Hollywood has given us many stories of casino capers, from mobsters skimming profits in Scorsese’s Casino to the card-counting savant in Rain Man. But a real-life caper recently played itself out in Nevada federal court, where two men were prosecuted under the Computer Fraud and Abuse Act (or CFAA) for taking advantage of a software bug in video poker gaming software.
In United States v. Kane, authorities arrested two casino players after discovering that they had been exploiting a software bug that allowed them to multiply jackpots on video poker machines. It didn’t take hours on end poring over lines of code to discover the bug — defendant John Kane discovered the bug simply by virtue of playing a lot of video poker. According to his defense attorney, Kane had played more video poker than anyone else in the United States: “I’m not exaggerating or embellishing …. In one year he played 12 million dollars worth of video poker.”
Kane’s motion to dismiss describes in detail the mechanics of the bug and how he exploited it, but the alleged misconduct boiled down to the following: Kane would play a game at the lowest denomination allowed by the machine ($1) and would keep playing until he earned a sizable payout (e.g., $820). Then he would switch to a different type of poker game on the same machine and play until he scored a win of any amount. Once that happened, machines with a “double-up” feature enabled would allow him to access and wager his win from the previous game — at which point he’d insert more cash and switch to the machine’s maximum denomination ($10). This multiplied his winnings by a factor of 10 (e.g., to $8,200), at which point he would simply cash out. After discovering this bug, Kane contacted Andre Nestor, who flew out to Vegas and began playing machines with him. Nestor then returned to Pennsylvania, where he assembled an entourage and began exploiting the bug at a local casino.
The government did not allege that the defendants physically tampered with the video poker machines. Rather, they charged Kane and Nestor under the CFAA. Originally enacted in 1984 to deal with the threat of computer hacking, the CFAA states that anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer” commits a crime. 18 U.S.C. § 1030(a)(2)(C).
The defendants moved to dismiss the CFAA charges, and a U.S. Magistrate Judge issued a report recommending that the motions be granted. The court found that a video poker machine was not a “protected computer” under the CFAA because, unlike a computer connected to the Internet, a video poker machine was a stand-alone machine unconnected to interstate commerce. The court rejected the government’s argument that the fact that video poker was played by people who had traveled to Las Vegas from all over the country was enough to establish a connection to interstate commerce.
The court went on to find that the defendants had not exceeded authorized access by taking advantage of the bug in the video poker machine. Drawing an analogy to the employer-employee context in which many CFAA “exceeding authorized access” cases arise, the court observed that, unlike an employer who sets up barriers to access through computer use policies, password protection, or encryption, the casino had not set up any similar restrictions on patrons that could be used to show that the defendants had exceeded authorized access.
The court cited United States v. Nosal, a Ninth Circuit decision from 2012 that took a narrow view of the CFAA’s access provisions. As Trade Secrets Watch has previously reported, there is a split of authority among the federal appellate courts on whether an individual has accessed a computer without or in excess of authorization within the meaning of the statute. The Kane court observed that the government’s argument was “directly analogous to the government’s argument in Nosal,” and held that “it fares no better here.” The court went on: “As Nosal makes clear, the CFAA does not regulate the way individuals use the information which they are otherwise authorized to access. Here, the defendants’ alleged actions did not exceed their authorized access.”