Cybersecurity

American Justice: Five Years Prison for Changing a Headline

Apparently messing (even briefly) with a newspaper website is a federal matter.

|

Today members of the House Judiciary Committee are unveiling some of its bipartisan federal criminal justice reforms, focusing on fixing overlong sentencing and mandatory minimums. (Read more about the Senate version of the legislation from Jacob Sullum here).

In the meantime, Matthew Keys could very well spend years in federal prison because of his role in giving members of Anonymous access to the website for the Los Angeles Times. The damage? They changed a single headline. For 40 minutes.

Keys, a former Tribune employee, was accused of handing over his username and password to somebody from Anonymous, who then changed the headline and subhead to some silly but harmless hacker nonsense. The alteration was found relatively quickly and fixed.

Then federal prosecutors stepped in and threw the book at Keys for his childish behavior. He was charged under federal anti-hacking laws with conspiring to make unauthorized changes to the Tribune-owned site, conspiring to damage its computers, and for transmitting or attempting to transmit "malicious code."

The last two of those charges are self-evidently nonsense, but nonetheless Keys was convicted yesterday. Technically all the charges combined could land Keys 25 years in federal prison, but prosecutors are magnanimously asking for less than five. Keys called the verdict "bullshit" in several different ways in a phone interview with the Washington Post.

Over at Vice's Motherboard, Sarah Jeong took note of another little detail that adds to the absurdity of the whole affair. In order for Keys' behavior to be considered a federal crime, the amount of damage caused by this "hacking" had to amount to more than $5,000. Remarkably, prosecutors claimed Keys caused nearly $1 million in damage. I'm not familiar with the Times' back end myself, but if it cost more than a cup of Starbucks coffee to fix the altered headlines, well, then no wonder Tribune went through bankruptcy. Here's how U.S. Attorney Benjamin B. Wagner describes the outcome of Keys' behavior:

"Although he did no lasting damage, Keys did interfere with the business of news organizations, and caused the Tribune Company to spend thousands of dollars protecting its servers. Those who use the Internet to carry out personal vendettas against former employers should know that there are consequences for such conduct."

If Keys prompted Tribune to better protect its servers and change its behavior, frankly, one could argue he did them a favor. Important reminder: Keys was fired in October 2010 from his job at a Tribune-owned television affiliate. He provided his account information to Anonymous in December 2010 and his password was still valid. If Tribune had better online security practices, like immediately suspending access privileges of the employees it had fired to the internal operations of the company, this wouldn't have even had happened. This doesn't absolve Keys of responsibility for his behavior, of course (which arguably could have been dealt with in a civil, not criminal, case). It's just important for people to grasp how easily Tribune could have prevented this problem (and the alleged thousands of dollars in costs) not with high-tech anti-hacking measures or encryption, but with very basic, common-sense security practices.