Blog Jay Leiderman Law

This Post Continues A Series That Will Comprise The Entirety Of The Matthew Keys Sentencing Documents Filed By The Defense – Part 9

THE COMPUTER MISUSE ACT (CMA) FROM THE UK COMPARED TO AND CONTRASTED WITH THE COMPUTER FRAUD AND ABUSE ACT (CFAA) FROM THE US – APPENDIX 2 IN THE MATTHEW KEYS CASE

Computer Misuse Act 1990 / 18 U.S Code 1030

Read more here…

twitter Facebooktwittergoogle_pluslinkedinmail

This Post Continues A Series That Will Comprise The Entirety Of The Matthew Keys Sentencing Documents Filed By The Defense – Part 8

OTHER COMPARABLE CASES NOT DISCUSSED IN THE MATTHEW KEYS SENTENCING BRIEF; A SUMMARY REFERENCE

Raynaldo “Royal” Keys aka “Neuron” and Cody Kretsinger aka “Recursion_” – Central District of California (Los Angeles) One year and one day in Federal prison, 13 months house arrest and 3 years supervised release. 

In late May, 2011, Kretsinger received a call from his friend Monsegur.  Kretsinger and Monsegur had known each other for years.  Kretsinger was 24 and a long-time member of Anonymous.  He claimed he had participated in the DDoS of the Church of Scientology and other Anonymous “Ops.”  Monsegur called because he was looking to recruit talented hackers for LulzSec.  Kretsinger attended the prestigious Arizona School the University of Advancing Technology.  This little but massively prestigious school, barely heard of throughout most of the world, is a pipeline of some of the most gifted computer hackers to the NSA, FBI and top corporations.

Read more here…

twitter Facebooktwittergoogle_pluslinkedinmail

This Post Continues A Series That Will Comprise The Entirety Of The Matthew Keys Sentencing Documents Filed By The Defense – Part 7

 

THE STATUTORY SENTENCING FACTORS IN 18 U.S.C. § 3553(a) REQUIRE A SENTENCE BELOW THE GUIDELINES RANGE FOR DEFENDANT MATTHEW KEYS.

 

The Sentencing Guidelines are not mandatory. It is always within the discretion of the court to avoid injustice which would result from their rigid application. In fact, it constitutes reversible error for a court to treat the guidelines as mandatory and fail to acknowledge any mitigating factors.

“[i]t would be procedural error for a district court to fail to calculate — or to calculate incorrectly — the Guidelines range; to treat the Guidelines as mandatory instead of advisory; to fail to consider the § 3553(a) factors; to choose a sentence based on clearly erroneous facts; or to fail adequately to explain the sentence selected, including any deviation from the Guidelines range. United States v. Autery, 555 F.3d 864, 869-870, (9th Cir. 2009).”

 

Under § 3553, a court considers the following factors:

  1. the nature and circumstances of the offense and the history and characteristics of the defendant
  2. the need for the sentence imposed to: (A) reflect the seriousness of the offense, to promote respect for the law, and to provide just punishment for the offense; (B) to afford adequate deterrence to criminal conduct; (C) to protect the public from further crimes of the defendant; (D) and to provide the defendant with needed educational or vocational training, medical care, or other correctional treatment in the most effective manner;
  3. the kinds of sentences available;
  4. the kinds of sentence and the sentencing range established for…the applicable category of offense committed by the applicable category of defendant as set forth in the guidelines;
  5. any pertinent policy statement issued by the Sentencing Commission
  6. the need to avoid unwarranted sentence disparities among defendants with similar records who have been found guilty of similar conduct; and
  7. the need to provide restitution to any victims of the offense.

A.    THE NATURE AND CIRCUMSTANCES OF THE OFFENSE AND THE HISTORY AND CHARACTERISTICS OF THE DEFENDANT.

Under 18 U.S.C. § 3553(a)(1), the court is required to consider “the nature and circumstances of the offense and the history and characteristics of the defendant.”

1.                  THE OFFENSE.

As discussed above, the offense at issue here involves the changing of a few words in a Los Angeles Times website article that was easily restored within 40 minutes.  The only reason it took 3 minutes to restore, and not 15 seconds, is because the editor on duty decided to re-write the headline several times.

2.                  THE DEFENDANT.

Matthew’s background as a journalist is discussed above in the facts section.  Matthew is not a “hacker.”  He is not a member of Anonymous, and never has been.  The story told by the Government at trial is one of someone who used his journalistic skills to infiltrate into a closely knit group of newsworthy persons, communicate with a couple of members, and develop a story.  The Government’s story is of someone who, at beat, unfortunately, got carried away with his work.  See, e.g. United States v. Autery, 555 F.3d 864, 875 (9th Cir. 2009) (affirming District Court’s departure from the sentencing guidelines in child pornography case because defendant “did not fit the profile of a pedophile” and thus did not pose a great threat to society as others who the court had sentenced under the crime).  If Matthew is given probation, he will only do what he has been doing for more than a decade, before and after his prosecution – engage in journalism.  See, e.g. United States v. Johnson, 391 Fed. Appx. 659, 660 (9th 2010) (affirming District Court’s departure from the Guidelines where defendant’s “post-arrest conduct had been ‘very impressive,’ ‘unique,’ and ‘extraordinary’” and co-defendants continued to engage in criminal activity).

  1. 18 U.S.C. § 3553(a) Factors

Witnesses testified at trial that the change to the Los Angeles Times headline was viewable to the public for a total of approximately 40 minutes.  The body of the article was not edited.  Additionally, witnesses testified that because of the lapse of security in the Content Management System, they conducted many hours of work in order to fix a system, mostly implementing security measures that should have been in place in the first instance but were not.  They also testified that they received the email from a colleague at Fox40 to record all their time so that they can hand to the federal authorities, because they needed to bulk up their “loss” numbers in order to prosecute Matthew.  Altogether, the defense agrees with the government that “this not the crime of the century.”

Moreover, there is no deterrent purpose in Matthew’s imprisonment that is proportionate to the harm caused to Fox40 or that justifies the damage that a lengthy prison sentence will do to Matthew. His journalism career, to which he has dedicated his whole life, has been undermined.  He lost his job at Reuters.  The Department of Justice, along with his former colleagues who testified against him, have branded him as nothing more than a criminal.

In any circumstance similar to Matthew’s, a former employee suspected of causing harm to a company, the imposition of draconian prison sentences will not further the purposes of criminal justice. The vast majority of companies under similar circumstances may, at most, seek civil damages against the former employee for their perceived losses.  Most people involved in these kinds of disputes do not want their former employees to go to jail, even if they are angered by the employee’s actions.  The knowledge that a criminal investigation can lead to prison sentences greater than five years will deter many people, including employers, from coming forward to the authorities – that is, all but the ones with the most personal of axes to grind.  Thus, the supposed deterrent effect of a lengthy prison sentence results in the unintended consequence of fewer prosecutions for harmful activity.

Matthew has no criminal record, and has never engaged in the activity he was convicted for either before or after the events in question.  He wants nothing more than to continue being a journalist.  A sentence of probation, with a strict warning from the court on the consequences of any criminal activity, will be sufficient to deter him.  See Autery, 555 F.3d at 876 (“It is said that there is nothing like being sentenced to hang in the morning to focus a man’s thoughts, and it is improbable that the district court’s stern warning will be an ineffective deterrent in this case”).

Specific deterrence is neither appropriate nor necessary in this case.  Nor is general deterrence appropriate in that we have extensively traced the history of Anonymous prosecutions above and shown that the aims of general deterrence have already been served, and they have been served effectively.  Those that did not receive prison time have fared as well as those who did.  General deterrence has undisputedly not only been served by those punished before him, but those prosecutions have been so widely publicized in news articles, books, and documentaries that if general deterrence was not effective in those prosecutions it will not be effective at all.  Matthew’s conviction comes out of a time and public perception that caused a group mentality which not only allowed such actions, but even cheered them on.  Those days have passed.  With the March 6, 2012 revelation that Monsegur was a government informant, the reckless and unabated hacking of the Anonymous “hacktivist” era ended.  General deterrence has been served by other, more serious, cases that have come before Matthew’s.

The events at issue here occurred in the winter of 2010.  It is now 2016.  He is at no risk of reoffending.  Matthew was in the Internet Feds chatroom as a journalist.  It was important for him to participate in chats as an embedded journalist to gain the trust of the subjects he was writing about.  Indeed, his information was used widely and led to a greater understanding of a mysterious and shadowy hacker collective.  With the exception of the conviction here, Matthew has no criminal history.

The public needs no protection from Matthew.  Rather, he has sought to benefit the public by exposing truth through his journalism.  He has shown over the last 5and 1/2 years that the need for rehabilitation is not present in this case.

Borrowing from United States v. Bergman, 416 F.Supp. 496, 498-99 (S.D.N.Y. 1976), which some say is the quintessential judicial sentencing memorandum, defendant offers the following regarding specific and general deterrance:

“The court agrees that this defendant should not be sent to prison for ‘rehabilitation.’  Apart from the patent inappositeness of the concept to this individual, this court shares the growing understanding that no one should ever be sent to prison for rehabilitation.  [See 28 U.S.C. § 994(k).]  That is to say, nobody who would not otherwise be locked up should suffer that fate on the incongruous premise that it will be good for him or her.  Imprisonment is punishment.  Facing the simple reality should help us to be civilized.  It is less agreeable to confine someone when we deem it an affliction rather than a benefaction.  If someone must be imprisoned for other, valid reasons we should seek to make rehabilitative resources available to him or her.  But the goal of rehabilitation cannot fairly serve in itself as grounds for the sentence to confinement.

Equally clearly, this defendant should not be confined to incapacitate him.  He is not dangerous.  It is most improbable that he will commit similar, or any, offenses in the future.  There is no need for ‘specific deterrence.’”

 

Matthew understands that if he is to be imprisoned in this case it will be to serve the ends of “general deterrence,” which is to say that it will exemplify that this is a wrong that one cannot commit without suffering sanction of a penal nature in addition to the other sanctions that naturally and judicially flow from the sort of act that defendant has been convicted of committing.[1]  Even so, it is of great consequence that Matthew is now a felon.  None of the top news organizations will now touch him.  He had already been employed by Reuters, the largest news organization in the world.  Now he is relegated to self-published freelance journalism and companies willing to take risks.

Once again, defendant borrows from United States v. Bergman, supra, 416 F.Supp. at 498-99, to offer the following:

In cases like this one, the decision of greatest moment is whether to imprison or not.  As reflected in the eloquent submissions for defendant, the prospect of the closing prison doors is the most appalling concern; the feeling is that the length of the sojourn is a lesser question once that threshold is passed.  Nevertheless, the setting of a term remains to be accomplished.  And in some respects it is a subject even more perplexing, unregulated, and unprincipled.

Days and months and years are countable with a sound of exactitude.  But there can be no exactitude in the deliberations from which a number emerges.  Without pretending to a nonexistent precision, the court notes at least the major factors.

The criminal behavior, as has been noted, is blatant in character and unmitigated by any suggestion of necessitous circumstance or other pressures difficult to resist.  However metaphysicians may conjure with issues about free will, it is a fundamental premise of our efforts to do criminal justice that competent people, possessed of their faculties, make choices and are accountable for them.

Matthew must reluctantly agree with the above statements and acquiesce that it would be unjust to not hold him accountable in any respect.  As the Government told the press, he will at least receive probation.  Notwithstanding the fact that he may disagree with the jury verdict, he respects the justice system and accepts their judgment.  He was found guilty at a jury trial.  Accordingly, he stands before the court a guilty man.  Even so, the events here do not merit a sentence that includes actual imprisonment.  There are situations wherein the age, background, and specific criminality of a defendant would militate towards a simple probationary sentence with conditions.  This is just such a case.[2]  Matthew was significantly less culpable than any other participant in the criminality of Anonymous during the entire “Hacktivist Era” of the collective, defined as September 21, 2010 to March 6, 2012.  Indeed, Matthew does not identify as a member of Anonymous, he identifies as a journalist who studied Anonymous for less than a month in the Internet Feds chatroom.  But when compared with each and every other conviction, his actions were de minimus compared with any even remotely similar case.

Matthew Keys’ background, other good acts and prospects call out for him to not be removed from society for any period of time, but rather to be placed on probation; or at most on house arrest for a period of time.

For reasons discussed above, there is no reason to seek out the aims of general deterrence in this case, as this time in hacking and computer misuse history has passed.  Even so, it bears mentioning that yielding to a prosecutor’s call to “send a message,” if any such call is to be made, with this sentence is also improper.  See, e.g., Sinisterra v. United States, 600 F.3d 900, 910-11 (8th Cir. 2010).  A sentencing is an individual determination, based on the facts of the crime and the life and background of the offender.  It is contrary to these purposes to ask the court to “make an example” of the defendant for the purposes of deterring other people.  Christopher Weatherhead’s case in the UK is such an example.  His presentence report recommended 3 months[3] after his trial, but the Judge determined he would send a message and sentenced him to 18 months.  If a message needed to be sent, it was already received loud and clear in Weatherhead’s case.

The need to protect the public from Matthew Keys going forward is nonexistent.  Accordingly, a prison sentence would not achieve the aim of protecting the public from Matthew, and may even create a risk where there was none before, prison being the sort of place that turns non-criminals into criminals due to the association of people that don’t belong there with those that do. This is admittedly unlikely here, since Matthew has matured and learned from these court proceedings.  His interview with the Syrian Electronic Army is a good example of how he has learned to keep an arm’s length between himself and his subjects.

Looking at the totality of circumstances present before the court, a probationary sentence is the most appropriate sentence here.  Among other reasons, probation will allow the defendant to work and be employed at a productive job, affording the best opportunity for at least some restitution to be swiftly paid.  Restitution in this case may be sizeable.  Rest assured, restitution will be shouldered by Matthew and it will be a debilitating factor for years, if not a lifetime.  The PSR lists his monthly income at approximately $1,700.00 before bills.

As stated in Bergman, the sentence should be calculated “with a sound of exactitude” such that the sentence is no more than is absolutely necessary to send a general deterrent effect to the community, if the court believes one is necessary.  Every day counts, as every defendant counts every day they are incarcerated.  Looking at all of the relevant factors, zero days in prison should be the sentence affixed in this case.  Of course, Matthew Keys could still be subject to house arrest or similar community-based conditions, and would agree that such a punishment would not necessarily be unreasonable in this case.

 

C.    THE KINDS OF SENTENCES AVAILABLE

As the PSR recognizes, the court has many sentencing options.  It may within its statutory power impose “(1) straight probation; (2) straight imprisonment; (3) a probationary sentence that includes community confinement or home detention as a condition; or (4) a sentence of imprisonment followed by a term of supervised release that includes community confinement or home detention as a condition.”  (PSR ¶ 95.)  In no event may Defendant’s sentence exceed five years.  18 U.S.C. §§ 371.

Admittedly, the Guidelines prohibit a straight probation sentence except where the Guideline range lands in Zone A or Zone B of the sentencing table.  U.S.S.G. § 5B1.1(a).  Because of the enormous financial loss suffered by Tribune Co., Defendant’s offense level is in Zone D.  Thus, the Guidelines do not authorize a probationary sentence.  Of course, the Guidelines are advisory, not mandatory.  Booker, 543 U.S. 220.

Under the statutory provisions—which are mandatory—the court may impose straight probation for a Zone D offense.  The only offenses categorically ineligible for a probationary sentence are Class A Felonies, Class B Felonies, and offenses which expressly preclude it.  18 U.S.C. § 3561(a).  Conspiracy is a Class D Felony and thus is statutorily eligible for probation.  See 18 U.S.C. § 3559(a)(4).  Moreover, in the statutory section defining the duties of the Sentencing Commission, Congress explicitly stated its preference for probationary sentences in cases such as this:

The Commission shall insure that the guidelines reflect the general appropriateness of imposing a sentence other than imprisonment in cases in which the defendant is a first offender who has not been convicted of a crime of violence or an otherwise serious offense, and the general appropriateness of imposing a term of imprisonment on a person convicted of a crime of violence that results in serious bodily injury.  28 U.S.C. § 994(j).

The court has at its disposal a wide range of sentencing options, including straight probation.  Despite the Guidelines’ advice to the contrary, Congress’ explicit preference for probationary sentences for nonviolent, first-time offenders should guide the court in making its choice here.

 

  1. THE NEED TO AVOID UNWANTED SENTENCING DISPARITIES AMONG DEFENDANTS WITH SIMILAR RECORDS WHO HAVE BEEN FOUND GUILTY OF SIMILAR CONDUCT

The Supreme Court has emphasized that “extraordinary circumstances” are not a prerequisite to upholding a sentence outside the Guidelines. Gall v. United States, 128 S.Ct. 586, 594 (2007).  Indeed, sentences outside the Guidelines are subject to the same abuse of discretion standard as those within the Guidelines. Id. at 596 (noting that “abuse-of-discretion standard of review applies to appellate review of all sentencing decisions — whether inside or outside the Guidelines range”).  And where the sentence under review is outside the Guidelines, we may not presume the sentence is unreasonable. Id. at 597.

Under § 3553(a)(6), the court must also consider sentences given to defendants with similar records who engaged in similar conduct.  As discussed above, the sentences meted out to LulzSec, and other Anonymous hackers, for much worse conduct were significantly lighter than what the PSR recommends.

The obvious starting point is to consider the sentences imposed on Internet Feds / LulzSec / Anonymous persons who engaged in similar type conduct – or much worse conduct – but received more reasonable sentences than the one proposed in the PSR – or even the one proposed by the Government.

Defendant deserves a much lighter sentence than the ones imposed on each and every member of Anonymous during the so-called hacktivist period of September 21, 2010 to March 6, 2012.  All this notwithstanding the fact that Matthew Keys exercised his right to a jury trial.

“[A]s a further deterrent, the district court threatened that if Autery violated any of the conditions of his probation, he would “be back before me and receive the maximum penalty allowed by law. It is said that there is nothing like being sentenced to hang in the morning to focus a man’s thoughts, and it is improbable that the district court’s stern warning will be an ineffective deterrent in this case.” United States v. Autery, 555 F.3d 864, 876 (9th Cir. 2009)

Though Autery was convicted of a computer crime, it a crime that was manifestly different than this one in terms of the conduct, but the offender shares some positive personal characteristics that bear upon this case.  As the judge described in that case:

The court began its analysis of the appropriate sentence by noting that Autery’s was “a very difficult case” because there was “no evidence that [Autery] was purchasing evident child pornography involving real children”[Fn. 2:  The court may have been referring to the images that Autery received in the government sting operation, images which the government stated were not of real children. Count 3 of the indictment, to which Autery pled guilty, alleges that Autery possessed “visual depictions of actual minors.”] (although the court stated that Autery believed they were real children). The court also noted that there was no evidence of Autery’s ever abusing family members and that he did not “fit the profile of a pedophile.”[4] These facts, the court concluded, made Autery “totally different than what … [the] court has normally experienced with people who are ordering this sort of child pornography.”

 

The court also described what it considered to be Autery’s redeeming personal characteristics: no history of substance abuse, no “interpersonal instability,” no “sociopathic or criminalistic attitudes,” and that he was motivated and intelligent.[5] The court thought it critical that Autery enjoys the continuing support of his family, especially his wife and children.

 

The court acknowledged that child pornography is “terrible stuff” and that it believed Autery “ordered it knowing that it was wrong and illegal.” But the court found that in several ways, Autery’s case differed from the “hundreds and hundreds” of other child pornography cases the court had adjudicated.[6]

 

The court also believed that Autery could not “be accommodated adequately in a federal institution,” and that he needed “outpatient psychiatric monitoring and management” instead. Concluding its sentencing justification, the court stated that it decided on a sentence of probation only “after a lot of soul-searching.” It further determined that imposing prison time would create “a much more disruptive situation and, actually, could be more damaging than the rehabilitation [regime the court believed would] work.” The court also opined in its written “Statement of Reasons” that the sentence “is fully justified in this exceptional case.”

 

The court observed that the five-year probationary sentence “would be subject to some very special conditions of supervision.” It also warned Autery, saying, “believe me, if you have any violation [of those conditions], you’ll be back before me and receive the maximum penalty allowed by law.”[7] Some of the conditions of probation included a prohibition on viewing any pornography whatsoever and on being within 100 feet of places where minors congregate unless approved by his probation officer. Autery was also not permitted to travel outside the State of Oregon without prior approval. He was required to participate in mental health evaluation and counseling, including psychotherapy, and to take any prescription drugs as directed. He was not permitted to possess any firearm, or to use any computer except for work, or, without approval, any other electronic media — such as a personal digital assistant or cellular phone — with Internet capability. In addition, Autery was not permitted to have “direct or indirect” contact with anyone under the age of eighteen, except his own children. Finally, Autery was required to register with the state sex offender registry.

  • 3d 864, 867-868

It is appropriate for a court to take into account other like cases to arrive at a just sentence that is not out of proportion with other apposite cases.  In this brief, we have traced what defendants that are similarly situated to Keys have received.  The courts have allowed judges to use “their experience of imposing sentences in past, relevant cases as an element in determining the fairness of the sentence for the individual defendant before them. This approach is encouraged by statute, which states that a judge should consider “the need to avoid unwarranted sentence disparities among defendants with similar records who have been found guilty of similar conduct.”” 18 U.S.C. § 3553(a)(6). United States v. Sanchez-Martinez, 537 Fed. Appx. 693, 695, 2013 BL 211009, 2 (9th Cir. 2013)[8] (“The court simply relied on a formalized version of what all district judges rely upon: their experience of imposing sentences in past, relevant cases.”).

Moreover, the facts in Sanchez-Martinez were in Matthews’ favor.  That the Court relied upon a table of cases that both sides were not permitted to see.  Here, Matthew has laid out the case that he wishes the court to consider in reaching a just sentence of probation with the possibility of house arrest.

Indeed, while the Court has not sentenced any of the defendants compared to Matthew Keys throughout this brief, the Court is now educated about the “going rate” for these cases around the globe, and has the perspective of what is not just appropriate for the offender, but what is appropriate for the offense when the two are considered together.

The sentencing judge is in the best position to find facts and judge their import under § 3553(a) in the individual case. The judge sees and hears the evidence, and copious evidence has been introduced in this brief of the factors, circumstances and players surrounding the events at issue in this trial.  The trial Judge has the superior ability to makes credibility determinations, has full knowledge of the facts and gains insights not conveyed by the record.  “The sentencing judge has access to, and greater familiarity with, the individual case and the individual defendant before [her] than the Commission or the appeals court.”  Rita v. United States, 551 U.S. 338, 127 S.Ct. 2456, 2469, 168 L.Ed.2d 203 (2007))

Matthew Keys, like almost all of the defendants described herein, has no prior criminal record.  This should be considered in Keys case as it was in so many of the other cases involving Anonymous computer activities.  It is appropriate to do so not just because it was done for other like defendants, but because a criminal history category of 1 can sometimes account for defendants with some criminal history.  IT is not well taken that the criminal history has already been calculated into the guidelines and is therefore not a mitigating circumstance as well.  “This argument overlooks the fact that a defendant with a minor criminal history can still fall within Criminal History Level I. See U.S. Sentencing Guidelines Manual § 4A1.1 & Ch. 5, Pt. A (2007). Therefore, because Autery’s Criminal History Level I did not fully account for his complete lack of criminal history, considering it as a mitigating factor was not redundant or improper. See United States v. Rowan, 530 F.3d 379, 381 (5th Cir.2008) (holding probation reasonable for defendant convicted of possessing hundreds of hardcore child pornography images where defendant had no criminal history).”

Keys will not recount the sentences received on three continents by similarly situated defendants who all engaged in significantly more serious and prolific criminality, as it has been so thoroughly briefed and argued supra that we do not wish to inundate the court with dualistic facts and arguments.  All that remains to be said is that if he receives a guideline sentence, or even a 60 month sentence, as the Government has said it will seek, a great and comparative injustice will have been done.

 

 

CONCLUSION

For the above reasons, the Court should impose a non-custodial sentence.

 

 

[1] Subections 3553(a)(2)(A) and (B) track this line of thought.  Whatever the court decides in terms of punishment, it will not alter the fact that Mr. Keys is a felon, and will suffer the consequences thereof over the rest of his life. This act, committed at 23 years old, will likely ruin his prospects of doing the important work at the pinnacle of his profession that he dreamed of doing.

[2] See the Koon brief filed under seal concurrent herewith

[3] Weatherhead was unable to find his copy of the probation report from his case.  His memory of the recommendation is crystal clear, 3 months was the recommendation.

[4] Like the fact that Keys does not fit the profile of either a hacker or a member of Anonymous.  He fits the profile of a journalist.

[5] The factors are likewise applicable to Keys.

[6] It is important to note that Keys’ conduct differed in that of any other like person described herein in that it was on a single occasion and not part of a pattern or spree of criminality that others described herein engaged in.

[7] Keys would not object to such a warning.

[8] See Rule of Appellate Procedure 32.1: (a) Citation Permitted. A court may not prohibit or restrict the citation of federal judicial opinions, orders, judgments, or other written dispositions that have been: (i) designated as “unpublished,” “not for publication,” “non-precedential,” “not precedent,” or the like; and (ii) issued on or after January 1, 2007.

 

Matthew Keys

Jay Leiderman & Matthew Keys leaving the federal courthouse in Sacramento

 

twitter Facebooktwittergoogle_pluslinkedinmail

This Post Continues A Series That Will Comprise The Entirety Of The Matthew Keys Sentencing Documents Filed By The Defense – Part 6

  1. THE PSR LOSS CALCULATION IS CONTRARY TO SENTENCING LAW AND POLICY AND SHOULD BE REDUCED

The loss enhancements under USSG §2B1.1 were initially designed to address traditional theft, fraud, and embezzlement offenses.  These offenses traditionally result not just in a loss for the victim, but also a gain for the perpetrator.  While certain offenses under the Computer Fraud and Abuse Act or CFAA may involve an analogous transfer of funds, or an intentional destruction of valuable property, the statute’s broad nature covers many offenses which do not. See 18 U.S.C. § 1030.  Here, the offenses charged are far more similar to vandalism or trespassing than theft or fraud, and are not warranted as a matter of policy. They will also have an extremely disproportionate effect on the sentencing range.  With what is essentially “digital vandalism,” it is arguable no loss was intended, and certainly a loss in the amount claimed here was neither intended nor reasonably foreseeable.  It is also incredibly difficult to establish, and has not been established here, whether the alleged loss included only the reasonable costs to a victim.  Applying these enhancement levels for speculative, unintended, and unforeseeable costs and losses creates a perverse sentencing structure that unduly punishes otherwise de minimis CFAA offenses.

  1. The Loss Calculations Fail to Meet Any Appropriate Burden of Proof

At trial, prosecution witnesses claimed the offenses caused over $900,000 in loss to the victim companies.  For sentencing purposes, the 9th Circuit generally accepts a preponderance of the evidence standard as the burden at sentencing, however “a heightened burden may sometimes be required … to satisfy due process concerns.” … where a sentencing factor would have an extremely disproportionate effect on the sentence.”  United States v. Staten, 466 F.3d 708, 717 (9th Cir. 2006); See United States v. Kilby, 443 F.3d 1135, 1140 n. 1 (9th Cir.2006).  For factors which have an extremely disproportionate effect on sentencing, the 9th Circuit applies a clear and convincing evidence standard.  United States v. Staten, 466 F.3d 708, 717 (9th Cir. 2006).[1]  Where a sentencing enhancement creates a greater-than-four-level increase and more than doubles the potential sentence, that enhancement likely has a disproportionate effect on sentencing. See United States v. Staten, 466 F.3d 708, 717-18 (9th Cir. 2006) (finding disproportionate effect for a greater-than-four level enhancement that more than doubled the sentence); see also United States v. Dare, 425 F.3d 634, 642 (9th Cir. 2005) (laying out a 7-factor totality of the circumstances test for disproportionate effect). Here, the clear and convincing evidence standard is appropriate, as the loss enhancement has just such a disproportionate effect.  It represents a 10-level increase and nearly triples the recommended sentence, moving the guidelines range from level 19 (30-37 months) to 29 (87-108 months).  (See PSR, p. 9, ¶ 24.)  The evidence offered to support these loss claims fails to meet either standard.

The prosecution’s evidence to support their loss claim fails to satisfy either standard. It includes no billing records or other business records beyond an unattributed, undated spreadsheet and a handful of emails.  There is no way to tell whether these time entries were directly related to the response, or how much of a given entry was directly related.  The jury was never asked to endorse any specific amount beyond the $5,000 minimum for a felony conviction, so the verdict does not endorse any specific number for loss.  The claimed losses are simply not established by the evidence, and certainly fail to establish a loss amount by clear and convincing evidence.

  1. Unrelated Costs Should be Excluded from the Loss Calculation

Additionally, under USSG §2B1.1, the loss amount must be reasonable, and should exclude, for example, frivolous or unnecessary costs or those not reasonably necessary for incident response or investigation.  The Court should look to the fair market value of any “property unlawfully taken … or destroyed” or, for proprietary information, the “cost of developing that information or the reduction in value … that resulted from the offense.”  See U.S.S.G. § 2B 1.1 cmt. n.3 (C)(i), (ii); United States v. Nosal, No. CR-08-0237 EMC, 2014 WL 121519, at *3 (N.D. Cal. Jan. 13, 2014).  Additionally, for CFAA related loss, the Court should consider “only those costs that were ‘reasonably necessary,’ and only those costs that would ‘resecure’ the computer to avoid ‘further damage.’” United States v. Middleton, 231 F.3d 1207, 1213 (9th Cir. 2000).  Where the prosecution has not established that certain costs meet one or the other of these criteria, those costs should be excluded from the loss calculation.

The PSR rightly disregards the companies’ most nebulous loss claims, such as a decline in morning television news ratings and a vague “database loss in iPad contest.”  (See PSR, p. 7, ¶ 15.)   However, it incorrectly includes several loss claims that either fail to meet the appropriate burden of proof or are beyond the scope of loss under USSG §2B1.1.

The PSR incorrectly includes the costs associated with “rebuild[ing] the database.”  Id.  Nowhere does it say which database.  The undated spreadsheet does not specify this either.  In fact, nowhere else in the record seems to clarify what database this cost may refer to. Nowhere does the record establish that any database was “deleted” or needed to be rebuilt.  The record contains few mentions of databases at all, and none are alleged as deleted or lost.  One database mentioned at trial was the Green Links email address database, and Brendan Mercer admits he was unaware of any deletion of that database or any of its entries.  (TR, p. 149; p. 177.)  Another witness, Mr. Comings of Tribune Publishing Co., later described the CMS as sharing “a common database.” (TR, p. 248).  At one point, a witness describes the email list database being “compromised” but in context it is clear they mean the database’s information was accessed, not that the database or any information within was deleted. (TR, p. 707).  At most, the record supports that the CMS database, “Green Links” email address database, or both may have been accessed, but nowhere does the record suggest any database was deleted.

The Final PSR Response letter itself notes that the “$200,000 figure to ‘locate vendor and rebuild new database.’” is uncorroborated by any documents from the victim.  These documents have not been provided, nor does the record reflect any database deletion.  (See U.S. Probation Office Response to Objections, Dec. 30, 2015 (ECF # 127-3), at p. 2.)  Where there is no proof of deletion, and no deletion is described in the record, it would be improper to include this figure in Matthew loss or restitution amounts.

The PSR also mistakenly includes the time-value of “telephone calls, meetings, and emails,” which are not contemplated by USSG §2B1.1.  These are outside the realm of “reasonable costs to any victim” under the guideline section for 18 USC § 1030 offenses, which includes costs directly related to incident response, but not peripheral or administrative activities.  See USSG §2B1.1, Application Note 3(A)(v)(III).  Including these peripheral activities in the loss calculation would encourage unscrupulous victims to increase their restitution through unrelated or unnecessary meetings and correspondence.

Sentencing policy and the balance of justice weigh against applying these enhancements in a minor CFAA offense such as this.  However, if the enhancements for loss are to be strictly applied according to the guidelines, they should be similarly limited by those guidelines and the relevant burden of proof.  These loss entries, for an unspecified and unsupported database “deletion” and for administrative tasks at most peripheral to incident response, should not be included in the final loss number.  To include them would be unjust, unsupported by the evidence, and against both the spirit and letter of the Sentencing Guidelines.

With these items excluded, assuming the other loss items can be established by clear and convincing evidence, the correct loss amount would be at most $19,591.00, resulting in a 4-point enhancement.  See USSG §2B1.1(b)(1).  This number best reflects a strict adherence to the Sentencing Guidelines, exclusive of unsupported or out-of-scope loss claims.

[1]   Although United States v. Jenkins suggests this standard is not applied for conspiracy offenses, that case did not feature a loss calculation which had an extremely disproportionate effect on sentencing, and is thus distinguishable from Mr. Keys’s matter.  See 633 F.3d 788, 808 (9th Cir. 2011)

 

Matthew Keys

Matthew Keys leaving court with his legal team – Jay Leiderman, Tor Ekeland and Mark Jaffe. I guess we looked Blues-Brothers-ish, as we got this cool meme

 

twitter Facebooktwittergoogle_pluslinkedinmail

This Post Continues A Series That Will Comprise The Entirety Of The Matthew Keys Sentencing Documents Filed By The Defense – Part 5

  1. THERE IS NO BASIS FOR AN ENHANCEMENT FOR AN “AGGRAVATING ROLE,” BECAUSE THE ACTIVITY DID NOT INVOLVE FIVE OR MORE PARTICIPANTS AND KEYS DID NOT EXERCISE MANAGERIAL OR SUPERVISORY CONTROL

The PSR recommends a three level enhancement on the basis that Keys “was a manager or supervisor of criminal activity involving five or more participants” under § 3B1.1(b).  Its justification is that the “defendant obtained access into a chat room and communicated with at least five members/associates of Anonymous, whom he encouraged to deface the Los Angeles Times website.”  (PSR at 8).  This enhancement is improper because it includes numerous people who bear no criminal responsibility for the charged offenses, played no role in the conspiracy, and were not members of any conspiracy. This inclusion contradicts the Sentencing Guidelines. Moreover, Keys’s activity does not rise to the level of management or supervision.  An enhancement for role would not result in a sentence that is sufficient but not greater than necessary.  This is especially untethered to the Computer Fraud and Abuse Act (CFAA).

  1. The Charged Activity Did Not Involve Five or More Participants Under the Sentencing Guidelines, Because Mere Presence in a Chatroom Cannot Make Someone Bear Criminal Responsibility

To qualify as a “participant” for the purposes of this enhancement factor, it is not sufficient to have been in a chatroom where the “criminal activity” was discussed.  The Commentary to the Sentencing Guidelines states that a “‘participant’ is a person who is criminally responsible for the commission of the offense…”, adding that “[a] person who is not criminally responsible for the offense…is not a participant.”  §3B1.1, Commentary, Application Note 1.

Thus, the USSC has emphasized that participants are limited to those who are criminally responsible for the commission of the offense.  See, e.g. United States v. Anderson, 942 F.2d 606, 616 (9th Cir. 1991) (“Based on this construction of the guideline, we have to conclude that the district court incorrectly applied § 3B1.1(c) so as to adjust Anderson’s offense level upward by two points on the assumption that the person with respect to whom he was a leader, organizer, supervisor or manager need not have been criminally responsible for the commission of the offense”);  United States v. Ware, 577 F.3d 442, 453, 2009 BL 176479, 11 (2d Cir. 2009) (“the record does not indicate that they could be considered “participants” within the above Guidelines definition of that term, for we see no indication in the record that they would be criminally liable”).  To be a participant, a party must not only have been aware of the objective, but must have knowingly offered their assistance.[1]

However, the only person who contributed anything to the charged offenses was “sharpie,” the chatroom participant who accessed the system to “deface” the LA Times website, and who has otherwise not been identified, and “sabu,” who subsequently became a government informant.  There were other usernames in the chatroom, but none of them had any active participation in accessing the Fox40’s Content Management System.  Some of them did no more than make a glib comment, or express words of approval.  There is little communication between AESCracked, the username attributed to Matthew Keys, and most of the other persons in the chatroom.  None of the usernames in the chatroom have been identified, and there is no way of even knowing if they are separate individuals.  It is insufficient that they appear to have cheered on the activity, because in order to be a participant one must have actively participated.

In order to find that “AESCracked” was the manager or supervisor of five or more participants, the PSR must determine that each of these usernames bore criminal responsibility for the charged offenses.  This would be online equivalent of finding that each of ten persons in a room was responsible for crimes that only two or three of them discussed and planned, merely because they were in listening distance and they were presumed to be sympathetic to the true participants.  SeeUnited States v. Mann 161 F.3d 840 867 (5th Cir. 1998) (“A finding that other persons ‘knew what was going on’ is not a finding that these persons were criminally responsible for commission of an offense.”).  But at least in a physical world example, each person can be identified and their actual activities assessed.  In a virtual chatroom, the “presence” itself cannot be counted as participation.  In fact, it is not even known for sure how many usernames represent unique individuals.  The enhancement factor could not possibly have been meant to sweep this broadly.

  1. Keys Did Not Supervise or Manage Participants in Criminal Activity

Moreover, there is no evidence that Matthew “supervised” or “managed” any individuals.  See, e.g. United States v. Woods, 335 F.3d 993 (9th Cir. 2003) (finding that enhancer did not apply because defendant did not manage or supervise participants).  In order for this enhancement factor to apply, the court must identify a participant over whom defendant exercised managerial or organizational control. See United States v. Helmy, 951 F.2d 988, 997 (9th Cir. 1991) (“Consistent with the purposes of Part B, we hold that in order for a defendant to receive an adjustment under § 3B1.1(b) for his role as a manager or supervisor, the defendant must have managed or supervised at least one other participant–that is, a person who was criminally responsible for the commission of the offense”).  The adjustment does not apply to a defendant who “merely suggests committing the offense.”  USSG §3B1.1, Commentary, Application Note 4.

As discussed above, most of the so-called “participants” in the offense conspiracy were merely usernames in a chatroom that did little more than comment on the ongoing discussion.  AESCracked did not have any managerial control over them, and neither did Matthew.  He did not know who they were, and did not interact directly with most of them.  The only people with whom he discussed the activities were “sharpie” and, to a lesser extent, known hackers “sabu” and “kayla.”  Only one of those individuals, based on the evidence, actually entered into the Content Management System.  Matthew did not manage or control “sharpie” when the CMS was entered.

  1. The Activity was Not “Otherwise Extensive”

Although the PSR does not mention it, the Government may argue that, although there were fewer than five participants, the managerial control was “otherwise extensive” under § 3B1.1(b).  However, this subcategory generally requires that there are multiple participants and that there is managerial and supervisorial control.  As discussed above, neither of these is true.  Most of the Courts of Appeals follow the test expressed by the Second Circuit in United States v. Carrozzella, 105 F.3d 796 (2d Cir. 1997), which held that “otherwise extensive” requires, at a minimum, “a showing that an activity is the functional equivalent of an activity involving five or more participants.”  There is no functional equivalent to such an activity, where only one participant in the chatroom actively participated in the activity encouraged by AESCracked, the rest of the persons were merely commenting about it in a chatroom.

Thus, there is no basis for the three-point enhancement under § 3B1.1(b).

[1] See United States Sentencing Commission, Aggravating and Mitigating Role Adjusting Printer, available at http://www.ussc.gov/sites/default/files/pdf/training/primers/Primer_Role_Adjustment.pdf

 

 

Matthew Keys

California State Bar Certified Criminal Law Specialist arrives in Sacramento to defend Matthew Keys. Keys was charged with violating the Computer fraud and abuse act (CFAA). 18 USC section 1030.

 

twitter Facebooktwittergoogle_pluslinkedinmail