Share this on
Is it a crime to exploit a bug in a video poker game? Vegas court to rule on controversial "hacking" case

As Wired reports, the case was filed after engineers from Nevada’s Gaming Control Board followed up on suspicions that something was not quite right with an International Game Technology Game King video poker game on the floor of the Silverton Casino Lodge. After dismantling the machine and taking it back to the lab, it was found that the software had a bug which was being exploited by John Kane, a local Vegas resident, and others like him.

The Gaming Control Board accused the player of fraud for winning over $500,000 because of the bug and took him to court under contravention of the CFAA. This controversial 1986 act was originally passed to punish hackers who remotely access banks or defence systems. But, with major advancement in technology since then, its use in court has been widely criticised, especially when it is used to accuse people of violating websites’ terms of service and other unrelated areas.

Notoriously, the law was used against internet guru Aaron Schwartz before his suicide in January for making available large amounts of data publicly. There have been moves to amend the law since Schwartz’s suicide, most notably, Representative Zoe Lofgren’s ‘Aaron’s Law’, but that bill is yet to be put before congress and, in the meantime, hacker Andrew Auernheimer was sentenced last March to three-and-a-half years in prison under the CFAA for running a script that downloaded 120,000 customer e-mail addresses that AT&T exposed on its iPad support website.

According to Kane’s lawyer, Andrew Leavitt, his client stumbled upon the bug accidentally after spending more than $12m on the game in one year, and losing half a million dollars.

“He’s played more than anyone else in the United States,” Leavitt told Wired.

It was during one of these games in April 2009 that Kane “accidentally hit a button” and “presto”, he discovered that his payout for an $820 win could be transformed to $8,200 in an instant.

Kane got in touch with his friend, Andre Nestor, also being charged, who flew out to Vegas and over the following weeks one or both of the men allegedly showed up at the Fremont, the Golden Nugget, the Orleans, the Texas Station, Harrah’s, the Rio, the Wynn, and the Silverton, beating the house everywhere they went.

“What you see in most gambling cheating cases is the guy’s got a magnet in his boot or he’s shocking the machine with static electricity.” says Leavitt. “All these guys did is simply push a sequence of buttons that they were legally entitled to push.”

The prosecution disagrees.

In court filings, they say that the complex series of button-presses Kane and Nestor used to exploit the bug makes it more like computer hacking than poker-playing.

Under the relevant section of the CFAA, Kane and Nestor are charged with exceeding their otherwise legitimate access “to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

“In short, the casinos authorised defendants to play video poker,” wrote Assistant US Attorney Daniel Bogden. “What the casinos did not do was to authorise defendants ‘to obtain or alter information’ such as previously played hands of cards. To allow customers to access previously played hands of cards, at will, would remove the element of chance and obviate the whole purpose of gambling. It would certainly be contrary to the rules of poker.”

However, Judge Miranda Du, overseeing the case, has already questioned whether the CFAA is the correct law to be trying the defendants. In an April 15 order, she asked the parties to submit supplemental briefings whether video poker machines are “protected computers” under the CFAA, and, considering the “considerable legislative history demonstrating that Congress intended the CFAA to punish computer hacking, rather than computer misuse,” was Kane and Nestor’s behaviour akin to hacking or misuse?

The briefings are due on May 8 with a trial set for August 20.

Related Articles

Bradley Chalupski

Bradley Chalupski made his first deposit onto an online poker site in 2009 and has been paying rake and following the poker scene ever since. He received his J.D. from the Seton Hall University School of Law in 2010.