Feds Never Charged the Real Hacker in the Matthew Keys Case

It turns out authorities have known the identity of the real hacker in the Matthew Keys case for at least two years.
Matthew Keys walks out of the federal courthouse in Sacramento, California after his arraignment on April 23, 2013. (Photo: Renee C. Byer/Sacramento Bee/TNS/Zuma Press)

Former Reuters social media editor Matthew Keys is facing up to 25 years in prison after his conviction last month on conspiracy charges related to a 2010 hack of the Los Angeles Times web site. Although Keys didn't actually conduct the hack, prosecutors aggressively pursued him anyway. Now it turns out that authorities have known the alleged identity of the real hacker for at least two years, but apparently never pursued charges against him.

UK authorities identified the alleged hacker as a 35-year-old living in Scotland and shared this information with the FBI back in 2013, according to FBI documents that were published on the Cryptome web site last July and that recently came to WIRED's attention. Although the FBI indicated in one of the documents that UK authorities planned to pursue their own charges against the man, this never happened either. UK authorities say this is due to lack of assistance from the US.

"It's kinda complicated," a spokesman for the US Attorney's office in Los Angeles told WIRED about the US failure to pursue charges, without elaborating.

Keys was a deputy social media editor for the Reuters news agency when he was charged for providing a member of the hacking collective Anonymous with login credentials for a server belonging to the LA Times. Prior to working for Reuters, Keys had been a web producer for the television station KTXL FOX 40 in Sacramento. His job ended in October 2010 after a disagreement with his superiors.

Two months later he was in an online chat forum frequented by people affiliated with Anonymous when, using the online nickname “AESCracked,” he identified himself as a former Tribune Company employee and disclosed the username and password for a Tribune server. The Tribune Company is the parent company of both Fox 40 and the Los Angeles Times, and both the newspaper and Fox 40 shared the same network and login credentials. After he posted the credentials in the chat room, Keys encouraged members of Anonymous to use them to “go fuck some shit up.”

A hacker going by the name “Sharpie” then used the credentials to access a Tribune server and make a minor alteration to the headline of a Los Angeles Times news story.

Keys was charged in 2013 with conspiracy to cause unauthorized damage to a protected computer, with transmission of computer code that resulted in unauthorized damage of a protected computer, and with attempting to transmit malicious code to cause unauthorized damage. Earlier this month, he was convicted on all charges.

Following Keys' conviction, Matt Segal, Assistant US Attorney for the Eastern District of California, acknowledged to Motherboard, "This is not the crime of the century." Even so, authorities pursued the case against Keys aggressively.

Although Keys was charged under a specific provision of the Computer Fraud and Abuse Act—causing unauthorized damage to a protected computer—prosecutors calculated losses for activities that were unrelated to this charge and that caused no damage to a computer. Keys' attorney says the government did this to inflate the victim's losses and elevate Keys’ computer crime from a mere misdemeanor to a felony. The CFAA requires a minimum of $5,000 in losses to qualify as a felony.

Authorities accused Keys of sending harassing anonymous emails to his former colleagues at Fox-40 after he left his job. The emails accused the station of being unethical and of violating its viewers' privacy. The sender also told employees that he had downloaded a list of emails of about 20,000 Fox-40 viewers, whom he later spammed with emails denouncing the station’s misconduct. And during the month Sharpie allegedly defaced the LA Times article, a Tribune worker was repeatedly locked out of her server account. Prosecutors say Keys used his old credentials to gain entry to the Tribune server and repeatedly deactivate his former colleague’s login credentials after she and the IT department reset them.

Prosecutors could never definitively tie these incidents to Keys, yet the Tribune and the government have included these incidents in their calculation of damages attributed to Keys—which they have said amount to more than $900,000 based on the hourly wage of employees who spent time responding to the breach of the LA Times' site and dealing with the emails, password resets, and complaints from station viewers who received spam.

But while US prosecutors expended considerable effort to convict Keys of a felony hack, they expended much less effort on tracking down Sharpie, the person who actually did the hacking.

In a document that appears to be a June 6, 2011 FBI memo (.pdf) from Special Agent John Cauthen in the Bureau's Sacramento office, to Supervisory Special Agent Jason Smolanoff in the Los Angeles field office, Cauthen told Smolanoff that his office didn't plan to pursue a case against Sharpie because of venue issues. Since the hacked server was based in Los Angeles, Smolanoff's office, he wrote, was better suited to the task.

Cauthen added that the hacker known as Sharpie was believed to be in the UK, and police officials there already knew of him "for his involvement in the Anonymous group." Sharpie had apparently participated in Operation Payback, a series of DDoS attacks that targeted Visa, MasterCard, and PayPal in 2010 for refusing to process donations to WikiLeaks.

"The logical course of action is to request information from investigators in the United Kingdom to see if they have information regarding Sharpie," Cauthen wrote his Los Angeles counterpart.

But 18 months later, apparently nothing had progressed on this front. Even though another FBI memo dated January 16, 2013 identified the real name and birthdate of Sharpie as well as his home address in Stirling, Scotland, authorities hadn't made an arrest. UK Metropolitan Police Detective Andy Bloomfield told the FBI that his office had passed information about Sharpie to the Scottish Crime and Drug Enforcement Agency, but he doubted the Scottish authorities had taken any action "because no report was ever received from SCDEA [Scottish Crime and Drug Enforcement Agency]." Such a report was standard practice, he noted, whenever Scottish authorities acted on information the Metropolitan Police gave them.

WIRED was unable to independently verify the authenticity of the FBI documents, but there is no reason to believe the information disclosed in them is not correct.

When asked about the matter discussed in the documents, Iain Fleming, a spokesperson for the SCDEA, acknowledged that his department didn't pursue charges against Sharpie. He said it was because investigators never received enough information from US authorities to open a case against Sharpie for the Los Angeles Times hack.

"[I]t appears that we asked for additional information from the complainers, which was not forthcoming, and the result was that we did not have sufficient evidence to take to the [prosecutorial authority]," Fleming wrote WIRED in an email.

When WIRED asked Assistant US Attorney Segal why, two years after US authorities learned of Sharpie's identity, they still hadn't tried to prosecute him in the US, he replied, "I'm not going to authenticate any document that you think you have that you think is authentic. And I'm not going to answer the question. I'm not going to answer either way."

Tor Ekeland, Keys' defense attorney, thinks Scottish authorities declined to pursue the matter for a different reason. He thinks they simply determined the crime was too insignificant to pursue.

"I think it illustrates the difference in approach to hacking crimes in the UK as opposed to the United States," he told WIRED. "It wasn't that big of a deal [to them] what happened." And for the US to throw Keys in jail, possibly for years, while Sharpie remains uncharged, "is a disproportionate response to a minor event."