Why the Government Went After Matthew Keys
Inside the prosecution of a journalist for computer hacking.
Photo: Sarah Jeong
On October 4, 2012, two FBI agents visited the home of Matthew Keys, aged 25, in Secaucus, New Jersey. At the time, he was the deputy social media editor for Reuters. Special Agents John Cauthen and Gabriel Andrews showed him a sheaf of papers—a search warrant over 50 pages including chat transcripts.
Keys was living with roommates, so Agent John offered to interview him somewhere else instead. Keys declined.
They interviewed him inside his bedroom. Keys was in his pajamas. He sat down on his bed, and the agents brought in chairs from the dining room.
Agent Cauthen had been working for over a year on the case of the December 2010 LA Times hack. The hack was associated with Anonymous. The group had been hit with a series of indictments in March 2012. Months later, transcripts from Anonymous chatrooms had brought the FBI to Matthew Keys's door.
The transcripts show someone called AESCracked copy/pasting login credentials for the content management system of Tribune Company (which owns the LA Times) into an Anonymous IRC channel, then telling the others to "go fuck some shit up."
Someone used the credentials to access the Tribune CMS, and changed a bland article about a House tax bill into this:
The defacement lasted 40 minutes, and was fixed 3 minutes after discovery. On October 7, 2015, Matthew Keys was convicted on three counts of computer hacking. The statutory maximum is 25 years, but the US Attorney's Office has stated it will seek something closer to sentencing guidelines—"likely under five years" in prison.
Keys has never claimed to be a hacker. In a conversation with Brandon Mercer, his old boss, he talks about embedding himself in an Anonymous chatroom, and says, "I learned why they say programming is a language—it really is a language that people seem to know how to speak. I don't know anything about… computer programming languages." As AESCracked, he called himself "internet dumb" in a private conversation with Anonymous hacker kayla. When questioned by the FBI about his use of a VPN, he said he found a VPN service by Googling for "how to watch British television from the United States?"
This case is a use of the Computer Fraud & Abuse Act to go after behavior that, in common parlance, isn't "hacking." It happens often with the CFAA, which has long been criticized for being overbroad—it's a statute that can be brought to bear on a perceived bad actor when all other statutes don't fit the bill. In closing arguments, defense attorney Jay Leiderman alluded to CFAA creep when he said, with some measure of resignation, "Just about any computer these days is 'a protected computer.'" (The statutory language of the CFAA only covers "protected computers.")
The ultimate disagreement between prosecution and defense is whether the CFAA was used appropriately. "Hacking is one thing," Leiderman said in closing. "Vandalism is another."
"It's important to prosecute trusted insiders who abuse their network access to sabotage the business of their former employers," Assistant US Attorney Matthew Segal told me after the verdict.
There's no indication that the government thinks Keys is a skilled computer criminal. They apparently went after him—using an anti-hacking law—for being a nightmare ex-employee.
In October 2010—two months before the hack—Keys left his job at KTXL 40, a TV station owned by Tribune Company. In the taped interview with Agent Cauthen, which was played to the jury on Friday, Keys said that he still had access to the Tribune CMS after he left his job, and that he was AESCracked.
In his interview with the FBI, Matthew Keys presented himself as an outsider embedded inside a group of dangerous hackers—a reporter working on an exposé of Anonymous, a journalist who just got in too deep. Anything suspicious he said in the chatroom, he seemed to be implying, was part of a persona, mere posturing in order to gain access. He didn't know what AES encryption was, he said. All he knew was that WikiLeaks had used it, and that if he referenced it in his username, maybe he'd gain some credibility. "If you're going to a county fair, you dress down," he told the agents. "If you're going to a dressy event, you dress up."
But it was all too much, he said. "I can tell you the first couple of days that I was in that room I didn't sleep well that night."
Agent John Cauthen testified in court on Friday and Monday. He's a tall, skinny, balding man with a wire-frame glasses and graying beard—he looks like a dad, talks like a dad, and has a dadly sense of humor.
"What is the meaning of the portmanteau 'hacktivist'?" defense attorney Jay Leiderman asked him at one point—then, for the benefit of the confused court reporter who was transcribing the proceedings, backed up and asked, "Portmanteau means two words that are put together to make a new one, right?"
"In English, I think so, but in French it means raincoat," Cauthen said with a twinkle. The jury burst into laughter.
"Do you believe Mr. Keys was being truthful to you?" Cauthen was asked, at a different point.
"Not entirely, no," Cauthen replied. Later, he added, "He was acknowledging the facts but he wasn't acknowledging his intent." Keys had said to Cauthen that he had never intended for his actions to cause damage. But "as we talked about it, clearly that wasn't the truth. That was a lie."
The biggest and most controversial issue in the trial is the question of damage and loss. The LA Times "hack" resulted in the defacement of an article about a tax-cut bill in Congress into a bizarre paean to "Chippy 1337" which the defense described in opening arguments as "a hacker mascot of some sort." (In the end, neither party offered any evidence as to who or what Chippy 1337 is.)
The defacement lasted 40 minutes. There's no indication that the defaced article was ever on the front page. In fact the government did not offer any evidence as to whether any readers ever even saw it.
The specific provisions of the Computer Fraud and Abuse Act that Matthew Keys was convicted under require the government to show that he caused over $5,000 of loss. The Tribune Company is alleging nearly a million dollars of loss, much of it billed as lost hours of productivity from employees across the company.
Various emails from Brandon Mercer, Keys's former boss at KTXL Fox 40, repeatedly reminded his employees to record hours spent in the aftermath of the hack, since, "[t]he FBI cannot prosecute a case unless there is $5,000 in damages." In another, he emails a Tribune lawyer, "By the way, if you bill $1000 an hour, that would help us get this prosecuted."
In court, defense attorney Tor Ekeland confronted him with the email. "It was a joke," Mercer said, a pained expression on his face. According to him, it was nothing but a jab at his lawyer friend's high billing rates.
"That's a joke to you? That someone could get charged with a felony and go to prison?"
Mercer was practically squirming with discomfort. "This was before I realized you should probably not put jokes in emails."
In a different, apparently non-joking email, Mercer tells Agent John Cauthen that the "hours calculated so far" come out to $3,583.91.
In the end, the government would claim that Keys caused $929,977.00 worth of loss.
Brandon Mercer was the one who hired Matthew Keys at KTXL Fox 40. "I hired Matthew because he is incredibly intelligent, innovative, and a leader in social media," Mercer said in court on September 29th. "I needed someone fresh, an alternative voice that could see things differently."
The Keys trial is a time capsule, a crystallized moment from 2010, right before Anonymous and Lulzsec became well-known. The chat transcripts record conversations happening at a time when "WikiLeaks," "Julian Assange," and "hacktivism" still feel like new words and phrases.
It's also an awkward moment of transition in journalism. Mercer was hired to transform Fox 40 News, to drive up user engagement using new tools and methods. "Social media strategy" was just becoming a ubiquitous phrase, one that was slung around at even a local TV channel in Sacramento, California. Keys was a part of Mercer's social media strategy.
In New York's words, Keys was, at the time, a "budding Twitter celeb." Keys marched in the vanguard of the social media revolution. He was one of the first journalists to become huge on Twitter, and he was one of the first journalists to get in trouble at work because of Twitter.
In October 2010, KTXL was covering a fire at a local mall, when Keys criticized the station's coverage from his personal Twitter account. There were, in Mercer's own phrasing, "loud words and opinions being exchanged about the incident." Keys wanted to "exert his right to say what he wanted on his personal Twitter feed."
Eventually, Mercer asked him to go home, and to not log on or work over the weekend.
"I can't guarantee that," Keys reportedly said. He never returned to work.
Even after a jury trial in a federal district court, whether Keys quit, resigned, or was fired is still disputed. From the point of view of the lawyers in the room, it's not a very interesting question, but they tiptoed around it nonetheless. The indictment refers to Keys being "terminated" from his position, but in court, prosecutors didn't use the word. The defense suggested that Keys was fired, but then he quit before he could actually be fired.
Either way, Keys was not happy when he left.
Immediately after, Mercer says, KTXL and Keys began to struggle for control of the station's Facebook and Twitter accounts. The Twitter account went from 8,000 followers to 2,000. Mercer suggested Keys had used a third party tool to initiate a sudden, massive drop in followers. The Facebook account was tied to Keys's work email, so KTXL was able to reset the password and retrieve it. The Twitter account took longer to get back, but eventually the drama subsided.
Then, in December, Sam Cohen, an old coworker of Keys, began to get locked out of the CMS. She'd have to email IT and then wait for them to reset her password. She did this over and over again. Some days it was fine—then she'd get locked out again. For hours at a time, she was stuck at her desk, unable to do her job. (Eventually these hours would be logged and added onto Tribune's estimate of the loss they suffered from Keys's hacking.) It was infuriating for her, but it wasn't the biggest worry for the station at that moment.
Around the same time, Mercer and other staffers had begun receiving a series of strange emails—emails that would eventually be dubbed "The Cancerman Emails" by lawyers.
They were angry, erratic, inconsistent communications. They came from addresses like firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org—all characters from the tv show The X-Files. Sometimes the sender referred to themselves as "we." More than once—according to Mercer, at least—the emails referenced events and details that only Matthew Keys knew about.
Several of Keys's former colleagues assumed he was behind the emails. One posted, "Fox Mulder?" onto Keys's Facebook. In a party in December, one of his co-workers asked him if he was behind the emails. Keys denied it at the time.
The Cancerman emails are full of a wide range of grievances. They bemoan the station's lack of ethics. The emails claim that the station dropped a news story because the subject threatened to pull its advertisements.
They also claim that the station invaded viewers' privacy through an online program / engagement strategy that got viewers to sign up for a chance to win an iPad.
Fox Mulder / Cancerman had acquired a list of those viewers' emails from the CMS, and then told Tribune Company he was going to blast the list with emails about KTXL Fox 40's perceived misconduct.
And then he did.
It was not well-received. Mercer and other staffers, already on edge from the threats, spent hours fielding emails from upset viewers. KTXL was in crisis mode. Mercer's subsequent emails to Fox Mulder are overwrought.
If you divide up these incidents into discrete parts—the Cancerman emails, Cohen's login troubles, and the LA Times defacement—it's hard to see how a computer hacking prosecution came out of it. Angry erratic emails aren't hacking, Sam Cohen's computer problems aren't definitively tied to Keys, and a 40 minute defacement that was reverted in three minutes is not exactly the scariest thing. But these things happened in the same span of days, maybe weeks.
For Tribune Company, and for the government, the computer hacking case against Matthew Keys begins with the Cancerman emails. Although the government indictment focuses almost exclusively on the LA Times hack, the case mounted in court shows the hack as the culmination of a longer arc of retribution, a campaign of terror mounted over weeks.
"Individuals who use 'bully' tactics to attack computer networks will face justice for their actions," said FBI Special Agent in Charge Monica Miller, in an official statement from the US Attorney's office in Sacramento.
"This was a prosecution against a trusted insider who used his network access to attempt, in his own words, to demolish the business of his former employer," Assistant US Attorney Matthew Segal told me after the verdict.
"Yeah, this was not the crime of the century," said Segal. "But you cannot do this stuff. And when you do, it's a federal crime."
Keys's defense has maintained that the Cancerman emails are irrelevant and should not have been entered into evidence. They were offered by the government, said Leiderman in his closing argument, "for no other reason to make you think Matthew Keys is horrible."
In a phone call with Brandon Mercer that was recorded and played back in court, Keys denies sending the Cancerman emails. In the call, in fact, he's pitching a story to Mercer. He's embedded himself into a hacker group, he says. They've hacked Gawker and it looks very serious. This will go down as "one of the largest data breaches in history," says Keys, his voice played back as a dispatch from 2010, blissfully unaware of how routine these kinds of data breaches were about to become. But in that moment in 2010, it's hot news. Keys is already talking to other outlets about doing this story, but maybe KTXL would like to do one about it too?
Mercer is less interested in that and more in accusing Keys of writing the Cancerman emails. But Keys steadily denies it. He tells Mercer that he hasn't emailed his old co-workers since he left. "I don't have any issues with you, or the station, or anyone at the station," he said.
But in his recorded interview with Agent Cauthen, a year later, he cops to sending the emails. He even writes out a confession afterwards. "The emails was, was to be antagonistic, you know," he says. And then later, "It was more or less hooliganism."
Matthew Keys did not testify at his own trial, as was his constitutional right. For the jury, his voice, and his side of the story, were only available through the conversations with Mercer and Cauthen, and through the chat transcripts from the Anonymous IRC channels.
Keys, who spoke to me after the verdict was read, was particularly upset about the recordings of his conversations with Mercer and Cauthen. "I think they put on a great show that excluded a lot of evidence and edited a lot of evidence." The government was clear that Agent Cauthen's interview, as played in court, was snippets cut from a much longer recording. I've read the transcript of the longer recording—however, Keys told me that it was revealed during pre-trial that that is actually a composite of two separate recordings.
This case is a use of the Computer Fraud & Abuse Act to go after behavior that, in common parlance, isn't "hacking."
On top of that, Keys says that he was under the effect of sleep medication at the time of the interview with Cauthen, and that Cauthen had led him into giving the answers he did, as well as the confession that was eventually written in his own hand.
According to Keys, the prosecution was politically motivated. He claimed that months after he had written his first story about Anonymous, the FBI had contacted him and asked to "scan" his computer. Keys refused. Some time after, he was indicted. Those two events, he seemed to imply, were not unconnected. "The government wanted to send a clear message that if you want to a cover a group they don't agree with and you're not complicit with them [the government], they will target you."
"I don't know what Matthew Keys's politics are," Assistant US Attorney Segal, a prosecutor in the case, told me.
Keys also said to me that his "only crime is committing the act of journalism."
"Everything I've done since Day 1 as a journalist has been in the interest of the public," Keys told me. "That hasn't changed. The charges didn't change that, the conviction won't change that, either." He called the prosecution hypocritical, given that the DOJ has "asked for the ability to hack into anybody's computer." Keys also mentioned the FBI's falsification of an Associated Press story in order to deliver malware to a target's computer.
When asked to comment on Keys's remarks, Segal was biting in his response—maybe even a little scornful. He pointed out that Keys had tried to egg on Anonymous by showing them a LA Times opinion piece that had been critical of Julian Assange.
"The evidence at trial was that Matthew Keys gave a malicious online hacking group super-user credentials to the Los Angeles Times, and told them to… mess stuff up," said Segal. (The actual quote from the chat transcript is "go fuck some shit up").
"And what he did after that when they didn't mess stuff up enough to his liking, is that he took a link to an article that the Los Angeles Times had published, and said that this is why the Los Angeles Times must be 'demolished.' I don't understand how any person, journalist or not, could consider that journalism or promoting the First Amendment. That is a serious threat to all the things that the First Amendment is supposed to protect."
When looking at US v. Matthew Keys from a purely legal standpoint, it's rather interesting. Unlike other high-profile CFAA cases, it's not an "unauthorized access" case—it's a "damage without authorization" case.
Damage and loss under the CFAA, said Keys's attorneys, should not be defined the way they were defined at trial. It does seem absurd that Tribune Company added up the total loss to the princely sum of $929,977. Incident response to a security breach is often quite costly, but many of the hours logged were from journalists and executives, rather than technical staff, and the way the hours were accounted for was often vague.
But beyond that, none of those hours of "loss" should count because there's no damage, said Leiderman. He said that as they appeal the decision, they're going to seek out a clear precedent that says "when something isn't damaged, it's not damage. Damage has to be real damage."
Leiderman pointed out that when a wall is graffitied, there's no "revert to backup" button on the wall. There was a revert button in the CMS that could have instantly fixed the defaced Chippy 1337 article—though it wasn't used, because the person who found the defacement decided it would be faster to just rewrite the title and subtitle (known as a hed and a dek in the industry) from memory. The body of the article had been left untouched. The vandalism was fixed in three minutes.
Defense attorney Mark Jaffe said that the prosecution's definition of loss, as used in the trial, was "murky, misguided, and full of holes."
The appeal is an opportunity to clarify the CFAA on this legal issue. Leiderman said that "Matthew Keys is excited to press forward and change and clarify the law."
An appellate decision favorable to Keys could limit the use of these provisions of the CFAA, narrowing down the number of potential CFAA prosecutions in the future. It would be CFAA reform, but enacted through the courts. Keys's hope is that eventually, vandalism that can be reverted to a backup can't be charged as hacking under these specific provisions.
"There shouldn't be a part of the law that allows us to call it damage," Leiderman said to me.
Jaffe then interjected, saying, "And in fact, the law doesn't."
That's the law in this case. The facts of the case are a tiny, forgettable blip in the bigger picture of the year 2010. When Segal told me that "this was not the crime of the century," his words mirrored Leiderman's closing arguments:
"This is not exactly the most unforgettable case of hacktivism, and they've made a federal case out of it."
If anything, Keys is a bit player in the events of Operation Payback and Operation Avenge Assange, where Anonymous struck back against payment processors for their role in the WikiLeaks banking blockade—an industry-wide agreement not to process donations to WikiLeaks.
Of course, Keys would like to present himself as even less than a bit player—nothing but a passive observer, writing his own stories as well as giving transcripts and screenshots to journalists like Parmy Olson at Forbes and Adrian Chen at Gawker. He was never a member of Anonymous, he says. There was no conspiracy between him and any hacker.
AESCracked fell out with Anonymous in January 2011. In a conversation between him and the hacker kayla, he says, "there was a good chunk of time when I didn't fit in anywhere, and finally I fit in somewhere, even if it was among a group of renegade criminals."
A year later, six hackers, including Ryan Ackroyd, also known as "kayla," are charged by the US government.
And seven months after that, Matthew Keys sits in his bedroom with two FBI agents. They give him a piece of lined notebook paper and a pencil. He's reluctant. He stammers. "I don't know that right now I'm in the state of mind where I can… and it's not because I don't want to… it's because I want be cognizant of any event." And then, "I'm just saying, in my pajamas, right now…"
But eventually he agrees, and scrawls out a confession for both the Cancerman emails and the LA Times defacement.
I am extremely remorseful for both actions, and am fully willing to cooperate with any agency on this or any other matters, and cooperate now and in the foreseeable future.
Years later, Matthew Keys is convicted of computer hacking in a federal district court.
Correction: The article originally stated that AESCracked fell out with Anonymous in 2012. The year was actually 2011. The article has been changed to reflect that. An earlier version of this article also implied that the Anonymous hacker-turned-FBI informant Hector Monsegur, also known as Sabu, might have provided information that led to Keys' arrest; that is not necessarily the case.