英文互译镜像站

United States v. Kane

Last updated
United States v. Kane
UnitedStatesDistrictCourtDistrictNevada.png
CourtUnited States District Court for the District of Nevada
Full case nameUnited States of America v. John Kane and Andre Nestor
DecidedNovember 2013
Citation(s)11-mj-00001
Holding
Defendants’ Motion to Dismiss charges under Title 18 U.S.C. § 1030(a)(4) should be granted

United States v. Kane, No 11-mj-00001 (D. Nev. filed Jan. 19, 2011), is a court case where a software bug in a video poker machine was exploited to win several hundred thousand dollars. Central to the case was whether a video poker machine constituted a protected computer and whether the exploitation of a software bug constituted exceeding authorized access under Title 18 U.S.C. § 1030(a)(4) of the Computer Fraud and Abuse Act (CFAA). Ultimately, the Court ruled that the government’s argument failed to sufficiently meet the “exceeding authorized access” requirement of Title 18 U.S.C. § 1030(a)(4) and granted the Defendants’ Motions to Dismiss. [1] [2]

Contents

This case is noteworthy because it followed the precedent established by the Ninth Circuit’s decision in United States v. Nosal , 676 F.3d 854 (9th Cir.2012) (en banc), with the magistrate calling the government’s argument directly analogous to the government’s argument in Nosal, further asserting that the CFAA does not regulate the way individuals use the information they are otherwise authorized to access. [3]

Background

In early April 2009, John Kane discovered a software bug in a video poker game which, following a “complex combination of game changes, bill insertions and cash outs”, would allow him to access previous winning hands and trigger a jackpot. [4] Following this discovery, Kane then contacted Andre Nestor who flew out to meet Kane and joined him in exploiting this bug for profit. The two continued this for nearly five months, from April 2009 to September 2009. [5]

Suspicions were raised on July 3, 2009, when Kane won five jackpots, each with 820-1 odds, in under an hour at the Silverton Casino Lodge. Following this, two engineers from Nevada’s Gaming Control Board were called in to inspect the machine for foul play. Here, having analyzed the machine’s logic tray and EEPROM, the engineers discovered the previously unknown firmware bug which Kane had been exploiting to win the jackpot payouts. [5] Subsequently, both Kane and Nestor were later arrested and charged with conspiracy to commit wire fraud and violating Title 18 U.S.C. § 1030(a)(4) of the CFAA on allegations that they exceeded authorized access to a protected computer in furtherance of fraud. [4]

Court findings

Following their Indictment, the Defendants filed a Motion to Dismiss, moving the Court to dismiss the charges alleging violations under Title 18 U.S.C. § 1030(a)(4), arguing that “even accepting all of the Government’s factual allegations as true, the Government has failed to state a cognizable offense under the law.” [2] The Court sided with this Motion to Dismiss, concluding that the Defendants had not violated Title 18 U.S.C. § 1030(a)(4), for a video poker game does not constitute a protected computer under 18 U.S.C. § 1030(e)(2)(B) nor did their actions exceed authorized access under 18 U.S.C. § 1030(e)(6). [2]

Protected computer

Computer

Addressing the Defendants claim that video poker machines are not “protected computers”, the Court first defined a computer to having the meaning given by 18 U.S.C. § 1030(e)(1) (the Computer Fraud and Abuse Act), which states a computer is an:

“electronic, magnetic, optical, electrochemical, or other high-speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device” [1]

Kane, in his reply, argued that due to their lack of keyboards, network connection, and ability to read or accept new information, video poker machines should thereby be excluded from this provision, [2] highlighting 18 U.S.C. § 1030(e)(1) which continued to state that:

“such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device.” [1]

However, whilst the Court acknowledged the exceptions listed in this provision, the Court argued that video poker machines are not “sufficiently similar” to an automated typewriter or typesetter or a portable hand held calculator to qualify for exclusion. [2] Consequently, the Court held that the video poker machines perform functions that directly align it with what constitutes a computer under 18 U.S.C. § 1030(e)(1).

Protected computer

Having concluded that video poker machines are computers, the Court then sought to address the Defendants claim that such machines are not “protected computers”.

Row of video poker machines inside Harrah's New Orleans similar to the ones used by Kane. Video Poker Machines.jpg
Row of video poker machines inside Harrah's New Orleans similar to the ones used by Kane.

To do this, the Court called upon 18 U.S.C. § 1030(e)(2)(B), which defined a protected computer as:

“[a computer] which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States” [1]

The arguments were as follows: [2]

  1. The Defendants, citing National City bank, N.A. v. Prime lending, Inc., argued that because the video poker machines lacked the ability to connect to the internet, they are not protected computers. However, the Government, citing U.S. v. Mitra, 405 F.3d 492 (7th Cir. 2005), reasoned that while internet connectivity is sufficient in establishing a computer as a protected computer, it is not required. [6]
  2. Addressing this, Kane noted how critical to the Seventh Circuit’s holding in Mitra was the issue of having operated in a medium of interstate commerce that was within a federally regulated domain. Thus, he argued, Mitra is not applicable to this case, for video poker machines are not subject to federal regulation. [6] The Government refuted this claim, arguing that the Gambling Devices Act of 1962 (15 U.S.C. § 1171-78) subjugated these devices to federal regulation, therefore they operate within the same regulated domain. [7]
  3. The Government argued that, due to the video poker machines “attracting customers from all over the country to Las Vegas” to play them, they thereby affect interstate commerce.

In its ruling, the Court held the following: [2]

  1. The Court sided with the Government in that internet access is not the only way to constitute a computer as a protected computer.
  2. The Court sided with the Defendant for, unlike the radio system in Mitra, a video poker machine has no such capability to transmit, receive, or otherwise communicate information across state lines.
    1. Additionally, the Court rejected the Government’s Gambling Devices Act applicability argument, declaring it invalid as this act functioned to merely regulated the shipping and transportation of these devices. [7] Thus, “the machines themselves do not function within those channels as anything more than cargo”.
  3. The Court held that the Government’s argument of affecting interstate commerce through the attraction of customers fails for two reasons:
    1. This proposed effect only holds in the aggregate, as the Government cannot show an individual video poker machine to have such an effect on interstate commerce.
    2. The basis of this argument derives from having “divorce[d] the function of the device, i.e. logical, arithmetic, or storage functions, from its supposed effects in interstate commerce.” [1]

Emphasizing the need for a more “tangential relationship to interstate commerce”, the Court concluded that the video poker machines failed to constitute protected computers as doing so would “result in an unacceptably broad application of the term”. [2]

Exceeds authorized access

Access

To address the Defendant’s claim of not having exceeded authorized access the Court first held that the Defendants, due to them having physically "interacted with the video poker machines in the manner for which they were designed", [2] had accessed the video poker machine.

Exceeds authorized access

Subsequently, the Court defined the term exceeds authorized access using 18 U.S.C. § 1030(e)(6) which defines the term as:

“[accessing] a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter”. [1]

With the Defendants actions allowing them to obtain previously played hands, the Government argued that they had subsequently “obtain[ed] or altered information” that they were not authorized to access, thereby exceeding their authorized access. [2]

However, with the Government having conceded that the Defendants were authorized to play video poker, the Court disagreed with the Government’s claim, as it effectively sought to criminalize the way the Defendants played the game.

Citing the Ninth Circuit’s opinion in United States v. Nosal , 676 F.3d 854 (9th Cir. 2012), the Court ruled that the “CFAA does not regulate the way individuals use the information which they are otherwise authorized to access” [2] as such an application of CFAA would “transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer was involved”. [3] Resultantly, the Court held that the Defendants did not exceed their authorized access.

Ruling

Having affirmed that the video poker machines failed to constitute protected computers and that the Defendants actions failed to constitute exceeding authorized access, the Court concluded that the Defendants’ Motion to Dismiss charges under Title 18 U.S.C. § 1030(a)(4) should be granted. [2]

See also

Related Research Articles

<span class="mw-page-title-main">Computer Fraud and Abuse Act</span> 1986 United States cybersecurity law

The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.

<span class="mw-page-title-main">Section summary of Title II of the Patriot Act</span>

The following is a section summary of the USA PATRIOT Act, Title II. The USA PATRIOT Act was passed by the United States Congress in 2001 as a response to the September 11, 2001 attacks. Title II: Enhanced Surveillance Procedures gave increased powers of surveillance to various government agencies and bodies. This title has 25 sections, with one of the sections containing a sunset clause which sets an expiration date, 31 December 2005, for most of the title's provisions. On 22 December 2005, the sunset clause expiration date was extended to 3 February 2006.

Title VIII: Strengthening the criminal laws against terrorism is the eighth of ten titles which comprise the USA PATRIOT Act, an anti-terrorism bill passed in the United States one month after the September 11, 2001 attacks. Title VIII contains 17 sections and creates definitions of terrorism, and establishes or re-defines rules with which to deal with it.

Protected computers is a term used in Title 18, Section 1030 of the United States Code, which prohibits a number of different kinds of conduct, generally involving unauthorized access to, or damage to the data stored on, "protected computers". The statute, as amended by the National Information Infrastructure Protection Act of 1996, defines "protected computers" as:

a computer—

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.

The National Information Infrastructure Protection Act was Title II of the Economic Espionage Act of 1996, as an amendment to the Computer Fraud and Abuse Act.

United States v. Drew, 259 F.R.D. 449, was an American federal criminal case in which the U.S. government charged Lori Drew with violations of the Computer Fraud and Abuse Act (CFAA) over her alleged cyberbullying of her 13-year-old neighbor, Megan Meier, who had committed suicide. The jury deadlocked on a felony conspiracy count and acquitted Drew of three felony CFAA violations, but found her guilty of lesser included misdemeanor violations; the judge overturned these convictions in response to a subsequent motion for acquittal by Drew.

<i>In re DoubleClick</i>

In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 ("DoubleClick"), had Internet users initiate proceedings against DoubleClick, alleging that DoubleClick's placement of web cookies on computer hard drives of Internet users who accessed DoubleClick-affiliated web sites constituted violations of three federal laws: The Stored Communications Act, the Wiretap Statute and the Computer Fraud and Abuse Act.

<i>Facebook, Inc. v. Power Ventures, Inc.</i> Lawsuit brought by Facebook in the United States

Facebook, Inc. v. Power Ventures, Inc. is a lawsuit brought by Facebook in the United States District Court for the Northern District of California alleging that Power Ventures Inc., a third-party platform, collected user information from Facebook and displayed it on their own website. Facebook claimed violations of the CAN-SPAM Act, the Computer Fraud and Abuse Act ("CFAA"), and the California Comprehensive Computer Data Access and Fraud Act. According to Facebook, Power Ventures Inc. made copies of Facebook's website during the process of extracting user information. Facebook argued that this process causes both direct and indirect copyright infringement. In addition, Facebook alleged this process constitutes a violation of the Digital Millennium Copyright Act ("DMCA"). Finally, Facebook also asserted claims of both state and federal trademark infringement, as well as a claim under California's Unfair Competition Law ("UCL").

<i>United States v. Morris</i> (1991) American legal case

United States v. Morris was an appeal of the conviction of Robert Tappan Morris for creating and releasing the Morris worm, one of the first Internet-based worms. This case resulted in the first conviction under the Computer Fraud and Abuse Act. In the process, the dispute clarified much of the language used in the law, which had been heavily revised in a number of updates passed in the years after its initial drafting. Also clarified was the concept of "unauthorized access," which is central in the United States' computer security laws. The decision was the first by a U.S. court to refer to "the Internet", which it described simply as "a national computer network."

<i>LVRC Holdings LLC v. Brekka</i>

LVRC Holdings v. Brekka 581 F.3d 1127, 1135 is a Ninth Circuit Court of Appeals Decision that deals with the scope of the concept of "authorization" in the Computer Fraud and Abuse Act. The major finding of this case is that even if an employee accesses a computer for an improper purpose, such as one that violates the duty of loyalty to their employer, the employee remains authorized to access the computer until the employer revokes the employee's access. The findings of this case were upheld by another Ninth Circuit decision in United States v. Nosal, 676 F.3d 854 and are the current law in this circuit.

<i>United States v. Riggs</i>

In United States v. Riggs, the government of the United States prosecuted Robert Riggs and Craig Neidorf for obtaining unauthorized access to and subsequently disseminating a file held on BellSouth's computers. The file, referred to as the E911 file, gave information regarding BellSouth's products implementing 911 emergency telephone services. Riggs and Neidorf were both indicted in the District Court of the Northern District of Illinois on numerous charges relating to the dissemination of the E911 text file. As Riggs had previously been indicted in the Northern District of Georgia in relation to the same incident, his charges from Illinois were transferred to Georgia. Riggs ultimately pleaded guilty in Georgia and was sentenced to 21 months in prison and two years' supervised release. Neidorf pleaded not guilty in Illinois and the government dropped all charges against Neidorf four days after the trial began.

<i>United States v. Kramer</i>

United States v. Neil Scott Kramer, 631 F.3d 900, is a court case where a cellphone was used to coerce a minor into engaging in sex with an adult. Central to the case was whether a cellphone constituted a computer device. Under United States law, specifically U.S.S.G.§ 2G1.3(b)(3), the use of computers to persuade minors for illicit ends carriers extra legal ramifications. The opinion written by the United States Court of Appeals for the Eighth Circuit begins by citing Apple co-founder Steve Wozniak's musing that "Everything has a computer in it nowadays." Ultimately, the court found that a cell phone can be considered a computer if "the phone perform[s] arithmetic, logical, and storage functions," paving the way for harsher consequences for criminals engaging with minors over cellphones.

<i>United States v. Nosal</i> United States Court of Appeals for the Ninth Circuit decision

United States v. Nosal, 676 F.3d 854 was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit's first ruling established that employees have not "exceeded authorization" for the purposes of the CFAA if they access a computer in a manner that violates the company's computer use policies—if they are authorized to access the computer and do not circumvent any protection mechanisms.

United States of America v. Ancheta is the name of a lawsuit against Jeanson James Ancheta of Downey, California by the U.S. Government and was handled by the United States District Court for the Central District of California. This is the first botnet related prosecution in U.S history.

<i>United States v. John</i> (2010)

In United States v. John, 597 F.3d 263 (2010) United States Court of Appeals for the Fifth Circuit interpreted the term "exceeds authorized access" in the Computer Fraud and Abuse Act 18 U.S.C. §1030(e)(6) and concluded that access to a computer may be exceeded if the purposes for which access has been given are exceeded.

<i>International Airport Centers, L.L.C. v. Citrin</i>

In International Airport Centers, L.L.C. v. Citrin, the Seventh Circuit Court of Appeals evaluated the dismissal of the plaintiffs' lawsuit for failure to state a claim based upon the interpretation of the word "transmission" in the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Jacob Citrin had been employed by IAC, who had lent him a laptop for use while under their employment. Upon leaving IAC, he deleted the data on the laptop before returning it to IAC. The Court of Appeals decided to reverse the decision and reinstated IAC's lawsuit.

<i>United States v. Ivanov</i>

United States v. Ivanov was an American court case addressing subject-matter jurisdiction for computer crimes performed by Internet users outside of the United States against American businesses and infrastructure. In trial court, Aleksey Vladimirovich Ivanov of Chelyabinsk, Russia was indicted for conspiracy, computer fraud, extortion, and possession of illegal access devices; all crimes committed against the Online Information Bureau (OIB) whose business and infrastructure were based in Vernon, Connecticut.

Lee v. PMSI, Inc., No. 10-2094, was a case in the United States District Court for the Middle District of Florida about whether the Computer Fraud and Abuse Act (CFAA) makes it illegal for an employee to violate an employer's acceptable use policy. The court ruled that violating an employer's policy did not "exceed authorization" as defined by the CFAA and was not illegal under the act.

<i>Pulte Homes, Inc. v. Laborers International Union</i>

Pulte Homes, Inc. v. Laborers' International Union of North America, 648 F.3d 295, is a Sixth Circuit Court of Appeals case that reinstated a Computer Fraud and Abuse Act ("CFAA") claim brought by an employer against a labor union for "bombarding" the company's phone and computer systems with emails and voicemail, making it impossible for the company to communicate with customers. It held that causing a transmission that diminishes a plaintiff's ability to use its systems and data constitutes "causing damage" in violation of the CFAA.

Van Buren v. United States, 593 U.S. ___ (2021), was a United States Supreme Court case dealing with the Computer Fraud and Abuse Act (CFAA) and its definition of "exceeds authorized access" in relation to one intentionally accessing a computer system they have authorization to access. In June 2021, the Supreme Court ruled in a 6–3 opinion that one "exceeds authorized access" by accessing off-limit files and other information on a computer system they were otherwise authorized to access. The CFAA's language had long created a circuit split in case law, and the Court's decision narrowed the applicability of CFAA in prosecuting cybersecurity and computer crime.

References

  1. 1 2 3 4 5 6 "18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers". Legal Information Institute.
  2. 1 2 3 4 5 6 7 8 9 10 11 12 "United States v Kane - Oct. 2012 Magistrate Report". Scribd.
  3. 1 2 "United States v. Nosal (Nosal II)". Harvard Law Review.
  4. 1 2 "No Expansion of CFAA Liability for Monetary Exploit of Software Bug". New Media and Technology Law Blog.
  5. 1 2 Poulsen, Kevin. "Use a Software Bug to Win Video Poker? That's a Federal Hacking Case". Wired.{{cite magazine}}: CS1 maint: url-status (link)
  6. "UNITED STATES v. MITRA United States Seventh Circuit Case and Opinions". Findlaw.
  7. 1 2 "Gambling Device Registration". The United States Department of Justice.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.
蚂蚁镜像站群 网站克隆 镜像网站程序 镜像程序 YES镜站站群引擎