New Media and Technology Law Blog

No Expansion of CFAA Liability for Monetary Exploit of Software Bug

Posted in Computer Fraud and Abuse Act, Software, Videogames

In the game Monopoly, lucky players landing on Community Chest might turn over the highly desirable “Bank Error in Your Favor, Collect $200” card.  By the next turn, the proceeds are usually invested in properties and houses, yet some might wonder whether accepting such a windfall was proper in the first place… or whether it could lead to criminal charges.

This concept was tested when police arrested two video poker players who were exploiting a software bug that allowed them to multiply jackpots with just a sequence of pushed buttons.  See United States v. Kane, No. 11-mj-00001 (D. Nev. filed Jan. 19, 2011).  The defendants were charged with violations of the Computer Fraud and Abuse Act (“CFAA”), a federal statute that prohibits computer hacking and unauthorized access into computer networks.  The question was whether the defendants “exceeded authorized access” when they took advantage of an exploit in a video poker machine to win hundreds of thousands of dollars.

The CFAA was enacted in 1984 and provides, in pertinent part, that anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains. . . information from any protected computer” commits a crime. 18 U.S.C. § 1030(a)(2)(C). It defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6).

The Kane prosecution is a recent example of a “technology statute” being aggressively applied to issues or disputes that were not even conceived of when the statute was enacted. The CFAA was directed at classic computer “hacking” activities where it was easier to determine when an outsider lacked “authorized access” to a network.  But the language of the Act is susceptible to broader application, and it has been brought to bear in many contexts beyond the hacking scenario, including employee misappropriation of company data, unwanted copying or misuse of website data, and now, the “gaming” of video poker machines.

In Kane, the Government alleged that the defendants discovered an exploit in certain video poker machines that allowed the players, over the course of two years at different casinos, to falsely maximize the payouts for a winning hand.  Apparently, the defendant Kane uncovered the glitch in the machine after hours and hours of playing.  In short, once the “double up” feature of the poker machine was activated (i.e., an option that allowed players to make double-or-nothing bets), the defendants legitimately played until they obtained a winning hand.  Then, after using a complex combination of game changes, bill insertions and cash outs — a sequence of pushed buttons — they would use the “double up” feature to change the stakes in the middle of the game to the highest denomination, and trigger a second jackpot. Because of a series of programming errors, the machine re-evaluated the original game at the new, higher denomination, paying out a jackpot at a higher denomination than the defendants had initially wagered. [See Wired's excellent account of the entire caper.]  The Government did not allege that the defendants physically tampered with the video poker machines.

After the defendants won several large jackpots at a Las Vegas casino in one afternoon, the management became suspicious and summoned Nevada Gaming Control Board engineers, who discovered the software anomaly in the machine.  The defendants were later arrested and charged with conspiracy to commit wire fraud and violations of the CFAA based upon allegations that they exceeded authorized access to a protected computer in furtherance of fraud.

The defendants had moved to dismiss the CFAA claims and last year the magistrate issued a report recommending that the district court dismiss those charges.  See United States v. Kane, No. 11-cr-00022 (D. Nev. Report and Recommendation Oct. 15, 2012).  The defendants asserted that the CFAA claim should be dismissed because: (1) a video poker machine is not a “protected computer” under the statute (i.e., a computer “which is used in or affecting interstate or foreign commerce or communication”); and (2) the defendants did not “exceed [their] authorized access” to the video poker machines.

In recommending dismissal, the magistrate first found that a video poker machine was not a “protected computer” under the statute because, unlike a computer network or online database connected to the internet, a video poker machine was a standalone computerized machine unconnected to interstate commerce. The magistrate also found that the defendants did not exceed authorized access to the video poker machine.  The court rejected the Government’s argument that while the defendants were authorized to play video poker, the defendants were not authorized to configure play in a manner that produced false payouts not intended by the casino.  Unlike the employer-employee situation, where the use of computer use policies, password protection, encryption and system monitoring defines the level of “access,” gamblers do not agree to any terms of use and the bounds of play are enforced by the video poker software itself.

The magistrate cited United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), where an en banc Ninth Circuit upheld the lower court’s dismissal of CFAA charges stemming from an ex-employee’s misappropriation of proprietary documents in violation of his employer’s computer use policy. [For additional information about the case, see our prior post].

In recommending dismissal of the CFAA charges, the magistrate stated that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions:

Here, the Government has asserted that, although the Defendants were authorized to play the video poker machines and access information for that purpose, the way that they used the information exceeded their authorization. This argument is directly analogous to the government’s argument in Nosal and it fares no better here. As Nosal makes clear, the CFAA does not regulate the way individuals use the information which they are otherwise authorized to access. Here, the Defendants’ alleged actions did not exceed their authorized access.

Following the magistrate’s report, the district court ordered supplemental briefing from the parties regarding whether the defendants exceeded authorized access under the CFAA in light of the Nosal ruling and whether the defendants’ conduct could be comparable to hacking or misuse under the statute.  This past spring, the Government voluntarily dismissed the CFAA charges, leaving the defendants to face the wire fraud claims.  After several continuances, the trial is currently set for December 3, 2013 on the remaining counts.

As evidenced in Kane, the Ninth Circuit’s Nosal ruling continues to have important implications for the availability of a federal cause of action for misappropriation of data, as well as cases involving unauthorized access to websites and other computerized services.