Before leaving Goldman Sachs to earn a millionaire’s salary with Chicago High Frequency Trading (HFT) startup Teza Technologies, Sergey Aleynikov made one last transaction. At 5:20pm on his last day, just before his going-away party, Aleynikov uploaded 500,000 lines of encrypted source code from the Wall Street firm’s proprietary HFT system to a server located in Germany. Following the clandestine upload, Aleynikov deleted the encryption program, wiped his command history, and headed to the party.
Although Aleynikov later managed to download the source code to his home computer in New Jersey before flying to Chicago, he was apprehended by the FBI while returning through Newark Liberty International Airport.
But after his conviction at trial and imprisonment during the appeals process (his dual US-Russian citizenship presented a flight risk), Aleynikov is now a free man.
The reasons why touch the entire software industry.
The appellate court for the Second Circuit released an opinion on Thursday finding that the HFT source code did not fit within the scope of the National Stolen Property Act (“NSPA”), which makes it a crime to transport or transmit stolen goods, wares, or merchandise. The court concluded that Aleynikov did not steal physical “goods” per se, but rather, software code which was “purely intangible property embodied in a purely intangible format.”
Because the statute was interpreted to apply only to physical goods, the court declined to “stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age.”
Nor could Aleynikov be punished under the Economic Espionage Act (“EEA”), the court concluded, because the HFT source code was not a product that was “produced for” or “placed in” interstate commerce, as required under the EEA. Goldman Sachs planned to keep the HFT source code secret, having no intention to sell or license it to anyone in the market.
The appellate court’s decision overturns Aleynikov’s conviction, for which he had been sentenced to eight years in prison, followed by a three-year supervised release, and a $12,500 fine.
Contrary to some previous coverage, the court’s decision is focused not on whether software code is property capable of being stolen, but instead, on the specific scope of the NSPA and the EEA as enacted by Congress. The impact is smaller than it might have first appeared.
In fact, the decision is based on a careful consideration of prior legal precedent, the precise language of each law, relevant legislative history, and the well-reasoned principle that courts should favor narrow interpretations of criminal laws that are ambiguous.
But the decision is nonetheless a setback for businesses hoping to protect intellectual property trade secrets. Since the court concluded that the NSPA does not apply to “intangible” intellectual property, insiders may now have less to fear by stealing proprietary software. This reality will not be lost on unscrupulous employees: although Aleynikov clearly stole valuable proprietary software from Goldman, he was able to escape conviction by uploading the information to a remote server (rather than downloading and storing the code on a physical device, such as a flash drive).
Moreover, as proprietary software is increasingly integrated into business methods, the incentives and opportunities for theft will grow. The impact could be especially large for technology companies that develop and market software as their primary product. In particular, software-based trade secrets that are not actually designed for licensing or sale in the open market (like Goldman’s HFT system) will be especially vulnerable. Companies concerned about intellectual property trade secrets should therefore begin monitoring HTTPS transfers on their servers, paying special attention to any instances of large amounts of data leaving their network.
The court recognizes this negative impact. As argued by Justice Calabresi, who concurred in the opinion (although somewhat reluctantly it seems), courts should consider the actual “mischief” that a law is designed to address when interpreting its context and meaning. As Calabresi acknowledges, “[I]t is hard for me to conclude that Congress, in this law, actually meant to exempt the kind of behavior in which Aleynikov engaged…I wish to express the hope that Congress will return to the issue and state, in appropriate language, what I believe they meant to make criminal in the EEA.”
Critics of the decision will also point out that, regardless of the form in which the source code was taken, the substance and economic value of the software remained the same, and so too should the criminal nature of the act. Yet the court’s technical legal analysis resulted in a different outcome. It goes to show that small distinctions can make a big difference.
From a larger policy perspective, when courts justifiably refuse to broaden the reach of federal statutes, Congress must step in to state the law more clearly. That’s especially true in the area of software, where laws remain generally antiquated and unclear as a result. In the meantime, businesses will have to find concrete ways to protect their intangible property.
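One way to act on the monitoring recommendation above, as an added example that is not part of the original article: total outbound bytes per user and destination per day from forward-proxy logs, so that an upload split across several HTTPS connections still crosses the alert threshold. The log layout, host names, user names and the 25 MB threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample proxy log (not real data). Assumed fields:
# timestamp, user, method, destination host:port, bytes sent outbound.
SAMPLE_LOG = """\
2024-01-05T10:02:11 jdoe CONNECT intranet.example.com:443 18234
2024-01-05T17:18:40 asmith CONNECT files.example.net:443 9123441
2024-01-05T17:19:02 asmith CONNECT files.example.net:443 23220017
2024-01-05T17:20:15 asmith CONNECT files.example.net:443 4410090
2024-01-05T17:21:00 asmith CONNECT
2024-01-05T17:25:00 jdoe CONNECT mail.example.org:443 250112
"""

def parse_line(line):
    """Split one log line into (day, user, host, bytes_out)."""
    ts, user, _method, dest, sent = line.split()
    host = dest.rsplit(":", 1)[0].lower()
    return ts[:10], user, host, int(sent)

def large_uploads(log_text, threshold_bytes, approved_hosts=frozenset()):
    """Return [((day, user, host), total_bytes)] at or above the threshold.

    Bytes are summed across connections, because a single large transfer
    can be split into pieces that each stay under a per-connection limit.
    Hosts in approved_hosts (for example, internal services) are skipped.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            day, user, host, sent = parse_line(line)
        except ValueError:
            continue  # truncated or malformed line: skip rather than crash
        if host in approved_hosts:
            continue
        totals[(day, user, host)] += sent
    flagged = [(k, v) for k, v in totals.items() if v >= threshold_bytes]
    return sorted(flagged, key=lambda kv: -kv[1])

if __name__ == "__main__":
    for (day, user, host), total in large_uploads(
            SAMPLE_LOG, 25 * 1024 * 1024, {"intranet.example.com"}):
        print(f"{day} {user} sent {total} bytes to {host}")
```

In the sample, no single connection exceeds the threshold; only the per-day total does, which is why the check aggregates before comparing.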