Goldman Sachs sent a brilliant computer scientist to jail over 8MB of modified open source code uploaded to an SVN repo

In 2009, Sergey Aleynikov, a brilliant software engineer, was arrested by the FBI at Newark Liberty International Airport. The allegation? He stole Goldman Sachs source code, about 8 megabytes of it. But it wasn't purely GS code — it was open source code mixed with Goldman Sachs proprietary code. If anything, if the source code was LGPL or a similar license (common among open source projects), Goldman Sachs was actually supposed to release this code back out to the community. (Clarification: If the binary is distributed, it must be released back. Not required legally in this case.)

In Vanity Fair, Michael Lewis writes:

Serge quickly discovered, to his surprise, that Goldman had a one-way relationship with open source. They took huge amounts of free software off the Web, but they did not return it after he had modified it, even when his modifications were very slight and of general rather than financial use. “Once I took some open-source components, repackaged them to come up with a component that was not even used at Goldman Sachs,” he says. “It was basically a way to make two computers look like one, so if one went down the other could jump in and perform the task.” He described the pleasure of his innovation this way: “It created something out of chaos. When you create something out of chaos, essentially, you reduce the entropy in the world.” He went to his boss, a fellow named Adam Schlesinger, and asked if he could release it back into open source, as was his inclination. “He said it was now Goldman’s property,” recalls Serge. “He was quite tense. When I mentioned it, it was very close to bonus time. And he didn’t want any disturbances.”

Open source was an idea that depended on collaboration and sharing, and Serge had a long history of contributing to it. He didn’t fully understand how Goldman could think it was O.K. to benefit so greatly from the work of others and then behave so selfishly toward them. “You don’t create intellectual property,” he said. “You create a program that does something.” But from then on, on instructions from Schlesinger, he treated everything on Goldman Sachs’s servers, even if it had just been transferred there from open source, as Goldman Sachs’s property. (At Serge’s trial Kevin Marino, his lawyer, flashed two pages of computer code: the original, with its open-source license on top, and a replica, with the open-source license stripped off and replaced by the Goldman Sachs license.)

Aleynikov decided to take another job, but in the meantime he stayed on at Goldman to help out. That's where it got sticky for him:

He agreed to hang around for six weeks and teach other Goldman people everything he knew, so they could continue to find and fix the broken bands in their gigantic rubber ball. Four times in the course of those last weeks he mailed himself source code he was working on. (He’d later be accused of sending himself 32 megabytes of code, but what he sent was essentially the same 8 megabytes of code four times over.) The files contained a lot of open-source code he had worked with, and modified, over the past two years, mingled together with code that wasn’t open source but proprietary to Goldman Sachs. As he would later try and fail to explain to an F.B.I. agent, he hoped to disentangle the one from the other, in case he needed to remind himself how he had done what he had done with the open-source code, in the event he might need to do it again. He sent these files the same way he had sent himself files nearly every week, since his first month on the job at Goldman. “No one had ever said a word to me about it,” he says. He pulled up his browser and typed into it the words: Free Subversion Repository. Up popped a list of places that stored code, for free, and in a convenient fashion. He clicked the first link on the list. The entire process took about eight seconds. And then he did what he had always done since he first started programming computers: he deleted his bash history. To access the computer he was required to type his password. If he didn’t delete his bash history, his password would be there to see, for anyone who had access to the system.


The story the F.B.I. found so unconvincing—that Serge had taken the files because he thought he might later like to parse the open-source code contained within—made complete sense to the new jurors. As Goldman hadn’t permitted him to release his debugged or improved code back to the public—possibly in violation of the original free licenses, which often stated that improvements must be publicly shared—the only way to get his hands on these was to take the Goldman code. That he had taken, in the bargain, some code that wasn’t open source, which happened to be contained in the same files as the open-source code, surprised no one. Grabbing a bunch of files that contained both open-source and non-open-source code was an efficient, quick, and dirty way to collect the open-source code, even if the open-source code was the only part that interested him.

And so this case is disturbing to me, because a software engineer like any of us is assailed by one of the more infamous financial institutions in the world. He violated confidentiality, but 8 years of jail, really? He's spent 11 months in prison already. He didn't steal the crown jewels or the secret sauce — his acquittal was on the basis that the code saved to SVN wasn't the proprietary trading strategies at all, and it was extensions to open source software that he wrote himself.

Yet Goldman Sachs pursued criminal charges against him anyway. And continues to pursue him. 

I'd love to know what specific pieces of software they were. Software engineers would be able to tell what was kosher and what was not. It scares me that a jury of non-software engineers (truly, not a jury of Aleynikov's peers) will likely be responsible for deciding his fate. (Edit: Note, 8 megabytes is actually a good deal of code. But that's why what code it is matters so much. There's little transparency in this case here, so we are left to speculate.)

Serge was acquitted via the 2nd Circuit Court of Appeals, and released in February of 2012. He has since been re-arrested and is being tried by the state of New York. In the United States we have a thing called double jeopardy — you can't be tried for the same thing twice. Somehow that doesn't apply here. Not when Goldman is after you.

Sergey Aleynikov faces two felony counts in New York. 

58 responses
Why the hell would you not leave the country 30 seconds after your court battle was overturned? Russia? Venezuela?
> We have a thing called double jeopardy — you can't be tried for the same thing twice. Somehow that doesn't apply here.
I've wondered that too. Apparently, if you violate both a state and a federal statute, you can be tried for both. Random cases cited on Wikipedia:
* Abbate v. United States
* Bartkus v. Illinois
* United States v. Lanza
From last: "The defendants thus committed two different offenses by the same act, and a conviction by a court of Washington of the offense against that State is not a conviction of the different offense against the United States and so is not double jeopardy. This view of the Fifth Amendment is supported by a long line of decisions by this Court."
I worked literally side by side with Serge while at Goldman Sachs, so I have substantial perspective on this. Let's be clear -- Goldman Sachs did not pursue him, the relevant district attorney of NY did. Goldman's job is not to prosecute, it is to provide the facts of the case to the judicial system, which decides whether to go after him or not. We can argue about whether the punishment was excessive but let's stop blaming a firm that is a private company which has no ability to prosecute. And I can tell you that what Serge did was incredibly against the terms of his employment agreement. The open source aspect is overblown, obviously if it were freely available and not substantially different he would have no need to upload it days before he left. The fact of the industry is people steal code all the time, he just happened to be one of the unfortunate programmers to be caught and made an example of. But it certainly doesn't mean he's a victim here. When a company is paying you 500k+ a year to write code on its time, the understanding is that they have the say as to what happens to it, not you. You can't just say, I don't think this is that materially different so I'm going to send it to myself before I work for a competitor.
Disgusting behaviour from Goldman Sachs.
PC - Thanks for your comment. The court systems exist to adjudicate this kind of stuff. It's certainly not a clear cut case. Your first hand experience in this case is appreciated. As it is, we (the public) have no idea what specific kind of software was taken, and it's the job of the courts to figure out what needs to be done here. It would be great to get a clearer picture of what library was shared. The Michael Lewis article seems to imply that the library was of little proprietary value, e.g. the kind of "heartbeat" or "instant failover" software that sys admins routinely use. It definitely seems as though Aleynikov is being made an example of. When it comes to computer crime, our community is reeling from another rabid prosecution. (Aaron Swartz)
I understand the pain of the Aaron Swartz case. As an MIT course 6 alum and a computer programmer, I certainly appreciate this aspect. But as a GS alum with very detailed knowledge of this group and situation, I just wanted to get out there that Michael Lewis and Serge have a ton of facts simply wrong. Serge said and threw around figures and analysis that were simply not within his ability to talk about, I can guarantee you that factually a lot of that article is simply wrong. Again, I personally think that the punishment was excessive (the fact that the server was in Germany allowed the DA to do things otherwise not possible). But I dislike when people keep saying that GS is going after people over and over. It's the district attorney that does that, and we can talk about how overly aggressive DAs can ruin people's lives, but let's leave the firm out of it. GS has done some questionable things but overly pursuing Serge is not something that was substantially in GS's hands.
"not being able to prosecute the actual bad behavior that was actually really important" Again, really misguided. Michael Lewis has a poor grasp of all of this, despite his few years on Wall Street. You don't prosecute bad behavior just like you don't prosecute a Silicon Valley VC for a bad / frothy investment. You prosecute things that are illegal. That's why you don't see the Lehman Brothers executive committee being charged with crimes. They made mistakes, but they didn't do anything illegal. This bloodthirsty need to prosecute people because of a financial crisis, despite nobody asking that could such a thing occur without any illegalities, is the reason people like Serge are being targeted on narrowly defined laws. The DA needs cases, and if the public continues to demand blood, well, guess what. It's going to be what's achievable given the laws, not necessarily what people find satisfying. "Goldman’s C.F.O., David Viniar, even said on an earnings call that the code Serge took had little value, that Goldman was fine. So if it has no value, why are you so distressed? Why are you putting him in jail?" Why are you putting him in jail? Again, Goldman has no ability to put people in jail. Only the justice system does. Why this kind of narrative continues to be OK with people, I have no idea. I could rip apart everything else on this article but it's too easy. And it's supremely depressing that people read this at face value, especially for someone who actually has first hand knowledge of this + a CS background.
"As Serge says, there was no one at Goldman who actually understood the whole computer system. He said to me, “When I got there, there was a guy who seemed pretty well versed in everything. He left.” And there was such turnover at Goldman, and the system was such a hairball, that I think people knew pieces but they didn’t know the whole. Serge might have been as close as there was to an expert on the how the whole system worked. I think the valuable thing that Serge took when he walked out the door was himself." I know the guy that left that he mentions. I have drinks with him once in a while. He did know the system fairly well. But there were others who understood it fairly well. Serge certainly didn't, given some basic conversations I had with him. His sense of what he understood, just like the financial details he provided to M Lewis, were completely inflated and distorted. For a journalist with no IT knowledge whatsoever, who criticizes the witnesses (who do actually have extremely good programming knowledge, despite the implications in the article) and jury for their lack of technical knowledge, the idea that Lewis thinks he can make an assessment that Serge might have been as close as there was an expert on the system is ridiculous. Serge spent a short time at the firm and Lewis spent even less time talking to him. As someone who worked on the system and has a deep understanding of it, I can tell you Serge patched certain aspects of it and wanted to do these pie in the sky projects on the side. There's nothing wrong with that, but let's disabuse this notion that he was the only guy who understood everything, it's ridiculous.
"So, proponents have argued that high-frequency trading has made markets more liquid. Hah! Critics say it has become more volatile. Who exactly is hurt by the competitive advantage offered by high-frequency trading? It’s essentially a tax on productive investment, and it’s a tax that’s largely unnecessary. The reason people aren’t more outraged about it is that the cost of financial intermediation in the stock market—the old-fashioned stockbroker system—has gone down because of the technology. There is this whole separate question, which I’m actually not prepared to answer right now: has it introduced new instabilities in the markets for which we all pay a price? I suspect so, but I don’t know. What I know is not true is that high-frequency trading provides liquidity. There’s a line in The Big Short; one of the characters, who was cynical about the subprime-mortgage market, says, “When I hear Chinese Wall, I think you’re a fucking liar.” I feel that way about liquidity. When I hear the word liquidity, I think you’re a fucking liar. If this is liquidity, we don’t need it." Ok is there any pretense at backing these statements up with facts? As a journalist making these claims, I'm sure Lewis has done the same amount of painstaking analytical research that me and my colleagues have done. The predominant factor in whether things are more liquid or not is how expensive it is to trade. That is, if I want to do trade X, how much will it cost me? There is nobody who has done this analysis that doesn't conclude it is immeasurably cheaper, by an order of magnitude, than it was when humans were doing it. If you did it on the floor of the NYSE back in the 80s, it could cost at LEAST 30 basis points. Now it costs 3. 
For an audience as technically savvy as this one, this should be obvious that technology is a superior intermediary compared to human high school drop outs who graduated from sweeping the floors of the NYSE to market making traders (this is true, how traders used to come up). But somehow because it is technology in finance, people are skeptical. Trust me, high frequency makes things very, very liquid and very, very cheap. He talks about volatility and instability. So you think in the 1987 stock market disaster, when everything crashed 20% in one day, that things were less volatile? It's not a tax that is unnecessary, it's simply a service charge for a service that people need. And that charge has gone down a lot since the high school drop out days of the New York Stock Exchange.
"I'd love to know what specific pieces of software they were" Supposedly the code was for part of Goldman's HFT software, for front-running. Borderline illegal, so it's not surprising that Goldman wouldn't want this to get out (not to mention it could harm their "competitive advantage").
If it's some systems thing that is non-essential, man, it seems like he should go free. If it is that proprietary, it seems illegal to me. It's hard for me to believe that a core HFT part of the Goldman stack is from open source though! I want to see GitHub links.
What I find the most disturbing about the article is that Goldman Sachs allegedly removes the license headers from the source code and replaces it with their proprietary license. Thus they void all rights to the open source code in the first place. Also if the open source code was GPL'd (which the article suggests), then it becomes questionable whether or not Goldman Sachs were even legally permitted to use the source code. What I find so mind numbingly stupid about the whole thing is how completely incapable the government is at making logical, justifiable decisions when it applies to digital technology.
As a Systems Administrator this is a practice I've openly done myself within my former term of employment. My boss didn't seem to care too much as long as I wasn't transmitting any sort of cryptographic information or passphrases for internal systems, most of our stacks are open-source software to begin with as well as in this case. Even in cases where we aren't restricted by a GPL license, I've often sent myself our modifications for review and self-teaching. "We did things this way, but way _x_ might be more efficient. I'll send myself this code to review at a later time." Common practice in the industry really. I can see a financial firm getting annoyed by it though. I've often done work for lawyers where management and risk assessment teams wouldn't so much as let me leave with a CD I burned myself (usually a Linux distribution to troubleshoot a problem) while on premises. I make a habit of billing clients like that the $0.50 the CD itself costs, these days, just to make a point. I once had a client refuse to let me take the RAM out of a workstation (after it had been rebooted and even off for quite a while) fearing I'd steal documents. All while under an NDA anyways. Case in point, if their secrets are worth enough money to them, they're worth enough to go through this mess for. Even if they're not really secrets. And who on earth still uses SVN!?
PC? more like PR. Just because GS doesn't pursue something legally or publicly, doesn't mean their hands are clean. Who knows what's going on behind the scenes-- promises could be made, money could be changing hands, the prosecution could be persuaded and certainly encouraged. There are such things as leverage and public standing. If I were GS and in such a cutthroat business, I wouldn't allow my image to be tarnished and appear to not be able to control what goes in or out. If GS were "actively" pursuing criminal charges and the court says he's not guilty, GS would look like bullies. This way, if the court says he is guilty/innocent, the prosecutor looks like the bully.
@PC You keep stressing that Goldman Sachs cannot press charges. This is technically correct, no doubt about that. But did they file a complaint?
Clearly Goldman was not abiding by the terms of the open source agreement. And clearly, @PC, Michael Lewis has a better grasp on this than you and Golden Slacks would like. The REAL question is why no one at GS or any other bank were prosecuted for all the toxic mortgage fraud that ruined millions of people's lives?
Great article, double jeopardy never applies in state court after federal charges attempted. They're considered separate sovereigns. Source: lawyer
This is a fairly disturbing set of facts from what you have presented. But maybe you should leave the jabs at the legal system out of it. First off, juries are used in all types of incredibly complex cases, including medical liability cases, products liability cases, and patent infringement disputes. Those cases can require ridiculously complex testimony from myriad experts and other witnesses, who are tasked with explaining what happened and why it presents a problem. It's the job of the lawyer to make sure that the judge and jury can understand the issues involved, and come to a reasonable decision based upon those facts. "A jury of your peers" has never meant a jury of similarly-minded, equally skilled persons (not to mention that they would likely find a way out of jury duty anyway). Being scared that a jury will decide someone's fate is a valid concern, but the bigger concern is whether his counsel is capable of persuasively presenting his case to a set of disinterested people. Second, your quip about double jeopardy belies a basic misunderstanding of federalism and state sovereignty. The 5th Amendment does protect against double jeopardy by preventing a person from being tried by the same sovereign twice for the same crime. The danger sought to be avoided is the government repeatedly attempting to obtain a conviction. But because each state has its own individual laws, which are distinct from federal laws, the Separate Sovereigns doctrine allows different governments to try that same defendant for the same alleged offense under their own unique laws, provided that jeopardy hasn't already attached in that jurisdiction. So the fact that it's Goldman Sachs only really goes to show what interest New York State takes in the protection and security of investment banks.
Dick G, did you not read any front page articles of national newspapers the past week? Try Googling Fabulous Fab... Also, having worked in IT at a major bank--and it seems PC knows this as well--every employment agreement makes it clear that ALL code you write while employed is the property of the firm. It doesn't matter whether you wrote it at home outside of work or if it's even remotely related to finance. Also on HFT... What so many people fail to realize is that HFT and algorithmic trading is not just the province of buy-side firms out to make money on their own and/or their clients' assets. Many firms provide such execution as a service to retail companies like Fidelity, E-Trade, etc. Guess who benefits in the end from the extremely low cost of execution that is passed on due to the highly competitive market?
@PC What developer gets paid 500k+ a year? Also, you are clearly not a developer as you think that you can remember all code you've ever changed over X years of employment? The big tragedy here is that his manager violated the terms of the open source code they used by refusing to allow him to share improvements.
Fabulous Fab -- 1 person?! You must be joking. Oh, you're not, since that is the only example you can come up with -- five years later. And @Swamp, you think that signing an employment agreement negates your contract with GPL or whatever open source you're using? If anything, what he did passes the integrity test, while sadly, Goldman is just business as usual... take what they want and ignore their obligations.
I just want to say that while 8MB sounds like a small amount, that's actually a huuuuuuuuuuuuge amount of code. Assuming (since this code is professionally made) the coder(s) stuck with programming conventions, there should be about 80 characters per line. That's about 100k lines of code - or about 3 graphics intensive video games worth of programming source code. That's one hell of a monster program - I can almost guarantee it wouldn't be secure, (just a single off-by-one error in the wrong place and it's shot) and suicidal-thought-inducing to debug.
8 MB is no less code. As someone already explained, it's about 100k lines of code! Though Sergey created the modified code, since it's just a modification of the open source code, I don't see why he had to be tried at all. And moreover even the double jeopardy is in jeopardy!! GS must learn to be a little more sensible in its actions. And doesn't the jury require some serious briefing about the open source coders' methodologies? I wonder I am supporting or opposing Sergey, but in whatever case 11 years of imprisonment!! Seriously! That's definitely gross and disturbing...
I don't see how jail time is sufficient sentence for this case. If anything it should be compensation based on perceived damages. As there would be no damages due to the nature of the code itself, there would be no case. It just turns into a case of principle based on IP, with Goldman Sachs lawyers trying to make an example out of him. The lawyers and Goldman Sachs are too greedy to contribute anything back into the open source community that they like to use code from. Quite despicable behaviour and another topic altogether, although not surprising when you see them pay off a legal system to put someone in a cage for trying to contribute back to the open source community. If they are prepared to do that, then it's not surprising that they are the kind of people that would take and not give back to open source community.
Goldman Sachs is the big bad wall street wolf. Money hungry and scary. We get it. Goldman Sachs didn't push for prosecution, the NYC District Attorney did. On pressure from Goldman Sachs? Possibly some since GS has been beaten like a stray dog over the years because of their own stupidity. I've done a lot of code in my life, but I am not a developer. I've worked in companies that have been substantially hurt because of the inability of their developers to understand the importance of intellectual property. Sergey may be a "brilliant" computer scientist, but he's dumber than a box of rocks in the area of security and all other things not computer related. C'mon, now. Let's talk common sense. He is being paid to provide a service, in this case, his intelligence in solving common and some unique problems. Although the source code came from the open source community, he altered that code and made it his own.. well, not his own but Goldman Sachs' own code since they are paying him handsomely for his time and unique intelligence in the matter. Free public SVN repository? Really? He can't be THAT brilliant and make THAT stupid of a mistake. I worked for a company where twice, two different developers, uploaded code to pastebin which inadvertently included a backend password that ended up costing the company tens of thousands in unplanned usage fees. And those guys were relatively green. Sergey is smarter than that. Should he have gotten jail time? I don't know what the court saw (not the court of public opinion) that would have made it sway that way, but from what little I know, he wasn't malicious about it. He should have been canned right away and threatened with legal action from GS for potential $$ loss (albeit small), but tried in a court of law seems like an excessive waste of taxpayer money.
Boggles my mind how many people here are rabidly defending the Vampire Squid. If you think that the prosecutor's office is not marching to their tune, you know nothing about politics or Goldman Sachs. If GS said 'drop the case, we'll sue him over his employment contract' then NY would be outta there so fast it would make your head spin. This is essentially a mafia move: GS wants to remind all of its employees that the slightest bit of disloyalty will be punished with all the force that they can possibly muster. Expect them to sue for as much as they can get as well. Should he actually get out of jail, and should someone ever actually offer him a decent job with a felony on his record, I would not be surprised in the slightest if that company got a quiet call from GS as soon as he updates his LinkedIn profile or Facebook or whatever, saying, 'Hey, we heard you hired the wrong person...' I've known two people who worked for GS, one as a programmer and one as a strategist. They both quit, disgusted at what they saw going on there.
Merely because the case was overturned on appeal does not mean the defendant walks away. The appeals court could have returned the case on a fact-finding basis, asking the district court to re-establish/clarify circumstances. Alternatively, the appeals court could have simply granted a mistrial. In short, a case can be returned for many reasons, many of which require a new trial, not acquittal.
@PC - LOLOLOL. Seriously. What helps you forget that your employer made a sizable donation to the NYPD at a time that happened to be shortly after Occupy started, and shortly before the NYPD really stepped things up around the GS Building? I'm not sure whether Serge is guilty or not; that's for the courts to decide. Playing devil's advocate, depending on what was uploaded, 8MB may not be a lot; were library builds/debugging symbols/etc covered in that figure? When I do a backup I usually just 7z the whole project directory. Also, the article mentions that GS stripped out the open source licenses. I wonder if that is the case; almost every OSS license I've seen states that it must be kept in, i.e. 5 years down the line GS distributes it for one reason or another. Just tossing that out there.
PC >But I dislike when people keep saying that GS is going after people over and over. There's a slight disconnect here, in that it's not uncommon for major corporations to request investigations and demand action from federal, state and local authorities. Had you kept up on issues like the RIAA, MPAA, Dotcom, Apple and Gizmodo, etc etc you'd know the fallacy of the above statement. Corporations have been deftly running the government at various levels now for some time.
I have no sympathy for him. Working for GS should be considered as a crime already.
Justice as it was meant to be (John Rawls, Kant, et al.): "Entitlement to legitimate expectation." Justice as it is practiced: "Legitimising the expectations of the entitled."
@PC, no GS cannot prosecute or jail someone, but because they are a company with a lot of money, they can exert pressure on the DA to prosecute and jail someone. The DA has plenty of cases to work on and unless someone is pressing them to follow up on a case, they would probably just let it go.
Fucking banksters, I wish they get sued for breaking the free licence.
I think that the EFF should step in and verify if that code was supposed to be opened up, in the first place.
Wow, I didn't know this. Thanks for writing this article, I'll make sure to pass it along.
22 visitors upvoted this post.