Imagine a poker player who played an extraordinary amount of video poker and in doing so discovered a software bug that would allow him to achieve significant payouts through a series of unusual moves. These moves would actually manipulate in his favor the games he played and the amount he wagered on those games, but involved nothing more than deciding to play the game in a particular manner, and not anything involving tampering with the video poker machine or its programming. Now imagine being named in a federal indictment for computer fraud because of this seemingly innocent conduct. This is the story currently unfolding in a closely watched case in the U.S. District Court for the District of Nevada.
John Kane and Andre Nestor were each charged in an indictment in January 2011 with one count of conspiracy to commit wire fraud and one count of computer fraud in violation of the Computer Fraud and Abuse Act (CFAA), the same law that was used to prosecute Internet activist Aaron Swartz and Andrew Auernheimer. The CFAA was enacted in 1986 to protect computers that there was a compelling federal interest in protecting, such as computers owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer related activities, and there has been recent discussion on Capitol Hill of amending it further. The CFAA prohibits accessing a computer without proper authorization or it is used in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and allowing prosecutors wide discretion by allowing them to go so far as to charge individuals who have violated a website’s terms of service.
The indictment against Kane and Nestor alleges that they exploited an arcane bug in certain video poker machines to defraud casinos and win money to which they were not entitled and that their actions “exceeded their authorized access” on the machines in violation of the CFAA. As we see it, there is nothing illegal about pressing buttons on slot machines to change the amount of money you are betting or to switch games you are playing, but the prosecution alleged that doing this exceeded lawful access within the meaning of the CFAA. Fortunately for Kane and Nestor, the court agreed with the defendants that this was an example of prosecutorial overreaching and dismissed the CFAA count in the indictment on the ground that the statute did not encompass this innocent conduct.
Kane and Nestor would play video poker machines until they won, at which point a “double up” feature would become available for selection that would allow the player to insert more money and make larger bets. After more money is inserted, the game can be exited and the money value of the best changed to a value that will cause the targeted win to increase to whatever the player desired.
Most prosecutions for this type of fraud involve the use of magnets, or electrical shocks, or some external device, but what makes this case so unique is that this was a software flaw discovered by Kane. There was no external device or manipulation of the machine. The machines were played exactly the way they were intendedto be played and exactly the way the approved software allowed the machine to be played.The conspiracy to commit wire fraud charges are still pending against both Kane and Nestor. In July, the government and the defendants filed a stipulation to continue the trial dates, the ninth such request, which was granted by the court. The defendants are due back in court on November 25, 2013. The filing of the stipulations of continuance may mean that the defendants are cooperating in the investigation, or that they are otherwise attempting to resolve the case without a trial.
The dismissal of the CFAA charges in this case was, in our view, the correct result – a decision that will hopefully check the increasingly aggressive use of this statute by prosecutors to punish conduct that clearly does not fall with its proscriptions. This is a case that could have, and should have, been brought by the casino. There is no doubt that there is a proper place for criminal sanctions to punish and deter those who hack into computers and commit other types of wrongdoing by illegally gaining access to computers. But prosecutors must learn that the statute has its limits, and the courts must remain vigilant to protect those individuals whose conduct simply does not rise to the level of the crimes that the CFAA was designed to cover.