Hacker Case Leads to Calls for Better Law

Share with others:


Print Email Read Later

Matthew Keys, the 26-year-old deputy social media editor at Reuters charged with assisting computer hackers, has emerged as the latest lightning rod in the continuing battle between proponents of Internet freedom and the Justice Department.

A federal indictment of Mr. Keys filed in California on Thursday met an online cacophony of protests against the 1984 computer crime law under which he was charged, the Computer Fraud and Abuse Act.

The indictment says that Mr. Keys, who previously worked as a Web producer at KTXL Fox 40, a Sacramento-based television station that, like The Los Angeles Times, is owned by the Tribune Company, provided a user name and password to hackers associated with the group Anonymous. Those hackers then changed a headline on a Times online article from "Pressure Builds in House to Pass Tax-Cut Package" to "Pressure Builds in House to Elect CHIPPY 1337," a reference to another hacking group.

Each of the three charges against Mr. Keys could result in fines of as much as $250,000, with possible prison terms of as many as five years in one count and as many as 10 in the other two. The Tribune Company spent more than $5,000 to update its systems in response to the attack, the indictment says.

The aggressive tactics by prosecutors come amid an uptick in prominent cyberattacks in recent months. Last week, President Obama met with chief executives to discuss online security, which has become a hot issue on Capitol Hill.

In Mr. Keys's case, the scale of the potential punishment relative to the actual harm caused -- the vandalism to the Web site was quickly fixed -- raised comparisons to the potential sentence in the indictment of Aaron Swartz, a 26-year-old computer programmer and Internet freedom advocate. Accused of breaking into a university system to download an archive of scholarly papers, Mr. Swartz committed suicide in January.

"Anyone horrified by the amount of jail time" Mr. Keys faced should join in calling for Congressional reform of the computer fraud act, Trevor Timm, an advocate and blogger at the Electronic Frontier Foundation, a nonprofit that supports an open Internet, wrote in a Twitter post on Thursday.

Still, it is not clear that an overhaul of the fraud act would change the damage charges Mr. Keys is facing. Orin S. Kerr, a former computer crimes prosecutor who now is a legal scholar at George Washington University, said that the part of the fraud act covering damage to a computer, which Mr. Keys was accused of violating, was more straightforward than the part involving authorized access, which Mr. Swartz was charged with violating; some scholars, including Mr. Kerr, have called those provisions overbroad.

Moreover, several legal specialists said that even if Mr. Keys were convicted on all three charges, they most likely would be collapsed into a single offense for purposes of calculating a sentence since they involved the same basic conduct. The sentencing guidelines would then be consulted in light of Mr. Keys's previous criminal history, if any, and the economic harm caused by the vandalism -- including any overtime or outside consultants piad to audit the system after the intrusion was discovered.

Mark Eckenwiler, a former deputy chief of the Justice Department's computer crime section, said that statutory maximums cited in department news releases are "purely theoretical" in most cases, and that it would be inappropriate for the department to speculate at the start of the case about what an eventual sentence would be.

"The truth is that a lot of first-time offenders may well come in the very bottom band" of the sentencing guidelines, he said.

Nevertheless, Mr. Keys's defense team stoked the furor. "I think hackers are the new Communists for the D.O.J.," Tor Ekeland, a Brooklyn-based lawyer representing Mr. Keys, said in an interview. He maintained his client's innocence and said that he intended to "vigorously litigate" the charges.

Jay Leiderman, a criminal defense lawyer in Ventura, Calif., known for representing computer hackers affiliated with Anonymous, is also representing Mr. Keys.

The case against Mr. Keys struck a particular nerve because of his outsize, and outspoken, online presence. A popular and at times volatile figure in the world of social media, Mr. Keys is in many ways emblematic of the new-media landscape. The writer of what was described by Time magazine as one of the 140 best Twitter feeds, Mr. Keys quickly used his feed to discuss the indictment and assure his nearly 25,000 Twitter followers that he was "fine."

Mr. Keys is among a coterie of young journalists adept at social media who see their stars rise quickly and often are snapped up by major media organizations, said Sree Sreenivasan, chief digital officer at Columbia.

"At a young age you can have more influence than at any time in journalistic history," Mr. Sreenivasan said, adding, "and the mistakes you make at a younger age are more visible than ever before."

A Thomson Reuters spokesman said on Friday that Mr. Keys had been suspended with pay. "Any legal violations, or failures to comply with the company's own strict set of principles and standards, can result in disciplinary action," the company said in a statement, adding that Mr. Keys joined Reuters in 2012; the apparent crimes occurred in December 2010.

Supporters of Mr. Keys echoed criticism that reached a high pitch in January, when online activists accused prosecutors of trying to bully Mr. Swartz into pleading guilty. An article in Slate was posted on Friday under the headline "Has the Justice Department Learned Anything from the Aaron Swartz Case?"

Last week Attorney General Eric Holder Jr. was questioned at a Congressional oversight hearing on whether there had been prosecutorial misconduct in the Swartz case. Mr. Holder called the case tragic but defended prosecutors' conduct, noting that they had offered Mr. Swartz several versions of a plea deal that would involve only a few months of prison time.

"I don't look at what necessarily was charged as much as what was offered in terms of how the case might have been resolved," Mr. Holder said.

Mr. Kerr, the former prosecutor, said the Justice Department had noted the maximum statutory punishments in news releases in part for their deterrent effect -- to dissuade others from committing similar crimes -- and not because they were realistic. "It's mostly for show," Mr. Kerr said.

Anonymous, the global collective of loosely organized "hacktivists" who have used computer attacks to protest political causes, has recently faced particular scrutiny. In August, Higinio O. Ochoa III, a member of an offshoot of Anonymous, was sentenced to two years in prison after he pleaded guilty to defacing Web sites and stealing confidential data when he tapped into several law enforcement computers. In 2011, hackers associated with the group targeted the Sony Corporation's PlayStation online network, costing the company around $171 million.

"They're an organization that should be taken seriously, and anyone who is thinking about their network and their security should consider them a force to be reckoned with," said Edward Schwartz, chief security officer for RSA, the security arm of the EMC Corporation.

"There are three categories of hackers: Russian criminals trying to rob us blind; the Chinese who are trying to steal our secrets; and then there's Anonymous, and a lot of them are like merry pranksters," said Chester Wisniewski, a senior security adviser at the electronic security firm Sophos. He added: "We're treating them all the same."

According to the F.B.I., Mr. Keys went by the name "AESCracked" and in Internet chat rooms offered hackers access to the Fox 40 computer systems and e-mail addresses. "That was such a buzz having my edit on the LA Times," a user named "sharpie" suspected of being associated with Anonymous wrote, according to the indictment. Mr. Keys is said to have responded, "Nice."

When compared with recent attacks by Chinese hackers on media organizations including The New York Times, Mr. Keys's apparent crime is "nothing," said Josh Shaul, chief technology officer at Application Security Inc., a New York-based provider of database security software. "It's like someone handed you the keys to a building and you used them to get in."

interact

This article originally appeared in The New York Times.


Advertisement
Advertisement
Advertisement

You have 2 remaining free articles this month

Try unlimited digital access

If you are an existing subscriber,
link your account for free access. Start here

You’ve reached the limit of free articles this month.

To continue unlimited reading

If you are an existing subscriber,
link your account for free access. Start here