                           NOT FOR PUBLICATION

                    UNITED STATES COURT OF APPEALS
                                                                           FILED
                            FOR THE NINTH CIRCUIT
                                                                           JUN 26 2017
                                                                        MOLLY C. DWYER, CLERK
                                                                         U.S. COURT OF APPEALS
UNITED STATES OF AMERICA,                        No.   16-10197

              Plaintiff-Appellee,                D.C. No.
                                                 2:13-cr-00082-KJM-1
 v.

MATTHEW KEYS,                                    MEMORANDUM*

              Defendant-Appellant.


                   Appeal from the United States District Court
                      for the Eastern District of California
                   Kimberly J. Mueller, District Judge, Presiding

                        Argued and Submitted June 13, 2017
                             San Francisco, California

Before: SCHROEDER and N.R. SMITH, Circuit Judges, and BATTAGLIA,**
District Judge.

      Defendant Matthew Keys appeals his conviction and sentence under the

Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. We affirm.

      1.     Keys was not subjected to a constructive amendment, which occurs

      *
             This disposition is not appropriate for publication and is not precedent
except as provided by Ninth Circuit Rule 36-3.
      **
            The Honorable Anthony J. Battaglia, United States District Judge for
the Southern District of California, sitting by designation.
when (1) the government presents at trial “a complex of facts . . . distinctly

different” from those in the indictment, or (2) the trial proof or jury instructions

alter the crime charged, making it “impossible to know whether the grand jury

would have indicted for the crime actually proved.” United States v. Mancuso, 718

F.3d 780, 792 (9th Cir. 2013) (citation omitted). Neither standard is met here.

      The superceding indictment alleged that, after Keys’s employment ended, he

“kept and used, for malicious purposes, login credentials to the Tribune

Company’s CMS [(content management system)]”; “identified . . . Fox 40 . . . as [a

target] for online intrusion and web vandalism”; “obtain[ed] control of at least one

additional username and password . . . to log in and make changes to Tribune

Company’s CMS”; and intended “to damage computer systems used by Tribune

Company.” These allegations encompassed Keys’s conduct prior to December 8.

Because, after this date, Keys used credentials he created well after his

employment ended, the allegation that he used credentials he kept after his

employment necessarily refers to prior conduct, such as the Fox 40 emails and

creating back-door access. Importantly, the superseding indictment expanded

Count II’s date range. The only practical purpose of this expansion was to add

Keys’s conduct between October 28 and December 8. A common-sense reading of

the indictment as a whole, including facts that were necessarily implied, see United


                                           2
States v. Livingston, 725 F.3d 1141, 1148 (9th Cir. 2013), shows that the

government tried Keys only on facts presented to the grand jury. Therefore, the

government did not prove a complex of facts distinctly different from those in the

indictment. See Mancuso, 718 F.3d at 792.

      The government did not try Keys for unauthorized access, because Keys’s

use of back doors was CFAA “damage.” 18 U.S.C. § 1030(e)(8). Keys’s illicit

conduct for the entire period of Count II stemmed from the facts that he “kept and

used . . . login credentials to the Tribune Company’s CMS,” and “obtain[ed]

control of at least one additional username and password.” Acquiring and creating

passwords that can be used as back-door access points to a computer system in the

future impair the security of that system. See United States v. Middleton, 231 F.3d

1207, 1212 (9th Cir. 2000);1 Multiven, Inc. v. Cisco Sys., Inc., 725 F. Supp. 2d 887,

894–95 (N.D. Cal. 2010). Prior to Keys’s conduct, the CMS existed in a certain

state of security. Keys made the CMS far weaker by taking and creating new user

accounts. This manipulation of user accounts and login credentials (not Keys’s

access) impaired the system.

      2.     The district court did not allow the jury to consider harms not


      1
        Although the provision defining “damage” was amended after Middleton,
“[t]he new [CFAA] version defines ‘damage’ the same way [as the prior version].”
Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 934 (9th Cir. 2004).
                                          3
cognizable as CFAA damage or loss. Keys makes a scattershot of arguments

concerning damage and loss, none of which is persuasive. Keys’s taking and

creating new user accounts (not downloading the email list) was the CFAA

damage. Middleton, 231 F.3d at 1212. His conduct directly resulted in the damage;

therefore, the damage was not “speculative harm,” as argued by Keys.

      The district court did not err in declining to instruct the jury that information

altered by a defendant was not damaged under the CFAA, if the original version

was not permanently lost. We are not persuaded by the out-of-circuit district court

cases Keys cites, none of which involve circumstances analogous to the alteration

of the L.A. Times website. The temporary unavailability of the original article, and

the posting of an altered version, fall within the statutory definition of “damage”:

“impairment to the integrity or availability of data, a program, a system, or

information.” 18 U.S.C. § 1030(e)(8). The website was not able to function as

intended while the customers could not access the article. The district court

properly instructed the jury using the statutory definitions of “damage” and “loss.”

      3.     By re-styling his contentions on the issues above, Keys argues the

district court admitted unfairly prejudicial evidence. We reject these arguments.

      4.     Concerning the attempt charge, the government presented evidence

sufficient for the jury to find that Keys had the required intent and took a


                                           4
substantial step toward the offense. See United States v. Gracidas-Ulibarry, 231

F.3d 1188, 1192 (9th Cir. 2000) (en banc). At the time of Keys’s December 15

chatroom discussion with the hacker, Keys knew the hacker had attacked the L.A.

Times only hours earlier. Thus, when the hacker told Keys he was going to alter

the entire front page, Keys knew the hacker was capable. Possessing this

knowledge, Keys showed the required intent when he made an unsolicited offer to

get the hacker back into the CMS and then actually tried to do so.

      Although Keys argues his efforts to get the hacker back into the system

amount only to unauthorized access, gaining access to the CMS is a substantial

step toward accomplishing the damage. In fact, providing access to more skilled

hackers was as far (toward the initial L.A. Times alteration) as Keys was able to

go, based on his computer skills. Although signing into his VPN to cover his tracks

was mere preparation for Keys, by affirmatively trying to take what he knew would

be his final step toward completing the damage, Keys took a “substantial step.” See

United States v. Still, 850 F.2d 607, 609–10 (9th Cir. 1988). The fact that

something outside his control prevented the offense from going forward does not

save him.

      5.     The district court found the amount of restitution by a preponderance

of the evidence, considering evidence with “sufficient indicia of reliability.” See


                                           5
United States v. Waknine, 543 F.3d 546, 556–57 (9th Cir. 2008) (citation omitted).

Concerning employee response time, the district court did not abuse its discretion

by relying on loss estimates based on employees’ testimonies or on the worksheet

prepared by a Fox 40 executive. In response to Keys’s challenge to inconsistences

in the employee salary evidence, the district court appropriately re-reviewed the

trial testimony and considered the amount in light of national statistics on the value

of non-liquid employee benefits.

      The government presented evidence that nearly all of the 20,000 Fox 40

Rewards Program members cancelled their participation in response to Keys’s

conduct. Starting essentially from square one, the database took three years to

rebuild. The district court did not abuse its discretion in relying on the Fox 40

executive’s representation that this process cost $200,000. It was appropriate for

the district court to order restitution in the amount it cost Fox 40 to replace the

member database, as it would be difficult to determine the fair market value of

such an asset. See United States v. Kaplan, 839 F.3d 795, 801–02 (9th Cir. 2016).

      The restitution was reasonably based on Fox 40’s actual losses and did not

result in a windfall to the victims. See id. at 802. Keys’s arguments to the contrary

are unpersuasive.

      AFFIRMED.


                                            6
