Can Source Code be Considered Intellectual Property?
For a little over two years, Sergey Aleynikov was an employee of Goldman Sachs. While under Goldman's employ he worked, primarily, on programming their high-frequency trading (HFT) software. This software is both developed and used entirely in-house and is not sold or licensed to any other entity.
In June 2009, Aleynikov left his position with Goldman and joined a competitor. As he was preparing to leave, he uploaded a large portion of the HFT source code to a server where he could later retrieve it. Once the source code was uploaded, he was able to download the files to his own computer to take to his new company.
Aleynikov's actions did not go undetected and, after stepping off a plane in July 2009, found that FBI officers were waiting with a warrant for his arrest. He was charged with violating the National Stolen Property Act (NSPA), the Economic Espionage Act (EEA), and the Computer Fraud and Abuse Act (CFAA). Each of these would result, if convicted, in a prison sentence.
Aleynikov's attorneys argued that the CFAA did not apply because the law was enacted to prevent/punish computer crimes where the violator gained access to a system without permission. Aleynikov was authorized to access the source code as part of his job. What he did with that access was an issue between Aleynikov and his employer only and was not covered by the CFAA. As a result, this charge was (almost) immediately dropped. However Aleynikov was not as lucky with the other two charges, and he was convicted the following December. Aleynikov was sentenced to over 8 years in prison and ordered to pay a $12,500 fine.
Fourteen months later, Aleynikov walked out of an appeals court as a free man with his conviction quashed. The reason? Aleynikov's lawyers won an appeal to the second circuit court. They argued two points:
1. Source code is not a 'good' as defined under the National Stolen Property Act. In order to steal something you must deprive the victim of its use. For example, if I have a pen, and you take it from me, you have stolen it as you have deprived me the use of the pen. Items stored on a computer system (be it a computer, mobile phone, or other digital media) do not work in the same way. When Aleynikov uploaded the source code he was simply making a copy, not depriving Goldman Sachs of the use of their own work.
2. The Economic Espionage Act provides protection for companies that wish to distribute or sell their goods "in interstate of foreign commerce". Aleynikov copied source code that was only used internally at Goldman Sachs. The company had no intention of ever bringing the HFT software to market either at home or abroad. As a result, Aleynikov could not be held criminally responsible under this act.
These arguments were upheld.
Based on this successful appeal, many people were quick to jump to the conclusion that intellectual property is dead and that there are no protections for employers from rogue employees. This, simply, is not true. The Aleynikov decision came about through a very specific set of circumstances.
The case against Aleynikov failed because Goldman Sachs brought a flawed criminal case against him. As can be seen from the wording in the statutes, these laws were never meant to be bent and twisted to fit into the arena of intellectual property or digital 'goods'. Should such cases even be heard in a criminal court? With most entities now pursuing intellectual property cases in civil courts, does it make more sense to go with a civil case more than a criminal case?
It can be tempting to let emotion obscure our judgment. If someone has hurt us, we feel the need to hurt them back. This is human nature. I am, by no means, suggesting that this is what was said at Goldman Sachs, but it is easy to see how someone might fall into the trap of seeking revenge rather than seeking restitution, justice, and closure. Each of these can be found within the civil courts.
The key to possession of intellectual property is in the name - intellectual property. One or more articles that belong to you or your organization. You have all control and rights to that property whether tangible or otherwise. If someone copies, mimics, or displays your property without your consent, they are in the wrong and should be held accountable under civil law. The word copyright means exactly that, the right to copy. If an employee copies data without permission, there are several ways to prevent damage to your organization. Such an incident does not need to end up in court, but legal counsel should be sought as soon as possible.
If you create something, whether tangible or otherwise, you should be taking the necessary steps to ensure its safety. Employees should be trained, warned, and regularly reminded that company data does not belong to them, even if they were responsible for its creation. Many employees may not even realize that this is the case or be under the mistaken impression that "I created this, therefore it must be mine."
Consider a study from 2009. The Ponemon Institute and Symantec released a report stating that 59% of departing employees have admitted to taking confidential data when leaving the company. Are you one of the affected companies? How would you even know? This study also details the most common methods used to copy the data. The most common were copying the data to CD/DVD and USB drives, or emailing the data to a personal email account. Thankfully modern digital forensic techniques can usually find evidence of each of these scenarios and Digital Discovery is on hand to assist when required.
Lee Whitfield is the Director of Forensics for Digital Discovery www.digitaldiscoveryesi.com and serves as a computer forensics expert to corporate and law firm clients. He can be reached at firstname.lastname@example.org.