Enterprise Security

Journalist Gets 2-Years in Prison for Aiding Anonymous Prank

A U.S. District Court judge last week sentenced Matthew Keys to two years in prison after he was found guilty of conspiring with the hacker group Anonymous to break into the Los Angeles Times’ website and modify a news story.

Keys had been site administrator forKTXL Fox 40, which was owned by Tribune, the same company that owned the Times.

He was charged under the Computer Fraud and Abuse Act.

U.S. District Judge Kimberly J. Mueller ordered Keys to surrender June 15 to begin serving his sentence.

His lawyers are expected to appeal the sentence and file a motion for bail pending appeal.

The Case Against Keys

Keys was dismissed from KTXL Fox 40 in 2010 and took credentials he had secretly created with him, according to the prosecution.

He used those credentials to steal a list of email addresses of KTXL Fox 40 viewers who had signed up for an affinity program, sent anonymous harassing emails to viewers and former colleagues through a proxy server, and launched an eight-day campaign of accessing the content management system to lock his replacement out of that system, prosecutors said.

Keys later created a backdoor for the Tribune CMS, gave that to Anonymous and told them which Tribune properties to target. He also repeatedly urged Anonymous to attack the Los Angeles Times.

One Anonymous member finally did hack into the Times and deface one of its stories.

The Rationale for Keys’ Sentence

A jury found Keys guilty in October.

His offense was serious enough to require a substantial prison sentence, the prosecutors argued, adding that he targeted the justice system following the verdict. The prosecution recommended a sentence of five years.

Pointing out that the Probation Department had called for an 87-month term and describing that as “reasonable and the best way to promote sentencing uniformity,” the prosecution suggested that five years was “sufficient, but not greater than necessary to comply with the purposes of sentencing.”

Keys retweeted the comments of people who thought the sentence was too harsh.

“Two years for a Web defacement lasting 40 minutes,” Edward Snowden tweeted.

“…and so, any lingering sympathies regarding my subscription to @latimes dies today,” tweeted dexterdyne.

“What happened to [Matthew Keys] is mind-blowingly scary,” tweeted Saina Behnejad. “And ridiculous. Priorities?!”

Electronic Frontier Foundation spokesperson Karen Gullo pointed the E-Commerce Times to anEFF blog post on the case.

A donation site for Keys’ legal fund has been set up.

Was the Sentence Just?

“Justice is relative, but I do think the punishment is within the realm of acceptable discretion,” observed Yasha Heidari and attorney at theHeidari Power Law Group.

“Keys’ intent played a heavy hand in his punishment and the prosecution of the case,” he told the E-Commerce Times. “It’s one thing to negligently forget your employer’s keys while at Starbucks; it’s quite another to deliberately hand over the keys in a sketchy part of town to some hoodlums and provide them a map to the employer’s office.”

Keys’ lack of remorse probably played a part in the sentence, Heidari remarked. “Considering he was found guilty beyond a reasonable doubt, I don’t think he did himself any favors by proclaiming his innocence.”

The sentence “is relatively lenient compared to other high-profile CFAA prosecutions such asAndrew Auernheimer,” observed Charles King, principal analyst at Pund-IT.

“Keys is lucky in the sense that the case was tried by a judge who understood how thin the charges against him really were,” he told the E-Commerce Times.

“It’s entirely reasonable to look at this from the other side — that Keys’ crime was so trivial that prosecutors were forced to inflate its effects in order to charge him and take the case to trial,” King said, “but that also casts light on the remarkable flexibility the CFAA grants to police and prosecutors. I expect prosecutors were really interested in sending a signal about the repercussions of supporting the activities of Anonymous.”

The person who actually hacked the Times website — allegedly a hacker with the moniker “Sharpie,” who lives in Scotland — has not yet been charged, although prosecutors reportedly have known his identity since at least 2015.

Richard Adhikari

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Richard Adhikari
More in Enterprise Security

E-Commerce Times Channels