#43 The Law That Sticks
October 28, 2015
How to listen:
Subscribe (it’s free!) in your favorite podcast app.
The Computer Fraud and Abuse Act is a law. It's been on the books for almost 30 years. And it makes totally mundane online behavior illegal.
Our theme music is by Breakmaster Cylinder.
Our ad music is by Build Buildings.
Sarah Jeong's article "Why the Government Went After Matthew Keys"
ALEX GOLDMAN: From Gimlet, this is Reply All. I’m Alex Goldman.
PJ VOGT: Alright, Alex. Let’s giddyup and ride one more week. What are we talking about today?
ALEX: We are talking about a law. It’s called The Computer Fraud and Abuse Act, or the CFAA. And you should care about it because it makes things that people are doing online all the time illegal. And this law, it’s been in the news lately because of the strange case of this guy named Matthew Keys.
NEWSCASTER: 26-year-old Matthew Keys was formerly employed by Tribune-owned KTXL FOX40…
NEWSCASTER: ...connection with an attack on a Tribune Company website that was carried out by the group Anonymous. Joining me now to discuss...
ALEX: Three weeks ago Keys was convicted of hacking on three counts, including something called “transmission of malicious code.”
PJ: Transmission of malicious code.
ALEX: it sounds really sinister, right?
PJ: Yeah, it sounds really sinister.
ALEX: And now he’s facing a bunch of years in jail. So, a little background on the guy. Matthew Keys is a reporter. He covers breaking news stories using social media. And back in 2010, his day job was as a web producer at FOX40, which is a television station in Sacramento. It’s owned by the Tribune company. The Tribune Company is this big media company that owns a bunch of other TV stations and newspapers. So, just keep that in mind. So Keys has this job putting up web pages and stuff like that, and he’s fired in October of that year. He says he quit, but either way he’s not happy with his dismissal. Or departure. So not long after he left the television station started receiving emails that were written by X-Files characters. They were from email addresses like firstname.lastname@example.org.
PJ: Are there other X-Files characters?
ALEX: There’s the Cancer Man.
ALEX: The Tribune Company says that these emails were Keys. Keys denies this whole version of events. In fact, he denies just about everything I’m about to say in the next eight minutes or so. But the Tribune Company says that he’s sending these emails, they were anonymous, and he was saying I’m gonna let the world know that you don’t appreciate your staff, that you fire the wrong people, that you’re taking this place in the wrong direction...
PJ: He’s like a disgruntled ex-employee being like I’m going to blow the whistle on how awful this place is.
ALEX: Yeah but I think that they were just menacing enough that people were actually kind of freaked out by them. So Matthew Keys was doing this for a while, and people at FOX40 are upset about receiving these anonymous kind of creepy emails. And then in December of 2010, Matthew Keys goes totally Nuclear. You see, Keys still has user credentials to access the Tribune Company’s content management system, which is where they post all the content that appears on their websites. I talked to Sarah Jeong, she’s a Vice reporter who covered the Keys trial.
SARAH JEONG: So he dropped user credentials to the Tribune Company content management systems into an Anonymous chatroom, like Anonymous capital A, like the hacktivist group. So like a username and password that would get them access to the entire Tribune CMS.
PJ: So he just went into a roomful of notorious computer hackers, and he said, “Hey guys, I don’t like my old job, here’s the keys to the place, do whatever you want, burn it down…”
ALEX: Yeah, and he was really trying to whip them up. He also said stuff like, “Fox News is not media, it’s infotainment for inbreds. I say we target them.”
PJ: Rude to inbreds.
ALEX: So this guy named Sharpie takes him up on his offer and Keys gives him the username and password and says, “Go fuck some shit up.”
PJ: He says literally that?
ALEX: Yes. He literally types that.
SARAH: The result being that someone defaced a LA Times article for 40 minutes. It’s just like the headline and the deck, which is, you know, like the subtitle, and it just turns, this like really boring article about a tax bill turns into “Chippy1337 Elected Speaker of the House.”
ALEX: So, Chippy1337 seems to be I guess another hacker, and the exact wording that appears on the site is, “Pressure Builds in House to Elect Chippy1337.” And that’s it. It’s probably the most meaningless hack in the history of time. Not to mention pretty short-lived.
SARAH: It was like for 40 minutes. And actually like, no one knows if anyone even saw it. They were never able to get that information during the pretrial process, which is really funny because surely the LA Times has metrics somewhere about whether or not people actually clicked on that article. But yeah, there’s no evidence in this case that anyone ever saw it.
ALEX: So, this is kind of like writing something mean in the sand at high tide. Very likely nobody saw it. Except the guy who changed it back… and the Tribune Company… and the Federal Bureau of Investigation. Matthew Keys confessed everything to the FBI on tape and he was indicted in 2013. Sarah was at his trial.
SARAH: I was kind of riveted when they were playing the audio of the confession. He cops to sending those emails, he talks about entering that Anonymous chatroom, he walks about using the handle AESCracked.
MATTHEW KEYS: I did it. There were things that I did. I can’t deny it. I’m not going to now...
SARAH: It’s a very damning piece of audio.
MATTHEW: Can I grab that paper from you? Cuz I’d like to write these down. Thank you. And I’ll start a fresh piece. In fact, I’ll do this on a separate…
FBI AGENT: But I want it to be your own words, man.
MATTHEW: No, I understand.
FBI AGENT: These are the issues that I wanna cover: one is your willingness to cooperate...
SARAH: And at the beginning there’s no hint of this, but at the very end he mentions that he’s in his pajamas.
SARAH: Yeah, and that’s sort of how I came to realize that this entire interview took place in Matthew Key’s bedroom, right?
SARAH: So he’s sitting on the bed, the two agents are sitting on chairs from the dining room, and the agents get him to write out a confession while he’s still in his pajamas and supposedly on these sleep medication pills.
ALEX: So, he later recanted that confession because he said he’d taken a double dose of Trazidone, but the confession itself was super specific. It matched with everything that the FBI already knew, they found screenshots of the hack on his computer, there was just a ton of evidence pointing to this being something that he had done.
PJ: Right, there’s not a lot of sleeping pills that people take that make them confess in specific detail to crimes that they didn’t do and weren’t involved with.
ALEX: Right. But the most interesting aspect of this case hasn’t been whether Matthew Keys is actually guilty or not. The most interesting thing is the question of how much money it cost the Tribune Company to fix that dumb headline about Chippy1337. Because the more money that this hack cost the Tribune, the more time Matthew Keys could spend in jail. So at first, the Tribune Company as the victim, they go to the court and they provide a number. $5000.
PJ: That’s absurd. I used to have to fix broken webpages. I would have changed that headline for 20 bucks.
ALEX: I agree, it doesn’t seem that costly. But Sarah Jeong said that when she mentioned that $5000 damage estimate on Twitter...
SARAH: I got sort of this pile-on of info security professionals all competing to tell me how high their rates are.
ALEX: how much were they saying the rates were?
SARAH: Oh man, they were talking, you know, “I won’t get up in the middle of the night for less than like $1000 an hour” kind of thing. And basically what I’ve come to gather from that is that $5000 is really easy to clear.
ALEX: And for Matthew Keys, this $5000 figure is really bad news. Because $5000 is the threshold at which a hacking crime can be moved from a misdemeanor to a felony.
PJ: Very interesting that when they crunch the numbers it turned out he’d done exactly the amount of monetary damage that would make it a felony.
ALEX: But that is just the first number. Because once the trial gets underway, that number, the estimated cost of this hack, it’s gone up. It’s gone up to $17,650.
PJ: Can we just call that $18,000?
PJ: So $5000 got him arrested, when they get to trial they’ve already raised it to $18,000. How did they go from 5 to 18, like they must have said something to a judge, what did they say?
ALEX: They said that the $18,000 amount was based on 333 hours of Tribune Company work to diagnose and fix this. So the prosecution sticks to that number for the length of the trial. That the Chippy1337 Hack cost the Tribune Company $17,650. And then, three weeks ago, October 7th, Matthew Keys is found guilty. And the Tribune Company at that point floats one more number, and it’s a number they’re likely to use during sentencing for how much this hack actually costs. They will say that this hack actually costs $929,977.
PJ: That’s insane. That is a million dollars. That is what that number really is. That’s crazy. From 18 to a million is crazy. So follow up question: how long do you go to jail for changing what is apparently a million dollar sentence on a website?
ALEX: According to the sentencing guidelines, a million dollars in damage is worth about five years in prison. So I called Matthew Keys’s lawyer, Tor Ekeland, and he told me that five years would be ridiculous sentence for this crime.
TOR EKELAND: There was like, frickin a few words were edited in one paragraph of an LA Times website story. And I think that’s why the prosecution actually went and tried to run these loss numbers up, because they realized it looked kinda silly.
ALEX: Ekeland says this is a lot of bitching and moaning from a big company that got really embarrassed, so now the Tribune’s just out for blood. And if anything, he says this matter should be settled in a civil court, not a criminal court.
TOR: Like, let Tribune, the owner of the LA Times, sue Matthew KEys for their damages. You know what I mean? Like this should not be a felony.
ALEX: And I mean you might agree that one tiny headline seems like small potatoes. But there is at least one person who thinks that this argument is just stupid.
MATT SEGAL: Hey, it’s Matt Segal.
ALEX: Hi. How you doing?
MATT: I’m fine, how are you?
ALEX: This is Matt Segal. He prosecuted Matthew Keys. And Segal you can’t just fix the vandalized headline and figure that your work is done.
MATT: The system administrators can’t just say “oh,” they can’t just assume that the thing that they found is the only damage in the system, right? If you find one rat in your house, god forbid, you should not assume that that’s the only one.
ALEX: And Segal says that this is about more than just the Chippy Hack and those emails that he was sending as Fox Mulder or whatever. On his way out the door, Keys stole the email addresses of thousands of FOX40 viewers, and he was sending hate mail about the television station to the viewers. And didn’t just give Anonymous the password and admin privileges to the Tribune site. He kept pushing them to mess stuff up.
MATT: The username in the chatroom that Keys admitted to using, AESCracked, pops back in from time to time, and urges the hackers of Anonymous to do something, and identifies Tribune properties that he thinks would have the greatest impact. And for the LA Times, AESCracked posted a link to some opinion piece in the LA Times that said, it was kind of critical of WikiLeaks, and said, “Yet one more reason why the Los Angeles Times must be demolished.”
ALEX: Saying “the LA Times must be demolished” doesn’t sound like a prank. Matt Segal sees real malice in what Keys did. And while you could say Keys didn’t break very much, that doesn’t really matter. That’s not how the law works.
MATT: In every other case, not just hacking cases, people are liable not just for the crime that they succeed in doing, but for the crime that they conspire to do or attempt to do. Because it’s that that measures their moral culpability. That’s what they set out to do. And sentencing law accounts for that.
ALEX: When we come back from the break, the law that Matthew Keys is going to be sentenced under. Why people hate it, why prosecutors love it, and why maybe, just maybe, you should be afraid of it.
ALEX: Welcome back to the show. The Computer Fraud and Abuse Act, the law at the center of the Matthew Keys case: it was written back in 1986, and at the time, no one really knew what a hacker was. Legislators actually watched the movie “War Games” in congressional hearings to show people how dangerous hackers could be.
COMPUTER: Shall we play a game?
MATTHEW BRODERICK: Oh!
ALLY SHEEDY: I think it missed him.
MATTHEW BRODERICK: Yeah. Weird, isn’t it? Love to…
ALEX: And if you’ve seen that movie, you know that the worst case scenario is global thermonuclear war.
MATTHEW BRODERICK: ...thermonuclear war.
ALEX: So, the stakes were high.
MIKE MASNICK: The idea of computer hacking seems really scary, and it’s a really easy one for them to say, “Well, something must be done” and to push solutions where they don’t really understand how they’re going to be used.
ALEX: This is Mike Masnick of the website TechDirt. He says that lawmakers wrote the CFAA before the worldwide web even existed, and they really had no idea just how far-reaching this new law would turn out to be.
MIKE: It’s written so broadly and in such a bizarre way, that it’s really easy to use against lots of people doing things that most people would not think of as criminal, let alone as some sort of computer hacking kind of thing.
ALEX: But prosecutors love it. The CFAA is like flypaper for bad people who aren’t necessarily hackers, but whom authorities really want to put in prison. Kind of like how the tax code was used to put away Al Capone. For example, you know the cannibal cop, the New York police officer who was fantasizing about eating people?
PJ: Yes, I do.
ALEX: Well, the authorities couldn’t get a conspiracy to kidnap charge to stick, but he went to jail for using a police database to look up the women he was fantasizing about. Sarah Jeong told me about another creepy case.
SARAH: So this guy would like, follow women around that he met through prayer groups, right? He joined these prayer groups to creep on women and one of the ways that he’d creep on them is, I guess that he was working at the IRS and he would like, search them in the database, find all their information, and get their addresses. And like usually he wouldn’t do anything with this information at all. So, a bunch of these women didn’t even know he was stalking them. But some of the women knew because he’d like go to their houses and send them creepy presents and stuff like that. The feds couldn’t get charges to stick except for under the Computer Fraud and Abuse Act. When nothing else sticks, you can always turn to the CFAA.
ALEX: And the reason this is the law that sticks is because it criminalizes what it calls “unauthorized access.” And this doesn’t have to mean hacking into Norad like they do in “War Games.” It could be almost anything. Like, say you use a fake name on Facebook.
PJ: Yes, I have done that.
ALEX: That violates Facebook’s terms of service, which could be considered a violation of the CFAA.
PJ: Can I throw other grand acts of malfeasance from my life at you?
PJ: So like for instance, I have a friend who definitely does not remember that I know his Netflix login, and I watch Netflix exclusively through stolen access to his account. I haven’t talked to him in 15 years.
ALEX: Yeah, that violates the CFAA. The law has been used to go after people who have violated their MySpace terms of service, people who have looked at Facebook in violation of their company’s computer usage guidelines. And that’s why organizations like the Electronic Frontier Foundation and Demand Progress are so worked up about it. Because a law that every single person has broken becomes a weapon that can be wielded against anyone who ends up on the wrong side of a prosecutor.
PJ: But the government is not actually gonna go after me for something that innocuous, right?
ALEX: I mean no, probably not. But their point is that a law this broad always gives the government an option. And people who may not deserve it have been swept up by this law. The most notorious example being Aaron Swartz.
INTERVIEWER: Um, why do you do what you do?
AARON SWARTZ: That’ s a good question, I mean I, you know, feel very strongly...
ALEX: This is an interview Aaron did in 2010 with a website called SpunOut
AARON: It’s not enough to just live in the world as it is, to just kind of take what you’re given and follow the things that adults told you to do and that your parents told you to do and that society tells you to do. I think you should always be questioning...
ALEX: So Aaron Swartz was like this internet boy genius. When he was fourteen, he helped invent RSS feeds, he later helped create Reddit, and his big vision was for a much more free and open internet. So in his early 20’s, while he was at Harvard as a research fellow, he met this woman named Taren Stinebrickner-Kauffman. They started dating, and then Aaron told her that he’d recently gotten into some trouble.
TAREN STINEBRICKNER-KAUFFMAN: I knew there was something big and bad in his life but I didn't know, he referred to it as “the bad thing.” And I didn't know what it was.
ALEX: Like how often was it talked about?
TAREN: You know, he would mention it somewhat regularly, like he came to visit me in Washington DC after we started dating and he had to do a phone call about the bad thing. He called me, I was at frisbee practice. Ultimate frisbee and he called me and he said he thought the bad thing might be in the papers the next day and did I wanna know what it was or did I want to read about it in the papers. And I said I wanted to know what it was, and he told me that he had, he was gonna be indicted for downloading too many academic journal articles. And they wanted to make an example out of him. And I was like, that's all? That's the bad thing?
ALEX: In september of 2010, Aaron had snuck into a server closet at MIT and downloaded 4.8 million academic articles from a database called JSTOR. He could have distributed these articles online, but he never did. Nonetheless, he was charged with 13 felonies and faced 35 years in prison and a 1 million dollar fine.
TAREN: I remember how scared he was. I remember him being scared to leave his apartment door unlocked for even a moment. Because if the door was unlocked, then the police didn't need a warrant to come in. It was paranoia but in the sane sense, right, there actually were people out to get him. And that's totally draining.
ALEX: The prosecution offered Aaron a plea deal of 6 months in prison if he plead guilty to all 13 of these felonies, but he refused.
TAREN: He just couldn't. He couldn't deal with the prospect of having a felony on his record because of the things that he wanted to do with his life. It would have made it difficult for him to do all, it would have made it difficult for him to travel, it would have made it difficult or impossible for him to get elected to public office. And for Aaron, he felt it would keep it back from his, the thing he cared about most, which was changing the world.
ALEX: Aaron was paranoid and terrified at the prospect of going to prison, and being a convicted felon. And unfortunately on top of all that he struggled with depression. A month before his trial was set to begin, Aaron took his own life. He was 26. Aaron Swartz’s death brought all kinds of new attention to his case. And the thrust of that attention was why would the justice system come down so hard on him? Why Aaron? Why prison?
TAREN: These are academic journal articles, written by scientists. Many of them funded by the federal government. In the pursuit of furthering human knowledge. And even if Aaron had been planning to put them on the internet, which we don’t know that he was, even if that was his plan, they were just completely wrong about whether this was something that someone should go to prison for, regardless of the motivation, regardless of what, like there's no version of events that anyone has put forward that is something that you should go to prison for, for 30 years, there just isn't one.
ALEX: After Aaron’s death, there was a strong push to change the CFAA, to revise it to target malicious hackers more narrowly—folks like identity thieves and virus creators—and to make it against the law to charge someone for breaking the terms of service on something like Facebook or iTunes. The draft of this reform bill was called “Aaron’s Law.” But according to Mike Masnick, Congress was never going to go for it.
MIKE: I mean, there just really wasn’t any appetite to reform the CFAA in that direction. You have law enforcement that really likes the CFAA, they like having that and the ability to pile on additional charges and use them. You also have a number of private companies that actually do like the CFAA. And you know, lobbied pretty hard against any kind of amending CFAA.
ALEX: Aaron’s law died in committee. At the same time, the Obama administration has asked that the CFAA actually be broadened, to make sentences longer and to stop more crimes by expanding the definition of “unauthorized access.” This is the president from this year’s State of the Union.
BARACK OBAMA: Tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information. That should be a bipartisan effort.
ALEX: As for Matthew Keys, he is scheduled to be sentenced in January of next year. He plans to appeal.
ALEX: Reply All is hosted by PJ Vogt and me, Alex Goldman. Our producers are Tim Howard, Sruthi Pinnamaneni, and Phia Bennin. Our editor is Peter Clowney. Production assistance from Kalila Holt. We were mixed by Rick Kwan. Special thanks to Emily Kennedy. Matt Lieber is a surprise party you secretly hoped for, but you never let yourself expect. Our theme music is by the mysterious Breakmaster Cylinder and our ad music is by Build Buildings. You can find more episodes itunes.com/replyall. Our website is replyall.soy. Gimlet Producer Matthew Nelson would like more Twitter followers, so you can help him out by following him at the Twitter handle @mattyfatpants.