SAN FRANCISCO (CN) — Uber’s former head of security Joseph Sullivan told a Ninth Circuit panel Tuesday morning that his 2022 obstruction of justice conviction should be overturned because the jury received improper instructions.
A federal jury convicted Sullivan of concealing a 2016 data breach from authorities and obstructing an investigation by the Federal Trade Commission into Uber’s security practices after two hackers broke into Uber’s Amazon data storage server and swiped the personal information of 57 million app users, including names, phone numbers, email addresses and 600,000 driver’s license numbers.
After the breach, one of the hackers reached out to Sullivan’s personal email demanding a six-figure ransom payment. After that, prosecutors said that Sullivan and his security team decided to treat the incident as a routine “bug bounty” — a program used to reward people for finding and reporting security vulnerabilities in their software, systems or websites — to hide the breach and funneled a $100,000 ransom to the hackers.
Sullivan was fined $500,000 and ordered to serve three years’ probation after being convicted.
At Tuesday’s hearing, Chris Cariello, Sullivan’s attorney, said that the jury in the case was not told of a nexus requirement or a duty to disclose requirement and that Sullivan should have a new trial because of it.
“The government accused Mr. Sullivan of concealing a crime under the Computer Fraud and Abuse Act, a notoriously unclear statute that had never been applied in these circumstances in history at the time,” Cariello said.
The nexus requirement means that the charged conduct must have the “‘natural and probable effect of interfering with’ an official proceeding” and requires that the accused must know that his actions would likely affect “a particular proceeding.”
As for his misprision of felony charge, Cariello said that Sullivan was not guilty because once the bug bounty program was authorized, all conduct afterwards was authorized.
“At the time, no one ever had been prosecuted after a bug bounty agreement, because, presumably, the understanding, at least the understanding on the security team, was you’re authorized after that. So there’s nothing in the real world where people are constantly getting in trouble after a bug bounty agreement. It had never happened,” Cariello argued.
Senior U.S. Circuit Judge Mary Margaret McKeown, a Bill Clinton appointee, called Cariello’s argument “troubling,” noting that before the hack, the hackers did not qualify for Uber’s bug bounty program because they used a prohibited Amazon Web Services key to expose the vulnerability.
“There is this retroactive pasting over,” McKeown said.
Cariello replied that it was Uber’s prerogative to change the terms of its bug bounty program whenever it wished, and that Sullivan did not know he was concealing criminal conduct.
Ross Mazer, counsel for the government, said that Sullivan’s conduct was a “flagrant example of obstruction of justice,” and that Sullivan acted to conceal the breach.
“There was overwhelming evidence that the defendant, for over 10 months, falsified documents, authorized hush money, engineered a series of affirmative misstatements to the FTC,” Mazer said.
“At what point does it stop being bug bounty and start being unauthorized hush money?” asked U.S. Circuit Judge Ana de Alba, a Joe Biden appointee.
“The program did have a few limitations, a few categorical rules, and maybe the most striking was that the policy excluded using an Amazon Web Services access key to download data. And there is no question that that is precisely what Mereacre and Glover, the two hackers, did in this case, they violated one of the few cardinal non-flexible rules in Uber’s bug bounty program,” Mazer answered, noting that no one at Uber originally thought the breach was a bug bounty.
Sullivan had to reinvent the entire bug bounty policy, Mazer said, by changing it to a private program and increasing the maximum payment from $10,000 to $100,000, as well as getting the hackers to agree to sign an NDA containing false terms about the hackers’ conduct.
On rebuttal, Cariello said that there is no law that Uber could not change its bug bounty program on a whim.
“There is no bug bounty purity test,” he said.
“Originally the bug bounty said you can’t use information found [with an Amazon Web Services key]. You’re telling me it’s okay for them to modify it after the fact? I mean, that does smell like a cover up,” de Alba said.
“It is Uber’s bug bounty program, and it is within Uber’s prerogative to authorize it after the fact. They understood it that way, and that’s why Mr. Sullivan did not have criminal intent,” Cariello said.
The panel — rounded out by U.S. Circuit Judge Anthony Johnstone, also a Biden appointee — took the matter under submission.