The St. Louis Cardinals, one of baseball’s most famous teams, is under investigation (by both Major League Baseball and the FBI) for allegedly hacking into a data warehouse compiled by the Houston Astros. At first blush, this seems strange: the Cardinals play in the National League Central, and the Astros in the American League West. While all teams compete, this isn’t a bitter divisional rivalry, such as between the Red Sox and Yankees. So why break in?
In this case, it appears it is personal. Jeff Luhnow, currently general manager of the Astros, was formerly a player development executive for the Cardinals. He left, and took his (money)ball with him to Houston. In this case, Luhnow set up a data warehouse called Ground Control for the Astros, which the organization uses to catalog player data and rate their prospects. (It seems to be going well: the Astros, previously a laughingstock, are in first place at the moment in their division.) For the Cardinals, he’d done something similar, creating a system called Redbird to play the same role. Cardinals executives appeared concerned that Luhnow had engaged in theft of trade secrets or confidential information about how to evaluate players algorithmically. So, it seems that the Cardinals people tried Luhnow’s old password from Redbird on Ground Control, and it worked.
As Deadspin brilliantly notes, there is a lot of stupid in the story as currently understood. First, Luhnow apparently didn’t bother to change passwords when he changed teams. (This may be the only case study ever in favor of password change requirements.) Second, the Cardinals hacker team broke into Ground Control from a team member’s home. Third, ESPN “legal analyst” Lester Munson makes a genuinely hilarious series of errors in his screed on ESPN.com. Just for fun, let’s tackle those:
- Lester claims it’s not clear that this activity (if as alleged) by the Cardinals is a crime. Dead wrong. It’s a clear violation of the federal Computer Fraud and Abuse Act, 18 U.S.C. 1030. Take a look at 1030(a)(2). For criminal liability, there are but three elements: 1) intentional access without authorization (or exceeding authorized access), to 2) a protected computer (defined as “used in or affecting interstate or foreign commerce or communication” by 1030(e)(2)(B)), and 3) obtaining information. The Cardinals folks (allegedly again) intentionally accessed Ground Control. Ground Control affects interstate commerce – that’s both the business of Major League Baseball, and being connected to the Internet – so it’s a protected computer. And the Cardinals retrieved information from Ground Control. That’s it. Lester claims that “the prosecutor must be able to show that the information was the work product of significant efforts by Astros officials and, more importantly, was not available elsewhere.” This is completely wrong. Lester appears to be channelling trade secret theft, which is 1) a state crime, not a federal one, under these circumstances, and 2) totally unrelated to computer crime statutes. (Texas has a state-based computer crime offense that prosecutors could charge, too. Check out Section 33.02 of Title 7 of the Texas Penal Code: “A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.” Even easier to prove than the CFAA violation.) [Update 11:16AM: Of course, federal prosecutors could also charge under 18 U.S.C. 1832, which I just re-checked. It is frequently used against hacking to benefit non-US interests, but the language covers interstate commerce, too.]
- Lester needs a refresher on how intent works in criminal law. Here he is again: “the prosecutor must be able to show that Cardinals executives knew they were committing a crime. If the Cardinals’ activity was just a dirty trick or an attempt at getting even with a former colleague, the hacking might not qualify as a crime.” NO NO NO. Ignorance of the law is no defense. You have to look at the applicable statute. For the CFAA, for example, the key is intentional access to a computer. That’s the mens rea element – the defendants don’t have to know anything about computer crime law. They jus have to have the intent to access a computer, and then carry out such access. This is Crim Law 101.
- Lester doesn’t bother to consider criminal liability for trade secret theft under Texas law. Section 31.05(b) of the Texas Penal Code makes it a felony if: “without the owner’s effective consent, he knowingly: (1) steals a trade secret; (2) makes a copy of an article representing a trade secret; or (3) communicates or transmits a trade secret.” If Ground Control contains trade secrets (and I bet it does) and the Cardinals stole them, they can be liable under Texas law. Lester is even incorrect about prosecution here – you have to show that the thing stolen / transmitted is a trade secret, defined in 31.05(a)(4) as “the whole or any part of any scientific or technical information, design, process, procedure, formula, or improvement that has value and that the owner has taken measures to prevent from becoming available to persons other than those selected by the owner to have access for limited purposes.” The statute doesn’t state that the information must not be publicly available, although courts at times read in such a requirement based on common law precedent.
- I’d also disagree with Lester’s conclusion that it’s a mistake for the FBI to tackle this intrusion. MLB is big business, and we’ve decided to have prosecutors go after computer hacking, especially when it’s big business. Sure, maybe we’d like the FBI to spend more time on hacking of government data and less on private firm attacks, but given where we are on hacking enforcement, there doesn’t seem anything improper about this investigation, especially since prosecution of executives of a famous baseball franchise would likely have significant deterrence effects.
The whole episode tastes of fail.