UNITED STATES OF AMERICA, Plaintiff-Appellee, v. MATTHEW KEYS, Defendant-Appellant.
Defendant Matthew Keys appeals his conviction and sentence under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. We affirm.
1. Keys was not subjected to a constructive amendment, which occurs when (1) the government presents at trial “a complex of facts ․ distinctly different” from those in the indictment, or (2) the trial proof or jury instructions alter the crime charged, making it “impossible to know whether the grand jury would have indicted for the crime actually proved.” United States v. Mancuso, 718 F.3d 780, 792 (9th Cir. 2013) (citation omitted). Neither standard is met here.
The superceding indictment alleged that, after Keys's employment ended, he “kept and used, for malicious purposes, login credentials to the Tribune Company's CMS [ (content management system) ]”; “identified ․ Fox 40 ․ as [a target] for online intrusion and web vandalism”; “obtain[ed] control of at least one additional username and password ․ to log in and make changes to Tribune Company's CMS”; and intended “to damage computer systems used by Tribune Company.” These allegations encompassed Keys's conduct prior to December 8. Because, after this date, Keys used credentials he created well after his employment ended, the allegation that he used credentials he kept after his employment necessarily refers to prior conduct, such as the Fox 40 emails and creating back-door access. Importantly, the superseding indictment expanded Count II's date range. The only practical purpose of this expansion was to add Keys's conduct between October 28 and December 8. A common-sense reading of the indictment as a whole, including facts that were necessarily implied, see United States v. Livingston, 725 F.3d 1141, 1148 (9th Cir. 2013), shows that the government tried Keys only on facts presented to the grand jury. Therefore, the government did not prove a complex of facts distinctly different from those in the indictment. See Mancuso, 718 F.3d at 792.
The government did not try Keys for unauthorized access, because Keys's use of back doors was CFAA “damage.” 18 U.S.C. § 1030(e)(8). Keys's illicit conduct for the entire period of Count II stemmed from the facts that he “kept and used ․ login credentials to the Tribune Company's CMS,” and “obtain[ed] control of at least one additional username and password.” Acquiring and creating passwords that can be used as back-door access points to a computer system in the future impair the security of that system. See United States v. Middleton, 231 F.3d 1207, 1212 (9th Cir. 2000);1 Multiven, Inc. v. Cisco Sys., Inc., 725 F. Supp. 2d 887, 894–95 (N.D. Cal. 2010). Prior to Keys's conduct, the CMS existed in a certain state of security. Keys made the CMS far weaker by taking and creating new user accounts. This manipulation of user accounts and login credentials (not Keys's access) impaired the system.
2. The district court did not allow the jury to consider harms not cognizable as CFAA damage or loss. Keys makes a scattershot of arguments concerning damage and loss, none of which is persuasive. Keys's taking and creating new user accounts (not downloading the email list) was the CFAA damage. Middleton, 231 F.3d at 1212. His conduct directly resulted in the damage; therefore, the damage was not “speculative harm,” as argued by Keys.
The district court did not err in declining to instruct the jury that information altered by a defendant was not damaged under the CFAA, if the original version was not permanently lost. We are not persuaded by the out-of-circuit district court cases Keys cites, none of which involve circumstances analogous to the alteration of the L.A. Times website. The temporary unavailability of the original article, and the posting of an altered version, fall within the statutory definition of “damage”: “impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). The website was not able to function as intended while the customers could not access the article. The district court properly instructed the jury using the statutory definitions of “damage” and “loss.”
3. By re-styling his contentions on the issues above, Keys argues the district court admitted unfairly prejudicial evidence. We reject these arguments.
4. Concerning the attempt charge, the government presented evidence sufficient for the jury to find that Keys had the required intent and took a substantial step toward the offense. See United States v. Gracidas-Ulibarry, 231 F.3d 1188, 1192 (9th Cir. 2000) (en banc). At the time of Keys's December 15 chatroom discussion with the hacker, Keys knew the hacker had attacked the L.A. Times only hours earlier. Thus, when the hacker told Keys he was going to alter the entire front page, Keys knew the hacker was capable. Possessing this knowledge, Keys showed the required intent when he made an unsolicited offer to get the hacker back into the CMS and then actually tried to do so.
Although Keys argues his efforts to get the hacker back into the system amount only to unauthorized access, gaining access to the CMS is a substantial step toward accomplishing the damage. In fact, providing access to more skilled hackers was as far (toward the initial L.A. Times alteration) as Keys was able to go, based on his computer skills. Although signing into his VPN to cover his tracks was mere preparation for Keys, by affirmatively trying to take what he knew would be his final step toward completing the damage, Keys took a “substantial step.” See United States v. Still, 850 F.2d 607, 609–10 (9th Cir. 1988). The fact that something outside his control prevented the offense from going forward does not save him.
5. The district court found the amount of restitution by a preponderance of the evidence, considering evidence with “sufficient indicia of reliability.” See United States v. Waknine, 543 F.3d 546, 556–57 (9th Cir. 2008) (citation omitted). Concerning employee response time, the district court did not abuse its discretion by relying on loss estimates based on employees' testimonies or on the worksheet prepared by a Fox 40 executive. In response to Keys's challenge to inconsistences in the employee salary evidence, the district court appropriately re-reviewed the trial testimony and considered the amount in light of national statistics on the value of non-liquid employee benefits.
The government presented evidence that nearly all of the 20,000 Fox 40 Rewards Program members cancelled their participation in response to Keys's conduct. Starting essentially from square one, the database took three years to rebuild. The district court did not abuse its discretion in relying on the Fox 40 executive's representation that this process cost $200,000. It was appropriate for the district court to order restitution in the amount it cost Fox 40 to replace the member database, as it would be difficult to determine the fair market value of such an asset. See United States v. Kaplan, 839 F.3d 795, 801–02 (9th Cir. 2016).
The restitution was reasonably based on Fox 40's actual losses and did not result in a windfall to the victims. See id. at 802. Keys's arguments to the contrary are unpersuasive.
1. Although the provision defining “damage” was amended after Middleton, “[t]he new [CFAA] version defines ‘damage’ the same way [as the prior version].” Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 934 (9th Cir. 2004).