulakis, 952 F.2d 686, 693 (2d Cir.1992). In the S1 Indictment, “without authorization” necessarily implies that none of the victims gave permission for the Blackshades software to be installed on their computers. Accordingly, Yücel's challenge to the sufficiency of the indictment fails.
CONCLUSION
For the foregoing reasons, Yücel's motion to dismiss Count II of the S1 Indictment is DENIED.
SO ORDERED.