Reuters Employee Exposed as Alleged Anonymous Agent (Updating)

Matthew Keys, one of Reuters News' top social media managers, is facing potentially serious prison time after federal accusations that he's a member of Anonymous. According to the DOJ, Keys tried to help hackers deface Tribune Company news sites.

Deputy Social Media Manager Keys is a prominent, vocal (and young, at 26) employee of Reuters—very much a 21st century company man. He was even named as one of TIME's top 140 Twitter users in the world last year. But these aren't the kind of allegations of inside job crime that'll make Reuters sleep well tonight. According to a DOJ release, Keys worked with Anonymous to help undermine his former employer, while working at KTXL FOX 40 TV in Sacramento:

According to the indictment, Keys identified himself on an Internet chat forum as a former Tribune Company employee and provided members of Anonymous with a login and password to the Tribune Company server. After providing log-in credentials, Keys allegedly encouraged the Anonymous members to disrupt the website. According to the indictment, at least one of the computer hackers used the credentials provided by Keys to log into the Tribune Company server, and ultimately that hacker made changes to the web version of a Los Angeles Times news feature.

The indictment further alleges that Keys had a conversation with the hacker who claimed credit for the defacement of the Los Angeles Times website. The hacker allegedly told Keys that Tribune Company system administrators had thwarted his efforts and locked him out. Keys allegedly attempted to regain access for that hacker, and when he learned that the hacker had made changes to a Los Angeles Times page, Keys responded, "nice."

Nothing even slightly sophisticated—just providing login information that resulted in a joke headline which lasted 30 minutes.

Reuters Employee Exposed as Alleged Anonymous Agent (Updating)

A screenshot of the defacement was uploaded to Reddit back when it happened in 2011, and detailed in the indictment papers.

Reuters Employee Exposed as Alleged Anonymous Agent (Updating)

Emphasis added. Court documents obtained by HuffPo provide more detail into Keys'—who went by AESCracked—encounters with Anon, which read like any other casual hacker prank:

Reuters Employee Exposed as Alleged Anonymous Agent (Updating)

But the absolute strangest part? BuzzFeed's Ryan Broderick points out that, Sabu—one of the absolute highest-profile hackers of our time—outed Keys via Twitter. Two years ago.

Two years ago, and just a few months before Sabu himself was arrested. The connections don't end there: as The Atlantic Wire notes, the same federal prosecutor going after Keys right now, Benjamin Wagner, originally took down Sabu. This raises two big possibilities: Sabu turned in Keys for a slightly better deal with the government, or perhaps the FBI is hoping to get Keys to roll on his former friends as well.

Keys faces up to 30 years in prison and fines up to $750,000 if convicted. Enormously steep, given the alleged crime.

A phone call placed to Keys' cellphone was not answered.

Reuters Employee Exposed as Alleged Anonymous Agent (Updating)

Update: A source who requested anonymity had the following online run-in with Keys last night, before news of the indictment broke. Sounds like he was... understating the situation.

Update 2: Below is a Gchat transcript between the same source and Keys last night:

Keys: I don't even know if I have much longer here
Me: Why do you say that
Keys: Think my days are numbers
Me: ? Getting fired or going elsewhere?
Keys: Probably being let go
Me: WTF FOR
Keys: Dunno. Just a feeling I have.
Keys: Let's talk more about it when I'm not at work
Me: Don't be paranoid
Keys: I'm not being paranoid.

Update 3: Politico notes that Keys' career at Reuters had an interesting start:

Update 4: Reuters is "investigating" the Keys indictment, Politico reports:

"We are aware of the charges brought by the Department of Justice against Matthew Keys, an employee of our news organization. Thomson Reuters is committed to obeying the rules and regulations in every jurisdiction in which it operates. Any legal violations, or failures to comply with the company's own strict set of principles and standards, can result in disciplinary action. We would also observe the indictment alleges the conduct occurred in December 2010; Mr. Keys joined Reuters in 2012, and while investigations continue we will have no further comment."

Update 5: Keys says he is "fine."

Update 6: We reached out to some legal experts about Keys situation. Hanni Fakhoury of the Electronic Frontier Foundation told us this about Keys' legal chances:

How much evidence would the DOJ need to bring an indictment like this?

Well judging by the indictment, not much. The only piece of evidence they've put in the indictment beyond the actual hack itself is the IRC logs. I'm assuming they have some sort of IP information about where the hack came from that got them to trace it to Keys (or someone snitched on him). But this indictment is pretty bare bones.

What about to take it to trial and get a conviction—would they indict without having all the evidence they'd ideally want?

Federal prosecutors typically file with the bulk of their evidence already in place (although I would note the government here is seeking the forfeiture of one of Keys' laptop so that suggests there may be something else they're looking for). And here, where the actions took place more than 2 years ago, one would suspect that they had been investigating the case for quite some time, especially because the government has indicated this case is related to the criminal case against Sabu in New York.

And what are the chances they just filed now to get a plea bargain in exchange for information?

That possibility exists in every criminal case, but may be amplified here since this case involves Anonymous and already has one cooperating witness (Sabu), and perhaps others.

Are some of those charges more or less likely to stick?

You can't really predict simply on the basis of an indictment and a press release so I really can't say.

What is a realistic expectation for the sentence, considering each count is a max of 10 years and $250k?

That depends on the amount of damage caused, in other words how much it cost the Times to fix the hack. That is going to be the main factor in determining what type of sentence Keys is looking at. He's certainly not going to realistically get 25 or 30 years in prison or pay a quarter million dollar fine. But I would note the CFAA has a much stronger penalty scheme than physical trespass does. California law treats vandalism causing more than $400 in damage as a wobbler, meaning it can be a misdemeanor or felony. CFAA doesn't make this conduct a misdemeanor. In CA, the maximum on the felony is 3 years and the court would have to find an aggravating factor to impose this sentence; in the CFAA the maximum is 5 years. That shows some of the sentencing disparity, not because Keys is likely to get the maximum (especially if he's a first time offender), but because judges and prosecutors use the maximum in deciding how serious a crime is. In fact, federal law tells a judge that he or she must consider the "seriousness of the offense" when imposing a sentence and prosecutors routinely use the maximums to advocate for a higher sentence because the crime is more "serious."

Plus, the government also wants him to forfeit a computer and hard drive, presumably one used to either obtain the username/password or communicate over IRC channels. That's a pretty broad interpretation of forfeiture law, which has been traditionally used to either seize the instrumentalities of a crime (i.e., the gun used to rob the bank) or something derived from the proceeds of a crime (i.e., the fancy car you bought with the money you stole from the bank). Now the government is claiming simply using a computer to communicate with another person is enough to trigger forfeiture of an electronic device, and that's extremely broad and worrisome.

Joseph V. DeMarco of DeVore & DeMarco LLP added that though they only need probably cause (more likely than not) prosecutors only indict with a relative certainty they can win a conviction. "Generally, prosecutors don't bring charges just to get a person to cooperate. They'll only turn their attention to you if they think you deserve to be charged."

"Cooperating generally requires three things," DeMarco explains. "One depends on if they choose to cooperate, then it depends on if the prosecutor wants them to, and finally if they can." On the surface, it seems like all three of those should line up for Keys, but there might not be as much incentive for him as you'd imagine.

Like Fakhoury, DeMarco notes that CFAA is strict, but stresses Keys' probably won't face a harsh fine. "Federal sentencing is based at least in part by economic damages. So if it was minimal, like say $5,000 or $10,000 based on the hack, you definitely wouldn't see a maximum sentence, though the court is free to do whatever it wants" he says. "Assuming the economic damage is minmal and not someone who traffics in stolen identities or medical records, a first time offender will get off pretty light, with the possibility though not a likelihood of even probation, which is essentially nothing."

Additional reporting by Kyle Wagner