Policy —

After being convicted under hacking law, Anonymous-linked man says he didn’t do it

DOJ has asked judge to sentence Matthew Keys to 5 years in prison.

After being convicted under hacking law, Anonymous-linked man says he didn’t do it

VACAVILLE, Calif.—Matthew Keys just can’t stop working, even when he’s about to face a US federal judge who could put him away in prison for years.

On a recent afternoon, the 29-year-old journalist sat outside at a Boudin restaurant in his hometown, reading various news stories on his laptop. Keys, who is currently unemployed, most recently held a job at Grasswire before the company terminated all of its paid employees in January 2016 after failing to secure new investment. Keys has continued to interview for other journalism jobs.

"I’m trying to do as much work as I can now," he said.

Several months after being convicted of federal hacking charges, Keys is set to be sentenced Wednesday morning in federal court in Sacramento. Keys said that the hacking conviction had "ruined his reputation."

Keys was convicted on three counts of conspiracy and criminal hacking after a jury trial. Since then, prosecutors have asked the judge to impose a sentence of five years, while his own lawyers have asked for no prison time. Keys continues to argue that this is a clear case of prosecutorial overreach. He also denies the actions that he was accused of and has vowed to appeal the case to the 9th Circuit Court of Appeals, a process that likely will last a year or more.

Matthew Keys' fate rests in the hands of United States District Judge Kimberly J. Mueller.
Enlarge / Matthew Keys' fate rests in the hands of United States District Judge Kimberly J. Mueller.
Either way, on Wednesday, US District Judge Kimberly J. Mueller will announce her sentencing decision in her courtroom in Sacramento.

More than five years after the alleged crime took place, Keys sees himself as a victim: a noble journalist standing up against what he views as overzealous prosecution of a relatively minor computer crime. He continues to maintain that the FBI is punishing him for his journalistic work of investigating the Anonymous collective and for not cooperating with the FBI when they contacted him in April 2011.

Keys said that he was given three plea deals, which he all turned down, lest he be forced to admit to a crime he claims he didn’t commit. (Two sets of what appear to be internal FBI documents, including the plea deals, an audio recording, and handwritten FBI notes related to Keys were leaked to the website Cryptome.org. Assistant United States Attorney Matthew Segal told Ars that he was "not authenticating anything from third parties.")

"I took this case to trial because I feel it can have a serious impact on this law that is really broken," Keys said, referring to the Computer Fraud and Abuse Act, a notorious anti-hacking law that dates back initially to 1984.

"I would hope through this experience, there are people who are out there that look at this and go: ‘You know what, this is bullshit. It’s bullshit that the government is invoking national security and terrorism laws and they do it all the time, and they’re doing it here. Where’s the bottom?’"

CHIPPY 1337

As the government tells it in court filings, in October 2010, Keys was fired from his job as an online news producer at KTXL Fox 40, a TV station in Sacramento, which at the time was owned by Tribune Company. (Keys says he resigned from Fox 40 before he was fired. He later worked at Reuters and at Grasswire.) The Chicago-based firm also owns the Los Angeles Times, among other media properties.

By December 2010, a number of e-mails were sent to Fox 40 from various @yahoo.co.uk e-mail accounts that bore the names of X-Files characters, including Fox Mulder and Walter Skinner. These e-mails taunted Fox 40 for its lax security and claimed to have taken a number of Fox 40 viewers' e-mail addresses from a company marketing database, criticized the company, and then contacted some of those viewers directly. Brandon Mercer, Keys’ former boss, had a phone call with Keys, who specifically denied that he was Fox Mulder—but Keys warned Mercer that Keys' own reporting on Anonymous suggested that the Times could soon be a target.

Days later, the government claims that Keys handed over a CMS username and password to members of Anonymous in an IRC chatroom (under the name "AESCracked") and instructed Anonymous to go "fuck some shit up." In turn, a person who went by the name "Sharpie" later used that login to eventually edit one headline and dek, or sub-headline, on the Los Angeles Times’ website. The body of the story was untouched. After 40 minutes, the permissions were revoked by the Times’ IT staff, edits were reversed, and the defacement halted.

The original headline reading "Pressure builds in House to pass tax-cut package" was changed to "Pressure builds in House to elect CHIPPY 1337."

George David Sharpe, aka "Sharpie," the man who federal authorities believe perpetrated the hack against the Los Angeles Times, has never been charged in the United States nor in his native Britain, Jay Leiderman, one of Keys’ lawyers, previously told Ars.

By all accounts, that edit was only online for 40 minutes, and there’s no evidence that it did any lasting damage to the Los Angeles Times. According to IRC logs that the government introduced at trial, Sharpie himself didn’t even manage to take a screenshot. Yet Tribune Company, seemingly urged on by the government, claimed that this hack caused nearly $1 million in damages to the company—criminal charges were not filed against Keys until more than three years after the incident took place.

In April 2011, the FBI contacted Keys, asking for his notes pertaining to his research into Anonymous. Keys refused to hand over his information and declined to respond to continued overtures by the FBI. By May 2011, the prosecutor decided to focus its investigation on Sharpie rather than Keys. However, months later, when reviewing a computer image in an Anonymous-related case, the feds set their sights back on Keys. A leaked FBI memo shows that AUSA Segal "really wants to indict Keys."

But that didn't happen until March 2013, when Keys was formally charged with three counts under the CFAA. It was the law that activist Aaron Swartz was prosecuted under, which ultimately resulted in his suicide. It is the same law that President Barack Obama has said he would like Congress to expand, to encompass broader reach and longer prison sentences. After Swartz’ death, some lawmakers proposed Aaron’s Law, a Congressional bill that would aim to rein in some of the expansions of the CFAA, but it has languished in Congress.

"A sentence of five years imprisonment reflects Keys’s culpability and places his case appropriately among those of other white-collar criminals who do not accept responsibility for their crimes," Segal wrote in the sentencing memorandum.

In the 12-page filing, Segal explained that, although Keys initially "succeeded in deflecting suspicion away from himself," the FBI changed course after it reviewed chat logs found on the computer belonging to Wesley "Laurelai" Bailey, a former Anonymous member. Those chat logs between Bailey and Ryan Ackroyd (aka "Kayla"), included a line where Kayla wrote: "Iol he's not so innocent and we have logs of him too, he was the one who gave us passwords for LA times, fox40 and some others, he had superuser on alot of media"

Segal explains further that Keys’ attack was "an online version of urging a mob to smash the presses for publishing an unpopular story," adding that Keys used "means that challenge core values of American democracy."

In a Monday e-mail to Ars, Segal continued to argue that Keys was prosecuted for more than a simple headline change.

"The more you read of the record, the more you will see that the damage in this case was not merely the Los Angeles Times defacement," he wrote. "A lot of trial testimony was about the damage to system integrity caused by what Keys did personally. He created and disseminated unauthorized superuser credentials and he taught others how to do the same thing.

"Tribune’s response to, and assessment of, that damage can be found mainly in Volumes 4 & 5 of the reporter’s transcript," he continued. "It’s covered in the testimony of Armando Caro, Dylan Kulesza, Timothy Rodriguez, and Jason Jedlinski. All those people, and others, worked on incident response and damage assessment in ways that went far beyond just changing back a headline."

However, Segal would not answer Ars’ question as to why Sharpie was never charged anywhere.

Did the DOJ prove its case?

Keys denied to Ars that he handed over the CMS login. He also specifically denied sending the "Fox Mulder"-related e-mails despite having admitted to it in a recorded interview with the FBI in October 2012.

"This is one of the reasons why I’m talking to you as opposed to saying, you know, I want a lawyer, or I want to talk to, you know, counsel at Tribune, or, again I’m sorry, Reuters or anything like that is because, you know, I did it," he said in the interview with the FBI.

He told Ars that prior to this case unfolding, he had never seen the X-Files, much less knew about Fox Mulder and the other characters on the TV show. [UPDATE 9:19am ET: This section has been edited to reflect the fact that the "I did it" line refers specifically to the e-mails, not the CMS handover. Keys still denies he did both.]

Keys maintains that he was taking the antidepressant trazodone during the time when the FBI interviewed him. He argues that because he was "medicated," his statements during that FBI interview were and remain unreliable. Keys’ lawyers even raised this issue at trial and brought in a Ventura County doctor who submitted a statement to that effect, but the judge ultimately didn’t buy it. Keys and his attorneys continue to maintain that the material from the FBI interview and the Fox Mulder e-mails are "prejudicial" and shouldn’t have been heard by the jury at all.

At trial, the government put FBI Special Agent John M. Cauthen on the stand, who walked the court through various evidence. That evidence includes explanations of compelling records showing that Keys’ Switzerland-based VPN IP address created by Overplay (a VPN provider) was the one that turned up to create the "anon1234" on the Tribune CMS. Those records also show that it was used to access the Yahoo-based Fox Mulder account. (While anon1234 was the account that Keys is accused of handing over, an account by the name of "ngarcia" was the one that actually perpetrated the hack. Keys told Ars that the government did not fully explain this discrepancy.)

Further, Overplay’s own records show that Keys’ VPN account was created from an AT&T IP address in Sacramento that was assigned to him, referred to as the 75.53.168.11 (or "75.11") IP address. The user agents also match on Yahoo and Overplay’s records. The defense attempted to counter with its arguments to address the IP records evidence, but Agent Cauthen didn't back down. Cauthen clarified that while the 75.11 address was the IP that AESCracked used to allegedly pass the login and password to Sharpie, when he went to pull the Overplay records during the period that "Cancer Man" was sending e-mails, he found a new IP address: one beginning with 75 and ending with 204. When Cauthen filed a subpoena with AT&T, he found that this IP was assigned to Keys, and said that it had "superseded" the "75.11" address, which was sometimes erroneously referred to as the 75.211 address.

Keys and his attorneys maintain that because Cauthen didn't pull records showing that the 75.11 address specifically were assigned to Keys, then there remains a plausible case that Keys could not have been the one who gave up the anon1234 login credentials.

At trial, the defense put on no witnesses, and Keys himself did not testify. During closing arguments, Jay Leiderman, one of his attorneys, largely focused on the second count that Keys was charged with: 18 U.S. Code § 1030 (a) (5) (A), which declares it to be a violation of the law if someone "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer."

Specifically, Leiderman argued that the defacement was not real damage:

So let's talk about what damage is, and I think this is from the actual jury instruction. I'll be corrected if I'm wrong. It's any impairment to the integrity or availability of data, program, system or information. The system wasn't hurt. The information wasn't hurt. There was a back-up. The integrity or the availability of the data wasn’t hurt.

Leiderman continued:

Nor was there any impairment to the content management system or CMS caused by the Cancer Man e-mails. If they—there's—there were different crimes that could have been charged that were not. You're not asked to decide about a trespass. You're asked to decide what's in front of you. This is not a trespass, computer trespass, computer intrusion case. This is a computer damage case. Those two are wildly different things especially under the evidence here. You're not asked to decide about a trespass.

Misappropriation and misuse of data, we assert, aren't damage or loss within the meaning of this case. A robbery isn't a burglary isn't a grand theft isn't a petty theft isn't receiving stolen property isn't shoplift. They are all different things, and they have different statutes. Likewise in this case.

Keys reiterated this during his interview with Ars.

"The bulk of our defense was that they didn’t prove their case under the laws that they targeted," he said. "I think that went above the heads of the jury, I think we kind of expected it to, but I don’t think it will go over the heads of the appellate judges."

Amok time

Keys sees his case as being somewhat like Aaron Swartz' case. Keys knows that his career will sustain a significant blow if he’s issued a years-long sentence and if his sentence stands on appeal.

"That’s why an appeal in this case is so important, it’s one way that we can, in this district, narrow the applicability of the law so it doesn't happen to anybody else," he said. "And for me, I’m hoping that sends a message to any prosecutor that thinks about going after a journalist again in a bullshit case. On a bigger scale, I hope that it’s the start of a chain reaction. And I hope people do fight these convictions. I hope they don’t look at me and become discouraged and become complicit in whatever the government brings."

However, the difference is that Swartz was a well-liked activist who held lofty goals of broader public access to court documents and academic materials—Keys’ alleged actions are seemingly much more self-serving. Still, the Electronic Frontier Foundation has advocated on his behalf, calling it "prosecutorial discretion run amok."

So, how does Keys explain why he was prosecuted, years after the fact? First, he believes it’s to account for a multi-year investigation into Anonymous that didn’t go very far. When Keys wasn’t willing to cooperate with the feds when they first contacted him in April 2011, he believes that they targeted him as a journalist.

"They said: ‘Well shit, we spent three years investigating this, and we have to show something for our work,’ he continued. "And here we are. So when I tweet something that says: ‘that was bullshit,' a good chunk of that is what I’m talking about."

Second, he believes that if this case had legs, it was largely because of an aggressive prosecutor in the Eastern District of California, a part of the Golden State not well-known for computer crimes. He speculated that this was a way for Segal to self-aggrandize his office.

"Can you then use this case and others like it to get more prosecutors or a promotion, which this prosecutor got during the course of this case?" Keys theorized.

Segal, the federal prosecutor, agreed that digital crime-related cases are rare, even for him.

"Until Keys, in the Eastern District of California, there had not been too many cyber cases against insiders," the AUSA said in an e-mail on Monday. "Cyber cases are rare in general, and cyber cases against employees are even more so. Criminal employee cases are more often for fraud crimes like embezzlement or bribery."

Channel Ars Technica