One of the basic tenets of a civilized society is that the punishment should be proportionate with the crime. What essentially amounts to vandalism should not result in even the remote possibility of a 25-year jail sentence. But that very possibility is on the table in the government’s case against journalist Matthew Keys, whose sentencing hearing is about one month off. The case is an illustration of prosecutorial discretion run amok—and once again shows why reform of the federal anti-hacking statute, the Computer Fraud and Abuse Act (CFAA), is long overdue.
The case arises out of Keys turning over the username and password of the content management system of his former employer, the Tribune Company, to members of Anonymous in an online chat room. An individual going by the name of “Sharpie” then used the credentials to log into the Tribune system and made some relatively silly changes to an Los Angeles Times article—such as changing the title from “Pressure builds in house to pass tax-cut package” to “Pressure builds in House to elect CHIPPY 1337.” The original article was restored in approximately 40 minutes, and Tribune blocked access to its content management system.
Obviously, as Assistant U.S. Attorney Matthew Segal put it, “This is not the crime of the century.” But the government still charged Keys with three federal felony violations of the CFAA: conspiracy to cause damage to a protected computer, transmission of computer code that resulted in unauthorized damage, and attempted transmission of malicious code to cause unauthorized damage. Keys was convicted on all three counts and faces a maximum punishment of 25 years in federal prison—10 years each for the first two offenses and 5 years for the third. This case underscores how computer crimes are prosecuted much more harshly than analogous crimes in the physical world.
Why CFAA Maximums Matter
It’s true that Matthew Keys’ actual potential jail sentence could be significantly less than 25 years. The government has actually signaled—but not promised—that it will "likely" seek less than 5 years. And it’s conventional wisdom that maximum punishments may sometimes be a ploy to capture the public’s attention.
But as we’ve explained before, the maximum punishment can impact calculations pursuant to the United States Sentencing Guidelines. For instance, many prosecutors and judges use the maximum punishment as an indicator of how serious the crime is. They also ratchet up pressure on defendants to plea bargain or settle—after all someone facing 25 years is more likely to agree to serve five than someone facing a maximum of five year penalty.
Damages and the CFAA
Under the CFAA in particular, the amount of damages claimed can also result in a longer prison sentence. More dollar loss means more prison time for the defendant. And here, the government has argued that due to the approximately 40 minutes that the defaced article was up, the Tribune Company incurred losses of $929,977.00.
That math just doesn’t add up. The government has used events completely unrelated to the alleged CFAA violations to derive the number. For instance, the government has alleged that after his departure from the Tribune Company, Keys sent harassing emails to former coworkers and viewers, and reset the password of a former coworker. The government has rolled the supposed damages from those incidents into Keys’ prosecution, despite the fact that the conduct has not been affirmatively tied to Keys, and that sending harassing emails is not a crime under the CFAA. There is also evidence that Tribune Company employees knew exactly what was needed to move the federal prosecution forward. As WIRED points out from emails introduced at trial, a manager at the Tribune Company’s KTXL Fox 40 television station (where Keys worked) asked a company lawyer “if you bill $1,000 an hour, that would help us get this prosecuted.”
This leads to an obvious question—how much of the claimed “damages” are actually the result of “hacking” and how much are part of an attempt to ratchet up loss to ensure a felony CFAA conviction?
Prosecutorial Discretion
The government certainly seems to be making an example out of Matthew Keys—as it did in the tragic case of Aaron Swartz. Meanwhile, the government hasn’t even gone after the individual who actually made the changes to the LA Times article.
The Second Circuit Court of Appeals, which recently held that the CFAA does not apply to violations of employer-imposed use restrictions, stated that “[w]hile the Government might promise that it would not prosecute an individual [for violating its employers terms of use], we are not at liberty to take prosecutors at their word in such matters. A court should not uphold a highly problematic interpretation of a statute merely because the Government promises to use it responsibly.”
And with the Matthew Keys’ prosecution, it appears true that prosecutors can’t be trusted to not abuse their prosecutorial discretion. It is questionable whether this case should have been charged in the first place, and yet Keys is now facing up to 25 years in prison.
“The Law That Sticks”
After Keys was convicted in October 2015, ReplyAll put out a podcast about the CFAA and quite appropriately described it as “the law that sticks.” It has, after all, been on the books for 30 years. And as this case demonstrates, it’s time for reform. The statute serves as a vehicle for abuse by prosecutors—who are using what was supposed to be an “anti-hacking” statute to make examples out of individuals for relatively mundane online behavior.
Keys’ sentencing hearing is on January 20, 2016. We hope that the sentencing judge will pay attention to the actual damage here—a vandalized website for 40 minutes, and not be swayed by the digital context and the draconian scope of the CFAA.
Update: Keys was sentenced on April 13, 2016 for 24 months. Keys' lawyers have said they intend to appeal the verdict.