Two interesting U.S. court rulings handed down a day apart this month have apparently left the U.S. Congress with some work to do in regard to what constitutes illegal activity when it comes to information technology.
The first was a 9-2 ruling (pdf) by the United States Court of Appeals for the Ninth Circuit in the case of a person named David Nosal, who, in the fall of 2004, decided to end his employment at the executive search firm Korn/Ferry and start up a competing firm. After he left the company, Nosal convinced a number of his colleagues to join him in his new venture. According to the court documents, Nosal also convinced his colleagues to use “their log-in credentials to download source lists, names and contact information from a confidential database on the company’s computer” before they left Korn/Ferry. They then transferred the information to Nosal, the court documents state.
The court noted that Korn/Ferry had a policy “that forbade disclosing confidential information,” including a warning that appeared upon the first screen of the database when accessed: “This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only.”
In 2008, the government indicted Nosal on 20 counts, including trade secret theft, mail fraud, conspiracy, and violations of the Computer Fraud and Abuse Act (CFAA). Nosal's lawyers appealed the indictment to the Ninth Circuit Court of Appeals stating (according to these previously filed court documents (pdf)) that the CFAA “ ‘was aimed primarily at computer hackers and that the statute does not cover employees who misappropriate information or who violate contractual confidentiality agreements by using employer-owned information in a manner inconsistent with those agreements.’ In other words, the Korn/Ferry employees could not have acted ‘without authorization,’ nor could they have ‘exceed[ed] authorized access,’ because they had permission to access the computer and its information under certain circumstances.”
Initially, the court rejected Nosal’s lawyers' appeal. However, the same court issued a decision soon afterwards, in another case (pdf) involving the CFAA, that seemed to agree with Nosal’s primary argument about the inability to exceed authority. So the court reversed its own rejection of his appeal. The U.S. government thereupon appealed that reversal, at which point the full Ninth Circuit Court of Appeals decided to hear the case anew. It is a bit confusing, but you can go through all the court rulings or read over a good summary here at Wikipedia.
In essence, the Ninth Circuit Court ruled (again) that the wording of the CFAA is related specifically to hacking into computer systems (“the circumvention of technological access barriers”) and not merely the misappropriation of information residing there (i.e., the case of having permission to access a computer system but using the information for non-business-related purposes). The majority of the court noted the problem it had with the term “misappropriation of information”; it could be interpreted in an extremely broad manner, possibly including innocuous activities such as accessing the Internet to check ball scores and the weather, or to chat with friends. If misappropriation of computer information was covered by the CFAA, they reasoned, nearly every employee of every company in the country could be facing federal criminal indictment.
Therefore, the court ruled, the government couldn’t use the CFAA to pursue Nosal, as the facts of the case didn’t fit the wording of the statute. Well, what about Nosal and his colleagues’ actions, which seemed to be unethical if not illegal? The court noted that the government has other legal avenues for pursuing Nosal at its disposal. Among them is the Federal Trade Secrets Act (which the government also accused Nosal of violating). The court also nudged Congress, reminding it to write clearer laws. If it really intended for any and all misappropriation of computer information to be covered by the CFAA, the statute should have spelled that out.
The other court ruling, this time by the Second Circuit Court of Appeals, involves Sergey Aleynikov, accused of stealing and transferring some of the proprietary computer source code his former employer, Goldman Sachs, uses for high frequency trading (HFT). The court, which unanimously overturned Aleynikov's conviction, actually released him in February. The appeals court only released its opinion (pdf) detailing its reasoning on 11 April.
According to court documents, Aleynikov worked as a programmer for Goldman Sachs from May 2007 through June 2009, developing source code for its HFT system. Goldman views the system as proprietary (it doesn’t license the HFT system to anyone else) and a major competitive advantage. Goldman requires everyone working on the HFT system to keep all of its proprietary information, including any intellectual property created by its programmers, strictly confidential. Goldman also bars programmers from taking any of the code they produce or use while working for Goldman when they leave, the court stated.
In April 2009, Aleynikov accepted a US $1 million a year offer to become an executive vice president at Teza Technologies LLC, a Chicago-based HFT system startup. The court stated that Teza made it very clear that it expected Aleynikov and others being hired to “develop a functional trading system within six months. It usually takes years for a team of programmers to develop an HFT system from scratch.”
The court document goes on to state that:
“Aleynikov’s last day at Goldman was June 5, 2009. At approximately 5:20 p.m., just before his going-away party, Aleynikov encrypted and uploaded to a server in Germany more than 500,000 lines of source code for Goldman’s HFT system, including code for a substantial part of the infrastructure, and some of the algorithms and market data connectivity programs. Some of the code pertained to programs that could operate independently of the rest of the Goldman system and could be integrated into a competitor’s system. After uploading the source code, Aleynikov deleted the encryption program as well as the history of his computer commands. When he returned to his home in New Jersey, Aleynikov downloaded the source code from the server in Germany to his home computer, and copied some of the files to other computer devices he owned.”
In July, Aleynikov flew from New Jersey to Chicago to attend meetings with his new employer, carrying a flash drive and a laptop with portions of the code he downloaded. When he flew back to New Jersey, he was arrested by the FBI and charged with violating the National Stolen Property Act (NSPA) (pdf), the Economic Espionage Act (EEA) of 1996, along with the CFAA.
At trial, Aleynikov’s lawyers moved to have all the charges dropped because they argued that their client did not violate any of them (“failure to state an offense”). The U.S. District Court, Southern District of New York agreed to dismiss the CFAA charge (basically for the same reasons the Ninth Circuit Court did in the Nosal case), but let the other two stand. The government didn't appeal the CFAA dismissal.
Aleynikov was convicted of both charges in December 2010 and sentenced to 97 months in prison followed by a three-year term of supervised release; he was also ordered to pay a $12 500 fine. Aleynikov’s lawyers appealed the convictions, arguing again that the facts of the case didn’t fit the wording of the criminal statutes. In other words, the source code Aleynikov took was not “related to or included in a product that is produced for or placed in interstate or foreign commerce” as was meant by the EEA. Nor should the software—being purely intangible property—be considered as a “good” that was “stolen” in the sense of what was meant by the NSPA.
The appeals court immediately agreed with those arguments (hearing the case on 16 February of this year and acquitting Aleynikov on both counts later the same day). In its opinion, the appeals court first pointed out that the NSPA applies only to tangible goods (which source code is not). And since Goldman’s HFT system was not being used for interstate or foreign commerce, the appeals court pointed out that the EEA did not apply either.
The Second Circuit Court, like the Ninth Circuit Court, told Congress it needs to think and act quickly with regard to the theft of source code, since existing law is obviously ambiguous on this point—well, at least the Computer Fraud and Abuse Act, the National Stolen Property Act (NSPA), and the Economic Espionage Act (EEA) of 1996 are.
As far as I know, Aleynikov is not being pursued by Goldman Sachs or anyone else on any other civil or criminal offenses.
Given this track record, one can hardly wait to see what the courts will do with the controversial Cyber Intelligence Sharing and Protection Act (CISPA) if Congress votes it into law.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.