After a six-day trial that involved hours upon hours of technical testimony, a federal jury on Wednesday, June 6, convicted former San Francisco resident Ross M. Colby of two felonies and three misdemeanors relating to computer hacking that preceded the Sept. 17, 2015, take-down of Palo Alto Online and four other websites of parent company Embarcadero Media.
The jury of eight women and four men deliberated for a day and a half. Sentencing is set for Sept. 19. For each of the felony convictions, Colby faces a fine of up to $250,000, a prison term not to exceed 10 years, or both, according to indictment documents. He also faces a fine of up to $100,000 and a maximum one year in prison for each of the three misdemeanors. (The actual sentence will be affected by factors including past criminal record, if any, cooperation in the case and the judgment of the court.)
Colby, 35, at one time worked for the former EMC Corporation as a software engineer. He was also employed as the chief security officer and IT administrator at Earnest, a San Francisco-based personal- and student-loan lender, where he reviewed data-compliance contracts between the lender and large clients such as Goldman Sachs, Verizon, Nationwide, AARP and Intuit, according to court documents.
He did not express emotion as the five guilty verdicts were read. He did not testify during the trial nor were there any witnesses called for the defense, which relied on raising doubts about the prosecution's evidence. The case went to the jury on Tuesday morning.
Jurors found Colby guilty of one felony count for transmitting a program, code, command, or information to a computer, intending to cause damage; one felony count of attempting to do the same; and three misdemeanor counts of unlawfully obtaining information from a protected computer.
During the trial, the prosecution presented as evidence a trail of IP addresses linked to Colby that had been used to access Embarcadero Media's accounts and data -- including the accounts of the three IT employees -- more than 200 times.
Three jurors, who asked not to be identified, said the jury deliberations were extensive and difficult. They said the jury ultimately rejected the defense's theory that another person could have been responsible for the hacks.
"The most compelling evidence was his (Colby's) access via the VPN (a private internet address allowing user anonymity) and to his email account," said juror 11, a statistical research manager.
There was enough of an overlap between his access to the Embarcadero accounts and his own email accounts from the same IP addresses to find he was the culprit, she said.
Juror 10, a software engineer, said it wasn't believable that another person might have hacked the company, as had been suggested by Colby's attorney.
Juror 11 agreed.
"The common-sense explanation stood out to me versus it all being a setup," she said. "I believed the testimony of the roommate," who testified that Colby had told him he had hacked a news website.
Juror 5 said he and juror 1, who are both software engineers, weren't initially convinced by the IP-address evidence alone.
"We wanted to be convinced by more logs. The IP addresses alone seemed insufficient to convict, but the defense did not raise enough questions regarding someone else having done it," he said.
Juror 11 said they did their own digging into the logs and sent questions to the judge regarding the scope of their responsibilities.
The fact that much of the evidence was circumstantial was not problematic, she said.
"With cyber-crimes, there are a lot of cases where you won't have direct evidence. You won't have video showing someone sitting at a keyboard committing the crime. It was all circumstantial," she said. In these kinds of cases, she added, jurors must ask themselves, "How do we convict people of cyber-crimes without direct evidence?"
Embarcadero Media Publisher and President Bill Johnson was present throughout the trial and as the verdict was read.
"We are grateful to the FBI and federal prosecutors for their hard work on this case, and for the jury's patience in digesting an enormous amount of technical information. This was not only a sophisticated attack on our business but also on the First Amendment and the work we do as journalists in the public interest," he said.
U.S. Assistant Attorney Joseph Springsteen, during his closing argument prior to the jury deliberations, noted the gravity of the hack, which prosecutors said was strategic.
"Make no mistake. This was not a prank; this was not a harmless act. ... It's not vandalism. It was a serious and targeted attack on Embarcadero Media," he said on June 1.
The hack caused more than $32,000 in damage, but there was also damage done to Embarcadero's reputation, Springsteen said. It is ironic that Embarcadero Media, which was the first newspaper in the United States to have published its news on the World Wide Web, should have been targeted, he noted.
"These acts brought (an institution) of the community for 40 years to its knees. Imagine how vulnerable they must have felt -- how helpless," he said.
"The defendant did it over and over and over again. It's not casual. This is not brief. It was methodical and repeated and intentional," he said.
During her closing arguments, Defense Attorney Vicki Young argued that there was insufficient evidence tying Colby to the intrusions. She said that since some intrusions into the Embarcadero systems had come from a virtual private network (VPN) and therefore were not traceable, another person besides Colby could have been responsible. She also argued that intrusions made from the IP address at Colby's San Francisco residence were made on two days in July 2015 when, his father testified, he had been visiting the family home in Massachusetts.
But federal Prosecutor Susan Knight said Colby's father's testimony was vague and not credible regarding the timeline of his son's presence in Massachusetts. Knight said the evidence showed Colby was still in San Francisco from July 23-25. Colby not only accessed Embarcadero IT employee Cesar Torres' account on those days, but he also accessed his own personal email from San Francisco.
The same virtual private network (VPN) IP address used in one of the hacks was also used to log in to Colby's personal email and Facebook accounts, Knight said, citing evidence presented at trial.
This was the evidence the jurors said they found most compelling.
Colby declined to comment after the verdict. Currently a Richmond, California resident, he remains out of custody on $50,000 bail.