Programmer’s Espionage Conviction Reversed: Code is not Physical Property

On Wednesday, a court opinion on the trial of former Goldman Sachs programmer Sergey Aleynikov stated that their decision not to convict him is based on the fact that “stealing” code isn’t really stealing. It states: “Because Aleynikov did not ‘assume physical control’ over anything when he took the source code, and because he did not thereby ‘deprive [Goldman] of its use,’ Aleynikov did not violate the [National Stolen Property Act].”

What Aleynikov did was download source code for Goldman Sachs’ high-speed trading system, stealing “hundreds of thousands of lines” of source code before he left the company. According to Wired, he, “stole 32 megabytes of data over four days in June and transferred it to a website hosted in Germany before trying to erase his tracks from Goldman Sach’s network.” He was caught when the company began monitoring HTTPS transfers and, “saw a large volume of data leaving its network.”

He was arrested on July 3, 2009 and convicted in December 2010 under the Economic Espionage Act of 1996 (EEA). In March 2011, he was sentenced to eight years in prison. Aleynikov argued that he took the code by accident, he, “only intended to collect open source software files on which he had worked.” His attorneys further argued that, “the portion of proprietary code he took inadvertently was miniscule — just 32 of about 1,224 megabytes of code — and hardly constituted the company’s ‘entire platform.’”

In February 2012, a three-judge panel ruled that Aleynikov was wrongly charged of espionage and reversed the conviction. They did so without an explanation for why, but on Wednesday they released an opinion explaining their decision. In addition to the fact that it doesn’t constitute theft since he didn’t assume physical control over it, and he didn’t deprive the company of its use, the judges also ruled that it didn’t constitute espionage because the coding he took was, “neither ‘produced for’ nor ‘placed in’ interstate or foreign commerce, nor did the company have any intention of selling its system or licensing it to anyone.” The opinion reads, “Because the HFT system was not designed to enter or pass in commerce, or to make something that does, Aleynikov’s theft of source code relating to that system was not an offense under the EEA.”

It seems like it came down to the fact that the EEA isn’t written very well. The prosecutors cited a 1988 amendment to the NSPA in attempt to argue that code was physical property, but the judges rejected their claim, saying, “the 20-year-old amendment clearly had been meant to cover the transfer and transmission of money, not the theft of source code in the computer age,” and further wrote, “We decline to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age.”

Prosecutors also tried to accuse Aleynikov of making multiple copies of the code, but came up with no proof after searching the computers at Aleynikov’s post-Goldman Sachs employer.

The argument on your mind might be, “If code doesn’t constitute physical property, then why is downloading music punishable by law?” In this case, the key is the fact that Goldman Sachs was looking to make money off of the program. They weren’t planning on releasing it in any sort of market nor do anything commercial with it, so there was no attached or existing monetary value to the system. Aleynikov wasn’t “taking money” from them by taking the code, whereas music companies argue that by downloading their products without paying for them, you are taking money or potential revenue from them.

The fact remains, however, that law makers have not, and potentially cannot, keep up with the modern digital age of the Internet and information sharing. This is why they want to limit potential growth with bills like SOPA, PIPA, and now CISPA. Otherwise, they’re going to continue running into gray areas like this where they find there are no laws in place to prevent actions like Aleynikov’s, whether accidental or intentional.