Jump to content

United States v. Kane

From Wikipedia, the free encyclopedia
United States v. Kane
CourtUnited States District Court for the District of Nevada
Full case name United States of America v. John Kane and Andre Nestor
DecidedNovember 2013
Citation11-mj-00001 [1]
Holding
Defendants’ Motion to Dismiss charges under Title 18 U.S.C. § 1030(a)(4) should be granted

United States v. Kane, No 11-mj-00001 (D. Nev. filed Jan. 19, 2011), is a court case where a software bug in a video poker machine was exploited to win several hundred thousand dollars. Central to the case was whether a video poker machine constituted a protected computer and whether the exploitation of a software bug constituted exceeding authorized access under Title 18 U.S.C. § 1030(a)(4) of the Computer Fraud and Abuse Act (CFAA). Ultimately, the Court ruled that the government’s argument failed to sufficiently meet the “exceeding authorized access” requirement of Title 18 U.S.C. § 1030(a)(4) and granted the Defendants’ Motions to Dismiss.[1][2]

This case is noteworthy because it followed the precedent established by the Ninth Circuit’s decision in United States v. Nosal, 676 F.3d 854 (9th Cir.2012) (en banc), with the magistrate calling the government’s argument directly analogous to the government’s argument in Nosal, further asserting that the CFAA does not regulate the way individuals use the information they are otherwise authorized to access.[3]

Background

[edit]

In early April 2009, John Kane discovered a software bug in a video poker game which, following a “complex combination of game changes, bill insertions and cash outs”, would allow him to access previous winning hands and trigger a jackpot.[4] Following this discovery, Kane then contacted Andre Nestor who flew out to meet Kane and joined him in exploiting this bug for profit. The two continued this for nearly five months, from April 2009 to September 2009.[5]

Suspicions were raised on July 3, 2009, when Kane won five jackpots, each with 820-1 odds, in under an hour at the Silverton Casino Lodge. Following this, two engineers from Nevada’s Gaming Control Board were called in to inspect the machine for foul play. Here, having analyzed the machine’s logic tray and EEPROM, the engineers discovered the previously unknown firmware bug which Kane had been exploiting to win the jackpot payouts.[5] Subsequently, both Kane and Nestor were later arrested and charged with conspiracy to commit wire fraud and violating Title 18 U.S.C. § 1030(a)(4) of the CFAA on allegations that they exceeded authorized access to a protected computer in furtherance of fraud.[4]

Court findings

[edit]

Following their Indictment, the Defendants filed a Motion to Dismiss, moving the Court to dismiss the charges alleging violations under Title 18 U.S.C. § 1030(a)(4), arguing that “even accepting all of the Government’s factual allegations as true, the Government has failed to state a cognizable offense under the law.”[2] The Court sided with this Motion to Dismiss, concluding that the Defendants had not violated Title 18 U.S.C. § 1030(a)(4), for a video poker game does not constitute a protected computer under 18 U.S.C. § 1030(e)(2)(B) nor did their actions exceed authorized access under 18 U.S.C. § 1030(e)(6).[2]

Protected computer

[edit]

Computer

[edit]

Addressing the Defendants claim that video poker machines are not “protected computers”, the Court first defined a computer to having the meaning given by 18 U.S.C. § 1030(e)(1) (the Computer Fraud and Abuse Act), which states a computer is an:

“electronic, magnetic, optical, electrochemical, or other high-speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device” [1]

Kane, in his reply, argued that due to their lack of keyboards, network connection, and ability to read or accept new information, video poker machines should thereby be excluded from this provision,[2] highlighting 18 U.S.C. § 1030(e)(1) which continued to state that:

“such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device.” [1]

However, whilst the Court acknowledged the exceptions listed in this provision, the Court argued that video poker machines are not “sufficiently similar” to an automated typewriter or typesetter or a portable hand held calculator to qualify for exclusion.[2] Consequently, the Court held that the video poker machines perform functions that directly align it with what constitutes a computer under 18 U.S.C. § 1030(e)(1).

Protected computer

[edit]

Having concluded that video poker machines are computers, the Court then sought to address the Defendants claim that such machines are not “protected computers”.

antifa
Row of video poker machines inside Harrah's New Orleans similar to the ones used by Kane.

To do this, the Court called upon 18 U.S.C. § 1030(e)(2)(B), which defined a protected computer as:

“[a computer] which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States”[1]

The arguments were as follows:[2]

  1. The Defendants, citing National City bank, N.A. v. Prime lending, Inc., argued that because the video poker machines lacked the ability to connect to the internet, they are not protected computers. However, the Government, citing U.S. v. Mitra, 405 F.3d 492 (7th Cir. 2005), reasoned that while internet connectivity is sufficient in establishing a computer as a protected computer, it is not required.[6]
  2. Addressing this, Kane noted how critical to the Seventh Circuit’s holding in Mitra was the issue of having operated in a medium of interstate commerce that was within a federally regulated domain. Thus, he argued, Mitra is not applicable to this case, for video poker machines are not subject to federal regulation. [6] The Government refuted this claim, arguing that the Gambling Devices Act of 1962 (15 U.S.C. § 1171-78) subjugated these devices to federal regulation, therefore they operate within the same regulated domain.[7]
  3. The Government argued that, due to the video poker machines “attracting customers from all over the country to Las Vegas” to play them, they thereby affect interstate commerce.

In its ruling, the Court held the following:[2]

  1. The Court sided with the Government in that internet access is not the only way to constitute a computer as a protected computer.
  2. The Court sided with the Defendant for, unlike the radio system in Mitra, a video poker machine has no such capability to transmit, receive, or otherwise communicate information across state lines.
    1. Additionally, the Court rejected the Government’s Gambling Devices Act applicability argument, declaring it invalid as this act functioned to merely regulated the shipping and transportation of these devices.[7] Thus, “the machines themselves do not function within those channels as anything more than cargo”.
  3. The Court held that the Government’s argument of affecting interstate commerce through the attraction of customers fails for two reasons:
    1. This proposed effect only holds in the aggregate, as the Government cannot show an individual video poker machine to have such an effect on interstate commerce.
    2. The basis of this argument derives from having “divorce[d] the function of the device, i.e. logical, arithmetic, or storage functions, from its supposed effects in interstate commerce.”[1]

Emphasizing the need for a more “tangential relationship to interstate commerce”, the Court concluded that the video poker machines failed to constitute protected computers as doing so would “result in an unacceptably broad application of the term”.[2]

Exceeds authorized access

[edit]

Access

[edit]

To address the Defendant’s claim of not having exceeded authorized access the Court first held that the Defendants, due to them having physically "interacted with the video poker machines in the manner for which they were designed",[2] had accessed the video poker machine.

Exceeds authorized access

[edit]

Subsequently, the Court defined the term exceeds authorized access using 18 U.S.C. § 1030(e)(6) which defines the term as:

“[accessing] a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter”.[1]

With the Defendants actions allowing them to obtain previously played hands, the Government argued that they had subsequently “obtain[ed] or altered information” that they were not authorized to access, thereby exceeding their authorized access.[2]

However, with the Government having conceded that the Defendants were authorized to play video poker, the Court disagreed with the Government’s claim, as it effectively sought to criminalize the way the Defendants played the game.

Citing the Ninth Circuit’s opinion in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the Court ruled that the “CFAA does not regulate the way individuals use the information which they are otherwise authorized to access”[2] as such an application of CFAA would “transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer was involved”.[3] Resultantly, the Court held that the Defendants did not exceed their authorized access.

Ruling

[edit]

Having affirmed that the video poker machines failed to constitute protected computers and that the Defendants actions failed to constitute exceeding authorized access, the Court concluded that the Defendants’ Motion to Dismiss charges under Title 18 U.S.C. § 1030(a)(4) should be granted.[2]

See also

[edit]

References

[edit]
  1. ^ a b c d e f "18 U.S. Code § 1030 - Fraud and Related Activity in Connection with Computers". Legal Information Institute.
  2. ^ a b c d e f g h i j k l "United States v Kane - Oct. 2012 Magistrate Report". Scribd.
  3. ^ a b "United States v. Nosal (Nosal II)". Harvard Law Review.
  4. ^ a b "No Expansion of CFAA Liability for Monetary Exploit of Software Bug". New Media and Technology Law Blog.
  5. ^ a b Poulsen, Kevin. "Use a Software Bug to Win Video Poker? That's a Federal Hacking Case". Wired.
  6. ^ "UNITED STATES v. MITRA United States Seventh Circuit Case and Opinions". Findlaw.
  7. ^ a b "Gambling Device Registration". The United States Department of Justice.