A Blog by Jonathan Low

 

May 9, 2019

When Is Coding Criminal?

More often than you might think.

With every enterprise now tech enabled - and dependent - programmers must take more responsibility for understanding the uses to which their code may be put, the context in which it is being applied - and the legal liabilities which may then ensue. JL

Stephen Obie reports in Wired:

The world is still wrestling with blockchain, cryptocurrencies, smart contracts, and other emerging technologies with too little guidance from regulators, who are similarly struggling to keep pace. Expect more enforcement actions, along with challenges, as governments modernize the rules to keep up with a reinvention of markets and exchanges. Programmers run the risk of ending up on the wrong side of the law for getting involved with projects that might seem just interesting but are, in fact, nefarious. It wouldn’t take much to place a programmer in jeopardy. You may not have to actually know you’re violating the law to be liable.
A federal district court in Illinois recently dismissed the US government’s case against Jitesh Thakkar, a computer programmer who was accused of writing code that someone else used to commit a crime. But programmers at large are hardly off the legal hook. Expect more cases against them in the not-too-distant future.
Thakkar was one of seven individuals whom the U.S. Justice Department last January charged with the crime of “spoofing”—that is, in this instance, using an algorithm to trick a market. Thakkar was accused of creating an algorithm that enabled a London trader to artificially overstate demand for stock market futures. Aided by another developer’s software, this tactic sparked the 2010 “flash crash” that saw the US stock market lose $1 trillion in value in just 36 minutes.
Consider Thakkar’s case a warning to programmers the world over. They might assume they’re protected by the First Amendment when writing code, but that might not be the case. Computer coders would also be wrong to think they face no potential liability if they’ve been employed by someone else making decisions about how a product is used.
Programmers, in fact, might very well be held liable for the products they write—a point underscored this past November, when the Securities and Exchange Commission hit the creator of a purported cryptocurrency trading platform with a $388,000 fine for contributing to the operation of an unregistered exchange. In response, the Electronic Frontier Foundation, a digital free speech group, expressed worry that the decision was written in a way that “could be read to imply that persons engaged in merely writing and publishing computer code could run afoul of US securities law.”
Well, there is no “could” about it. This is, without doubt, a new realm of legal exposure.
Traditionally, market manipulation cases have been filed against the person or people doing the actual buying and selling. That seemed to hold in the case of Michael Coscia, who was the first individual convicted of spoofing under the 2010 Dodd-Frank financial reform act. Testimony by the programmer whom Coscia had hired to write the code proved critical during a 2015 trial that ended with a three-year sentence in prison.
In that instance no charges were filed against the programmer.
In 2017, the SEC created a new Cyber Unit tasked with poring over smart contracts, Initial Coin Offerings (ICOs), and other cutting-edge technologies, in search of violations. “Cyber-related threats and misconduct are among the greatest risks facing investors and the securities industry,” Stephanie Avakian, codirector of the SEC’s enforcement division, said in a press release announcing the new unit.
That same year, the SEC filed its first charges against a blockchain company, related to the issuance of an ICO.
In Chicago, the case against Thakkar hinged largely on the testimony of Navinder Sarao, the British futures trader blamed for the 2010 crash. Sarao had already pleaded guilty, facing as many as 30 years behind bars. Before sentencing, Sarao agreed to help the government. Yet in Chicago his testimony led to a hung jury in the Thakkar trial, and US District Judge Robert Gettleman acquitted the programmer of the conspiracy charge. Only now has the judge dismissed the whole case.
Thakkar’s attorney compared the prosecution of his client to a cell phone salesperson on trial for selling a phone later used in a drug crime. To convict, by this logic, the jury would have had to infer that Thakkar knew, or had reason to know, that Sarao was using his program to trick the market for financial gain.
Notwithstanding the results in the Thakkar case, the worry among lawyers like me who practice in this area is that the relevant markets are in great flux. The world is still wrestling with blockchain, cryptocurrencies, smart contracts, and other emerging technologies—with too little guidance from regulators, who are similarly struggling to keep pace. Expect more enforcement actions, along with challenges, as governments modernize the rules to keep up with a reinvention of markets and exchanges.
Meanwhile, programmers run the risk of ending up on the wrong side of the law for getting involved with projects that might seem just interesting but are, in fact, nefarious. It wouldn’t take much to place a programmer in jeopardy. You may not have to actually know you’re violating the law to be liable. If prosecutors believe that you should have known your code would be put to an unlawful purpose and that you deliberately avoided learning that fact, you could find yourself in the same predicament as Thakkar.
Programmers need to remain aware that the programs they write carry legal implications and that regulators are watching. That’s especially true when taking a job in the financial community. Think about the legality of what you’re signing up for. As I’ve written before, ignorance is risk.
No matter how much faith you put in the First Amendment, the potential for personal liability looms for any coder who signs up with the wrong company.
