Unauthorized access to computer systems, commonly known as “hacking,” undoubtedly causes significant damage to individuals and businesses around the country. As often happens, however, the law has had difficulty keeping up with new technology. Federal law prohibits a wide range of computer fraud-related activities, but most offenses require proof that a defendant acted with intent, which is the most difficult mental state for prosecutors to prove. Perhaps as a result, some prosecutors have developed creative strategies to pursue alleged hackers. In one recently filed case, federal prosecutors have charged an individual under the federal hacking statute with no allegations that he personally engaged in any hacking activities. Instead, they essentially allege that he developed software with the intent that it would be used by hackers. United States v. Huddleston, No. 1:17-cr-00034, indictment (E.D. Va., Feb. 16, 2017).
Congress first enacted a criminal statute related to computer fraud, found at 18 U.S.C. § 1030, in 1984. It has amended this section numerous times over the years, perhaps most notably in 1986 with the Computer Fraud and Abuse Act (CFAA). That bill significantly expanded the legal definition of “computer fraud.” The original 1984 law made it a federal crime to access computer systems of the federal government or a financial institution without authorization. The CFAA added provisions about unauthorized access, or access that exceeds granted authority, to any “protected computer,” which it defined to include nearly any computer whose use affects interstate commerce. 18 U.S.C. §§ 1030(a)(4) – (6), (e)(2)(B).
Federal prosecutors are not accusing the defendant in Huddleston of hacking anybody. Instead, the alleged conduct leading to the indictment consisted solely of developing a software tool reportedly used by hackers. According to the indictment, the defendant created a “remote administration tool,” or “remote access trojan” (RAT), a type of software that allows a user to take control of someone else’s computer without their knowledge or consent. This RAT has allegedly been used in multiple cyberattacks around the world. Prosecutors allege that the defendant created this software for the specific purpose of making it available to hackers.