Imagine a poker player who played an extraordinary amount of video poker and in doing so discovered a software bug that would allow him to achieve significant payouts through a series of unusual moves. These moves would actually manipulate in his favor the games he played and the amount he wagered on those games, but involved nothing more than deciding to play the game in a particular manner, and not anything involving tampering with the video poker machine or its programming. Now imagine being named in a federal indictment for computer fraud because of this seemingly innocent conduct. This is the story currently unfolding in a closely watched case in the U.S. District Court for the District of Nevada.
John Kane and Andre Nestor were each charged in an indictment in January 2011 with one count of conspiracy to commit wire fraud and one count of computer fraud in violation of the Computer Fraud and Abuse Act (CFAA), the same law that was used to prosecute Internet activist Aaron Swartz and Andrew Auernheimer. The CFAA was enacted in 1986 to protect computers that there was a compelling federal interest in protecting, such as computers owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer related activities, and there has been recent discussion on Capitol Hill of amending it further. The CFAA prohibits accessing a computer without proper authorization or it is used in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and allowing prosecutors wide discretion by allowing them to go so far as to charge individuals who have violated a website’s terms of service.
The indictment against Kane and Nestor alleges that they exploited an arcane bug in certain video poker machines to defraud casinos and win money to which they were not entitled and that their actions “exceeded their authorized access” on the machines in violation of the CFAA. As we see it, there is nothing illegal about pressing buttons on slot machines to change the amount of money you are betting or to switch games you are playing, but the prosecution alleged that doing this exceeded lawful access within the meaning of the CFAA. Fortunately for Kane and Nestor, the court agreed with the defendants that this was an example of prosecutorial overreaching and dismissed the CFAA count in the indictment on the ground that the statute did not encompass this innocent conduct.
Kane and Nestor would play video poker machines until they won, at which point a “double up” feature would become available for selection that would allow the player to insert more money and make larger bets. After more money is inserted, the game can be exited and the money value of the best changed to a value that will cause the targeted win to increase to whatever the player desired.
Most prosecutions for this type of fraud involve the use of magnets, or electrical shocks, or some external device, but what makes this case so unique is that this was a software flaw discovered by Kane. There was no external device or manipulation of the machine. The machines were played exactly the way they were intendedto be played and exactly the way the approved software allowed the machine to be played.The conspiracy to commit wire fraud charges are still pending against both Kane and Nestor. In July, the government and the defendants filed a stipulation to continue the trial dates, the ninth such request, which was granted by the court. The defendants are due back in court on November 25, 2013. The filing of the stipulations of continuance may mean that the defendants are cooperating in the investigation, or that they are otherwise attempting to resolve the case without a trial.
The dismissal of the CFAA charges in this case was, in our view, the correct result – a decision that will hopefully check the increasingly aggressive use of this statute by prosecutors to punish conduct that clearly does not fall with its proscriptions. This is a case that could have, and should have, been brought by the casino. There is no doubt that there is a proper place for criminal sanctions to punish and deter those who hack into computers and commit other types of wrongdoing by illegally gaining access to computers. But prosecutors must learn that the statute has its limits, and the courts must remain vigilant to protect those individuals whose conduct simply does not rise to the level of the crimes that the CFAA was designed to cover.
Cybersecurity, Federal Criminal (Other), Federal Criminal Procedure, Fraud, White-collar crime
The Obama administration has issued a road map to combat intellectual property theft over the next three years.
The “2013 Intellectual Property Enforcement Coordinator Joint Strategic Plan” follows up on the more narrowly tailored “Administration Strategy on Mitigating the Theft of Trade Secrets” that we wrote about earlier this year, and reviews progress made on intellectual property issues in general since the administration’s first general IP strategic plan was issued in 2010.
While this year’s plan rightfully highlights the administration’s achievements in trade secret protection, it sheds little light on the concrete steps necessary to achieve its future goals in that area.
The strategic plan reveals progress made on the trade secret legislation, investigation, prosecution, and sentencing fronts. The enactment of Public Law 112-236, the “Theft of Trade Secrets Clarification Act of 2012,” closed a loophole by clarifying that the Economic Espionage Act protects trade secrets related to “a product or service used in or intended for use in” interstate or foreign commerce. The FBI unveiled a public education campaign to raise awareness of trade secret theft, and FBI trade secret theft cases are up 39 percent.
The Department of Justice has provided federal prosecutors with special training in computer crimes in order to support law enforcement agencies in the investigation of trade secret theft perpetrated by persons who pose a national security threat. Over the past three years the administration has also bolstered criminal penalties for economic espionage and directed the U.S. Sentencing Commission to consider increasing offense levels for trade secret crimes.
Despite these accomplishments, there is much more to achieve. The plan aims to press for protection of trade secrets overseas and enforcement actions to address their theft or misappropriation, and expresses concern about “forced technology transfer,” that is, efforts by foreign governments to condition market access or the ability to do business on the transfer of trade secrets or proprietary information.
While this document is high on aspirational talk regarding international coordination, it is notably low on concrete proposals for domestic trade secrets legislation. The lack of momentum on this front may be understandable considering that the administration received only 13 comments in response to the “Administration Strategy on Mitigating the Theft of Trade Secrets” that it released in February. However, there is a general consensus in the IP community that the law needs to provide a federal civil cause of action for trade secret theft that provides for broad civil remedies, similar to the Copyright Act or the Patent Act. Until such an act is implemented, trade secrets will not have a level of protection commensurate with their importance.
Earlier this week, attorneys for convicted computer hacker Andrew “Weev” Auernheimer filed their opening brief in their appeal to the U.S. Court of Appeals for the Third Circuit to have his conviction overturned.
In 2010, Auernheimer’s co-defendant Daniel Spitler, who agreed to plead guilty in 2011, discovered a flaw in AT&T’s iPad user database, that he used to collect 114,000 email addresses. Auernheimer then disclosed those email addresses to Gawker, who published a redacted form of some of the account information. The disclosure of the email addresses attracted significant media attention and ultimately forced AT&T to change their security protocols.
Last November, Auernheimer was found guilty by a jury after a five day trial of violating the Computer Fraud and Abuse Act (CFAA) and conspiracy to gain unauthorized access to a computer without authorization. He was sentenced in March to 41 months imprisonment to be followed by three years of supervised release.
The CFAA prohibits accessing a computer without proper authorization, which is the same statute that Internet activist Aaron Swartz was convicted of violating. The law has faced steep criticism for being overly broad and allowing prosecutors wide discretion by allowing them to charge individuals who have violated a website’s terms of service. Last month “Aaron’s Law” was introduced in Congress, which would amend the CFAA to prevent prosecutors from charging an individual with violation a company’s terms of service and from bringing multiple charges against an individual for the same act.
The government’s brief is due on July 22 and Auernheimer will then have the opportunity to file a reply brief by August 5.
We will know in a matter of months how the Third Circuit will rule on Auernheimer’s appeal and whether his conviction and sentence will be upheld. This case raises some very interesting issues on the scope of computer crime laws and prosecutorial discretion. Is the conduct of Auernheimer the type that we need to devote government resources to send a person with no criminal record to prison for a significant period of time?
April 30 was an historic day for online poker players in the United States. Just a bit more than two years after the indictment and civil cases that were termed “Black Friday” shut down the industry, Ultimate Poker became the first live real-money online poker site in the United States after Black Friday.
Nevada became the first state to legalize online poker in June 2011, and the regulations governing online gaming were issued in December 2011. Nevada gaming authorities granted Ultimate Poker a license in October and last week signed off last week on Ultimate Poker’s technology, which allowed them to launch.
Ultimate Gaming, a majority-owned subsidiary of Station Casinos, LLC, is operating UltimatePoker.com. Station Casinos owns sixteen casinos in Las Vegas. Ultimate Poker is the exclusive online gaming partner of the Ultimate Fighting Championship.
Right now, Ultimate Poker is only available to people who are over the age of 21 and are located in Nevada, though you do not have to be a Nevada resident to participate. Players can register and deposit money into their accounts from anywhere in the world, but can only play when they are physically in Nevada. Players can also make deposits and withdrawals at any of Station Casinos’ locations in Las Vegas.
To verify location, Ultimate Poker will triangulate a customers’ cell phone signal, though some cell phone carriers are not participating in the plan yet. Some players reported difficulty when they tried to play on Ultimate Poker on the first day, including issues with the geo-location services and players being unaware that their cell phone carrier was not participating.
Nevada recently passed a bill that would authorize the state to enter into interstate gaming compacts with other states, a reality that became possible after the U.S. Department of Justice released an opinion in December 2011 stating that the Wire Act applied only to sports betting. Liquidity could become an issue for a state with a relatively small population such as Nevada, so interstate compacts could become vital to the long term success of the state’s online gaming industry.
Online gaming is legal in both New Jersey and Delaware, though those states have yet to go live. Nearly a dozen other states have at least considered some form of online gaming legislation in the past year.
We are very happy to see online poker back online again. Some hurdles remain for companies to assure that their products operate smoothly and efficiently, but it is a good day for the industry and players that real money poker is back online.
Earlier this year, the Department of Justice announced an initiative to step up its enforcement of trade secret theft. In a February 20 press conference, Attorney General Eric Holder announced that the Obama administration aimed to make it a top priority to prosecute intellectual property crimes. At the press conference, the DOJ unveiled a report titled, “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets,” which focuses largely on how to prevent and remedy trade secret theft by foreign governments and foreign corporations.
Only two days later, however, a development in one of the DOJ’s highest-profile trade secrets cases demonstrated the difficulties of prosecuting foreign defendants. On February 22, a federal judge in the Eastern District of Virginia determined that, despite eight attempts, the DOJ had not properly served Kolon Industries Inc, a South Korean company accused of stealing trade secrets from duPont, a U.S. company. The DOJ’s criminal case follows a civil trial that returned a $919.9 million judgment against Kolon for stealing 149 trade secrets related to Kevlar, a synthetic fiber used in body armor. Kolon used those trade secrets to create its own competing fabric, Heracron.
The difficulties the DOJ encountered in bringing the overseas perpetrators to justice is especially relevant because the report indicates that most secret theft is committed by foreign nationals, especially in China. According to the report, “Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the [intelligence community] cannot confirm who was responsible.” The vast majority of cases highlighted in the report involve Chinese nationals or Chinese firms.
The difficulties in bringing foreign nationals to justice only emphasize the need for corporations to take stronger precautions to prevent their trade secrets from being stolen in the first place. The “Administration Strategy” document recognized this need and proposed that companies work cooperatively to develop best practices for trade secret protection in areas such as research and development compartmentalization, information security policies, physical security policies, and human resources policies.
The “Administration Strategy” document notes that companies suffering from trade secret theft may be hesitant to come forward for fear of how it could affect the company and its stakeholders. However, the document encourages them to do so, both in order to bring the perpetrator to justice and to allow the government to collect information that could help to identify patterns in trade theft and prevent similar events in the future.
The DOJ has demonstrated its commitment to trade secret enforcement by continuing to pursue the Kolon case despite the February setback. The DOJ filed a superseding indictment on March 19 and must now serve Kolon in accordance with the judge’s February 22 order. Given the fanfare with which the DOJ announced its trade secret agenda, there is no doubt that the government will continue to doggedly pursue this and other trade secret cases.
We support the DOJ’s effort to protect corporate trade secrets so that companies can benefit from the innovation that they work so hard to develop. As always, we also remain on the lookout for indications of overzealous prosecution in instances where it does not appear that confidential proprietary information has been stolen.
Reuters recently quoted Tian Lipu, head of China’s State Intellectual Office, complaining about China’s reputation for rampant software piracy. According to Tian, “China is the world’s largest payer for patent rights, for trademark rights, for royalties, and one of the largest for buying real software . . . We pay the most. People rarely talk about this, but it really is a fact.”
Tian’s protestations are akin to the shoplifter who defends his theft of a coat by pointing out that he also bought two shirts from the same store. China, as well as other countries worldwide, needs to stop looking the other way at copyright and trademark piracy, and to crack down on this form of theft.
According to the Business Software Alliance’s (BSA) 2011 Global Software Piracy Study, 42% of PC software worldwide – with a commercial value of more than $63 billion — is pirated. The rate of software piracy in China is an astounding 77%. By comparison, the percentage in the United States is 19%, while it is 26% in the UK, 21% in Japan, and 27% in Canada. In fairness, while the value of pirated software in China eclipses all other countries (excepting, ironically, the United States, where the relatively low piracy rate still results in almost $10 billion worth of pirated software), China is not the only, nor is it the worst, offender. Among the world’s 20 largest economies, Indonesia and Venezuela have higher piracy rates than China (86% and 88%, respectively), and Russia, India, Mexico, Thailand, Malaysia and Argentina all clock in with piracy rates over 50%.
Technical means of quashing or impairing the performance of pirated software (for instance, the Microsoft Genuine Advantage program) can help. But they are not a cure-all, nor can they put a dent in the pervasive levels of piracy. A multifaceted approach is needed to protect software and application developers from this pervasive form of theft. To start, developers must incorporate anti-copying mechanisms into their software and applications and must have strong and enforceable license agreements with users. From there, it is up to the developers to take a firm stand against theft of their product. However, it is equally important that governments, starting with China, bring their intellectual property laws into the 21st century, adapting them to encompass apps and other new and emerging technologies; enforce those laws; and make clear that software and application piracy will not be permitted. Until China and other nations do this, software and app developers will continue to be the constant victims of theft and the forward march of innovation will be stunted.
We have previously advocated for the Department of Justice to employ a more narrow reading of the term “foreign official” in the Foreign Corrupt Practices Act. Therefore, we were pleased to see that the DOJ recently issued an opinion that parsed the definition and came to the conclusion that a member of a foreign royal family was not a “foreign official” under the FCPA. Although this is a positive development, it somewhat conflicts with the DOJ’s prior opinions and accordingly will probably serve to further muddy the FCPA waters.
In February 2012, an American lobbying firm approached the DOJ to request an opinion regarding the FCPA implications of its proposed partnership with a foreign consulting group. The consulting group was to act as its sponsor in providing lobbying services for the unspecified foreign country’s embassy in the U.S. The lobbying firm was concerned that this arrangement might implicate the FCPA because the foreign consulting group was owned, in part, by a member of the foreign royal family.
On September 18, the DOJ issued a statement finding that the royal family member was not considered a “foreign official” under the FCPA. The DOJ stated that, “[W]hether a member of a royal family is a ‘foreign official’ turns on such factors as (i) how much control or influence the individual has over the levers of governmental power, execution, administration, finances, and the like; (ii) whether a foreign government characterizes an individual or entity as having governmental power; and (iii) whether and under what circumstances an individual (or entity) may act on behalf of, or bind, a government.”
As the DOJ explained, in this instance the “Royal Family Member holds no title or position in the government, has no governmental duties or responsibilities, is a member of the royal family through custom and tradition rather than blood relation, and has no privileges or benefits because of his status.” The DOJ concluded that, “the Royal Family Member does not qualify as a foreign official under [the FCPA] so long as the Royal Family Member does not directly or indirectly represent that he is acting on behalf of the royal family or in his capacity as a member of the royal family.”
The DOJ surprised us by undertaking a reasonable, thoughtful, and fact-intensive analysis in finding that the royal family member was not a foreign official. However, the new standard invoked by the DOJ conflicts with the broad reading of “foreign official” that the DOJ has previously applied, which encompasses even employees of state-owned communications companies. Surely a telecom employee does not exert much control or influence “over the levers of governmental power,” nor would his government characterize him as having “governmental power.” Yet the DOJ found telecom employees to be foreign officials.
We applaud the DOJ for taking a reasonable approach in determining whether the royal family member is a “foreign official.” We encourage the DOJ to apply the same three factors every time it analyzes who is, and is not, a foreign official.
When online gaming is successful, Ifrah says, players participate in all aspects of the industry – including in the casinos. This is a great development for the gaming industry and great for business and for the nation’s economy.
In electing to testify in his own defense at his federal criminal trial for insider trading, hedge fund operator Doug Whitman made a decision that no other defendants in similar recent prosecutions had chosen. He was still convicted on all counts by a jury, just as were the other defendants who did not take the stand in similar cases.
Whitman operated Whitman Capital, a hedge fund based in Menlo Park, Calif., with about $100 million in assets under management. Prosecutors in the Southern District of New York alleged that Whitman made about $1 million for the hedge fund based on tips from insiders at various technology companies, including Polycom, Marvell Technology Group, and Google.
Whitman was found guilty of two counts of securities fraud and two counts of conspiracy to commit securities fraud. He faces a maximum of 20 years in prison for each charge and sentencing is schedule for December 20.
Five years ago, the Federal Bureau of Investigation launched an initiative known as “Operation Perfect Hedge,” aimed at prosecuting insider trading. The initiative has led to over 65 convictions over the past three years in cases brought by federal prosecutors in New York City. All eight defendants who have taken their cases to trial have been convicted by juries.
Among those convicted was Raj Rajaratnam, a fund manager for Galleon Group LLC, who was found guilty by a jury last year of 14 counts of conspiracy and securities fraud and sentenced to 11 years in prison.
The defense used by Whitman was that all trades that he made were in good faith and were backed by legitimate research. It is a defense similar to the one used by Rajaratnam, though Rajaratnam elected not to testify.
Whitman’s trial was unique because he was the first defendant prosecuted for insider trading who chose to testify in his own defense. Whitman testified that he never intentionally traded on improper information. He contended that his trades were based on research that he did on the companies and were not based on any illegal information. Whitman testified that he did not think that any of his sources possessed secret information.
The government presented three witnesses who had all pleaded guilty to passing illegal information on to traders and agreed to testify in an effort to secure a more lenient sentence. Whitman testified that the three witnesses had falsely implicated him out of their own self-interest. The government also presented secretly recorded telephone conversations that prosecutors alleged proved that Whitman possessed confidential information.
The jury deliberated less than a day before deciding that Whitman was guilty. Some observers suggest that the quick deliberation suggests that the jury gave little credence to Whitman’s testimony.
Ultimately, Whitman was convicted just as other defendants who were charged with similar crimes who did not testify. Defense lawyers know that putting their client on the stand presents significant risks, but they also know that this tactic may also provide an opportunity to show the jury that the defendant did not possess the culpable mental state. We will see whether in the future more defendants charged in insider trading cases elect to testify.
The U.S. Securities and Exchange Commission has charged an executive at Bristol-Myers Squibb with insider trading, citing his Internet searches as support that he tried to cover up his illegal acts.
As a high-level executive in the treasury department at Bristol-Myers Squibb, Robert D. Ramnarine helped the company target, evaluate, and acquire other pharmaceutical companies. The SEC’s complaint, filed in U.S. District Court in New Jersey, alleges that Ramnarine used non-public information obtained in his professional capacity to buy and sell shares in the targeted pharmaceutical companies. According to the complaint, “Ramnarine traded in options of common stock of the soon to be acquired company. After the public announcement of each acquisition agreement, the price of the securities bought by Ramnarine went up and he sold at a profit.” These trades resulted in allegedly ill-gotten gains of at least $311,361.
In addition, Ramnarine was arrested and charged with three counts of securities fraud, each with a maximum sentence of 20 years in prison. He was released on a $250,000 bond.
This case is getting widespread attention not because of the nature of the crime or the amount of money involved, but because of the almost humorously transparent search terms that the SEC alleges Ramnarine entered into search engines regarding his activities, including “can stock option be traced to purchase inside trading,” “insider trading options trace illegal,” and “insider trading options.” According to the complaint, Ramnarine performed these searches the day before buying stock options in one of Bristol-Myers Squibb’s target companies.
Daniel M. Hawke, Chief of the SEC Enforcement Division’s Market Abuse Unit, explained these searches by saying, “Ramnarine tried to educate himself about how the SEC investigates insider trading so he could avoid detection, but apparently he ignored countless successful SEC enforcement actions against similarly ill-motivated individuals who paid a heavy price for their illegal trading.”
While we cannot jump to conclusions about why Ramnarine performed these searches, the timing in proximity to the trades is certainly suspect and will leave him with some explaining to do at trial. Ramnarine may not be the first person with an embarrassing search history, but he’s a reminder that it can come to light at any time. With that in mind, for the next time you’re researching a sensitive topic, here’s a link to encrypted Google to use on a public computer.