Appellate court upholds sentence for former Uber cyber executive Joe Sullivan
The conviction of former Uber chief security officer Joe Sullivan on obstruction of justice charges was upheld by the U.S. Court of Appeals for the Ninth Circuit in California this week after the cybersecurity expert disputed several aspects of his sentence and charges.
Sullivan was given three years' probation by a U.S. federal judge in 2023 after a federal jury convicted him of two charges related to his attempted coverup of a 2016 security incident at Uber, where hackers stole the personal details of 57 million customers and the personal information of 600,000 Uber drivers.
Sullivan appealed the verdict, arguing that the district court made several mistakes in rejecting two of his proposed instructions to the jury regarding one of the charges and by unfairly allowing the guilty plea signed by one of the hackers into the case.
“The jury’s verdict in this case underscores the importance of transparency even in failure situations — especially when such failures are the subject of federal investigation,” wrote M. Margaret McKeown, one of three circuit judges who served on a panel hearing the appeal.
“The verdict is not tainted by any of the claimed instructional or evidentiary errors, nor can it be overturned for insufficiency of the evidence. We affirm the district court in all relevant respects.”
One of the key arguments Sullivan’s lawyers used in the appeal was centered on the concept of misprision — which is the crime of “having knowledge of the actual commission of a felony” and “conceal[ing]” or failing to “as soon as possible make known the same to some judge or other person in civil or military authority under the United States.”
Uber was mandated by the Federal Trade Commission to report all breaches after a separate 2014 hack exposed the names and driver's license numbers of 50,000 people. But after the 2016 breach, Sullivan instead paid two hackers $100,000 and made them sign nondisclosure agreements while not informing the FTC. He justified the payments by calling them a bug bounty.
Prosecutors said Sullivan "took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the [2016] breach."
In his appeal, Sullivan’s lawyers said he was not guilty of misprision because the nondisclosure agreement signed between the hackers and Uber meant their actions were retroactively no longer illegal.
McKeown blasted this stance in her decision, explaining that the hackers' use of stolen credentials to access protected servers was a clear violation of the Computer Fraud and Abuse Act (CFAA) and said “nobody here argues that their access, and subsequent downloading of data, was authorized beforehand.”
“The panel held that the hackers’ illegal conduct could not be laundered through Uber’s post hoc authorization, via a non-disclosure agreement (NDA), of their computer access,” McKeown wrote.
“The panel held that the evidence does not support Sullivan’s claim that, even if the hackers were unauthorized within the meaning of the CFAA, he reasonably believed that the NDA cleansed the felonious access of its illegality.”
The 20-page opinion notes that as a former assistant U.S. attorney, Sullivan “knew that the conduct in question was a felony punishable by more than a year in prison.” One of the hackers also pleaded guilty to hacking charges, making Sullivan’s assertions moot.
McKeown added that Sullivan’s own argument in his case was that “he knew and believed that their conduct was illegal” when it occurred.
“And the evidence suggests that Sullivan’s beliefs did not change even after the signing: A year after the incident, Sullivan referred to the hackers as ‘unauthorized’ in an email to Uber’s new CEO. Uber’s lawyers, too, continued to characterize the hackers as ‘unauthorized,’” she explained.
Sullivan’s lawyers made their case to judges McKeown, Anthony Johnstone and Ana de Alba in October 2024 at a court in San Francisco.
U.S. prosecutors wanted a much tougher sentence of 15 months in prison but were denied. In addition to probation, Sullivan had to pay a $50,000 fine, do community service and accept restrictions on his travel.
Since his trial, Sullivan has made several appearances at conferences and has gotten an outpouring of support from the cybersecurity community — many of whom believe he was effectively scapegoated by the rideshare giant for being the face of actions tacitly approved by then-Uber CEO Travis Kalanick and in-house Uber lawyer Craig Clark.
The judge deciding the sentence got 186 letters, including 50 from chief information security officers who warned that any custodial sentence would have a “chilling effect” on the industry.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.