Matthew Keys: I’m Not a Hacker
Faced with 25 years in prison for defacing the LA Times’ website, Matthew Keys talked to The Daily Beast about his trial—and the future.
Last Wednesday, a California federal jury found Matthew Keys guilty on three criminal counts relating to the 2010 defacement of The Los Angeles Times’ website. The case itself is a complicated tale, one involving hacker collectives, FBI agents, and rogue login credentials. The most talked-about aspect of his conviction has been the maximum sentence—for all three counts, he could face 25 years in prison under the Computer Fraud and Abuse Act of 1986.
Keys, a 28-year-old journalist and former deputy social media editor at Reuters, has been vocal of his innocence throughout the proceedings. His willingness to talk about his situation stems from a desire to change decades-old laws, passed under President Ronald Reagan. We wrote last week about those laws, and now Keys has offered his perspective. He wrote to The Daily Beast over email a week after his conviction.
How did it feel when the verdict came down?
When you decide to go to trial, you're placing the fate of the rest of your life in the hands of 12 strangers, and you're relinquishing all control from that point on. You have to mentally prepare for every possible scenario: An acquittal, a conviction on some counts or a conviction on all counts.
I thought I'd be devastated at a blanket conviction. In the immediacy, I felt angry that the case had even been brought—I think a lot of people feel that way now. A few hours later, that anger gave way to energy, knowing that the case was headed to appeal and that the appeals process would help change—at least in this circuit—a broken and antiquated law.
If the appeal process leads to real reform on even a small level, this whole experience will have been worth it.
The term "hacking" in this case seemed ludicrous from the beginning. How was the defense presented against this?
We did not address innocence as a defense. My lawyers thought it would be better to present a defense that was built on the prosecution's legal error. At the time, I wasn't entirely sure this was the best approach, but now that the case is headed to appeal, I understand why they advocated for that approach, and I believe it was the right call.
"Hacking" is all public relations. The Department of Justice repeatedly presented this as a hacking case, and then presented it as a workplace dispute case after the verdict came down. They sought attorney general permission to interview a journalist, issued national security letters, and invoked several provisions of the Patriot Act throughout this case—only for the U.S. Attorney in my district to downplay the case as one in which there was no lasting damage (which was actually part of our defense all along). And as hard as the prosecutor pressed this case, even he had to admit that the alleged action was not the "crime of the century."
It's clear to every reasonable person who reviews the case that there was no computer hacking alleged here, so for the prosecution to assert it as such is beyond ridiculous.
What evidence do you think was edited or excluded in the case?
The main federal law enforcement official acknowledged editing chat logs that were allegedly connected to this case and others. Prosecutors also played excerpts from an apparent two-hour interview conducted at my apartment in New Jersey. The out-of-context evidence paired with the (by their own admission) edited records persuaded a jury who had no outside knowledge of me, my case, computers or computer legislation.
One piece of evidence in the case was emails sent from X-Files dummy accounts, criticizing the Fox affiliate you worked at of a number of somewhat questionable business practices. Regardless of whether or not you wrote those emails, did you witness any of the things mentioned in the emails, specifically the allegation the station asked for credit card numbers in order to track its website users?
I did not write any of these e-mails. In fact, the prosecution played a 40-minute tape in which I repeatedly deny writing or sending any of those e-mails.
Brandon Mercer, my former manager, testified that credit card information may have been stolen from the station as part of an e-mail database compromise from a few years ago. But other Tribune Company employees testified that there was no such credit card information collected from viewers or anyone else associated with the station.
In any case, the alleged e-mails are irrelevant in my case because the prosecutor did not charge me with sending e-mails. Even if they had, wouldn't sending an e-mail to a television station be protected under the First Amendment? Prosecutors only mentioned this prejudicial evidence to make me look bad in front of the jury. It was a serious legal error that will be brought up on appeal.
Much has changed on the Internet since this debacle began. What is your perception (as a “Twitter person” and journalist) of these changes, such as the Snowden Leaks? Do you think the raised awareness of digital security issues helped or hindered your case? How?
My case was opened, and I was charged, in March 2013. The first disclosures from the Snowden leaks happened three months later. In some ways, it was a bit of vindication—it showed the federal government, the same government that had charged me with three alleged computer crimes, was itself complicit in surreptitious and illegal computer intrusion and surveillance campaigns.
Did it raise awareness of digital security issues? Yes, but the government officials who committed those wrongdoings didn't lose any sleep over it because they know people tend to become pretty complacent with the things they feel they cannot control. It's a pretty depressing thought, really, that people feel powerless to change things. It's one of the things that worries me—that we'll make significant progress in this circuit as far as our appeal goes, narrowing the Computer Fraud and Abuse Act and creating authority for other federal cases, only to have Congress change and toughen the law, and for people to go along with it because they feel they cannot change things. And, really, I don't know what to say to convince them otherwise.
A favorable appeal could mean setting precedent. What is the ideal outcome here? Are you happy to be a catalyst here, even if it means you'll do time?
I don't intend to do any time. I will be very surprised if anyone feels the alleged conduct is even worth one day in prison.
Stepping out of my own shoes for a moment, let's look at this case on its face: A buried article on a niche government topic was allegedly changed for 40 minutes on one website. It was discovered and quickly reverted, and the people at the Tribune Company soon realized they had other security issues unrelated to the modified article that they decided to resolve at that time.
Through this case, we learned the identity of the person who actually changed the LA Times article. We know the identity because it was disclosed to us in FBI records that were overturned to us through the evidentiary discovery process. The guy who federal authorities say actually changed the article lives somewhere in Europe — and he's never been charged. There's never been an attempt to charge him. Why not? If the alleged crime was so serious, why would you only go after the person who allegedly provided access? It's the equivalent of going after a person who provides a gun to commit a murder, but never charging the murderer. That makes no sense.
Yet that's what happened in this case. They crafted a very convincing, but completely false, story in order to charge and convict me for crimes I did not do. And the person who actually did the crime? He walks. That makes no sense.
Twenty-five years is obviously egregious. How did that feel, even in theory?
A lot has been made about whether to focus on maximum sentences given the perceived unlikelihood in this case. However, maximum sentences are important: The Department of Justice mentions them in their press releases and charging documents because they are important.
They're important because they show the seriousness of alleged offenses compared to other crimes. For example, one single felony charge of wire fraud conspiracy carries a maximum sentence of 30 years in jail. One single felony count of conspiring to train with a terrorist group carries a maximum sentence of five years in prison. One single felony count of damaging a protected computer—or "computer hacking"—carries a maximum sentence of 10 years in prison.
What does that tell you? It says the government views wire fraud to be more serious than computer hacking, and both wire fraud and computer hacking to be more serious than conspiracy to work alongside a terrorist organization. The maximum sentences are not irrelevant—they are barometers for how serious the government considers an offense against the United States people.
Let's look at the Computer Fraud and Abuse Act another way: Where I live (California), the speed limit on the Interstate is 65 miles per hour. But nobody in California drives that slow— the actual speed most cars drive is around 80 miles per hour. Are people breaking the law when they drive 80 miles per hour? Yes. Is it something officers tend to pull people over and ticket for? Generally no, though there's always that officer who is having a bad day.
But most people here would tell you that driving five to 15 miles over the speed limit on the freeway is not a huge deal. In fact, they'd likely say that a speed between 70 and 80 miles per hour is going with the flow of traffic—even though it's technically breaking the law. "Everybody does it," they'd say. And police tend to look the other way, unless you're going faster than 80 miles per hour, not going with the flow of traffic or driving recklessly. Because they get how the real world works.
The speed limit is part of the law that governs the road, much in the way the CFAA is part of the law that governs the information superhighway. You'd be hard pressed to find a person who hasn't shared an HBO Go login, or a Netflix password, or downloaded music from Napster back in the day, or Torrented a movie screener, or used Popcorn Time or YouTube to watch an illicit copy of a movie or TV show. Those are against the law, but to the average Internet user, it's pretty benign activity. And in the case of the HBO Go login, it's something the network is well aware is taking place, and they've incorporated it to some degree in their business model.
Over the last few years, federal law enforcement has prioritized cybersecurity issues among other threats like domestic and foreign terrorism. And when it comes to certain malicious actions, like hacking into a credit card database or stealing personal health information, that absolutely makes sense, and I doubt you'll find one reasonable person who would be against law enforcement resources pursuing those matters.
But federal law enforcement has gone overboard. They have spied on activists who have committed no crime outside of their First Amendment protections, they have spied on journalists (including the phone records of Associated Press reporters), and they've sought to criminalize reporters for committing acts of journalism. That's what they did in my case—they concocted me a criminal after I refused to cooperate with the FBI in an April 2011 investigation into Anonymous, a group I had covered a few months prior. And they used the CFAA to do it.
Worse, thanks to Edward Snowden, we now know that benign computer crimes like sharing an HBO Go login or downloading a music file can land a person on a terrorism watchlist. According to a handbook published by The Intercept, crimes that fall under the Computer Fraud and Abuse Act are considered terrorism-related offenses alongside a presidential assassination or blowing up an airliner.
The handbook is here.
To bring the metaphor full circle: Imagine if driving 15 miles over the speed limit carried the same criminal offense as downloading a song from a torrent or sharing a Netflix login. Madness, right? That's the CFAA. That's why activist groups say it needs reform. That's one reason why were taking this case to the Ninth Circuit Court of Appeals.
If you were writing a story about the hackers, what was the angle here? Isn't defacing a website-or encouraging others do so a frivolous approach?
In December 2010, there were numerous news stories about an online hacker/activist collective known as "Anonymous" targeting financial institutions over an alleged blockade of the Wikileaks website. I was mildly familiar with Wikileaks and their mission, and not at all familiar with Anonymous, but understood most of the hacker/activists within the group to communicate with each other on Twitter and on an Internet service.
At the time, I was exploring a handful of freelance opportunities, and decided I would investigate this story as one potential opportunity. I logged on to the chat service and observed the activities of dozens of users over the course of about a week. Eventually, after conversing with one individual, I was invited into a secret room with about 30 individuals who fashioned themselves as high-level hackers. I used my interactions and observances of them as source material for a number of stories, including one filed by the PBS NewsHour on a breach of Gawker's website, and another filed by Gawker itself a few months later.
The source material also played a small role in a book by a Forbes journalist on the Anonymous group itself. I also used some of the source material for a Reuters.com story about two months after I was hired (the story was narrated by me, but written and published by an editor).
I identified myself as a journalist at all times during my observations and interactions with Anonymous. I did not participate in any online campaigns. I only observed. There was no promise made, no "frivolous approach," they knew I was a journalist and they allowed me to observe as such.
There was no passing of a username and password by me, as the government alleged, and no attempt to breach Tribune Company's content management service, as the government has also alleged. I didn't even work for the Tribune Company at that time—I had left months earlier, and all of my access to the company's computer systems and services had terminated with the end of my employment. So it's confusing to me how anyone at the company could claim I continued to have access—as several people asserted on the stand during my trial.
What else should we know?
A lot of people were upset after the verdict was handed down. Those who know me personally know the allegations are without merit, that the conduct alleged is something I would never do —and that I couldn't physically do because I hadn't worked for the company in two years. People who do not know me have said a number of things about me that are both hurtful and untrue—but often they do so while at the same time highlighting the ludicrous potential 25-year sentence that hangs over my head, while calling for an end to prosecutorial abuse with respect to CFAA-related cases and while noting a need for the CFAA to be reformed so that potential punishments for violating computer crimes laws are commensurate with the alleged crime itself.
No reasonable person can possibly believe that a 25-year prison sentence should hang over the head of someone accused of passing a username and a password, allegedly conspiring to alter a little-read news story on a website or allegedly sending an antagonistic e-mail to a former co-worker. But that's what happened here. And if we want things to change, we can't be outraged by a bullshit guilty verdict for a day or two, and then go about our normal lives. We have to carry our anger into progress and change. If we don't, nothing will be done. And this kind of case will be brought again and again and again. No more.