United States v. Thompson (Motion In Limine) – Capital One Breach

CISO Legal Motion In Limine Result Summary:

Case No.: CR19-159-RSL
Date: June 8, 2022
Court: United States District Court, Seattle, WA
Judge: Robert S. Lasnik

Background:
Paige A. Thompson faced charges including wire fraud, violations of the Computer Fraud and Abuse Act (CFAA), access device fraud, and aggravated identity theft. The indictment alleged that Thompson used proxy scanners to identify Amazon Web Services servers with misconfigured web application firewalls. She allegedly exploited these vulnerabilities to obtain security credentials and access victims’ cloud storage, where she copied data and set up cryptocurrency mining operations.

Motion in Limine:
Thompson filed a motion to exclude the use of the terms “hack” and “cryptojacking” during the trial, arguing that these terms were pejorative, likely to cause confusion, and unfairly prejudicial. She suggested using “cryptomining” instead of “cryptojacking” and requested a jury instruction to clarify that “hacking” is a neutral term in the cybersecurity industry.

Court’s Decision:
The court denied Thompson’s motion, allowing the government to use the terms “hack” and “cryptojacking.” The court found that these terms were relevant and commonly used in legal contexts, including CFAA jurisprudence. The court also declined to issue a jury instruction regarding the neutrality of the term “hacking” but remained open to considering it if supported by evidence during the trial.

Conclusion:
The court ruled against Thompson’s requests, permitting the use of the contested terms and denying the proposed jury instruction. The decision emphasized the relevance and established usage of these terms in legal proceedings related to cybersecurity offenses.

Case No.: CR19-159-RSL
Date: June 8, 2022
Court: United States District Court, Seattle, WA
Judge: Robert S. Lasnik

Opinion

Case No. CR19-159-RSL

2022-06-08

UNITED STATES of America, Plaintiff, v. Paige A. THOMPSON, Defendant.

Andrew C. Friedman, Steven Masada, Assistant US Attorneys, Jessica Murphy Manca, Krista Kay Bush, Tania M. Culbertson, United States Attorney’s Office, Seattle, WA, for Plaintiff. Christopher Sanders, Mohammad Ali Hamoudi, Nancy Tenney, Public Defenders, Federal Public Defender’s Office, Seattle, WA, Emily R. Stierwalt, Pro Hac Vice, Melissa A. Meister, Pro Hac Vice, Brian E. Klein, Waymaker LLP, Los Angeles, CA, for Defendant.

Robert S. Lasnik, United States District Judge

Andrew C. Friedman, Steven Masada, Assistant US Attorneys, Jessica Murphy Manca, Krista Kay Bush, Tania M. Culbertson, United States Attorney’s Office, Seattle, WA, for Plaintiff.

Christopher Sanders, Mohammad Ali Hamoudi, Nancy Tenney, Public Defenders, Federal Public Defender’s Office, Seattle, WA, Emily R. Stierwalt, Pro Hac Vice, Melissa A. Meister, Pro Hac Vice, Brian E. Klein, Waymaker LLP, Los Angeles, CA, for Defendant.

ORDER DENYING DEFENDANT’S MOTION IN LIMINE #1

Robert S. Lasnik, United States District Judge

This matter comes before the Court on defendant Paige Thompson’s “Motion in Limine #1 to Exclude Use of the Terms ‘Hack,’ and ‘Cryptojacking’ ” (Dkt. # 272). Having reviewed the submissions of the parties and the remainder of the record, the Court finds as follows:

I. BACKGROUND

Defendant faces trial for charges of wire fraud, violations of the Computer Fraud and Abuse Act ( 18 U.S.C. § 1030 ) (“CFAA”), access device fraud, and aggravated identity theft. Dkt. # 166. The indictment alleges that defendant created proxy scanners that allowed her to identify Amazon Web Services servers with misconfigured web application firewalls that permitted outside commands to reach and be executed by the servers. Id. at ¶ 12. Defendant then allegedly sent commands to the misconfigured servers to obtain security credentials for particular accounts or roles belonging to the victims. Id. at ¶¶ 11-13, 16-18. Defendant allegedly used these “stolen credentials” to “copy data, from folders or buckets of data” in the victims’ cloud storage space and set up cryptocurrency mining operations on the victims’ rented servers. Id. at ¶¶ 14-15, 21.

II. DISCUSSION

Pursuant to Federal Rule of Evidence 403, defendant moves the Court for an order prohibiting the government from using the terms “cryptojacking” and “hacker” (and their linguistic variations) during all testimony, questioning, opening statement, and closing argument, and in exhibits at trial. Dkt. # 272 at 1. Defendant argues that the terms are pejorative, unnecessary, likely to sow confusion, and implicitly suggest that defendant’s actions were inherently illegal and criminal, causing her to suffer unfair prejudice. Id.

Under Federal Rule of Evidence 403, “The court may exclude relevant evidence if its probative value is substantially outweighed by a danger of one or more of the following: unfair prejudice, confusing the issues, misleading the jury, undue delay, wasting time, or needlessly presenting cumulative evidence.” Fed. R. Evid. 403. ” ‘Unfair prejudice’ within its context means an undue tendency to suggest decision on an improper basis, commonly, though not necessarily, an emotional one.” Fed. R. Evid. 403, Advisory Committee Notes, 1972 Proposed Rules. The Court has “wide latitude” in determining the admissibility of evidence under Rule 403. United States v. Joetzki, 952 F.2d 1090, 1094 (9th Cir. 1991). The Court applies Rule 403 ’s standard to the terms “cryptojacking” and “hacker” in turn.

A. “Cryptojacking”

Regarding the term “cryptojacking,” defendant requests that the government be required to use the term “cryptomining” in its place. Dkt. # 272 at 1. Defendant argues that the term is unfairly prejudicial and would sow confusion because it sounds like commonly known negative terms that connotate violence and force such as “carjacking” and “hijacking,” and the term “jacking” is itself prejudicially suggestive in that it means to “take (something) illicitly; steal.” Dkt. # 272 at 3 (citing Jack , Oxford English Dictionary (3d Ed. Mar. 2018)).

“In reaching a decision whether to exclude on grounds of unfair prejudice, consideration should be given to the probable effectiveness or lack of effectiveness of a limiting instruction.” Fed. R. Evid. 403, Advisory Committee Notes, 1972 Proposed Rules. The government presents evidence demonstrating that defendant frequently referred to her own conduct as “cryptojacking.” See Dkt. # 284 at 5-7. Given that the Court would not go so far as to exclude evidence of defendant’s own statements on the ground that the term “cryptojacking” is prejudicial, or to prevent the government from referencing such statements, the Court is skeptical of the efficacy that any other limiting instruction might have. The Court therefore declines to limit the government’s use of the term “cryptojacking.”

B. “Hack”

Regarding the term “hack,” defendant requests that the government be required to use the terms “black hat hacking” or “illegal hacking” in its place. Defendant also requests a jury instruction stating that the term “hacking” is a neutral term in the cybersecurity industry that can include legal behavior. Dkt. # 272 at 1-2. The Court considers the requests for an order prohibiting use of the term and a jury instruction in turn.

Defendant argues that the term “hack” is problematic because while the cybersecurity community views the term as neutral and encompassing both legal behavior (i.e., “white hat” hacking) and illegal behavior (i.e., “black hat” hacking), the general public views the term as applying to illegal behavior. Dkt. # 272 at 4. For example, the Merriam-Webster dictionary defines “hack” as “to gain illegal access to (a computer network, system, etc.).” Hack , Merriam-Webster, https://www.merriam-webster.com/dictionary/hack (last visited June 3, 2022).

The government counterargues that the word “hack” permeates much of the evidence and is commonly used in CFAA jurisprudence, see Dkt. # 284 at 2-5; see, e.g., Van Buren v. United States, ––– U.S. ––––, 141 S. Ct. 1648, 1656, 1658, 1660, 210 L.Ed.2d 26 (2021) ; hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1196, 1198, 1201 (9th Cir. 2022) ; United States v. Nosal, 676 F.3d 854, 857-59, 863 (9th Cir. 2012). The Court agrees. For the same reasons explained above regarding “cryptojacking,” the Court declines to limit the parties’ vocabulary in this way.

Defendant next requests a jury instruction stating that the term “hacking” is a neutral term in the cybersecurity industry that can include legal behavior. The Court is open to including a properly supported jury instruction if the evidence shows that inclusion of such an instruction is appropriate, but it will not order its inclusion at this time. III. CONCLUSION

For all of the foregoing reasons, IT IS HEREBY ORDERED that defendant’s Motion in Limine #1 to Exclude Use of the Terms “Hack,” and “Cryptojacking” (Dkt. # 272) is DENIED.

1. Defendant’s request for an order prohibiting the government from using the term “cryptojacking” (and its linguistic variations) is DENIED.

2. Defendant’s request for an order prohibiting the government from using the term “hack” (and its linguistic variations) is DENIED.

3. Defendant’s request for a jury instruction stating that the term “hacking” is a neutral term in the cybersecurity industry that can include legal behavior is DENIED without prejudice.