Is former Sacramento media employee Matthew Keys a victim of overzealous, misguided cybercrime prosecution?
His trial here in Sacramento in federal court to wrap up soon
The trial of former KTXL Fox40 Web producer Matthew Keys in Sacramento federal court appears to be approaching its anticlimax.
The 27-year-old blogger and journalist is accused of helping hackers break into the Los Angeles Times website, where they changed the headline of a story. Keys has even confessed to the substance of the crime, though it hardly qualifies as misdemeanor vandalism. So why make a federal case out of it? Couldn’t Department of Justice resources be better directed elsewhere?
It’s a question of priorities, according to Surviving Cyberwar author Richard Stiennon. “For those in justice, your career path is to get a whole bunch of successful prosecutions and get noticed,” Stiennon says. “So you’re going to go after the low-hanging fruit.”
Lately, prosecutors have been taking advantage of the wide latitude afforded them by the Computer Fraud and Abuse Act to press cases involving “network security.” And they press hard.
Last January, Internet entrepreneur and activist Aaron Swartz killed himself while under felony prosecution for downloading academic journals. Swartz, who helped create the crowdsourced entertainment site Reddit, was facing 50 years and $1 million in fines.
“The days of ’Let’s haul this kid in front of the judge, scare him and send him home with a warning’ are long since gone,” says attorney Jay Leiderman, who represents Keys. “Prosecutorial discretion is a great thing if it’s exercised, but it doesn’t happen in any meaningful way these days, because prosecutions are so politicized.”
That’s the crux of the problem for Keys, the former Reuters social-media editor and possessor of 23,000 Twitter followers. In December 2010, he crossed paths with Hector Xavier Monsegur, a.k.a. Sabu, the eventual leader of AntiSec, a more mischievous offshoot of hacktivist group Anonymous. Keys passed them the credentials he once used to log into KTXL’s computers, which were linked to the Tribune Company network.
Keys left KTXL two months earlier, and he’s since expressed surprise that the credentials still worked. An AntiSec member used them to access the L.A. Times website and change a story headline from “Pressure Builds in House to Pass Tax-cut Package” to “Pressure Builds in House to Elect CHIPPY 1337,” a reference to another hacker group. Within 30 minutes, the hacker was frozen out and the headline corrected.
Keys might have expected, at worse, a stiff warning and small fine. But he literally messed with the wrong guy. Sabu had been an FBI informant since his arrest in June 2011, right around the time he started AntiSec.
For months, Monsegur encouraged his followers to commit cybercrime while under the FBI’s control. He was the “honeypot” attracting would-be perps into an operation seemingly designed to intimidate future hackers and anyone who might associate with them, like Keys.
“Part of this is [the feds’] broader push to send a message that anything and everything is going to go punished that appears to suggest that the control of the Internet is up for grabs,” says Hanni Fakhoury an attorney at Electronic Frontier Foundation in San Francisco. “It is not a coincidence that this was linked to behavior undertaken in the name Anonymous.”
It wasn’t always like this. Keys and Swartz were charged under CFAA, a 28-year-old law whose contours, like the shore, have worn away with time, yielding to much wider application.
The CFAA was conceived in the wake of the Matthew Broderick movie WarGames, about a hacker who inadvertently almost starts a nuclear war. The original drafters focused narrowly on government computers and the intent of the intrusion.
But changes in the law and vague wording have turned “unauthorized access” to a computer into a prosecutorial blank check.
Eleven years ago, nearby Fiddletown resident Bret McDanel was jailed under the CFAA for a crime the government later admitted he hadn’t really committed.
McDanel noticed a security flaw in his firm Tornado Development’s Web-based communications software. He told his supervisors, but his concerns went unaddressed. After leaving their employ, he sent an email to all the software’s users informing them of the issue. The Amador County resident was charged with undermining the “integrity of a computer system.”
By the time the feds admitted the law wasn’t meant to protect a software company’s reputation, he had already served his 16-month sentence. He’d lost his fiancée and was living with his parents, while his former employer had gone out of business. But McDanel can surely tell you which way the railroad runs.
As Keys has discovered, the feds lean hard and wear you down. He faces up to $750,000 in fines and 25 years in prison.
Swartz initially faced only 35 years, but four months before his death (20 months after his initial arrest), they added nine more felony counts, raising his jeopardy to 50 years. The idea, critics say, was to squeeze a plea out of him; Swartz found a different way out.
Swartz’s act of martyrdom generated a firestorm of protest. It caught the attention of Bay Area Congresswoman Zoe Lofgren, who sponsored (still-stalled) legislation known as Aaron’s Law to change some CFAA provisions.
“In talking to Aaron’s family and others who were involved in his situation, it was a real eye-opener to what happens in the criminal-justice system,” says Lofgren. “What they felt was very abusive was this sort of thing where you more or less try to extort concessions through the use of overprosecution.”
Keys’ odyssey appears to be drawing to its close, for better or worse. His last court appearance, on April 2, was accompanied by news that the case had gone to “reverse proffer.” This involves the prosecution sharing their case with the defense, generally with an eye toward an agreement.
Nearly all those swept up in the feds’ Anonymous-related enforcement actions have been processed. The sole remaining exceptions are Keys and cooperating ringleader Monsegur. In January, Monsegur’s sentencing was delayed for a third time, so it’s not difficult to believe he’s the bow on the whole operation.
Keys is certainly guilty of something, but probably not a felony. In that respect, he’s perhaps a victim of cybercrime’s intrigue and a prosecutor’s desire to leverage that publicity.
“Any case that has the word ’cyber’ in it brings headlines, because it’s interesting. There’s a degree to which careers are made this way,” says Leiderman. “’Cyber prosecutor blah-blah-blah.’ Nobody reads the ’blah-blah-blah.’ They just go, ’They caught a cybercriminal. Fantastic.’”
Lofgren continues to push changes in the law to make it less prone to abuse. Unfortunately, there’s precious little to be done about overzealous prosecutors.
“You really can’t impose good judgment legislatively,” Lofgren says, “but we do need to have better oversight over the Department of Justice.”