In a case that illustrates just how sticky it can be to prosecute insider crime, the US Supreme Court on Monday dismissed the second criminal conviction of a former Goldman Sachs programmer who copied 32MB of what he claimed was open-source code.
Before leaving to work for a high-speed trading startup in 2009, but while he still had access to the Goldman Sachs network, Sergey Aleynikov admitted to having logged in remotely to copy a tarball – a group of files collected together as one.
When Goldman Sachs got wind of the download, the FBI investigated.
According to Monday’s ruling, Aleynikov told FBI lead agent Michael McSwain that he “wanted to inspect the files much like a person in college would go back and read a paper.”
The courts didn’t buy his arguments – or, at least, they didn’t buy into whatever parts of his argument they could figure out, given the convoluted laws involved.
What ensued included a long-drawn-out legal battle, two criminal convictions, and a 97-month-long prison term, of which the programmer served one year before getting out when his convictions were overturned.
His second conviction came three months ago, when Aleynikov was convicted for stealing high-speed trading code from the bank and was acquitted on one count of unlawful duplication.
A confused New York state jury couldn’t come to a verdict on another count of unlawful use of “secret scientific material.”
Monday’s ruling, from Judge Daniel P. Conviser of New York’s State Supreme Court, says that the Penal Law defines the term to mean:
A sample, culture, micro-organism, specimen, record, recording, document, drawing or any other article, material, device or substance which constitutes, represents, evidences, reflects, or records a scientific or technical process, invention or formula or any part or phase thereof, and which is not, and is not intended to be, available to anyone other than the person or persons rightfully in possession thereof or selected persons having access thereto with his or their consent, and when it accords or may accord such rightful possessors an advantage over competitors or other persons who do not have knowledge or the benefit thereof.
The judge wrote in his ruling that Aleynikov acted wrongfully by taking the code, but his actions did not meet the standard under the law in which he was charged:
The evidence did not prove he intended to appropriate all or a major portion of the codes economic value.
Aleynikov had first been convicted by jury in federal court in 2010 on one count of stealing trade secrets and one count of transporting stolen property. The laws he was convicted of violating were the National Stolen Property Act (NSPA) and the Economic Espionage Act (EEA)
He was sentenced to 97 months in prison – 8 years and one month.
The United States Court of Appeals for the Second Circuit overturned the decision in 2012, writing that Aleynikov hadn’t stolen anything physical when copying the source code, because it was done over the internet, and thus didn’t violate the National Stolen Property Act.
But New York state prosecutors came after him again, charging him in August 2013 under different laws for the same actions: a way to get around Fifth Amendment protection against being tried twice for the same crime.
According to Monday’s ruling, Goldman Sachs didn’t lose competitive advantage from this code, which was never shared with Aleynikov’s new employer – or, rather, his intended new employer, Teza Technologies, which backed out of hiring him in light of the court action.
Multiple Goldman Sachs programmers testified that the code was valuable, particularly in starting up a new high-speed trading system.
But Teza’s policies forbid competitors’ code being brought in by competitors, and the company testified that in order to get a cutting-edge system up and running, it wouldn’t make sense to use old code anyway.
Readers, what do you think?
Is copying code before leaving a job standard practice, or is it blatant espionage? Did he get off on a technicality, or was the code up for grabs?
Please share your thoughts in the comments section below.
Image of stock trading courtesy of Shutterstock.
4caster
The crime is Theft of Intellectual Property. The fact that he didn’t deprive the owner of that property is immaterial. He is guilty of duplicating it.
But the fact that he didn’t make any financial gain from the copied information, before he destroyed it or was dispossessed of it, makes it a technical crime rather than a material one. He should have been given a conditional discharge (if they have such a thing in America), with a warning not to do it again.
Blake
It’s pretty clear (morally and legally) that the work one performs while being paid by your employer is the employer’s property. Additionally, any of this code/data that was made by others working for the employer is the employer’s property.
However, if one works as a contractor or works on his or her own time, what’s done off the clock or not under stipulation of the contract is your own IP – Not your employers.
There is room for a gray area here – for example, an employee is hired based on past development knowledge or work they bring in to a company or an employee works on a project both on and off the clock, but that evidence wasn’t really discussed in this article. I’m surprised that the court documents indicate that working from home was encouraged as this could be one of those gray areas – perhaps Goldman addressed this via a specific contract.
From the court documents, it certainly sounds like a crime was committed. However, I don’t feel that an 8 year sentence is justice. The stolen code should be returned and some penalty rendered.
Oh Captain! (@captfuzzbucket)
This case has always been about 18 U.S. Code § 1832 – Theft of trade secrets. Whether he profited or intended to profit is irrelevant. The question becomes about DAMAGES. Does GS have any real DAMAGES because this guy used their code. It appears that Goldman Sachs had a very difficult time proving there were any. On the other hand, if this guy hired better lawyers and experts for his defense, this would have been over before the first trial. He didn’t make it difficult for the FBI to bring him to trial in the first place. He lived an unbelievable nightmare for no reason. With that said, programmers do this all the time. They take or keep stuff from their old jobs. There are helpful libraries that don’t make it into Open Source that they work with every day. But with the complete corporate embrace of places like GitHub, this kind of thing should become less of a problem. Unless you’re going out of your way to steal really valuable stuff. If that’s the case, steal from an underfunded startup. Or Don’t get caught.
vineeth
So was it open-source or not? If it was open-source, I don’t think that it’s theft of intellectual property, otherwise, yes, it is.
Andrew Ludgate
Either way, this does serve as a good lesson: publish your code through proper channels (via company code review) to a public-facing repository, and pull it from there; this way, you can’t be at fault if some proprietary code slips in, as it was the company who published it, not you who copied it off of private servers.
Malcolm
I might be biased (I’ve been coding for a good part of my life) but taking code from one company gives almost zero gain, why?
1- You also take a big number of assumptions that might not be true anymore and might actually block the new business
2- You cannot copy the know-how of where to change the code, or how to change the code
3- It’s difficult to copy the infrastructure where the code needs to run
4- You cannot take easily the external integration points
The main reason why large organizations protect their code is to prevent being hacked to the ground. The real IP comes from their business proposition and culture.
Paul Ducklin
I think that’s a risky generalisation.
In some software applications, especially those that are based on specialised and complex algorithms, it may be not only the algorithms but also clever and efficient ways of implementing them, plus carefully-constructed data sets to drive them, that are the “secret sauce.” Getting a ready-to-run, debugged, field-tested implementation of something that goes to the heart of the service you plan to offer might, indeed, be a lot more than “almost zero gain.”
After all, stealing someone’s code is like licensing it without paying the bill, if you think about it. Sure, you don’t automatically get updates, but in the immediate term, you don’t need them.
I agree that you might shoot yourself in the foot by trying to copy a competitor’s software without understanding how to take what you copied to the next level to keep up the competition. Nevertheless, you’re likely to have some effect on the victim’s business, even if it’s only for a while, and anyway… if you don’t, that doesn’t make it right to rip stuff off :-)
As for “copying the infrastructure”…these days, you may not need to copy anything. Just rent an identical Compute Platform Cloud Whatsit Instance from the same provider as the company you’re rorting.