Criminal accomplice liability for “PhaaS” providers?

Wired Magazine‘s “Jargon Watch” this month had an interesting new term, “PhaaS,” defined as follows:

Based on software-as-a-service (SaaS) business models, PhaaS packages, sold on the dark web, provide everything a newbie cyber-criminal needs to run a phishing con, including templates for scams, fake web pages, and access to servers. One even offers tech support and tutorials.

This new “service” dovetails with a category of technology discussed in my 2015 article on accomplice liability for technology providers:  technology designed for illegal use. There, the example was email spam software, but the principle is the same for Phaas providers.

You see, there are varied levels of involvement a software developer may have with a criminal organization. In particular, there are different considerations for the programmer who sells software knowing but not caring that a person will use it to violate the law, versus the programmer who designs software for criminal purposes.

As an example of the latter, consider Jerome O’Hara and George Perez, programmers for Bernie Madoff. I argued that this is the easiest case, because “[d]esigning a tool for use in a particular crime and giving it to a known purveyor of that crime” almost certainly subjects a person to liability as an accomplice. “The act of design for indictable use implies purposive attitude and a desire to aid the crime’s commission, and the provision to the known criminal is an act of association with the venture. It was likely similar reasoning that, in March 2014, led the jury in the case of Madoff’s programmers, who had worked for him for more than a decade, to find them guilty of conspiring to commit securities fraud.”

I suspect most PhaaS providers would fall under this category.

On the other hand, the question of whether the knowing sale of software capable of both legal and illegal use to a criminal is a criminal offense is harder. The Supreme Court, in Rosemond v. United States, expressly left open the question of accomplice liability for “defendants who incidentally facilitate a criminal venture rather than actively participate in it.” The Court added:

A hypothetical case is the owner of a gun store who sells a firearm to a criminal, knowing but not caring how the gun will be used. We express no view about what sort of facts, if any, would suffice to show that such a third party has the intent necessary to be convicted of aiding and abetting.

For such a PhaaS provider, one who knowingly sells to criminals but doesn’t care, to determine guilt, the court or jury would need to examine the range of the software’s legitimate uses and what exactly the provider knew about the purchaser. If the software is broadly sold for legitimate uses–say, sales to companies that test for cyber-security–then even if the PhaaS provider somehow knew a purchaser’s nefarious purpose, the provider might be innocent.

To understand why, consider this hypothetical from Judge Richard Posner:

Suppose you own and operate a store that sells women’s clothing. Every month the same young woman buys a red dress from your store. You happen to know that she’s a prostitute and wears the dress to signal her occupation to prospective customers. By selling her the dress at your normal price you assist her illegal activity, and probably you want the activity to succeed since if it fails she’ll stop buying the dress and your income will be less. But you are not an aider and abettor of prostitution because if you refused to sell to her she would buy her red dress from another clothing store, one whose proprietor and staff didn’t know her profession. So you’re not really helping her or promoting prostitution, as you would be if you recommended customers to her in exchange for a commission.

In the same way, if the PhaaS software had  “substantial unoffending uses,” then the provider shouldn’t be expected to police the use of the software. But if, as I suspect is the case, the software is capable of chiefly one use, and that use is criminal, then the PhaaS provider risks criminal punishment as an accomplice.