In light of a federal jury’s decision this week to convict journalist Matthew Keys of three counts related to a cyber incident suffered by the Los Angeles Times in 2010, critics of the Computer Fraud and Abuse Act are once again urging lawmakers to re-examine the country’s anti-hacking statute.
Keys, 28, was found guilty on Wednesday this week of conspiracy to commit computer hacking and two violations of the CFAA, a 30-year-old law that prosecutors have used to pursue criminal charges against individuals ranging from Russian cybercriminals to WikiLeaks source Chelsea Manning.
Prosecutors hadn’t accused the former Reuters social media editor of going after any government targets, but rather his former employer. The DOJ brought charges against Mr. Keys rather after the L.A. Times website was vandalized in 2010 by members of the hacktivist group Anonymous. Evidence presented at trial, including a video-taped confession, indicated Keys had posted administrative credentials in an Internet chat room which allowed members of Anonymous to access servers managed by the Tribune Co. media conglomerate shortly after he was terminated.
The L.A. Times claimed it spent $929,977 after a headline on its website was subsequently edited by a hacker as a result of the compromise to read “Pressure builds in House to elect CHIPPY 1337.”
Pursuant to federal sentencing guidelines, Keys now faces a maximum penalty of 25 years in prison for the prank; a spokesman for the U.S. Attorney’s Office said prosecutors will likely seek no more than five.
Keys described the verdict on Wednesday as “bull-****,” and insisted the government’s had gone after because he had been investigating Anonymous.
“We are pleased that the justice system worked,” a spokesman for Tribune Media, Gary Weitman, told Reuters. “We will let today’s verdict speak for itself.”
“Individuals who use ’bully’ tactics to attack computer networks will face justice for their actions,” said FBI Special Agent in Charge Monica M. Miller.
But as Keys prepares for a sentencing hearing in January, critics of the CFAA are sounding an alarm once more in an effort to retool the anti-hacking law in a way that encouraging acts of online vandalism won’t yield possible quarter-century prison stints.
“At the very worst, Matthew Keys was guilty of a violation of trust and poor judgement,” Lauri Love, a British man currently facing charges in the US under the same anti-hacking law, told the Washington Times.
“Any custodial sentence whatsoever is ridiculously disproportionate and further underlines the degree to which the outdated CFAA articles are routinely and egregiously abused by prosecutors, at gratuitous public expense, to the benefit of nobody, impairment and waste of human life for those directly affected, and the detriment to society as a whole,” said Mr. Love, who is currently fighting efforts to be extradited from the U.K.
The U.S. government has been opening 70 to 80 CFAA cases annually, Georgetown University Law Professor Orin Kerr said last year, and statistics released this month revealed that the FBI made 105 arrests in 2014 for violations of the anti-hacking act — notwithstanding efforts to reform the law’s sentencing structure, especially following computer prodigy Aaron Swartz’s suicide in 2013 while awaiting trial for CFAA charges and, potentially, decades in prison.
“I’m not sure any quantity of years is going to sound appropriate for a crime whose impact was measured in minutes,” Edward Snowden, the former intelligence contractor, said of the Keys case in a tweet this week.
But while the impact of the Times hack did not appear to extend beyond the crude defacement , the damage didn’t have to stop where it did. Evidence presented during trial, including chat logs, suggested Keys, using the screen name “AESCracked,” actively encouraged members of Anonymous to “attack” media websites, especially those owned by Fox.
“You have no idea the scope. This wasn’t simply a defacement. He gave out administrative control to dozens of people,” said Hector Monsegur, a former Anonymous hacker who was in chatrooms with AESCracked when credentials were handed out.
“Although he did no lasting damage, Keys did interfere with the business of news organizations, and caused the Tribune Company to spend thousands of dollars protecting its servers. Those who use the Internet to carry out personal vendettas against former employers should know that there are consequences for such conduct,” said U.S. Attorney Ben Wagner.
Andrew Auernheimer, a controversial computer hacker and Internet troll who spent 13 months in prison before his CFAA conviction was vacated by a federal appeals court last year, is now using the Keys case to carry out a vendetta of his own. On Thursday Mr. Auernheimer claimed to have identified high-ranking members of the Justice Department as members of Ashley Madison, the now infamous infidelity site whose data was dumped on the web by hackers earlier this year, and would be outting them with the aid of conservative blogger Chuck Johnson in retaliation to the Keys prosecution.
“We have located a number of U.S. Attorneys within the Ashley Madison dataset using the resources of the taxpayer (offices, computers, paid time, and Internet connections) to attempt to cheat on their wives,” Mr. Auernheimer said.
“Ironically, as you wrongfully prosecute hackers across the planet for ludicrous CFAA technicalities, the act of using computers provided by the government for work purposes to shop for whores is in itself a CFAA violation. You have no just authority to prosecute laws your own workers violate,” he wrote in an open letter to his prosecutors, later blaming the DOJ for the deaths of three men — Lance Moore, Jonathan James and Mr. Swartz — who have committed suicide while under investigation for CFAA violations, adding “blood is on your hands.”
On his website, GotNews, Mr. Johnson reported that the data suggested U.S. Attorney Martin S. Bell had created an account on Ashley Madison and browsed it from an IP address registered to the DOJ. The user records of some 37 million account holders were leaked online as a result of the hack, but the authenticity of those records are difficult to verify since the site allowed for users to any email address of their choosing when creating a profile.
“We have no comment,” a representative for the Justice Dept. told The Washington Times in regards to the claims.
An attorney for Keys, Tor Ekeland, told Reuters that they would appeal the verdict. He previously accomplished as much when the CFAA conviction against another one of his clients, Mr. Auernheimer, was vacated by the Third Circuit.
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.