On Wednesday, Matthew Keys, a 28-year-old social-media journalist known for his work at Reuters, was convicted by a California federal jury on three criminal counts, stemming from the defacement of The Los Angeles Times’ website in 2010.
Prosecutors presented evidence that Keys provided the hacker group known as Anonymous with login credentials facilitating the hack, and that he encouraged the hackers to act. Keys had the login info via his time as a web producer for KTXL FOX40; that Sacramento station and the LA Times are both under ownership of the Tribune Company. Prosecutors argued the computer responsible for defacing the website had used the login info Keys shared.
US District Judge Kimberly J. Mueller, who heard the case, will sentence Keys on January 20, 2016. He faces a maximum of 25 years in prison—more than some murderers, rapists, and other violent criminals face. Under the Computer Fraud and Abuse Act (CFAA) he nabbed one count each: conspiracy to transmit information to damage a protected computer, transmitting information to damage a protected computer, and attempted transmission of information to damage a protected computer.
However, the prosecutors in the case say they will seek a significantly reduced sentence.
“We have no intention of seeking 25 years,” Lauren Horwood, the Public Information Officer at the U.S. Attorney’s Office for the Eastern District of California, told The Daily Beast. “The sentencing that we’re going to ask the judge for will be less than five years.”
The 1986 Computer Fraud and Abuse act, under which Keys and others have been prosecuted—such as Chelsea Manning and Aaron Swartz—was an amendment to the Comprehensive Crime Control Act of 1984. In a cruel twist of irony, the same laws that could have put Keys away for 25 years are also at the root of the United States Sentencing Commission, a federal agency formed to adjudicate fair sentencing in federal courts.
This committee was a direct result of the 1984 update of the criminal code, which expanded federal jurisdiction to computer crimes. The USSC sentencing guidelines relating to “certain computer fraud and abuse,” can be “determined without regard to any mandatory minimum term of imprisonment.”
Speaking of minimums, the LA Times claimed the defacement of their site cost them $5,000, though it took about an hour and a few dozen keystrokes to correct the breach. This dollar amount happens to be the minimum required for prosecutors to pursue possible charges under the CFAA.
A couple years after the Times hack, Anonymous went after the website of the US Sentencing Commission. The hackers threatened, via the defaced USSC website, the release of sensitive materials the group supposedly possessed. This was in January 2013, and in response to the very publicized death of Swartz, who hung himself.
Keys is lucky enough to face prosecutors without the bloodlust. However, in the case of Swartz, federal prosecutors dogged the Internet innovator. Swartz faced the same extreme penalties imposed by the CFAA that Keys faces, after downloading a cache of academic documents from MIT servers.
MIT didn’t even want to pursue civil charges. Swartz’s crime—downloading free articles in bulk from a server he had access to—was shown not to be malicious. It was, however, a breach of terms of service. Prosecutors dropped state charges in order to pursue the CFAA punishments, under the charge of United States Attorney for the District of Massachusetts, Carmen Ortiz. She and other federal prosecutors viciously pursued the case, eventually slapping Swartz with 13 felony charges, which meant a possible 30 years behind bars. Understandably, Swartz cracked under the pressure.
As a result of Swartz’s death, Zoe Lofgren, a US Congresswoman for California, and Ron Wyden, a US Senator for Oregon, introduced proposed reforms to the CFAA. The bill didn’t make it through Congress when it first appeared in 2013. But in April of this year (a month after Keys was arraigned) they reintroduced the bill, this time with a co-sign from Rand Paul.
In sum, the so-called “Aaron’s Law” makes the penalties for these crimes proportional, in addition to modifying and clarifying vague or redundant language. It would ensure others would not be prosecuted so drastically for the same terms of service violations Swartz faced.
In the introduction to the bill, Lofrgen wrote:
“The Computer Fraud and Abuse Act is long overdue for reform. At its very core, CFAA is an anti-hacking law. Unfortunately, over time we have seen prosecutors broadening the intent of the act, handing out inordinately severe criminal penalties for less-than-serious violations.”
Just nine days before Aaron’s Law was reintroduced to congress, NY Senator Kirsten Gillibrand introduced two different bills to Congress. Gillibrand brought the Cybersecurity Information Sharing Credit Act and the Data Breach Notification and Punishing Cyber Criminals Act, to the floor. These would further expand federal prosecutors’ powers where the defendant obtained “information from a protected computer without authorization,” protected computer being the key, legally vague phrase of the CFAA as well.
Internet privacy activists say these bills sidestep the issue, while expanding prosecutors’ already egregious powers. “Dressed up as an answer to data breaches,” the Electronic Frontier Foundation wrote, “this proposal is yet another way to avoid addressing the real issues with data breaches: the lack of strong incentives for industry to keep our data safe and the FBI’s concerted efforts to reduce the security we could all enjoy through the use of strong encryption.”
Keys could not be reached for comment.