Blog Jay Leiderman Law

Is former Sacramento media employee Matthew Keys a victim of overzealous, misguided cybercrime prosecution?

Matthew Keys’ trial here in Sacramento in federal court to wrap up soon

Some say the U.S. Department of Justice’s priorities are out of whack when it comes to cyberterrorism prosecutions.

ILLUSTRATION BY BRIAN BRENEMAN

The trial of former KTXL Fox40 Web producer Matthew Keys in Sacramento federal court appears to be approaching its anticlimax.

The 27-year-old blogger and journalist is accused of helping hackers break into the Los Angeles Times website, where they changed the headline of a story. Keys has even confessed to the substance of the crime, though it hardly qualifies as misdemeanor vandalism. So why make a federal case out of it? Couldn’t Department of Justice resources be better directed elsewhere?

It’s a question of priorities, according to Surviving Cyberwar author Richard Stiennon. “For those in justice, your career path is to get a whole bunch of successful prosecutions and get noticed,” Stiennon says. “So you’re going to go after the low-hanging fruit.”

Lately, prosecutors have been taking advantage of the wide latitude afforded them by the Computer Fraud and Abuse Act to press cases involving “network security.” And they press hard.

Last January, Internet entrepreneur and activist Aaron Swartz killed himself while under felony prosecution for downloading academic journals. Swartz, who helped create the crowdsourced entertainment site Reddit, was facing 50 years and $1 million in fines.

“The days of ’Let’s haul this kid in front of the judge, scare him and send him home with a warning’ are long since gone,” says attorney Jay Leiderman, who represents Keys. “Prosecutorial discretion is a great thing if it’s exercised, but it doesn’t happen in any meaningful way these days, because prosecutions are so politicized.”

That’s the crux of the problem for Keys, the former Reuters social-media editor and possessor of 23,000 Twitter followers. In December 2010, he crossed paths with Hector Xavier Monsegur, a.k.a. Sabu, the eventual leader of AntiSec, a more mischievous offshoot of hacktivist group Anonymous. Keys passed them the credentials he once used to log into KTXL’s computers, which were linked to the Tribune Company network.

Keys left KTXL two months earlier, and he’s since expressed surprise that the credentials still worked. An AntiSec member used them to access the L.A. Times website and change a story headline from “Pressure Builds in House to Pass Tax-cut Package” to “Pressure Builds in House to Elect CHIPPY 1337,” a reference to another hacker group. Within 30 minutes, the hacker was frozen out and the headline corrected.

Keys might have expected, at worst, a stiff warning and small fine. But he literally messed with the wrong guy. Sabu had been an FBI informant since his arrest in June 2011, right around the time he started AntiSec.

For months, Monsegur encouraged his followers to commit cybercrime while under the FBI’s control. He was the “honeypot” attracting would-be perps into an operation seemingly designed to intimidate future hackers and anyone who might associate with them, like Keys.

“Part of this is [the feds’] broader push to send a message that anything and everything is going to go punished that appears to suggest that the control of the Internet is up for grabs,” says Hanni Fakhoury, an attorney at Electronic Frontier Foundation in San Francisco. “It is not a coincidence that this was linked to behavior undertaken in the name Anonymous.”

It wasn’t always like this. Keys and Swartz were charged under CFAA, a 28-year-old law whose contours, like the shore, have worn away with time, yielding to much wider application.

The CFAA was conceived in the wake of the Matthew Broderick movie WarGames, about a hacker who inadvertently almost starts a nuclear war. The original drafters focused narrowly on government computers and the intent of the intrusion.

But changes in the law and vague wording have turned “unauthorized access” to a computer into a prosecutorial blank check.

Eleven years ago, nearby Fiddletown resident Bret McDanel was jailed under the CFAA for a crime the government later admitted he hadn’t really committed.

McDanel noticed a security flaw in his firm Tornado Development’s Web-based communications software. He told his supervisors, but his concerns went unaddressed. After leaving their employ, he sent an email to all the software’s users informing them of the issue. The Amador County resident was charged with undermining the “integrity of a computer system.”

By the time the feds admitted the law wasn’t meant to protect a software company’s reputation, he had already served his 16-month sentence. He’d lost his fiancée and was living with his parents, while his former employer had gone out of business. But McDanel can surely tell you which way the railroad runs.

As Keys has discovered, the feds lean hard and wear you down. He faces up to $750,000 in fines and 25 years in prison.

Swartz initially faced only 35 years, but four months before his death (20 months after his initial arrest), they added nine more felony counts, raising his jeopardy to 50 years. The idea, critics say, was to squeeze a plea out of him; Swartz found a different way out.

Swartz’s act of martyrdom generated a firestorm of protest. It caught the attention of Bay Area Congresswoman Zoe Lofgren, who sponsored (still-stalled) legislation known as Aaron’s Law to change some CFAA provisions.

“In talking to Aaron’s family and others who were involved in his situation, it was a real eye-opener to what happens in the criminal-justice system,” says Lofgren. “What they felt was very abusive was this sort of thing where you more or less try to extort concessions through the use of overprosecution.”

Keys’ odyssey appears to be drawing to its close, for better or worse. His last court appearance, on April 2, was accompanied by news that the case had gone to “reverse proffer.” This involves the prosecution sharing their case with the defense, generally with an eye toward an agreement.

Nearly all those swept up in the feds’ Anonymous-related enforcement actions have been processed. The sole remaining exceptions are Keys and cooperating ringleader Monsegur. In January, Monsegur’s sentencing was delayed for a third time, so it’s not difficult to believe he’s the bow on the whole operation.

Keys is certainly guilty of something, but probably not a felony. In that respect, he’s perhaps a victim of cybercrime’s intrigue and a prosecutor’s desire to leverage that publicity.

“Any case that has the word ’cyber’ in it brings headlines, because it’s interesting. There’s a degree to which careers are made this way,” says Leiderman. “’Cyber prosecutor blah-blah-blah.’ Nobody reads the ’blah-blah-blah.’ They just go, ’They caught a cybercriminal. Fantastic.’”

Lofgren continues to push changes in the law to make it less prone to abuse. Unfortunately, there’s precious little to be done about overzealous prosecutors.

“You really can’t impose good judgment legislatively,” Lofgren says, “but we do need to have better oversight over the Department of Justice.”


On 20 July 2000, the state court of appeal for the Fourth District announced its opinion in People v. Giardino, 82 Cal.App.4th 454 (2000), holding that Penal Code section “261(a)(3) proscribes sexual intercourse with a person who is not capable of giving consent because of intoxication.” Id. at 462.[1] Thus, it was perfectly clear as of July 2000 that actual capitulation and agreement is not a defense in a rape case if the victim is intoxicated or unconscious or otherwise incapable of exercising free will, because they lack the capacity to legally .  No competent attorney could have thought otherwise.[2]  Accordingly, attorneys who as of that date suggested otherwise fell below the standard set forth in Strickland.

This was not the case in the proceeding complained of herein. It was ineffective to not tell the client about the clarification in law and that he had no defense.

Notes:

[1] All counsel needed to do was read this paragraph, toward the beginning of Giardino, to know that any defendant situated like the facts of these cases did not have a defense of “consent”.  It was literally that easy, and the Giardino decision that clear:

“By itself, the existence of actual consent is not sufficient to establish a defense to a charge of rape. That the supposed victim actually consented to sexual intercourse disproves rape only if he or she had “sufficient capacity” to give that consent. (See People v. Mayberry (1975) 15 Cal.3d 143, 154 [125 Cal.Rptr. 745, 542 P.2d 1337]; 2 Witkin & Epstein, Cal. Criminal Law (2d ed. 1988) Crimes Against Decency and Morals, § 774, p. 873.) For example, if the victim is so unsound of mind that he or she is incapable of giving a legal “go ahead,” the fact that he or she may have given actual consent does not prevent a conviction of rape. (People v. Griffin (1897) 117 Cal. 583, 585-587 [49 P. 711], overruled on others grounds by People v. Hernandez (1964) 61 Cal.2d 529, 536 [39 Cal.Rptr. 361, 393 P.2d 673, 8 A.L.R.3d 1092].) Hence, the consent defense fails if the victim either did not actually consent or lacked the capacity to give legally cognizable consent.”

 

82 Cal.App.4th 454, 460.

[2] No reasonable practitioner of criminal law could read Giardino, supra, and conclude the defense of actual acquiescence could be used in the instant case.  Two years later, on 13 September 2002, while the present trial was still pending, the court in People v. Dancy, 102 Cal.App.4th 21 (2002), reiterated that a victim cannot legally agree to sex when she is severely intoxicated. A man’s reasonable belief that a woman has consented or would have consented to unconscious sex is irrelevant because a woman must always be able to “withdraw her consent to a sex act even after the initiation of sexual intercourse.” Id. at 36-37. Dancy is entirely consistent with and has the same holding as in Giardino and a reasonably competent attorney would have known so.  To fail to know the basic law of the case falls below the Strickland standard.  On the issue of rape and consent, see also People v. Roundtree (January 21, 2000) 77 Cal.App.4th 846.

Here are portions of Giardino that explain the issue in detail:

Reasoning that lack of consent is an element of rape, or conversely that consent is a defense, the defendant contends that the trial court should have defined consent in accordance with section 261.6 and instructed the jury that lack of consent is an element of the offenses of rape by intoxication and oral copulation by intoxication. [ ] He is mistaken. Giardino, 82 Cal.App.4th 454, 459.

In the context of rape and other sexual assaults, “consent” is defined as the “positive cooperation in act or attitude pursuant to an exercise of free will.” (§ 261.6.) To give consent, a “person must act freely and voluntarily and have knowledge of the nature of the act or transaction involved.” (Ibid.; accord, CALJIC No. 1.23.1.) In short, that definition describes consent that is actually and freely given without any misapprehension of material fact. We shall refer to this as “actual consent.” (82 Cal.App.4th 459, 460.)

By itself, the existence of actual consent is not sufficient to establish a defense to a charge of rape. That the supposed victim actually consented to sexual intercourse disproves rape only if he or she had “sufficient capacity” to give that consent. [citations] For example, if the victim is so unsound of mind that he or she is incapable of giving legal consent, the fact that he or she may have given actual consent does not prevent a conviction of rape. [citations] Hence, the consent defense fails if the victim either did not actually consent or lacked the capacity to give legally cognizable consent. (Id. at 460.)

We conclude that, just as subdivision (a)(1) of section 261 proscribes sexual intercourse with a person who is not capable of giving legal consent because of a mental disorder or physical disability, section 261(a)(3) proscribes sexual intercourse with a person who is not capable of giving legal consent because of intoxication. In both cases, the issue is not whether the victim actually consented to sexual intercourse, but whether he or she was capable of exercising the degree of judgment a person must have in order to give legally cognizable consent. (Id. at 462.)

A Petitioner is entitled to competent privately retained counsel on Habeas Corpus. (In re Clark (1993) 5 Cal.4th 750, 780)  In addition to that, here, the ineffective assistance of counsel has denied the petitioner access to the courts.  The ineffective assistance of counsel claimed denied petitioner actual access to courts including the trial court, the appeals court and the court on habeas.  As stated by the California Supreme Court in In re Clark (1993) 5 Cal.4th 750, 779 (emphasis added):

“In limited circumstances, consideration may be given to a claim that prior habeas corpus counsel did not competently represent a petitioner. An imprisoned defendant is entitled by due process to reasonable access to the courts, and to the assistance of counsel if counsel is necessary to ensure that access, but neither the Eighth Amendment nor the due process clause of the United States Constitution gives the prisoner, even in a capital case, the right to counsel to mount a collateral attack on the judgment. [¶] Regardless of whether a constitutional right to counsel exists, a petitioner who is represented by counsel when a petition for writ of habeas corpus is filed has a right to assume that counsel is competent and is presenting all potentially meritorious claims.”

 

This language in Clark applies to a situation like the one presented herein, where counsel and successor counsel denied petitioner access to the courts.

Thus, petitioner was denied due process by the ineffective assistance of counsel.  He has alleged facts to support that he received ineffective assistance of counsel, and the ineffective assistance denied him the right to be present at trial, to appeal, and to present the claims in his habeas.   The Clark court was clear that they could not countenance improper representation that would fail to present all potential meritorious claims.


Tuesday, January 15, 2013

Jay Leiderman on Russia Today Discussing DDoS as Protest Speech

Demanding the right to digitally protest: Hacktivists petition the White House to legalize DDoS

Another wonderful article by Andy Panda Blake accompanied this RT story on DDoS as protected speech.  The title is above, here is the unabridged text.  Thanks to Andy for, as usual, being fair and getting it right:

Is temporarily slowing down a website a legal form of protest? Current US law says it isn’t, but hacktivists want the White House to make changes that would force the government to reconsider their witch-hunt against alleged computer criminals.

In the latest WhiteHouse.gov petition to go viral, the Obama administration is asked to make a method of momentarily crippling a website comparable to real world demonstrations, essentially allowing for a whole new legal form of online protest.

“With the advance in internet technology comes new grounds for protesting,” writes ‘Dylan K’ of Eagle, Wisconsin.

Dylan’s petition, uploaded this week to the White House’s We the People page, is the most recent of these electronic pleas on the website to generate national headlines. A series of petitions in late 2012 demanding the peaceful secession of certain states from the US garnered nearly one million signatures from across the country, and just this week the Obama administration was prompted to respond to one popular request to deport CNN host Piers Morgan over his outspoken anti-gun views. That call for action, advocated by Second Amendment proponents and firearm owners concerned over a possible rifle ban, eventually accumulated around 110,000 electronic signatures.

When the White House responded to the petition to deport Morgan this week, press secretary Jay Carney said Americans shouldn’t let “arguments over the Constitution’s Second Amendment violate the spirit of its First.”

DDoS should be viewed by the courts as speech protected within the First Amendment as long as the protests are reasonable in time, place and manner

Those rallying for new computer laws say that current legislation limits those very constitutional rights, though, and that one electronic form of action should be covered under the First Amendment — the provision that provides for the freedom of speech, protest and assembly.

In the latest instance, the White House is asked to evaluate a federal rule that currently makes it unlawful to engage in distributed denial-of-service, or DDoS, attacks — a harmless but effective way of flooding a website’s server with so much traffic that it can’t properly render pages for legitimate users.

Performed by both seasoned hackers and novice computer users alike, DDoS-ing a website essentially makes certain pages completely unavailable for minutes, hours or days. Unlike real world protests, though, demonstrators don’t even have to leave the house to protest. Instead, humongous streams of information can be sent to servers with a single mouse click, only for that data to become so cumbersome that the websites targeted can’t properly function.

Under the Computer Fraud and Abuse Act, a DDoS assault is highly illegal. For those familiar with the method, though, they say it’s simply a matter of voicing an opinion in an online format and should be allowed.

“Distributed denial-of-service is not any form of hacking in any way,” states the petition. “It is the equivalent of repeatedly hitting the refresh button on a webpage.”

Overloading a targeted website with too much traffic, says Dylan K, is “no different than any ‘occupy’ protest.” According to him and the roughly 1,100 cosigners, there is much common ground between the two. “Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time,” he says.

For companies that are hit with DDoS assaults, though, they sing a different song. In 2006, controversial radio host Hal Turner had his website taken offline after members of the then-infant hacktivist movement Anonymous used denial-of-service attacks to shut down his site to visitors. Turner said the bandwidth overflow cost him thousands of dollars in fees from his hosting company.

When Turner tried to sue those he blamed for the DDoS attack, a federal judge for the United States District Court in New Jersey eventually dismissed his claim. Other “hackers,” however, haven’t been so lucky.

When PayPal, Visa and MasterCard announced in 2010 that they would no longer accept funds for the website WikiLeaks, Anonymous and others responded with a DDoS attack on the payment service providers. The following summer, the US Department of Justice filed an indictment against 14 Americans they accused of participating in shutting down PayPal.

That same year, a homeless hacker using the alias “Commander X” was charged with waging a DDoS attack on the official government website of Santa Cruz, California because he opposed the city’s policy that outlawed sleeping in public space. X could have been sentenced to serious time for committing a felony, but he escaped the United States, allegedly seeking refuge in Canada where he is reported to be in hiding today.

“For a 30-minute online protest I’m facing 15 years in a penitentiary,” he told the National Post last year while on the run. According to an interview he gave last month with Ars Technica, he also participated in OpPayBack — the Anonymous-led assault on PayPal and others over their WikiLeaks blockage.

California attorney Jay Leiderman has represented X, and has gone on the record to compare DDoS attacks with real life sit-ins.

“A DDoS is a protest, it’s a digital sit-in. It is no different than physically occupying a space. It’s not a crime, it’s speech,” he told Talking Points Memo in 2011. “They are the equivalent of occupying the Woolworth’s lunch counter during the civil rights movement,” The Atlantic quoted him saying last year.

Speaking specifically of the operation against the companies that cut funding to WikiLeaks, the lawyer said online action is equivalent to peaceful protest. “Take PayPal for example, just like Woolworth’s, people went to PayPal and said, I want to give a donation to WikiLeaks. In Woolworth’s they said, all I want to do is buy lunch, pay for my lunch, and then I’ll leave. People said I want to give a donation to WikiLeaks, I’ll take up my bandwidth to do that, then I’ll leave, you’ll make money, I’ll feel fulfilled, everyone’s fulfilled,” he said. “PayPal will take donations for the Ku Klux Klan, other racists and questionable organizations, but they won’t process donations for WikiLeaks. All the PayPal protesters did was take up some bandwidth. In that sense, DDoS is absolutely speech, it should absolutely be recognized as such, protected as such, and the law should be changed.”

Leiderman added that he considers the use of DDoS not to be an “attack” in some circumstances, but actually legitimate protest. 

“[T]he law should be narrowly drawn and what needs to be excised from that are the legitimate protests,” he said. “It’s really easy to tell legitimate protests, I think, and we should be broadly defining legitimate protests,” he said.

New York attorney Stanley Cohen, who is representing one of the accused “PayPal 14” hackers responsible for the Anonymous-led operation, agrees.

“When Obama orders supporters to inundate the switchboards of Congress, that’s good politics, when a bunch of kids decide to send a political message with roots going back to the civil rights movement and the revolution, it’s something else,” Cohen told TPM in 2011. “Barack Obama urged people to shutdown the switchboard, he’s not indicted.”

“It’s not identity theft, not money or property, pure and simple case of an electronic sit in, at best,” he said.

So far over 1,100 people agree on WhiteHouse.gov, and hope the Obama administration will get their point. Until then, though, Commander X and others face upwards of a decade in prison apiece for violating a clause in the Computer Fraud and Abuse Act that makes it unlawful to “knowingly cause the transmission of a program, information code or command, and as a result of such conduct, intentionally causes damages without authorization to a protected computer.”

With attorneys like Leiderman and Cohen arguing that the damages in question aren’t quite criminal, the White House may have to respond to the latest WhiteHouse.gov petition. The Obama administration is mandated to respond if it can garner 25,000 signatures in the next month. Until then, though, proponents of DDoS as free speech can cite what Jay Carney said when petitioners rallied for the deportation of Piers Morgan for his call to ban assault weapons.

“The Constitution not only guarantees an individual right to bear arms, but also enshrines the freedom of speech and the freedom of the press – fundamental principles that are essential to our democracy,” said Carney.

Meanwhile, exercising constitutional rights by way of overloading web servers isn’t being accepted as such by the government. That doesn’t mean that Anonymous or other so-called ‘hacktivists’ will change their ways: just last month, members of the hive-mind computer collective waged a DDoS attack on the website of the Westboro Baptist Church after the religious group announced plans to picket the funerals of mass shooting victims in Newtown, Connecticut. Anonymous waged a similar wave of attacks on the Church of Scientology in 2008, the result of which landed a number of Anons in prison for violating federal law.


A client that is seeking to flee the jurisdiction must be advised of the consequences of flight — including being tried, convicted and sentenced in absentia and losing all appellate rights under the fugitive disentitlement doctrine.  See In re Ivker, BD-2004-034 (Mass. 2004): “While helping a client concoct perjurious testimony is a direct fraud on the court, counseling a client to flee deprives the court of any ability to adjudicate the charges.  Failure to appear is itself a punishable offense, and a client who follows such advice is exposed to considerably increased penalties.  See [Massachusetts] G. L. c. 276, § 82A [Failure to appear in court after release on bail or recognizance; penalty].  As such, advising a client to flee seriously undermines the administration of justice, and places the client at considerable risk.”

See also In re Axel, 757 S.W.2d 369, 373 (Tex. Cr. App. 1988) (“for an unknowing defendant to learn of his appellate rights someone must advise him of them”); see also Koons v. State, 771 N.E.2d 685 (Ind. Ct. App. 2002) and Perry v. State 638 N.E.2d 1236, 1239-1240 (Ind.Sup.Crt.1994) (both courts explaining that it is ineffective assistance under Strickland to advise a client to flee).

It can hardly be disputed that flight from the jurisdiction at the insistence of one’s attorney is distinct from flight based upon a defendant’s own idea of absenting himself from a jurisdiction.  Indeed, the duress that led to the flight, done for financial gain, was itself a criminal act.

When a fugitive fails to appear for court proceedings, he or she loses their right to appeal

In In re Young (1989) 49 Cal.3d 257, a defense attorney was given a four year suspension for arranging bail for a defendant who had given a false name to the police at the time of his arrest. (He gave a false name because he was wanted on a robbery case where the victim had died.) The attorney had been arrested and convicted for violating Penal Code section 32, an accessory to a felony in helping the defendant avoid felony arrest. In rejecting the attorney’s arguments against discipline, the court stated:

… petitioner violated his oath and duties as an attorney under sections 6068 and 6103 when he arranged bail for his client under a false name. An attorney’s duty to maintain his client’s confidences does not extend to affirmative acts which further a client’s unlawful conduct. While petitioner admittedly had no duty to disclose that his client gave the arresting officer a false name, he had a duty not to further his client’s unlawful conduct by arranging bail for him under a false name. Petitioner’s actions misled the bail bondsman and the officers of the court responsible for bail and allowed a fugitive wanted for a violent felony to evade prosecution. We conclude that there is sufficient evidence that petitioner acted dishonestly, and that his misconduct constituted a fraud on the court. (Id. at 265.)

***

In the Matter of DeMassa (Rev. Dept. 1991) 1 Cal. State Bar Ct. Rptr. 737, the Bar court held that the attorney, although affirmatively obligated by his duty to his client to conceal knowledge of the client’s whereabouts, crossed the line from “zealous protector of client confidences” when he allowed the client, then a fugitive, to stay at his house.

In the hypothetical problem, the defense attorney should have advised his client to appear in court as soon as possible. To acquiesce in a client’s desires to remain a fugitive would violate DR 1-102(A)(4)(5) and could result in disciplinary action.

If contacted by the client and advised that he no longer intends to appear in court, it would be advisable to tell him that such a communication may not be deemed protected by the attorney-client privilege because it is a statement of intent to commit a future crime and that at some later date a court can force it to be revealed.  Charles Sevilla http://charlessevilla.com/_pdf/CPDA.ETHICS.pdf
