United States v. Matthew Keys

                           NOT FOR PUBLICATION

                    UNITED STATES COURT OF APPEALS
                            FOR THE NINTH CIRCUIT

FILED JUN 26 2017
MOLLY C. DWYER, CLERK
U.S. COURT OF APPEALS

UNITED STATES OF AMERICA,                        No.   16-10197

              Plaintiff-Appellee,                D.C. No.
                                                 2:13-cr-00082-KJM-1
 v.

MATTHEW KEYS,                                    MEMORANDUM*

              Defendant-Appellant.


                   Appeal from the United States District Court
                      for the Eastern District of California
                   Kimberly J. Mueller, District Judge, Presiding

                        Argued and Submitted June 13, 2017
                             San Francisco, California

Before: SCHROEDER and N.R. SMITH, Circuit Judges, and BATTAGLIA,**
District Judge.

      Defendant Matthew Keys appeals his conviction and sentence under the

Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. We affirm.

      * This disposition is not appropriate for publication and is not precedent
except as provided by Ninth Circuit Rule 36-3.

      ** The Honorable Anthony J. Battaglia, United States District Judge for
the Southern District of California, sitting by designation.

      1.     Keys was not subjected to a constructive amendment, which occurs

when (1) the government presents at trial “a complex of facts . . . distinctly

different” from those in the indictment, or (2) the trial proof or jury instructions

alter the crime charged, making it “impossible to know whether the grand jury

would have indicted for the crime actually proved.” United States v. Mancuso, 718

F.3d 780, 792 (9th Cir. 2013) (citation omitted). Neither standard is met here.

      The superseding indictment alleged that, after Keys’s employment ended, he

“kept and used, for malicious purposes, login credentials to the Tribune

Company’s CMS [(content management system)]”; “identified . . . Fox 40 . . . as [a

target] for online intrusion and web vandalism”; “obtain[ed] control of at least one

additional username and password . . . to log in and make changes to Tribune

Company’s CMS”; and intended “to damage computer systems used by Tribune

Company.” These allegations encompassed Keys’s conduct prior to December 8.

Because, after this date, Keys used credentials he created well after his

employment ended, the allegation that he used credentials he kept after his

employment necessarily refers to prior conduct, such as the Fox 40 emails and

creating back-door access. Importantly, the superseding indictment expanded

Count II’s date range. The only practical purpose of this expansion was to add

Keys’s conduct between October 28 and December 8. A common-sense reading of

the indictment as a whole, including facts that were necessarily implied, see United


States v. Livingston, 725 F.3d 1141, 1148 (9th Cir. 2013), shows that the

government tried Keys only on facts presented to the grand jury. Therefore, the

government did not prove a complex of facts distinctly different from those in the

indictment. See Mancuso, 718 F.3d at 792.

      The government did not try Keys for unauthorized access, because Keys’s

use of back doors was CFAA “damage.” 18 U.S.C. § 1030(e)(8). Keys’s illicit

conduct for the entire period of Count II stemmed from the facts that he “kept and

used . . . login credentials to the Tribune Company’s CMS,” and “obtain[ed]

control of at least one additional username and password.” Acquiring and creating

passwords that can be used as back-door access points to a computer system in the

future impair the security of that system. See United States v. Middleton, 231 F.3d

1207, 1212 (9th Cir. 2000);¹ Multiven, Inc. v. Cisco Sys., Inc., 725 F. Supp. 2d 887,

894–95 (N.D. Cal. 2010). Prior to Keys’s conduct, the CMS existed in a certain

state of security. Keys made the CMS far weaker by taking and creating new user

accounts. This manipulation of user accounts and login credentials (not Keys’s

access) impaired the system.

      ¹ Although the provision defining “damage” was amended after Middleton,
“[t]he new [CFAA] version defines ‘damage’ the same way [as the prior version].”
Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 934 (9th Cir. 2004).

      2.     The district court did not allow the jury to consider harms not

cognizable as CFAA damage or loss. Keys makes a scattershot of arguments

concerning damage and loss, none of which is persuasive. Keys’s taking and

creating new user accounts (not downloading the email list) was the CFAA

damage. Middleton, 231 F.3d at 1212. His conduct directly resulted in the damage;

therefore, the damage was not “speculative harm,” as argued by Keys.

      The district court did not err in declining to instruct the jury that information

altered by a defendant was not damaged under the CFAA, if the original version

was not permanently lost. We are not persuaded by the out-of-circuit district court

cases Keys cites, none of which involve circumstances analogous to the alteration

of the L.A. Times website. The temporary unavailability of the original article, and

the posting of an altered version, fall within the statutory definition of “damage”:

“impairment to the integrity or availability of data, a program, a system, or

information.” 18 U.S.C. § 1030(e)(8). The website was not able to function as

intended while the customers could not access the article. The district court

properly instructed the jury using the statutory definitions of “damage” and “loss.”

      3.     By re-styling his contentions on the issues above, Keys argues the

district court admitted unfairly prejudicial evidence. We reject these arguments.

      4.     Concerning the attempt charge, the government presented evidence

sufficient for the jury to find that Keys had the required intent and took a


substantial step toward the offense. See United States v. Gracidas-Ulibarry, 231

F.3d 1188, 1192 (9th Cir. 2000) (en banc). At the time of Keys’s December 15

chatroom discussion with the hacker, Keys knew the hacker had attacked the L.A.

Times only hours earlier. Thus, when the hacker told Keys he was going to alter

the entire front page, Keys knew the hacker was capable. Possessing this

knowledge, Keys showed the required intent when he made an unsolicited offer to

get the hacker back into the CMS and then actually tried to do so.

      Although Keys argues his efforts to get the hacker back into the system

amount only to unauthorized access, gaining access to the CMS is a substantial

step toward accomplishing the damage. In fact, providing access to more skilled

hackers was as far (toward the initial L.A. Times alteration) as Keys was able to

go, based on his computer skills. Although signing into his VPN to cover his tracks

was mere preparation for Keys, by affirmatively trying to take what he knew would

be his final step toward completing the damage, Keys took a “substantial step.” See

United States v. Still, 850 F.2d 607, 609–10 (9th Cir. 1988). The fact that

something outside his control prevented the offense from going forward does not

save him.

      5.     The district court found the amount of restitution by a preponderance

of the evidence, considering evidence with “sufficient indicia of reliability.” See


United States v. Waknine, 543 F.3d 546, 556–57 (9th Cir. 2008) (citation omitted).

Concerning employee response time, the district court did not abuse its discretion

by relying on loss estimates based on employees’ testimonies or on the worksheet

prepared by a Fox 40 executive. In response to Keys’s challenge to inconsistencies

in the employee salary evidence, the district court appropriately re-reviewed the

trial testimony and considered the amount in light of national statistics on the value

of non-liquid employee benefits.

      The government presented evidence that nearly all of the 20,000 Fox 40

Rewards Program members cancelled their participation in response to Keys’s

conduct. Starting essentially from square one, the database took three years to

rebuild. The district court did not abuse its discretion in relying on the Fox 40

executive’s representation that this process cost $200,000. It was appropriate for

the district court to order restitution in the amount it cost Fox 40 to replace the

member database, as it would be difficult to determine the fair market value of

such an asset. See United States v. Kaplan, 839 F.3d 795, 801–02 (9th Cir. 2016).

      The restitution was reasonably based on Fox 40’s actual losses and did not

result in a windfall to the victims. See id. at 802. Keys’s arguments to the contrary

are unpersuasive.

      AFFIRMED.

