
Business as Usual at DOJ: Threatening Guy with Prison Over an Altered L.A. Times Headline

Why do people keep accusing them of overzealous prosecution?


Matthew Keys

Sometimes folks do stupid things to former employers out of spite. These actions can be quite harmful, but often they're just embarrassing. Former Tribune employee Matthew Keys' actions fell on the embarrassing side. He gave his username and password to a member of Anonymous, who then changed the headline of a story on the Los Angeles Times website.

For this, Keys has been charged with a federal crime and could go to prison:

Matthew Keys, 26, of Secaucus, N.J., was charged in the Eastern District of California with one count each of conspiracy to transmit information to damage a protected computer, transmitting information to damage a protected computer and attempted transmission of information to damage a protected computer.  …

Each of the two substantive counts carry a maximum penalty of 10 years in prison, three years of supervised release and a fine of $250,000.  The conspiracy count carries a maximum penalty of five years in prison, three years of supervised release and a fine of $250,000.

Just as with the Aaron Swartz case (and really most federal prosecutions), Keys won't face anywhere near the maximum penalties. But obviously the feds are piling on any possible charge to intimidate him into a plea agreement.

More importantly, there was no actual hacking here. Keys gave an Anonymous member his old access information after losing his job with a Tribune-owned television station in 2010. It turned out the codes still worked. Once Tribune discovered his old access information was being used, they locked him out. The end. Tribune could have saved itself this minor embarrassment (An image of the hack was posted on Reddit! The horrors!) if they had blocked his online access when he left the job.


  1. Changing a text file is damaging a computer?

  2. I don’t get the alt-text. Must be one of them obscure Battlestar Galactica references.

  3. I don’t get it. If Keys wanted to embarrass the LA Times, why did he need to give his credentials to someone else to do it? If it was simply a matter of changing a text file, was he not capable of that? Something is missing from the story.

  4. Former Tribune employee Matthew Keys’ actions fell on the embarrassing side. He gave his username and password to a member of Anonymous, who then changed the headline of a story on the Los Angeles Times website.

    Wait. He was a former employee and the company hadn’t deactivated his account yet?

    You get what you pay for, fuckheads.

    1. This. What kind of security do they have where they don’t take out your password when they fire you or you quit?

    2. Curious: Is there any legal precedent concerning accessing a network after employment ends without it being stated as a policy or in a contract by the company?

      1. That is, with the same credentials given to you by the company

        1. Trespassing, or the electronic equivalent of.

    3. So if I forget to lock the door to my house, it’s perfectly legal to burglarize it?

      1. I’d say it’s worse than that. A better analogy seems to be if you loan someone the key and then don’t get the lock changed.

      2. No, but it is hard to argue that if you give me the keys to your house and after we have a falling out I use them to go in and rearrange the magnetic poetry on your fridge that it justifies multiple felonies with the possibility of decades in jail either.

  5. I’d like to see some legal scholars come up with a way to pass some sort of law to put an end to the ridiculous amount of overcharging that goes on in prosecutors’ offices in this country, for the sole purpose of extracting plea deals.

    If your choices are 6 months probation, or rolling the dice on either walking or getting a life sentence, you really don’t have much of a choice and must plead guilty regardless of whether you are or not. It’s an absurdity and truth be told probably a violation of the defendant’s legal rights.

    1. The plea bargain they can offer should be constrained based on the maximum sentence (e.g., they can take off no more than 30% of the sentence). It should also be fixed to a set of charges they commit to bring, so they can’t offer a plea bargain based on 3 offenses, but threaten to charge you with 3,000 offenses.

      Less leverage means they either drop charges or take this sort of thing to a jury and argue for draconian punishment for minor crimes, which will probably spark sentencing reform for lesser crimes as well as more jury nullification as jurors refuse to subject even obviously guilty people to punishments that are grotesquely disproportionate to the crime.

  6. Disable access credentials of staff who end employment, even on good terms, idiots.

    1. I made this mistake…once. Our old office manager had been using her work email as a personal email address (against poorly enforced company policy and common sense). When she was let go, I let her retain access to it while she set up a new personal account and transferred all of her banking and whatnot to said new account. I also backed all of her emails and work contacts up. The next day she’d wiped the account clean. I locked her out and disabled the account, restored the data and wrote a legal-looking letter warning her that sabotaging company property was a crime, and then sat back and watched her squirm.

  7. More importantly, there was no actual hacking here.

    What do you consider hacking? This is one of those issues where both sides seem to go to ridiculous extremes. One side makes the definition of hacking so broad that everything qualifies; the other makes it so narrow that nothing does.

    1. How hacking really works

    2. The claim that no actual hacking took place here is particularly cumbersome given that the main point of the post seems to be that the ex-employee did nothing wrong.

      1. Actually you are wrong; the main point of the post is that what this guy did was a minor and trivial affair which, while wrong, probably does not rise to the level of criminal activity; however, the Feds are seriously overcharging him in an effort to force him into a plea bargain.

        No one, in the article or the comments, has said he didn’t do anything wrong, and if they charged him with a misdemeanor and hit him up with a $1000 fine and a couple hundred hours of community service, this article would never have been written.

        1. Well no, several people up thread seem to be making the argument that if the victim didn’t do everything they could to prevent the crime, that it becomes their fault that it occurred.

  8. Do I really, seriously have to explain proportionality every single time I talk about Department of Justice prosecutions? Saying that this prosecutorial behavior is absurd is not the same as saying a crime didn’t happen.

    1. Except you didn’t say “the federal government is overreacting to the hacking”; you said “no actual hacking occurred”.

      1. “No hacking occurred” isn’t the same as saying “no crime occurred.”

        1. So again, what is your definition of hacking?

        2. None of the charges appear to mention “hacking”; it seems reasonable to assume that you mean that no actual crime occurred when you bring it up out of nowhere.

          I can’t believe I’m even tangentially defending this kind of prosecution; I’m not even sure I think any criminal liability is appropriate here. This post is just woefully undeveloped given the things that a reasonable reader might conclude it implies.

    2. Nothing in this post gives any indication of how the government is over-charging here. I’m sure they are, but only because it seems they always over-charge any hacking-related offense that they charge.

      1. It seemed clear to me, but if more than one commenter feels the blog post is incomplete (both you and Stormy), I’ll definitely keep that in mind for future posts.

  9. 90% of the fault lies with the company for not inactivating the account. However let’s not totally trivialize the ex-employee’s actions. Giving your old account info to someone is little different than giving them your old keys to the building. Yes, they should have changed the locks but you still intended to facilitate someone else causing harm. Admittedly it’s somewhat funny because it affected the paper but it wouldn’t be comical at all if it had been a financial institution with people’s savings at risk.

    1. The company should have inactivated the account for practical reasons, but the failure to do so doesn’t shift any of the legal or moral responsibility to them.

      The failure of the victim to prevent a crime does not make them responsible for it.

  10. New headline:

    ‘Dunce shoots his own nuts off’
