05/13/2026
18 U.S.C. § 241
From Reconstruction to Ransomware: 18 U.S.C. § 241 as a Cybersecurity Weapon
How a 154-Year-Old Civil Rights Statute Became One of the Federal Government’s Most Powerful Tools Against Cyber-Enabled Conspiracies
I. Introduction: The Klan’s Digital Heirs
In the spring of 2023, a federal jury in Brooklyn delivered a verdict that bridged two centuries of American history. Douglass Mackey — known to his approximately 58,000 Twitter followers as “Ricky Vaughn” — was convicted under a statute born from the ashes of the Civil War for conspiring to deprive American citizens of their constitutional right to vote. His weapon was not a burning cross or a mob of hooded riders, but something far more modern: memes. Specifically, memes falsely telling Hillary Clinton supporters they could vote by text message.
Mackey’s prosecution under 18 U.S.C. § 241 — the Conspiracy Against Rights statute — represented a watershed moment. For the first time, the Department of Justice had successfully deployed a Reconstruction-era civil rights law to combat cyber-enabled disinformation. The case demonstrated what legal scholars had been arguing for years: that § 241, originally drafted to prosecute Ku Klux Klan violence against newly freed Black voters, possesses a remarkable structural adaptability that makes it suited to addressing certain categories of cyber-enabled conduct.
This is not merely a story about election interference. It is the story of how one of the most powerful yet underutilized statutes in the federal criminal code has evolved from a tool against night riders into a potent weapon against digital conspiracies — and why it may be among the most important cybersecurity statutes you’ve never heard of.
II. The Statute: Origins and Architecture
A. Birth in Reconstruction
Section 241 traces its lineage to Section 6 of the Enforcement Act of 1870, passed by the 41st Congress in response to an epidemic of white supremacist terrorism across the former Confederacy. The statute was designed to accomplish something revolutionary: to extend federal criminal jurisdiction over private actors who conspired to violate the constitutional rights of American citizens, particularly the right of Black Americans to participate in the political process.
The modern text of § 241 provides, in relevant part:
If two or more persons conspire to injure, oppress, threaten, or intimidate any person in any State, Territory, Commonwealth, Possession, or District in the free exercise or enjoyment of any right or privilege secured to him by the Constitution or laws of the United States, or because of his having so exercised the same… They shall be fined under this title or imprisoned not more than ten years, or both; and if death results from the acts committed in violation of this section or if such acts include kidnapping or an attempt to kidnap, aggravated sexual abuse or an attempt to commit aggravated sexual abuse, or an attempt to kill, they shall be fined under this title or imprisoned for any term of years or for life, or both, or may be sentenced to death.
What makes this language potent — and relevant to cybersecurity — is its architectural design. The statute criminalizes the conspiracy itself, not merely its successful ex*****on. It reaches agreements to interfere with constitutional rights, regardless of whether those agreements produce their intended harmful effect. And critically, the statute lacks any overt act requirement: the agreement alone constitutes the offense.
B. Structural Advantages Over Conventional Cybercrime Statutes
Section 241 possesses three structural features that distinguish it from conventional cybercrime statutes like the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030:
1. No Overt Act Requirement. Unlike the general federal conspiracy statute (18 U.S.C. § 371), § 241 does not require prosecutors to prove that any conspirator committed an overt act in furtherance of the conspiracy. The agreement itself is the crime. In Whitfield v. United States, 543 U.S. 209 (2005), the Supreme Court distilled the governing rule for conspiracy statutes: Congress gets an overt-act requirement when it chooses text modeled on § 371, but dispenses with such a requirement when it chooses text modeled on the Sherman Act. Because § 241’s text does not expressly make the commission of an overt act an element, the government need not prove one. This feature eliminates a significant evidentiary burden that often frustrates cybercrime prosecutions, where digital footprints may be ephemeral and jurisdictional challenges formidable.
2. Felony Status Regardless of Underlying Conduct. The offense carries a maximum penalty of ten years imprisonment and a fine — even if the underlying conduct would not, standing alone, constitute a felony under any other statute. And if death results, the penalty escalates to life imprisonment or death. This gives prosecutors significant charging discretion and ensures proportionate punishment for attacks that endanger lives.
3. Coverage of Constitutional and Statutory Rights. The statute protects any “right or privilege secured… by the Constitution or laws of the United States.” This is breathtakingly broad. It encompasses not only explicitly constitutional rights like voting, but also rights created by federal statute that might be implicated by cyber-enabled attacks.
III. The Mackey Prosecution: § 241 Enters the Digital Age
A. The Case
The government’s theory in United States v. Mackey, No. 21-cr-00080 (E.D.N.Y.), was elegant in its simplicity. Beginning in September 2016, Mackey and his co-conspirators allegedly participated in private Twitter direct message groups — including “Fed Free Hatechat,” the “War Room,” and “Infowars Madman” — to discuss “how best to influence the Election” through disinformation.
On November 1, 2016, Mackey tweeted a deceptive image featuring an African American woman standing before an “African Americans for Hillary” sign, with text reading: “Avoid the Line. Vote from Home. Text ‘Hillary’ to 59925. Vote for Hillary and be a part of history.” The image included fine print mimicking official campaign materials. At least 4,900 unique telephone numbers texted the fictitious number. Several hours later, Mackey tweeted a similar image written in Spanish with a photo of a Latina woman.
The DOJ charged Mackey with a single count of violating § 241 — conspiring to injure citizens in the exercise of their right to vote. A February 2016 analysis by the MIT Media Lab had ranked Mackey as the 107th most important influencer of the upcoming presidential election. On March 31, 2023, a jury convicted him. On October 17, 2023, Judge Ann M. Donnelly sentenced him to seven months in prison.
B. Significance for Cybersecurity Law
The Mackey prosecution established several precedents:
First, it confirmed that § 241 reaches purely nonviolent cyber-enabled conduct. Courts had long held that violence is not a prerequisite for § 241 liability. In United States v. Mosley, 238 U.S. 383 (1915), the Supreme Court upheld § 241 charges against election officials who conspired to submit false returns to the state election board, noting that the statute “did not confine itself to conspiracies contemplating violence.” In United States v. Classic, 313 U.S. 299 (1941), the Court approved its use against officials who altered and falsely counted ballots in a primary election. The Supreme Court has signed off on § 241 prosecutions for nonviolent conduct in at least four other cases: Guinn v. United States (1915) (disenfranchising Black voters through a grandfather clause), United States v. Saylor (1944) (stuffing ballot boxes), and Anderson v. United States (1974) (casting fake ballots). Mackey extended this logic to digital deception.
Second, the case demonstrated that social media platforms can serve as the instrumentalities of § 241 conspiracies. The district court rejected Mackey’s argument that venue was improper, holding that “as more and more Americans choose to communicate via Twitter… the judiciary’s understanding of how continuing crimes can be committed through electronic communications must keep pace and evolve.”
Third, Mackey illustrated how § 241 can address conduct that falls through the gaps of more conventional cybercrime statutes. Mackey’s conduct — spreading disinformation to suppress voter turnout — did not obviously violate the CFAA. He did not hack any computer systems. He did not exceed authorized access. He engaged in deceptive speech. Yet the injury — to the constitutional right to vote — was profound. § 241 provided the doctrinal bridge between his digital conduct and the constitutional harm.
C. The Second Circuit’s Reversal
On July 9, 2025, the U.S. Court of Appeals for the Second Circuit reversed Mackey’s conviction in United States v. Mackey, No. 23-7577, ordering the district court to enter a judgment of acquittal. The panel — Chief Judge Debra Ann Livingston and Judges Reena Raggi and Beth Robinson — held that the government had failed to present sufficient evidence that Mackey knowingly agreed to join the specific conspiracy charged. The court emphasized that mere association with individuals involved in an unlawful undertaking is insufficient to prove knowing involvement in a conspiracy, and that the government had failed to prove Mackey even viewed — let alone participated in — the private message group exchanges.
The reversal was procedural, not substantive. The Second Circuit did not hold that § 241 cannot reach Mackey’s conduct as a matter of law. It held only that the evidentiary record was inadequate to prove an agreement. The statute’s applicability to cyber-enabled voter suppression remains an open question of law.
IV. The Cyber Civil Rights Theory: § 241 as an Anti-Mob Weapon
A. Danielle Citron’s Foundational Scholarship
In 2009, Danielle Keats Citron — then a professor at the University of Maryland School of Law — published “Cyber Civil Rights” in the Boston University Law Review (89 B.U. L. Rev. 61). The article fundamentally reframed how scholars and practitioners understand the relationship between civil rights law and cyber-enabled abuse.
Citron documented how anonymous online mobs — what she termed “destructive online groups” — increasingly targeted women, people of color, and members of other traditionally disadvantaged groups with campaigns of defamation, threats of violence, and technology-based attacks designed to silence victims and destroy their privacy. These attacks, Citron argued, were not merely individual torts or isolated criminal acts. They were civil rights violations — systemic efforts to deprive vulnerable individuals of their equal right to participate in social, economic, and political life. The article specifically identified § 241 as a potential tool against coordinated online mobs that “go in disguise on the Internet for the admitted purpose of suppressing the free speech of victims expressly targeted because they are women, people of color, members of religious minorities, or g**s or lesbians.”
Citron is now the Jefferson Scholars Foundation Schenck Distinguished Professor of Law at the University of Virginia School of Law. In 2019, she was named a MacArthur Fellow for her work on cyberstalking and intimate privacy.
B. § 241’s Direct Application to Online Mobs
The statutory language — particularly the provision criminalizing conspiracies by persons who “go in disguise on the highway, or on the premises of another” — resonates with the architecture of the Internet. Pseudonymous online coordination is, in a meaningful sense, going “in disguise on the premises of another” — the platforms that host these interactions.
The theory faces doctrinal obstacles. In United States v. Cruikshank, 92 U.S. 542 (1876), the Supreme Court reversed the convictions of white insurrectionists for their roles in the Colfax Massacre — the bloodiest single instance of racial carnage in the Reconstruction era, in which an armed white mob killed approximately sixty to one hundred and fifty Black citizens and three white Republicans at the Grant Parish courthouse in Louisiana. The Court’s decision rested on the state action doctrine: the Fourteenth and Fifteenth Amendments did not authorize federal prosecution of purely private actors. More recently, the Court has held that § 241 covers only private conspiracies “aimed at interfering with rights that are protected against private, as well as official, encroachment.”
But Citron’s framework identifies rights that are protected against private encroachment and that are directly implicated by cyberattacks: the right to equal employment opportunity under 42 U.S.C. § 1981; the right to be free from racially motivated interference with employment under 18 U.S.C. § 245; and most critically, the right to vote and to have one’s vote counted — the right at issue in both the Mackey prosecution and the Trump indictment.
C. The National Security Dimension
The DOJ’s National Security Division has increasingly embraced the framing of cyber-enabled threats as attacks on constitutional rights. The Division’s National Security Cyber Section has spearheaded court-authorized takedowns of foreign botnets and cyber-enabled malign influence operations. In September 2024, the DOJ announced a “Doppelganger” takedown operation seizing 32 internet domains used by Russian government actors to interfere in the 2024 U.S. presidential election — following an earlier takedown of a Russian AI-enhanced bot farm. These actions reflect a growing recognition that cyberattacks targeting elections are not merely technical violations. They are attacks on constitutional rights.
V. § 241 and Critical Infrastructure: The Next Frontier
A. Beyond Elections
While the Mackey case and election interference have dominated recent discussions, § 241’s potential application to cybersecurity extends beyond the ballot box:
Cyberattacks on Healthcare Systems. A ransomware attack on a hospital network that deprives patients of emergency medical care could potentially be charged under § 241 as a conspiracy to interfere with rights secured by federal healthcare laws. The conspiratorial agreement to deploy the ransomware — particularly if motivated by bias or targeting a specific community — could satisfy the statute’s elements.
Attacks on Financial Infrastructure. A coordinated cyberattack designed to deny communities access to banking services — particularly if targeting minority-serving financial institutions — could implicate § 241 through interference with rights secured by federal banking and civil rights laws.
Doxxing and Swatting Campaigns. Coordinated online campaigns to publish private information or make false emergency reports targeting individuals because of their race, religion, or participation in federal programs could potentially be prosecuted under § 241 as conspiracies to interfere with constitutional rights.
B. The CFAA Comparison
The CFAA remains the workhorse of federal cybercrime prosecution. It criminalizes unauthorized access to “protected computers,” damage to computer systems, and related conduct. But the CFAA has limitations that § 241 does not share:
Feature 18 U.S.C. § 1030 (CFAA) 18 U.S.C. § 241
Primary Harm Addressed Computer system integrity Constitutional/federally protected rights
Overt Act Requirement § 1030(b) requires overt act No overt act required
Penalty Structure Varies by offense type (1-20 years) Up to 10 years; life/death if kidnapping or death results
Coverage of Non-Technical Conduct Limited Broad
Mens Rea Varies by subsection Specific intent to interfere with rights
The CFAA and § 241 are not competitors — they are complements. The CFAA addresses the technical violation: the unauthorized access, the data exfiltration, the system damage. § 241 addresses the constitutional violation: the deprivation of rights, the interference with democratic participation, the systemic subordination of vulnerable communities. A single course of conduct may violate both statutes.
VI. Constitutional Constraints and First Amendment Concerns
A. The State Action Doctrine
The most significant doctrinal constraint on § 241’s application to cybercrime is the state action doctrine. As interpreted in Cruikshank and subsequent cases, § 241 cannot be used to prosecute purely private conspiracies that interfere with rights protected only against state action — such as pure speech rights under the First Amendment, which restricts only government actors.
But this constraint is less limiting than it appears. Many constitutional rights are protected against private encroachment. The Fifteenth Amendment’s guarantee of the right to vote free from racial discrimination reaches private conspiracies, as the Mackey prosecution and subsequent cases have confirmed. The Thirteenth Amendment empowers Congress to prohibit private racial discrimination that constitutes a “badge or incident of slavery.” Rights secured by federal statute — such as the right to equal employment opportunity — are protected against private interference by definition.
B. The First Amendment and Deceptive Speech
Mackey’s defense team argued that his prosecution violated the First Amendment because his memes were satirical expression protected by the Constitution. The district court rejected this argument, holding that Mackey was not being prosecuted for his speech, but for the injury he caused by engaging in a conspiracy to deprive people of their right to vote. As the Supreme Court recognized in United States v. Alvarez (the Stolen Valor Act case), intentionally false statements are not automatically protected — particularly where they cause legally cognizable harm to fundamental constitutional rights.
The Second Circuit’s reversal did not reach these First Amendment questions, leaving them open for future cases. The district court’s reasoning suggests a framework: § 241 does not criminalize opinions or political speech; it criminalizes conspiracies to injure constitutional rights. When deceptive speech is the instrument of that injury — particularly when it targets the right to vote — § 241 provides a constitutionally sound basis for prosecution.
VII. The 2020 Election and Beyond: § 241 in the National Spotlight
A. The Trump Indictment
On August 1, 2023, a grand jury convened by Special Counsel Jack Smith indicted former President Donald Trump on four federal charges arising from his conduct following the 2020 presidential election. Count Four charged Trump with violating § 241 — conspiring to interfere with “the right to vote, and to have one’s vote counted.” The indictment alleged that Trump and six co-conspirators engaged in a multi-scheme effort to overturn the election results, including organizing false slates of presidential electors in seven states, attempting to use the DOJ to conduct sham election investigations, and pressuring Vice President Pence to fraudulently alter the January 6 certification proceeding.
The indictment illustrated § 241’s extraordinary reach. It alleged that Trump conspired against the rights of “one or more persons” — without needing to identify specific victims. Courts have long held that § 241 reaches conduct affecting “the integrity of the federal election process as a whole,” not merely fraud directed at particular voters. The case also demonstrated § 241’s applicability to sophisticated conspiracies involving lawyers, government officials, and complex legal strategies — not merely the crude disinformation of the Mackey variety.
B. The New Hampshire AI Robocall Incident
The emergence of generative AI tools capable of producing convincing synthetic media presents a challenge to election security. In January 2024, voters in New Hampshire received robocalls featuring an AI-generated voice mimicking President Biden, urging them not to vote in the state’s Democratic primary and to “save your vote for the November election.” The calls reached an estimated 5,000 to 25,000 people and spoofed the phone number of a former state Democratic Party chair. Political consultant Steve Kramer later admitted orchestrating the calls, claiming he intended to sound a warning about the dangers of AI in elections. Kramer was indicted on criminal charges in multiple New Hampshire counties.
Section 241 is positioned to address this evolving threat. The Mackey prosecution established that § 241 reaches deceptive digital communications intended to interfere with voting rights. AI-generated disinformation is a more technologically sophisticated form of the same harm. The statute’s focus on intent and agreement rather than methodology ensures its continued relevance as technology evolves.
VIII. Practical Implications for Cybersecurity Professionals and Legal Practitioners
A. For Prosecutors
Section 241 offers prosecutors tactical advantages in cybercrime cases:
Charging Flexibility. When technical CFAA violations are difficult to prove — because attribution is uncertain, because conduct falls outside the CFAA’s scope, or because the harm is primarily constitutional rather than technical — § 241 provides an alternative charging path.
Conspiracy Theory. The absence of an overt act requirement simplifies conspiracy prosecutions. In cases involving encrypted communications, anonymous online coordination, and multi-jurisdictional actors, proving the agreement may be more straightforward than proving specific technical violations.
Sentence Enhancement. The ten-year baseline penalty — and the potential for life imprisonment if death results — provides leverage in plea negotiations and ensures proportionate punishment for attacks on critical infrastructure that endangers lives.
B. For Defense Counsel
Specific Intent Requirement. The Supreme Court has read a specific intent requirement into § 241 to avoid vagueness concerns. Prosecutors must prove that the defendant willfully conspired to interfere with a known federal right — a formidable mens rea requirement that provides room for defense.
First Amendment Defenses. Where the alleged § 241 violation involves speech-related conduct — disinformation campaigns, expressive advocacy, journalistic activity — defense counsel should carefully evaluate First Amendment challenges, particularly as applied to satire, parody, and political hyperbole.
State Action Limitations. Where the alleged interference is with a right protected only against state action — such as pure speech rights — defense counsel should consider motions to dismiss on Cruikshank grounds.
C. For the Cybersecurity Industry
Security professionals should understand § 241’s scope because it affects incident response. When an organization suffers a cyberattack that implicates constitutional rights — such as an attack on election infrastructure, healthcare systems, or financial networks — the attack may constitute not merely a technical breach but a federal civil rights conspiracy. This framing affects reporting decisions, threat intelligence priorities, and cooperation with federal law enforcement.
IX. The Broader Vision: Cybersecurity as Civil Rights
The most profound implication of § 241’s application to cybersecurity is conceptual. It reframes cybersecurity not merely as a technical discipline concerned with protecting systems and data, but as a civil rights imperative concerned with protecting the constitutional foundation of democratic self-governance.
When hackers target election infrastructure, they are not merely violating the CFAA. They are conspiring against the constitutional right to vote. When ransomware attackers shut down hospitals, they are not merely damaging computer systems. They are interfering with the statutory and constitutional rights of patients. When online mobs coordinate to drive women and minorities off the Internet through harassment and doxxing, they are not merely committing isolated torts. They are conspiring to deprive citizens of their equal right to participate in digital civic life.
This framing elevates cybersecurity from a technical specialty to a constitutional duty. It justifies the allocation of federal resources to cyber threats that might otherwise be dismissed as property crimes. And it provides a doctrinal foundation for prosecuting the full harm of cyberattacks — not merely the technical intrusion, but the constitutional injury.
X. Conclusion: The Enforcement Act’s Enduring Legacy
On March 27, 1876, the Supreme Court decided United States v. Cruikshank, reversing the convictions of white insurrectionists who had massacred approximately sixty to one hundred and fifty citizens — overwhelmingly Black freedmen — exercising their right to vote at the Grant Parish courthouse in Colfax, Louisiana. The Court’s reasoning — grounded in a narrow interpretation of federal power — crippled Reconstruction-era civil rights enforcement for decades.
Yet Section 6 of the Enforcement Act of 1870 — now codified as 18 U.S.C. § 241 — survived. It was invoked against ballot-box stuffers in 1915, against grandfather clauses in 1915, against election officials who altered ballots in 1941, and against conspirators who cast fake ballots in 1974. It was used to prosecute Klansmen, corrupt politicians, and voter intimidators. And in 2023, it was used to prosecute a social media influencer who spread disinformation from a keyboard instead of a horseback.
The statute’s endurance is a testament to the foresight of its drafters, who understood that constitutional rights would face evolving threats from new technologies and new forms of social organization. They crafted a statute that criminalized the agreement to interfere with rights, not merely any particular method of interference.
In the digital age, this structural choice has proven prescient. The digital heirs of the Klan do not wear hoods or burn crosses. They coordinate in encrypted chat channels, deploy AI-generated disinformation, and launch ransomware attacks from jurisdictions beyond traditional extradition reach. But the harm they inflict is the same: the systemic deprivation of constitutional rights.
And the statute that was written to stop them remains — one hundred and fifty-six years later — calibrated to the task.
This article examines the evolving application of 18 U.S.C. § 241 to cyber-enabled threats. It is not legal advice. The analysis is informed by the scholarship of Professor Danielle Citron, whose “Cyber Civil Rights” framework (89 B.U. L. Rev. 61 (2009)) provides important theoretical foundations.
Verified Sources Referenced:
1. 18 U.S.C. § 241 (full statutory text via FindLaw, verified against 2024 USC)
2. United States v. Mackey, No. 21-cr-00080 (E.D.N.Y.) — DOJ press releases, conviction (March 31, 2023), sentence (October 17, 2023)
3. United States v. Mackey, No. 23-7577 (2d Cir. July 9, 2025) — reversal and judgment of acquittal
4. Whitfield v. United States, 543 U.S. 209 (2005) — overt act requirement rule
5. United States v. Mosley, 238 U.S. 383 (1915) — nonviolent § 241 conduct
6. United States v. Classic, 313 U.S. 299 (1941) — altering ballots under § 241
7. United States v. Cruikshank, 92 U.S. 542 (1876) — state action doctrine
8. Jack Smith Indictment, United States v. Trump, Cr. No. 23-257 (D.D.C. Aug. 1, 2023) — Count Four, § 241
9. Danielle K. Citron, “Cyber Civil Rights,” 89 Boston University Law Review 61 (2009)
10. DOJ National Security Division remarks, September 2024 — cyber-enabled malign influence
11. New Hampshire Attorney General — AI robocall investigation, January 2024
12. AP News, July 9, 2025 — Second Circuit reversal coverage
