In February 2012, following oral argument, the U.S. Court of Appeals for the Second Circuit issued a brief order reversing Sergey Aleynikov’s convictions for violating the National Stolen Property Act, 18 U.S.C. § 2314 (“NSPA”), and the Economic Espionage Act, 18 U.S.C. § 1832(b) (“EEA”), and stating a longer opinion would follow. In that promised opinion, which was issued earlier this month, see United States v. Aleynikov, No. 11-1126 (2d Cir. Apr. 11, 2012), the appeals court explained why Aleynikov did not commit the charged federal crimes, and more importantly, it established significant limits on future federal prosecutions concerning the theft of intangible intellectual property.
Before his troubles began, Aleynikov worked for two years as a computer programmer at Goldman Sachs & Co. There, he helped to write the source code for Goldman’s proprietary high-frequency trading (“HFT”) system, which makes large volume trades based on algorithms that incorporate rapid market developments and past trading data. Kept highly confidential and never licensed to any other parties, the HFT system was akin to the Wall Street bank’s own secret formula for Coke. As an employee, Aleynikov was subject to strict confidentiality provisions that prohibited him from divulging this valuable trade secret.
Aleynikov had other plans, however. He decided to leave Goldman and join Teza Technologies, LLC, a financial firm in Chicago with plans to develop its own HFT system. (The government did not accuse Teza of any wrongdoing.) On his last day at Goldman, Aleynikov encrypted and uploaded source code from the HFT system to a server in Germany. After returning home that night, Aleynikov downloaded the data to his personal computer. He later made additional copies of the computer program on other devices, including a thumb drive and laptop, and also took steps to cover his electronic tracks. Aleynikov then traveled to Chicago to meet with representatives of Teza, and he brought the purloined source code with him. When he returned to New Jersey, he was arrested by the FBI at Newark airport.
At trial, Aleynikov argued that he only copied open source materials and never intended to harm Goldman. The jury was unconvinced and found him guilty. The trial court sentenced him to 97 months in prison. In its recent opinion reversing Aleynikov’s convictions, the Second Circuit certainly did not condone his behavior — repeatedly calling him a corporate thief and noting that his dishonest conduct breached his confidentiality obligations to his employer. But the court concluded, after closely analyzing the text of the criminal statutes and the relevant case law, that Aleynikov had not violated the NSPA or EEA. (The appeal related only to the criminal prosecution, and it did not address whether or how Goldman might sue Aleynikov for money damages.)
Computer Fraud and Abuse Act
Although not part of the appeal, Aleynikov was also charged with violating the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, which prohibits accessing computers without authorization in certain specified situations that the statute describes (for example, protected computers containing national security information). Aleynikov moved to dismiss that charge, and the trial court granted his motion. As the Second Circuit recounted, the trial court concluded that, as an employee, Aleynikov was authorized to access Goldman’s network; that as a programmer who worked on the HFT system in particular, his access to that source code did not exceed his authorization; and perhaps most critically, that his “authorized use of a computer in a manner that misappropriates information is not an offense under the CFAA.”
Because this count was dismissed, and the government did not appeal from that decision, the Second Circuit had no reason to address the issue. As it stands, therefore, it may be a crime under the CFAA for an outsider – say, an ill-intentioned hacker – to access a computer network and misappropriate source code or other intellectual property, but it is not illegal for an insider – such as an authorized employee – to do the very same thing. When considering the parameters of the CFAA, it is important to distinguish (a) whether a person is authorized to access a computer from (b) how the person uses information from the computer (e.g., in violation of application confidentiality or non-compete agreements). The CFAA addresses unauthorized access to certain computers, not the improper use of information stored within.
National Stolen Property Act
Aleynikov was charged with, and convicted of, violating the NSPA which prohibits as a federal crime “transporting, transmitting or transferring in interstate or foreign commerce any goods, wares, merchandise, securities or money, of the value of $5,000 or more, knowing the same to have been stolen, converted or taken by fraud.” As the Second Circuit explained, the “decisive question” was whether the source code that Aleynikov stole from Goldman constituted “goods, wares [or] merchandise” within the meaning of the NPSA.
To answer that question, the appeals court looked back almost 50-years – long before the computer, much less complex HFT systems – to its decision in United States v. Bottone, 365 F.2d 389 (2d Cir. 1966). In that case, the Second Circuit affirmed the conviction of Caesar Bottone who had photocopied documents outlining proprietary manufacturing procedures for certain pharmaceuticals and transported those documents across state lines. But the law would not have ensnared Bottone, the court explained, if he had memorized the same manufacturing information and taken it, in his mind, across the Hudson River. Based on this prior precedent, the Second Circuit concluded, in Aleynikov, that the NSPA is not “endlessly elastic,” rather “some tangible property must be taken from the owner for there to be deemed a ‘good’ that is ‘stolen’ for the purposes of the NSPA.” Stated another way, the Second Circuit joined other federal appeals courts including the First Circuit in holding that stealing “purely intangible properly” is not a crime under the NSPA.
Wary of declaring open season on intellectual property, federal courts have been careful to emphasize a critical qualification: although the NSPA does not apply to “purely intangible information,” “it does apply when there has been ‘some tangible item taken, however insignificant or valueless it may be, absent the intangible component.’” United States v. Martin, 228 F.2d 1, 14-15 (1st Cir. 2000) (quoting United States v. Brown, 925 F.2d at 1037, 1308 n.14 (10th Cir. 1991)). But what does that mean exactly? The Second Circuit did not have to answer that question, because there was no allegation that Aleynikov took anything tangible from Goldman, such as a compact disc or thumb drive containing source code. If Aleynikov had copied data onto a Goldman disc, he would have violated the NSPA, but instead he uploaded it to a server, so he did not. That distinction makes the critical question of criminal liability turn on whether a defendant steals a five-cent CD, not a five-million-dollar computer program. That seems somewhat silly, as the Second Circuit acknowledged, noting “there is no doubt that in virtually every case involving proprietary computer code worth stealing, the value of the intangible code will vastly exceed the value of any physical item on which it might be stored.” Read this way, the NSPA does a better job protecting thumb drives than the trade secrets stored on them.
To its credit, the Second Circuit did not ignore these oddities. Rather, following the well-settled principle that federal crimes are “solely creatures of statute,” Dowling v. United States, 473 U.S. 207, 213 (1985), which must be narrowly construed to avoid due process concerns, the appeals court appropriately refused “to stretch or update statutory words of plain and ordinary meaning” – such as “goods” – “to better accommodate the digital age.” Amending and expanding federal criminal statutes is a job reserved for Congress. And the legislature, like the courts, must keep up with rapid technological change. Indeed, re-reading the First Circuit’s 2000 decision in Martin, one gets the sense that it, too, may already be out of date. The First Circuit appeared to equate stolen “software,” which the defendant had mailed to her co-conspirator, with other “physical goods,” such as “test kits” for animal vaccines. Today, however, software is more often downloaded from the internet, or accessed in a cloud, than delivered on a disc or any other physical media. That evolution may have significant consequences for how the NSPA applies to the misappropriation of software, like the source code at issue in Aleynikov. If the NSPA retains its focus on the theft of physical items, then at least with regard to purely intellectual property, it may fade into obscurity like the floppy disk.
Economic Espionage Act
Aleynikov was also charged with, and convicted of, violating the domestic provision of the EEA which exposes to a 10-year prison sentence any person who, “with the intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly . . . without authorization . . . downloads, uploads, . . . transmits, . . . or conveys such information.” This federal criminal statute presented the Second Circuit with an entirely different problem, one that resonates more with the current debate over the Affordable Care Act and the Commerce Clause than the legal challenges of the digital age.
The domestic provision of the EEA applies, by its terms, only to those trade secrets that are “related to or included in a product that is produced for or placed in interstate or foreign commerce.” To use an example mentioned earlier, the secret formula for Coca-Cola has qualified for almost 100 years (since 1920) as such a trade secret because it is used in manufacturing soda which is itself a product placed in interstate and foreign commerce. But Goldman did not sell or license its HFT system like cans of Coke. Quite the opposite. Goldman aggressively protected the confidentiality of its computer program, and in large part, the system’s substantial value flowed from the fact that others did not know how it worked and, thus, could not design a competing system to affect even more rapid trades. For that reason, the Second Circuit concluded: “Because the HFT system was not designed to enter or pass into commerce, or to make something that does, Aleynikov’s theft of source code relating to that system was not an offense under the EEA.”
Further, in reaching that conclusion, the Second Circuit rejected the broader reading that the trial court had endorsed – a product is “produced for” interstate or foreign commerce if its purpose is to “facilitate or engage” in such commerce. That interpretation covered Goldman’s HFT system, which clearly existed to facilitate and engage in securities transactions on domestic and foreign exchanges. But the Second Circuit ruled that understanding was too broad and inconsistent with the statutory text.
Thus, as with the NSPA, the decision in Aleynikov established an important, new limit for federal criminal liability under the EEA. A person who steals proprietary intellectual property from an owner who uses that information solely for internal, commercial purposes does not violate the domestic provisions of the EEA. (The foreign provisions of the EEA, which are more expansive, were not at issue in Aleynikov.) Yet if the same person takes intellectual property that the owner uses in a product that it produces for or makes available on domestic or foreign markets, then the thief runs afoul of the federal criminal law. While logical, this internal/external or private/public distinction would seem to leave unprotected, at least under the domestic provisions of the EEA, some extremely valuable intellectual property that is critical to how owners operate their businesses and obtain competitive advantages. Stealing the source code for Goldman’s HFT system to aid a competitor company seems like a quintessential act of economic espionage, but according to the Second Circuit, it did not violate the EEA. Ironically, it was precisely because Goldman closely guarded its computer program that the source code fell beyond the EEA’s scope.
Wire and mail fraud
Finally, it merits mention that Aleynikov was not charged with wire or mail fraud in violation of 18 U.S.C. §§ 1341 and 1343. The mail and wire fraud statutes prohibit using the mail or “wires,” meaning telephones, e-mail, or other electronic communications, to conduct a “scheme to defraud” or “to obtain money or property by means of false or fraudulent pretenses.” Both federal criminal statutes require the government to prove beyond a reasonable doubt that the defendant engaged in some intentional deception. On its face, Aleynikov’s conduct did not necessarily involve any deceit or trickery. He did not tell anyone at Goldman what he had done, but he also did not lie about it. He did not masquerade as someone else to gain access to the HFT system, nor did he dupe Goldman into sharing its source code with him.
That is not to say Aleynikov may not have been convicted of wire or mail fraud, if he had been charged with those offenses. In contrast to the NSPA which limits “goods, wares [and] merchandise” to physical items, the mail and wire fraud statutes broadly define “property” to include purely intellectual property, such as computer programs or other confidential business information. See Carpenter v. United States, 484 U.S. 19, 25-26 (1987); United States v. Czubinski, 106 F.3d 1069, 1074 (1st Cir. 1997). Thus, in United States v. Martin, a somewhat similar case involving an employee who shared trade secrets with a competitor company, the First Circuit ruled that, by relaying confidential information in violation of her fiduciary duty to her employer and her signed non-disclosure and non-compete agreements, the defendant engaged in “false pretenses.” On that basis, the appeals court affirmed the defendant’s convictions for mail and wire fraud. See also United States v. Wang, 898 F. Supp. 758 (D. Colo. 2005) (denying the defendant’s motion to dismiss the indictment in a wire fraud prosecution where the defendant had transmitted by wires, without proper authorization, confidential source code that belonged to his employer). Now that the Second Circuit has closed certain doors to federal criminal prosecutions in intellectual property cases, the Justice Department may opt to proceed through a door that other courts have left open, charging defendants like Aleynikov with mail and wire fraud and arguing that, by violating agreements with their employers, they engaged in prohibited deceit.
If asked, most people would probably think that, if an employee brazenly steals valuable intellectual property from his or her employer to give to a competitor company (where the employee has accepted a new job), then that employee has committed a federal crime. Not necessarily. As the Second Circuit decision in Aleynikov makes clear, federal criminal liability under the NSPA, EEA and CFAA will turn on specific, and somewhat surprising, factual questions. For example, did the employee take the intangible intellectual property on a tangible device, like a disc, that belonged to his or her employer? Was the intellectual property used internally or as part of a product that the company produced for sale? Did the company authorize the employee to access the computer system in the first place? Depending on the answers to these types of factual questions, conduct that is dishonest, unethical and inappropriate may, nevertheless, not be criminal.
As much as things change, some things will remain the same: the government will continue to prosecute the theft of intellectual property; defendants will continue to raise creative challenges to the criminal laws, and the courts will continue to wrestle with these issues, all as technology continues to evolve. For Aleynikov, that legal process unfolded over the past three years since his arrest in July 2009, and it took a heavy personal toll. Because he is a dual Russian and U.S. citizen, Aleynikov was deemed a “flight risk” and denied bail pending his appeal. As a result, Aleynikov — the father of three young children — served more than two years in federal prison before the Second Circuit decided that he had not, in fact, broken the law.