Journo who went to prison for 2 years for breaking US cyber-security law is jailed again
Deletion of employer's YouTube account deemed violation of release
Former journalist Matthew Keys, who served two years in prison for posting his Tribune Company content management system credentials online a decade ago in violation of America's Computer Fraud and Abuse Act, has been ordered back to prison for violating the terms of his supervised release.
On Monday, Keys, 34, a resident of Vacaville, California, received an additional six-month sentence and 18 months of supervision with computer monitoring requirements, according to the US Attorney's Office of the Eastern District of California. The sentence follows from a judge's finding that Keyes intentionally deleted a YouTube account he was managing on behalf of his then employer, Comstock’s Magazine.
"Businesses and individuals are already struggling against threats to the integrity of their data from hackers and data thieves,” said Acting US Attorney Talbert in a statement on Monday. "They should not also have to worry about data destruction from former employees seeking retribution."
Keys's attorney, Mark Reichel, told The Register in a phone interview that he's appealing the decision.
"The reason we are appealing is the Federal Computer Fraud and Abuse Act is continuously being reinterpreted and reexamined in the courts of appeal, so any district judges ruling on a novel approach or unique circumstance as presented here clearly need to be reviewed in the appellate courts," said Reichel.
Initially indicted in 2013 [PDF] for posting his corporate username and password to IRC, which allowed a miscreant claiming to be a member of the Anonymous hacking group to alter a Los Angeles Time article, Keys was convicted under the controversial CFAA – recently narrowed by the US Supreme Court – and served his two-year sentence.
Following his release in 2018, he began working in 2019 as the digital editor at Comstock’s Magazine in Sacramento, California, where he also managed the publication's social media and YouTube accounts.
- Hack hack jailed 2 years
- Alleged Anonymous-aiding journo's brief tells jury nowt's been proven
- Police accuse Reuters hack of helping Anonymous hackers
According to the USAO, he resigned unexpectedly in January 2020, less than a year after he started and three months before his supervised release term was set to expire. He allegedly refused to turn over the credentials for the magazine's online accounts and subsequently is said to have emailed the publisher to express frustration with the publication's work environment and business practices.
"He accused editors of badgering him after hours, interrupting his sick leave, creating a hostile work environment, 'making comments about protected classes,' spreading lies about his work, and lying about the reasons for his departure," according to the judge's April 20, 2021 order [PDF].
A new assistant editor was hired around February, 2020, to take the place of Keys. But she found she could not login to the Google account associated with the magazine's YouTube channel – the password had been changed and the videos were gone. Comstock's filed a police report and the ensuing investigation led authorities to conclude that Keys was responsible.
According to the judge's order:
[S]oon after he resigned, in the early morning hours between February 9 and 10, the password for the magazine’s Google account was changed, a recovery email address deleted, and the only recovery tools available to secure the account were Keys’s old Comstock’s email address and his phone number.
Google’s records for the same timeframe confirmed that someone logged into Comstock’s account. Monitoring software captured screenshots of someone using Keys’s laptop to look at accounts and passwords related to Comstock’s during that same early-morning window. And the next night, the browsing history on Keys’s iPhone shows it was used to search for 'how to delete youtube account,' that it navigated through the YouTube options necessary to delete an account, and that it landed on a YouTube address containing the text string 'deletesuccess.'
The judge found the government's case persuasive, and Keys' explanation implausible, and concluded that Keys violated his release requirements.
Reichel nonetheless argues that what happened was not a CFAA violation, particularly in light of the US Supreme Court's recent Van Buren decision. "[The government] may think he did this and they obviously don't like it, but that doesn't make it a federal crime," he said. "Everything done with a computer does not become a CFAA violation."
Reichel hopes to have the case reviewed by the US 9th Circuit Court of Appeals. ®