Return to Blog Archives>>

CFAA Ninth Circuit Oral Argument Preview: United States v. Matthew Keys

YouTube channel.

BACKGROUND

On March 14, 2013, Mr. Keys was initially indicted for his role in the edit of a Los Angeles Times website (“latimes.com”) headline, slug, and byline for an article about proposed federal tax cuts. On April 23, 2013, he made his initial appearance in federal court and was released on minimal supervised release. On December 4, 2014, the Government superseded the indictment (the “Indictment”), broadening the date range for Count Two, and adding an allegation that Mr. Keys kept log in credentials to his employers’ computer system for “malicious purposes” after he was terminated, but otherwise leaving the original Indictment unchanged. The Indictment alleges a conspiracy, an attempt, and an actual violation of 18 U.S.C. §1030(a)(5)(A) of the Computer Fraud and Abuse Act (“CFAA”). Section 1030(a)(5)(A) criminalizes the knowing “transmission of a program, information, code, or command” the result of which “causes damage without authorization, to a protected computer.” If the loss caused by the damage is more than $5,000.00, then a violation of § 1030(a)(5)(A) becomes a felony. §1030(c)(4)(B). Damage (“CFAA Damage”) is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” § 1030 (e)(8). Loss (“CFAA Loss”) is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” § 1030(e)(11). According to the Indictment, the conspiracy to violate § 1030(a)(5)(A) occurred between December 8, 2010 and December 15, 2010. (Indictment at p. 2 ¶ 2). The object of the conspiracy was “to make unauthorized changes to web sites that Tribune Company used to communicate news features to the public; and to damage computer systems used by Tribune Company.” (Indictment at p. 3 ¶ 3). The Indictment lists the Tribune Company, local Sacramento television station Fox 40, and the Los Angeles Times as targets of the conspiracy. (Indictment at p. 3 ¶ 4). The Tribune Company owned Fox 40 and the Los Angeles Times, which utilized the Tribune’s Content Management System (“CMS”) for much of their digital content and websites. (Indictment at p. 2 ¶ 1(c)-(d)). At trial, it was established that the CMS would back up prior versions of stories on the Los Angeles Times website and save new version if changes were made. The conspiracy was allegedly devised on an Internet Relay Chat (“IRC”) between Matthew Keys and several co-conspirators claimed to be associated with Anonymous, a decentralized movement of computer hackers. The overt actions taken to carry out this conspiracy include a December 8, 2010 IRC communication in which one of the co-conspirators expressed a desire to gain access to the computer systems of Fox News. (Indictment at p. 3 ¶ 9). Mr. Keys allegedly responded by offering login credentials from his former employer that would grant access to the CMS. (ER at 237 (Indictment at p. 3 ¶ 10).) A second alleged overt act was carried out between December 8 and December 14, 2010, when a member of the conspiracy used username “anon1234” to reconnoiter the Tribune’s CMS. (Indictment at p. 4 ¶ 12) On December 11, 2010, a member of the conspiracy began using the username “ngarcia” on the CMS. (Indictment at p. 4 ¶ 13). The username “ngarcia” was eventually used to revise the title, slug, and byline of a latimes.com story on or about December 14 or 15. (Indictment at p. 4 ¶ 14).) The article’s title, slug, and byline originally appeared as follows: Pressure builds in House to pass tax-cut package House Democratic leader Steny Hoyer sees ‘very good things’ in the tax-cut deal, which many representatives oppose. But with the bill set to clear the Senate, reluctant House Democrats are feeling the heat to pass it. By Lisa Mascaro, Tribune Washington Bureau After the minor revisions by “ngarcia,” the article’s title and byline allegedly read: Pressure builds in House to elect CHIPPY 1337 House Democratic leader Steny Hoyer sees ‘very good things’ in the deal cut which will see uber skid Chippy 1337 take his rightful place, as head of the Senate, reluctant House Democrats told to SUCK IT UP. By CHIPPYS NO 1 FAN, Tribune Washington Bureau At trial, it was established that the original was restored in approximately 40 minutes. The last alleged overt act was a December 15, 2010 IRC conversation among the conspirators discussing the alteration and acknowledging that they had been locked out of the system. (Indictment at pg. 4-5 ¶ 15). At trial, these facts were offered to support Count One, the conspiracy charge. Count Two of the Indictment repeats the allegations contained in Count One, while extending the date range to October 28, 2010 through on or about January 5, 2011. (Indictment at p. 5-6 ¶ 1-2). Count Three alleges an attempted violation of § 1030(a)(5)(A). Count Three incorporates the allegations in Count One but adds that the attempt occurred on or about December 15, 2010. (Indictment at pg. 6 ¶ 1-2). The attempted transmission is alleged to have been aimed at causing damage that would have resulted in a loss to a person during a 1-year period aggregating at least $5,000 in value. Additional Uncharged Conduct Introduced at Trial Beyond the facts alleged in the Indictment, the Government introduced additional, uncharged alleged conduct of Mr. Keys. Specifically, beginning on October 28, 2010, the Government alleges that Mr. Keys downloaded an email address list from the Tribune Company’s CMS, and used that email address list to send a series of emails from private Google and Yahoo email accounts to his former boss Brandon Mercer and individuals who subscribed to the mailing list. Several subscribers who received the emails expressed concern to Fox40. None testified at trial, and no evidence was introduced demonstrating that any email addresses were deleted from the database they were copied from, or that any damage was done to the email address database. The database was operated by a third party vendor called “Green Links” (“Green Links Database”). Although this course of conduct is not discussed in the Indictment, at trial, the Government consistently referred to it as relating to Count Two. The Government advanced the causally implausible theory that transmission of the emails constituted the transmission of the code that caused the damage (i.e. the edit) to the latimes.com website story. The email campaign was generally referred to at trial as the “Cancer Man” emails or the “Fox Mulder” emails. This is because several of the aliases Mr. Keys allegedly used to carry out the email campaign, cancerman4099@yahoo.co.uk, walterskinner@yahoo.co.uk, and foxmulder4099@yahoo.co.uk, were derived from the Fox television show the XFiles, which features a protagonist named Fox Mulder and an antagonist referred to as the “Cancer Man.” Additionally, the Government alleged that during the same time period as that the Cancer Man emails were sent, Mr. Keys locked Sam Cohen, a Fox 40 employee, out of her CMS account for roughly a week. This conduct was also unmentioned in the Indictment but was referred to by the Government as relating to Count Two. Upon cross examination Ms. Cohen admitted that whenever she had difficulty with her username and password she simply requested a new username and password that allowed her to gain access to the CMS. She also testified that those working with her had ready access to the CMS, and contradicted her prior testimony that she had been locked out of CMS access for roughly a week. She further testified that she had not lost any documents or emails when she successfully logged back into the CMS.  Use of the Cancer Man Emails at Trial and Objections The Cancer Man emails were featured prominently in the Government’s opening statements. The Defense objected to the relevance and prejudicial effect of these emails after the close of the Government’s opening. The Cancer Man emails were also introduced during testimony from Government’s first witness, Brandon Mercer, Mr. Keys former boss at Fox40. Defense objected at the beginning of Brandon Mercer’s testimony as to the Cancer Man emails’ relevancy and prejudicial affect, and again renewed its objection when evidence specific to the emails was introduced during his testimony. The Court overruled all objections as to the relevancy and prejudicial affect of the Cancer Man emails but granted the Defense a standing objection. Finally, the Cancer Man emails were discussed by Government’s closing arguments as satisfying Count Two.  Federal Rule of Criminal Procedure 29 Motion for Acquittal The Defense moved under Fed. R. Crim. P. 29 for a directed verdict on all counts on the basis that the elements of each count had not been established. On Count One and Two the Defense argued that CFAA Damage had not been satisfied, as the evidence showed that the CMS system operated securely, properly, and none of the information stored by that system was lost. Any altered information was immediately retrieved and, therefore, there was no damage under 1030(a)(5)(A). Further, the defense argued that CFAA Loss had not been satisfied under Count One and Two as testimony introduced to establish loss was based on speculation, there was no expert testimony introduced to determine whether the loss incurred was reasonable relative to the damage caused, loss was recorded in an imprecise manner, and most of the evidence introduced to establish loss was attributed to conduct not alleged in the Indictment or not cognizable under the CFAA. With regard to Count Three, the Defense argued that the Government had not provided sufficient evidence of intent or a substantial step to establish liability for the inchoate crime of attempt to damage a protected computer under § 1030(a)(5)(A). The Court denied the motion.  Jury Instructions The Defense requested that the Court have the Jury Instructions exclude from consideration as to the elements of each offense harms not cognizable under the CFAA. Specifically, the Defense asked the Court to exclude from consideration alteration of data that was backed up and readily retrievable, alleged harm to the CMS caused by the mere sharing of passwords or the creation of additional accounts used by the co-conspirators to access the CMS, and harm caused by the sending of the Cancer Man emails to Fox 40 viewers and Brandon Mercer. The Jury Instructions adopted by the Court do not caution the Jury about excluding these harms. Verdict and Sentencing Mr. Keys was found guilty on all three counts and was sentenced to a custodial sentence of 24 months to be served concurrently and 24 months of supervised release. Restitution Mr. Keys was ordered to pay $249,956.00 in restitution. $200,000 relates to alleged damage to the Green Links Database, and $49,956 relates to “the value of employee time expended on responding to [Mr. Keys] actions in telephone calls, meetings, e-mails, and the initial and subsequent response to defacement of the Los Angeles Times website.” The value of the Green Links Database “was calculated at $10.00 per customer” although no testimony or evidence was offered at trial for this proposition, and no receipts, invoices, spreadsheets or expert testimony were offered at the restitution hearing to support this hearsay statement. Additionally, no credible evidence was offered, either at trial or the restitution hearing, that Fox40 “lost” $200,000 worth of customers and that Mr. Keys alleged access and copying of an email address list from the Green Links Database necessitated hiring a new vendor and rebuilding and entirely new database.

ARGUMENT SUMMARY

At trial, the Government, over a standing objection and repeated objections, introduced irrelevant and highly prejudicial evidence of uncharged conduct. Concurrent with this, it introduced, over objection, evidence of uncharged and charged conduct relating to CFAA Damage and Loss that did not meet the legal definition of those terms. The Government’s insistence on introducing evidence via uncharged conduct mentioned nowhere in the Indictment resulted in a constructive amendment of Count Two of the Indictment. Additionally, the introduction of improper CFAA Damage and Loss evidence was confusing and prejudicial. Furthermore, the Government failed to prove that Mr. Keys took a substantial step in his attempt sufficient for a conviction under Count Three. Finally, the Restitution Order should be vacated because it was not supported by the evidence. United States v. Matthew Keys, No. 16-10197 (9th Cir.) Here’s the Indictment and briefing: Filed Opening Appellate Brief 2016-08-24 (corrected) U.S. v. Keys (371) (ED Ca) Keys Superseding Indictment 12.4.14 (1) 44 Filed Correct Reply Brief 2017-02-02 U.S. v. Keys (371) 33 Answering Brief of U.S. 2016-11-18 U.S. v. Keys (371)    ]]]]> ]]>

Road to Nowhere

In Liminae: The Road to Nowhere

It takes us about six hours to drive to the rural state jail (that’s owned by two judges) the Feds contracted with to hold our client. Accused of computer crimes, he can’t effectively review evidence in jail – there’s no practical access to computers in the gulag. They’ve seized all his assets claiming they’re the ill-gotten gains of crimes the government can’t identify, and their computer forensics – if you can call them that – have no scientific basis and are full of basic errors and typos. In my decade as a federal criminal defense lawyer doing computer cases across the country, I’ve never come across a case where the government was so completely off.

Read More »

Guilty Until Proven Innocent

A defendant’s view from the trenches of federal criminal court This post is originally published to Substack. You can read and follow us there. https://torekeland.substack.com/p/guilty-until-proven-innocent

Read More »

For media inquiries, please email info@torekeland.com

30 WALL STREET, 8TH FLOOR • NEW YORK, NY 10005

©2022 Tor Ekeland Law, PLLC   •  info@torekeland.com

Attorney Advertising   •   Past results do not guarantee future results   •   Licensed in New York