Feds Realize That Exploiting A Bug In Casino Video Poker Software Is Not Hacking And Not A CFAA Violation

from the about-time dept

For years, we've talked about how casinos were able to get away with not paying people who won jackpots from electronic gambling machines, by claiming that their wins were really because of software glitches. That always seemed like a highly questionable practice, but even more questionable was filing criminal charges against winners who won because of those glitches. We talked about one such case back in 2007, and then another one in early 2011. That 2011 case involved two guys, John Kane and Andre Nestor, who had figured out a bug in some video poker software from International Game Technology, a gaming giant.

The bug was very complex. It involved a series of different steps that had to be taken: play one game on the machine until you have a high payout, then switch to a different game, play until an option popped up to "double up" (basically a double or nothing proposition on a "high card wins" bet), then add more money to the machine, exit the specific game, change the denomination amount to the game maximum, and then switch back to the original game played. At that point the high payout from the initial round shows, allowing that amount to be re-awarded. On top of that, it would recalculate the award by the new denomination level, often increasing the "payout" by 10x.

Apparently Kane discovered this bug by accident from playing a ridiculous amount of video poker. His lawyer claims that Kane was obsessed with video poker and probably played it more than anyone. He also insists that there was no research or effort that went into this. It was just a fluke from playing so often that Kane found the bug -- and then got his buddy Nestor (and a few others) involved in using this bug to win an awful lot of money. When Nestor was arrested, he was reasonably angry about the whole thing:
“I’m being arrested federally for winning on a slot machine,” he said. “It’s just like if someone taught you how to count cards, which we all know is not illegal. You know. Someone told me that there are machines that had programming that gave a player an advantage over the house. And that’s all there is to it.…

“Who would not win as much money as they could on a machine that says, ‘Jackpot’? That’s the whole idea!”
The feds, of course, hit them with CFAA (Computer Fraud and Abuse Act) charges, the same highly questionable hacking law we've been writing so much about lately. The feds argued that Kane and Nestor "exceeded authorized access" -- one of the most troubling parts of the CFAA. The DOJ argued that:
In short, the casinos authorized defendants to play video poker. What the casinos did not do was to authorize defendants ‘to obtain or alter information’ such as previously played hands of cards. To allow customers to access previously played hands of cards, at will, would remove the element of chance and obviate the whole purpose of gambling. It would certainly be contrary to the rules of poker.
However, the court was skeptical of this argument, and after the 9th Circuit's ruling in last year's case against David Nosal, where they said that merely violating an employer's computer use policy did not mean you had exceeded authorized access, the court asked the DOJ to explain how the CFAA still applied in light of the Nosal ruling.

Apparently, the DOJ realized that the CFAA charges no longer made sense and, yesterday afternoon dropped those charges. In a simple filing with no explanation, the DOJ asks the court to dismiss the two CFAA-related charges in the indictment. Kane and Nestor still face a single wire fraud charge, but that's much less of a threat than the CFAA charges. At the very least, it's good to see increasing pushback on the DOJ for its regular abuse of the CFAA to pile on charges.

Filed Under: andre nestor, casinos, cfaa, doj, exceed authorized access, hacking, john kane, las vegas, video poker
Companies: international game technology


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 8 May 2013 @ 12:53pm

    Were the machines inspected?

    If he stumbled across the bug is one thing. Now if a software developer intentially placed it there to be exploited is another. Hopefully, the gaming board inspected this and several of these machine types to detetmine if there was tampering before charges were filed.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.