Goldman Sachs sent a brilliant computer scientist to jail over 8MB of modified open source code uploaded to an SVN repo

In 2009, a brilliant software engineer Sergey Aleynikov was arrested by the FBI at Newark Liberty International Airport. The allegation? He stole Goldman Sachs source code, about 8 megabytes of it. But it wasn't purely GS code — It was open source code mixed with Goldman Sachs proprietary code. If anything, if the source code was LGPL or a similar license (common among open source projects), Goldman Sachs was actually supposed to release this code back out to the community.  (Clarification: If the binary is distributed, it must be released back. Not required legally in this case.)

In Vanity Fair, Michael Lewis writes:

Serge quickly discovered, to his surprise, that Goldman had a one-way relationship with open source. They took huge amounts of free software off the Web, but they did not return it after he had modified it, even when his modifications were very slight and of general rather than financial use. “Once I took some open-source components, repackaged them to come up with a component that was not even used at Goldman Sachs,” he says. “It was basically a way to make two computers look like one, so if one went down the other could jump in and perform the task.” He described the pleasure of his innovation this way: “It created something out of chaos. When you create something out of chaos, essentially, you reduce the entropy in the world.” He went to his boss, a fellow named Adam Schlesinger, and asked if he could release it back into open source, as was his inclination. “He said it was now Goldman’s property,” recalls Serge. “He was quite tense. When I mentioned it, it was very close to bonus time. And he didn’t want any disturbances.”

Open source was an idea that depended on collaboration and sharing, and Serge had a long history of contributing to it. He didn’t fully understand how Goldman could think it was O.K. to benefit so greatly from the work of others and then behave so selfishly toward them. “You don’t create intellectual property,” he said. “You create a program that does something.” But from then on, on instructions from Schlesinger, he treated everything on Goldman Sachs’s servers, even if it had just been transferred there from open source, as Goldman Sachs’s property. (At Serge’s trial Kevin Marino, his lawyer, flashed two pages of computer code: the original, with its open-source license on top, and a replica, with the open-source license stripped off and replaced by the Goldman Sachs license.)

Aleynikov decided to take another job, but in the meantime he stayed on at Goldman to help out. That's where it got sticky for him:

He agreed to hang around for six weeks and teach other Goldman people everything he knew, so they could continue to find and fix the broken bands in their gigantic rubber ball. Four times in the course of those last weeks he mailed himself source code he was working on. (He’d later be accused of sending himself 32 megabytes of code, but what he sent was essentially the same 8 megabytes of code four times over.) The files contained a lot of open-source code he had worked with, and modified, over the past two years, mingled together with code that wasn’t open source but proprietary to Goldman Sachs. As he would later try and fail to explain to an F.B.I. agent, he hoped to disentangle the one from the other, in case he needed to remind himself how he had done what he had done with the open-source code, in the event he might need to do it again. He sent these files the same way he had sent himself files nearly every week, since his first month on the job at Goldman. “No one had ever said a word to me about it,” he says. He pulled up his browser and typed into it the words: Free Subversion Repository. Up popped a list of places that stored code, for free, and in a convenient fashion. He clicked the first link on the list. The entire process took about eight seconds. And then he did what he had always done since he first started programming computers: he deleted his bash history. To access the computer he was required to type his password. If he didn’t delete his bash history, his password would be there to see, for anyone who had access to the system.


The story the F.B.I. found so unconvincing—that Serge had taken the files because he thought he might later like to parse the open-source code contained within—made complete sense to the new jurors. As Goldman hadn’t permitted him to release his debugged or improved code back to the public—possibly in violation of the original free licenses, which often stated that improvements must be publicly shared—the only way to get his hands on these was to take the Goldman code. That he had taken, in the bargain, some code that wasn’t open source, which happened to be contained in the same files as the open-source code, surprised no one. Grabbing a bunch of files that contained both open-source and non-open-source code was an efficient, quick, and dirty way to collect the open-source code, even if the open-source code was the only part that interested him.
And so this case is disturbing to me, because a software engineer like any of us is assailed by one of the more infamous financial institutions in the world. He violated confidentiality, but 8 years of jail, really? He's spent 11 months in prison already. He didn't steal the crown jewels or the secret sauce— his acquittal was on the basis that the code saved to SVN wasn't the proprietary trading strategies at all, and it was extensions to open source software that he wrote himself. 

Yet Goldman Sachs pursued criminal charges against him anyway. And continues to pursue him. 

I'd love to know what specific pieces of software they were. Software engineers would be able to tell what was kosher and what was not. It scares me that a jury of non software engineers (truly, not a jury of Aleynikov's peers) will likely be responsible for deciding his fate. (Edit: Note, 8 megabytes is actually a good deal of code. But that's why what code it is matters so much. There's little transparency in this case here, so we are left to speculate.)

Serge was acquitted via the 2nd Circuit Court of Appeals, and released in February of 2012. (photo above) He has since been re-arrested and is being tried by the state of New York. In the United States we have a thing called double jeopardy — you can't be tried for the same thing twice. Somehow that doesn't apply here. Not when Goldman is after you. 

Sergey Aleynikov faces two felony counts in New York.