Reply All - #43 The Law That Sticks
Episode Date: October 26, 2015The Computer Fraud and Abuse Act is a law. It's been on the books for almost 30 years. And it makes totally mundane online behavior illegal. Learn more about your ad choices. Visit podcastchoices.com/...adchoices
Transcript
Discussion (0)
From Gimlet, this is Reply All.
I'm Alex Goldman.
All right, Alex.
Let's giddy up and ride one more week.
What are we talking about today?
We are talking about a law.
It's called the Computer Fraud and Abuse Act, or the CFAA.
And you should care about it because it makes things that people are doing online all the time illegal.
And this law, it's been in the news lately because of the strange case of this guy named Matthew Keys.
26-year-old Matthew Keys was formerly employed by Tribune-owned KTXL-5.
Three weeks.
...connection with an attack on a Tribune Company website that was carried out by the group anonymous.
Three weeks ago, Keyes was convicted of hacking on three counts, including something called Transmission of Malicious Code.
Transmission of Malicious Code.
It sounds really sinister, right?
Yeah, it sounds really sinister.
And now he's facing a bunch of years in jail.
So a little background on the guy.
Matthew Keyes is a reporter.
He covers breaking news stories using social media.
and back in 2010 his day job was as a web producer at Fox 40, which is a television station in Sacramento.
It's owned by the Tribune Company.
The Tribune Company is this big media company that owns a bunch of other TV stations and newspapers.
So just keep that in mind.
So Keyes has this job putting up web pages and stuff like that.
And he's fired in October of that year.
He says he quit, but either way, he's not happy with his dismissal or departure.
Sure. So not long after he left, the television station started receiving emails that were written by X-Files characters.
They were from email addresses like Fox Mulder, 4799, at yahoo.co.com.
Are there other X-Files characters?
There's the Cancer Man.
Okay.
The Tribune Company says that these emails were Keys.
Keys denies this whole version of events.
In fact, he denies just about everything I'm about to say in the next eight minutes.
or so. But the Tribune Company says he's sending these emails. They were anonymous. And he was saying,
I'm going to let the world know that you don't appreciate your staff, that you fire the wrong people,
that you are taking this place in the wrong direction. He's like a disgruntled ex-employee being
like, I'm going to blow the whistle on how awful this place is. Yeah, but I think that they were just
menacing enough that people were actually kind of freaked out by them. So Matthew Keyes is doing this for
while. And people at Fox 40 are upset about receiving these anonymous kind of creepy emails. And then,
in December of 2010, Matthew Keyes goes totally nuclear. You see, Keys still has user credentials
to access the Tribune Company's content management system, which is where they post all the content
that appears on their websites. I talked to Sarah Jong. She's a vice reporter who covered the Keys
trial. So he dropped user credentials to the Tribune Company content management.
management systems into an anonymous chat room, like anonymous capital A, like the hacktivist group,
so like a username and a password that would get them access to the entire Tribune CMS.
But so he just went into a roomful of notorious computer hackers and he said,
hey guys, I don't like my old job.
Here's the keys to the place.
Do whatever you want.
Burn it down.
Yeah.
And he was really trying to whip them up.
He also said stuff like Fox News is not media.
It's infotainment for inbreds.
I see, we target them.
Rude to inbreds.
So this guy named Sharpie takes him up on his offer, and Keyes gives him the username and password and says, go fuck some shit up.
He says literally that?
Yes, he literally types that.
The result being that someone defaced a LA Times article for 40 minutes, and it's just like the headline and the deck, which is, you know, like the subtitle.
And it just turns this like really boring article about a tax bill turns into chippy 1337.
elected speaker of the house.
So Chippy 1337 seems to be, I guess, another hacker.
And the exact wording that appears on the site is pressure builds in house to elect Chippy
1337.
And that's it.
It's probably the most meaningless hack in the history of time.
Not to mention pretty short-lived.
It was like for 40 minutes.
And actually, like, no one knows if anyone even saw it.
Like, they were never able to get that information.
during the pretrial process,
which is really funny
because surely the LA Times
has metrics somewhere
about whether or not
people actually clicked on that article.
But yeah,
there's no evidence in this case
that anyone ever saw it.
So this is kind of like
writing something mean
in the sand at high tide.
Very likely nobody saw it,
except the guy who changed it back
and the Tribune Company
and the Federal Bureau of Investigation.
Matthew Keyes confessed everything
to the FBI on tape.
and he was indicted in 2013.
Sarah was at his trial.
I was kind of riveted when they were playing the audio of the confession.
He cops to sending those emails.
He talks about entering that anonymous chat room.
He talks about using the handle AES cracked.
I did it.
There were things that I did.
I can't deny it.
I'm not going to now.
It's a very damning piece of audio.
Can I?
grab that paper from you because I'd like to write these gowns and thank you and I'll start a fresh
piece in fact all I will do this on us but I wanted to be your own merchant that I understand these are the
issues that I want to cover one is that your willingness to cooperate and at the beginning there's no hint of
this but at the very end he mentions that he's in his pajamas huh yeah and then that's sort of how
I came to realize that this entire interview took place in Matthew Keyes's bedroom right right
So he's sitting on the bed.
The two agents are sitting on chairs from the dining room, and the agents get him to write out a confession while he's still in his pajamas and supposedly on these sleep medication pills.
So he later recanted that confession because he said that he'd taken a double dose of trazodone, but the confession itself was super specific.
It matched with everything that the FBI already knew.
They found screenshots to the hack on his computer.
There was just a ton of evidence pointing to this being something.
that he had done. Right. There's not a lot of sleeping pills that people take that make them
confess in specific details of crimes that they didn't do and weren't involved with.
Right. But the most interesting aspect of this case hasn't been whether Matthew Keyes is actually
guilty or not. The most interesting thing is the question of how much money it costs the Tribune
company to fix that dumb headline about Chippy 1337. Because the more money that this hack costs the
Tribune, the more time Matthew Keyes could spend in jail. So at first, the Tribune Company is the victim,
them, they go to the court, and they provide a number.
$5,000.
That's absurd.
I used to have to fix broken web pages.
I would have changed that headline for $20.
I agree.
It doesn't seem that costly.
But Sarah Jong said that when she mentioned that $5,000 damage estimate on Twitter,
I got sort of this pile on of InfoSecurity professionals all competing to tell me, like,
how high their rates are.
How much were they saying their rates were?
Oh, man.
Like, they were talking, you know, oh, I won't.
get up in the middle of the night for less than like $1,000 an hour kind of thing.
And basically, like, what I've come to gather from that is that $5,000 is really easy to clear.
And for Matthew Keyes, this $5,000 figure is really bad news because $5,000 is the threshold at which a hacking crime can be moved from a misdemeanor to a felony.
Very interesting that when they crunch the numbers, it turned out he'd done exactly the amount of monetary damage that would make a
a felony. But that is just the first number. Because once the trial gets underway, that number,
the estimated cost of this hack, it's gone up. It's gone up to $17,650. Can we just call that $18,000?
Yes. So $5,000 got him arrested. When they get to trial, they've already raised it to $18,000.
How did they go from $5 to 18? Like, they must have said something to a judge. What did they say?
They said that the $18,000 amount was based on 33 hours of Tribune Company work to diagnose and fix this.
So the prosecution sticks to that number for the length of the trial, that the chippy 1337 hack cost the Tribune Company $17,650.
And then three weeks ago, October 7, Matthew Keys, is found guilty.
And the Tribune Company at that point floats one more number.
And it's a number they're likely to use during sentencing for how much this hack actually costs.
They will say that this hack actually cost $929,97.
That's insane.
That is a million dollars.
That is what that number really is.
That's crazy.
That, like, from 18 to a million is crazy.
So, follow-up question.
How long do you go to jail for changing what is apparently a million-dollar sentence on a website?
According to the sentencing guidelines,
a million dollars in damage is worth about five years in prison.
So I called Matthew Keys' lawyer, Tor Eklund,
and he told me that five years would be a ridiculous sentence for this crime.
There was like, freaking a few words were edited in one paragraph
from an LA Times website story.
And I think that's why the prosecution actually went
and tried to run these law numbers up
because they realized it looked kind of silly.
Eklund says this is a lot of bitching and moan.
from a big company that got really embarrassed.
So now the Tribune's just out for blood.
And if anything, he says this matter should be settled in a civil court, not a criminal court.
Like, let Tribune, you know, the order of the LA Times sue Matthew Keyes for their damages.
You know what I mean?
Like, this should not be a felony.
And, I mean, you might agree that one tiny headline seems like small potatoes.
But there's at least one person who thinks that this argument is just stupid.
Hey, it's Matt Siegel.
Hi, how you doing?
I'm fine. How are you?
This is Matt Siegel.
He prosecuted Matthew Keyes.
And Siegel says that you can't just fix the vandalized headline and figure that your work is done.
Rat in your house is the only one.
And Siegel says that this is about more than just the chippy hack and those emails that he was sending as Fox Mulder or whatever.
On his way out the door, Keyes stole the email addresses of thousands of Fox 40 viewers.
And he was sending hate mail about the television station to the viewers.
And he didn't just give Anonymous the password and admin privileges to the Tribune site.
He kept pushing them to mess stuff up.
The admitted to using back in from time to time and urges the Packers of Anonymous
and identifies Tribune properties.
Some opinion piece in the L.A. Times that said it was kind of critical of WikiLeaks and said...
Saying the L.A. Times must be demolished.
Doesn't sound like a prank.
Matt Siegel sees real malice in what Keyes did.
And while you can say the keys didn't break very much, that doesn't really matter.
That's not how the law works.
In every other case, not just hacking cases, people are liable not just for the crime that they succeed in doing,
but for the crime that they conspire to do or attempt to do,
because it's that that measures their moral culpability.
And sentencing law accounts for that.
When we come back from the break, the law that Matthew Keyes is going to be sentenced under,
why people hate it, why prosecutors love it, and why maybe, just maybe, you should be afraid of it.
Welcome back to the show.
The Computer Fraud and Abuse Act, the law at the center of the Matthew Keys case.
It was written back in 1986, and at the time, no one really knew what a hacker was.
Legislators actually watched the movie War Games in congressional hearings to show people how dangerous hackers could be.
Shall we play a game?
Oh.
I think I missed them.
Yeah, weird, isn't it?
Love to.
And if you've seen that movie, you know that the worst-case scenario is global thermonuclear war.
Thermonuclear War.
So, the stakes were high.
The idea of computer hacking seems really scary, and it's a really easy one for them to say,
well, well, something must be done, and to push solutions where they don't really understand how they're going to be used.
This is Mike Maznick at the website TechDirt.
He says that lawmakers wrote the CFAA before the World Wide Web even existed,
and they really had no idea just how far reaching this new law would turn out to be.
It's written so broadly and in such a bizarre way that it's really easy to use against lots of people doing things
that most people would not think of as criminal, let alone as some sort of computer hacking kind of thing.
But prosecutors love it.
The CFAA is like fly paper for bad people who aren't necessarily hackers,
but whom authorities really want to put in prison.
Kind of like how the tax code was used to put away Al Capone.
For example, you know the cannibal cop,
the New York police officer who was fantasizing about eating people?
Yes, I do.
Well, the authorities couldn't get a conspiracy to kidnap charge to stick,
but he went to jail for using a police database to look up the women he was fantasizing about.
Sarah Jong told me about another creepy case.
So this guy would like follow women around that he met through prayer groups, right?
He joined these prayer groups to creep on women.
And one of the ways that he creep on them was I guess he was working at the IRS and he would like search them in the database, find all their information and like get like their addresses.
And like usually he didn't do anything with this information at all.
So a bunch of these women didn't even know that he was like stalking them.
But some of the women knew because he'd like go to their houses or like send them creepy presents and stuff like that.
The feds couldn't get charges to stick except for under the computer fraud and abuse act.
Like that's when nothing else sticks, you can always turn to the CFA.
And the reason this is the law that sticks is because it criminalizes what it calls unauthorized access.
And this doesn't have to mean hacking into NORAD like they do in war games.
It could be almost anything.
Like, say you use a fake name on Facebook.
Yes, I've done that.
That violates Facebook's terms of service, which could be considered a violation of the CFAA.
Can I throw other grand acts of malfeasance from my life at you?
Yeah.
So, like, for instance, I have a friend who definitely does not remember that I know his Netflix login,
and I watch Netflix exclusively through stolen access to his account.
I haven't talked to him in 15 years.
Yeah, that violates the CFAA.
I mean, the law has been used to go after people who violated their MySpace terms of service,
people who've looked at Facebook in violation of their company's computer usage guidelines.
And that's why organizations like the Electronic Frontier Foundation and demand progress are so worked up about it.
Because a law that every single person is broken becomes a weapon that can be wielded against anyone who ends up on the wrong side of a prosecutor.
But the government is not actually going to go after me for something that innocuous, right?
I mean, no, probably not.
But their point is that a law of this broad always gives the government an option.
And people who may not deserve it have been swept up by this law.
The most notorious example being Aaron Swartz.
And why do you do what you do?
It's a good question.
I mean, I feel very strongly that...
This is an interview that Aaron did in 2010 with a website called Spun Out.
It's not enough to just live in the world as it is to just kind of take what you're given
and, you know, follow the things that adults told you.
do and that, you know, your parents told you to do and that society tells you to do,
I think you should always be questioning.
So Aaron Schwartz was like this internet boy genius.
When he was 14, he helped invent RSS feeds, he later helped create Reddit,
and his big vision was for a much more free and open internet.
So in his early 20s, while he was at Harvard as a research fellow, he met this woman named
Terran Steinbrichtner Kaufman.
They started dating, and then Aaron told her that he'd recently gotten into some trouble.
I knew there was something big and bad in his life, but I didn't know.
He referred to it as the bad thing, and I didn't know what it was.
Like, how often was it talked about?
You know, I mean, he would mention it somewhat regularly.
Like, you know, he came to visit me in Washington, D.C.
After we started dating, and he had to do a phone call about the bad thing.
He called me.
I was at Frisbee practice, Ultimate Frisbee, and he called me,
and he said that he thought the bad thing might be in the paper.
the papers the next day and did I want to know what it was or did they want to read about it in the papers.
And I said I wanted to know what it was.
And he told me that he was going to be indicted for downloading too many academic journal articles.
And they wanted to make an example out of him.
And I was like, that's all.
That's the bad thing.
In September of 2010, Aaron had snuck into a server closet at MIT and downloaded 4.8 million academic articles from a database called JSTOR.
He could have distributed these articles online, but he never did.
Nonetheless, he was charged with 13 felonies and faced 35 years in prison and a $1 million fine.
I remember how scared he was.
I remember him being scared to leave his apartment door unlocked for even a moment because if the door was unlocked, then the police didn't need a warrant to come in.
It was paranoia, but in the sane sense, right, there actually were people out to get him.
Right.
And that's totally draining.
The prosecution offered Aaron a plea deal of six months in prison
if he pled guilty to all 13 of these felonies.
But he refused.
He just couldn't deal with the prospect of having a felony on his record
because of the things that he wanted to do with his life.
You know, it would have made him difficult for him to do all,
it would have made him difficult for him to travel.
It would have made it difficult or impossible for him to, you know,
get elected to public office.
and for Aaron, he felt it would keep it back from his, like, the thing he cared about most, which was changing the world.
Aaron was paranoid and terrified at the prospect of going to prison and being a convicted felon.
And unfortunately, on top of all that, he struggled with depression.
A month before his trial was set to begin, Aaron took his own life.
He was 26.
Aaron's death brought all kinds of new attention to his case.
And the thrust of that attention was, why would the justice system calm down so hard on him?
Why Aaron?
Why prison?
These are academic journal articles written by scientists, many of them funded by the federal government.
In order to, you know, in the pursuit of furthering human knowledge.
And even if Aaron had been planning to put them on the internet, which we don't know that he was,
Even if that was his plan, they were just completely wrong about whether this was something that someone should go to prison for, regardless of the motivation, regardless of what.
Like, there's no version of events that anyone has put forward that is something that you should go to prison for for 30 years.
There just isn't one.
After Aaron's death, there was a strong push to change the CFAA.
To revise it to target malicious hackers more narrowly, folks like identity thieves and virus creators,
And to make it against the law to charge someone for breaking the terms of service on something like Facebook or iTunes,
the draft of this reform bill was called Aaron's Law.
But according to Mike Maznik, Congress was never going to go for it.
I mean, there just really wasn't any appetite to reform the CFAA in that direction.
You have law enforcement that really likes the CFAA.
They like having that and the ability to pile on additional charges and use them.
You also have a number of private companies that actually do like the CFAA and, you know, lobbied pretty heavily against any kind of amending the CFAA.
Aaron's Law died in committee.
At the same time, the Obama administration has asked that the CFAA actually be broadened to make sentences longer and to stop more crimes by expanding the definition of unauthorized access.
This is the president from this year's state of the union.
Tonight, I urge this Congress to finally.
pass the legislation we need to better meet the evolving threat of cyber attacks,
combat identity theft, and protect our children's information.
That should be a bipartisan effort.
As for Matthew Keyes, he's scheduled to be sentenced in January of next year.
He plans to appeal.
Reply all is hosted by PJ Vote and me, Alex Goldman.
Our producers are Tim Howard, Truthy Pinnamennanini, and Fia Bennon.
Our editor is Peter Clowny.
Production assistance from Kalila Holt.
We were mixed by Rick Kwan.
Special thanks to Emily Kennedy.
Matt Lieber is a surprise party that you secretly hoped for,
but you never let yourself expect.
Our theme music is by the Mysterious Breakmaster Cylinder,
and our ad music is by Build Buildings.
You can find more episodes at iTunes.com slash Reply All.
Our website is replyall.
Gimlet producer Matthew Nelson would like more Twitter followers,
so you can help them out by following him at the Twitter handle, Maddie Fat Pans.
Thanks for listening. We'll see you next week.