Federal prosecutors in Sacramento disregarded Matthew Keys’ role in the news media and said he was simply a disgruntled employee hitting back at his former employer, The Toronto Star reports.
Keys was sentenced by U.S. District Judge Kimberly Mueller after being convicted in October of providing login information for The Tribune Co.’s computer system.
The company owns the Chicago Tribune, Los Angeles Times, Baltimore Sun and several other media companies including FOX affiliate KTXL-TV in Sacramento, where Keys worked.
He left KTXL two months before the December 2010 hacking incident.
But this case is not as cut-and-dried as it seems.
His conviction sparked outrage on the web; many people believed that the crime he was associated with, which involved the minor defacement of the headline of the LA Times online, should have been a misdemeanor, not a felony, Wired reports.
Keys worked for Reuters news when he was indicted in 2013 for allegedly providing Anonymous with a username and password, giving them access to a server that belonged to the Tribune Company.
Once the charges were filed in 2013, Reuters fired him, The Star notes.
While being recorded by the FBI during an interview in October 2012, Keys allegedly admitted his involvement in the situation, Wired reports. Since then, he has maintained his innocence. In a brief note published online earlier this week, he wrote:
“I am innocent, and I did not ask for this fight. Nonetheless, I hope that our combined efforts help bring about positive change to rules and regulations that govern our online conduct.”
And even though the government expended plenty of effort to prosecute Keys, authorities didn’t charge the person who did the actual hack, even though they had a good idea who the suspect was.
Authorities in the UK identified the alleged hacker, a 35-year-old who used the name “Sharpie,” at that time. This individual lived in Scotland and shared the information with the FBI in 2013, according to FBI documents published last July on Cryptome. These documents indicated that UK authorities intended to pursue charges against the man, but it never happened. Asked about the follow-up that never occurred, a spokesman for the Los Angeles U.S. Attorney’s office told Wired, “It’s kinda complicated.”
When Keys allegedly gave the login credentials to Anonymous members, the hackers accessed the Times website and changed the headline over an article on Dec. 15, 2010, to read that “Chippy 1337” was going to be “elected head of the head of the U.S. Senate,” Mashable reports. It took less than an hour for Times editor to correct the changes.
But court documents assert the hacking cost Tribune $18,000 because employees spent 333 hours correcting the infiltration. However, Keys’ attorney noted that fixing the headline, byline and beginning paragraphs cost less than $5,000, which is on the cusp of a felony violation.
Sarah Jeong, who writes for Vice and has written extensively on the case, noted in Motherboard that the changes made by the hacker were only live for about 40 minutes and were changed three minutes after being found. Nevertheless, Tribune still claimed a loss of nearly $1 million because of the hack, Mashable reports.
Many, including Edward Snowden, see this as a harsh sentence.
Tor Ekeland, Keys’ attorney told Wired in an earlier report that the conviction will be appealed on the grounds that the government wrongfully used deceptively irrelevant losses to assess damages to the victim.
Even though Keys was charged under the Computer Fraud and Abuse Act (CFAA) for allegedly causing unauthorized damage to a protected computers, prosecutors also calculated losses for activities that were unrelated that didn’t cause any damage to a computer. They did this, Ekeland said, to inflate the victim’s losses, thus elevating Keys’ alleged computer crime from a misdemeanor to a felony in order to increase his sentence. The CFAA requires a minimum of $5,000 in losses in order to qualify as a felony. This means the amount of damages can profoundly affect a defendant’s sentence.
And these unrelated activities weren’t definitively tied to Keys, Wired notes. Authorities accused him of sending anonymous and harassing emails to former colleagues after he left his job at KTXL. He was also accused of sending spam to viewers of the station, but authorities were never able to prove these things. Even so, prosecutors included this in their damage assessment and claimed these amounted to more than $900,000 based on the hourly wages of employees who spent time repairing the breach at the LA Times site. This also included employees who had to respond to emails, reset passwords, and deal with complaints from viewers who received spam.
“Typically people think damages has to do with loss of money, but damages have nothing to do with money under the CFAA,” Ekeland told Wired. “Damage under the CFAA is [supposed to be about] simple impairment of the computer system. But there was no impairment [in this regard] — it was just a bunch of emails.”
At the sentencing hearing, the judge halted the prosecution’s efforts to inflate damages, saying they should be restricted to what was presented in court by prosecutors, not by what they listed in the pre-sentencing report. In that report, prosecutors had claimed damages amounted to about $249,000, but during the trial, their presented findings only amounted to about $13,000 in damages.
Keys’ surrender date is June 15, 2016, Mashable reports.
