Attorneys for former Uber CSO Joseph Sullivan filed an appeal in federal court Tuesday criticizing the U.S. Justice Department’s case against him and demanding the convictions be reversed or a new trial be granted.
The 84-page brief filed Tuesday in the U.S. Circuit Court of Appeals for the 9th Circuit lays out the events over Uber’s cybersecurity breach before and after Sullivan was hired by the ride-hailing conglomerate as the chief security officer.
The U.S. Attorney’s Office in the Northern District of California alleged Sullivan, shortly after learning the extent of a 2016 breach, failed to report it to the FTC or any other authorities, or Uber’s users. Prosecutors charged that he “executed a scheme” to prevent any knowledge of the breach from reaching the FTC.
Then Sullivan, in the words of prosecutors, “arranged to pay off the hackers (100,000 in bitcoin) in exchange for them signing nondisclosure agreements in which the hackers promised not to reveal the hack to anyone.”
But Sullivan’s attorneys believe the DOJ mischaracterized Sullivan’s actions. “The government’s theory was tenuous. It accused Sullivan of executing a cover-up. But Sullivan never lied to the FTC or destroyed evidence,” his lawyers argued. “Thirty others at Uber knew of the incident and Sullivan never told any of them to conceal anything.”
Among other things, Sullivan’s attorneys say, Sullivan kept Uber’s CEO “continuously informed” about the incident and the CEO had also approved a $100,000 Bug Bounty agreement to hackers who exposed flaws in the company’s cyber protections. The CEO was never prosecuted in the case.
None of the 31 people aware of the incident raised the prospect of informing the FTC, “probably because the matter was so comprehensively resolved,” Sullivan’s attorneys argue. “So the government built a case on innuendo. It asked the jury to view the Bug Bounty agreement not as an effective way to protect users, but as hush money.”
The conviction – for which Sullivan was sentenced to probation in May – is “profoundly flawed,” the attorneys believe, as there is question over criminal liability for someone based on bare inaction alone.
As for the misprision charge, “the government could never resolve its central paradox,” the attorneys say. The predicate felony Sullivan was accused of concealing was the researchers’ access to Uber’s systems “without authorization,” but Uber, with CEO approval, had ratified the access through a Bug Bounty agreement.
“No one at Uber regarded the researchers as felons after that — and indeed no researcher had ever before been convicted of violating (the law) in like circumstances,” the appeal says. “The government thus failed to show that Sullivan believed the researchers had committed felonies.”
The DOJ is expected to file a response to the appeal next month, with oral arguments slated for spring.
