Yesterday, former Reuters journalist Matthew Keys was sentenced to two years in prison. Keys had been convicted of assisting in hacking the Los Angeles Times website by providing usernames and passwords to members of Anonymous; he had the log-in credentials from having previously worked for a local TV station in California owned by Tribune Media, the same company that owns the L.A. Times.
Here is what the hackers did: They changed the headline on an article — “Pressure Builds in House to Pass Tax-Cut Package” became “Pressure Builds in House to Elect CHIPPY 1337” — as well as the sub-headline and byline. The change was live for 40 minutes. Keys himself did not make the alterations; a user in the chat room where he had posted the credentials did. (According to chat transcripts, he did encourage the cyber-vandalism.) CHIPPY 1337 was never identified or prosecuted.
This past October, Keys was found guilty on three counts of computer hacking under the archaic Computer Fraud and Abuse Act, following a trial in which Tribune had, in some instances, claimed nearly $1 million dollars in loss and damages. Keys continues to assert his innocence.
The exact loss and consequent damages caused by the hack has been in dispute throughout the legal proceedings. The alterations on the article were brief, and Tribune was never able to definitively prove that anyone actually saw them. It seems extremely unlikely that anyone cancelled a subscription because of the defacement, and even less likely that the Times’s credibility as a news organization was threatened. But, the prosecution argued, in the wake of the intrusion, the large media conglomerate did have to go through a comprehensive security audit and upgrade, which adds up to thousands of dollars in time and labor. Minor acts can have major cascading effects.
Still: A brief, minor defacement that led to money spent on beefed-up security doesn’t add up to two years in prison. If you’re wondering how the court reached that sentencing figure, this might help explain it: The Computer Fraud and Abuse Act — the federal law under which Keys was prosecuted — was enacted in 1986. That’s three decades ago, and seven years before the world wide web launched. Computers at the time were the property of corporations and those wealthy enough to afford them, not the widely accessible, fully networked tools they are today. (The CFAA is the same statute used to prosecute famed programmer Aaron Swartz, who committed suicide in 2013.)
The CFAA, among other provisions, makes it illegal to “[access] a protected computer without authorization, and as a result of such conduct, [cause] damage and loss.” The language of the law is vague, to say the least. Humans authorize things by giving permission, and computers authorize actions by accepting log-in credentials.
That vagueness of “unauthorized access” has given prosecutors astronomically wide latitude in what can be prosecuted under the CFAA. If, for instance, you use your ex-boyfriend’s email address and password to log in to Netflix without his knowledge, you are potentially violating the law. It’s often invoked for things that aren’t really hacking in the contemporary sense, but can be defined as such under the CFAA, or in cases where no other charges will stick. As the podcast Reply All put it, prosecutors wield the CFAA in the same way that the tax code was used to convict Al Capone.
Before the sentencing, Keys posted on Medium, in part:
I am innocent, and I did not ask for this fight. Nonetheless, I hope that our combined efforts help bring about positive change to rules and regulations that govern our online conduct. As I’ve previously written, nobody should face terrorism charges for passing a Netflix username and password. But under today’s law, prosecutors can use their discretion to bring those exact charges against people—including journalists—whenever they see fit. Prosecutors did so in this case. Until the law catches up with the times, there’s no doubt that prosecutors will do it again.
All of this is to say that Keys certainly does not deserve two years in prison, and the CFAA needs serious reform. To put this in perspective, just a day prior to Keys’s sentencing, Ethan Couch — who killed four people in a drunk-driving accident in 2013 — was sentenced to two years in prison … for violating his parole.
The Electronic Frontier Foundation has an entire section of its website devoted to advocating for CFAA reform. There are three main tenets: violating a website’s terms of use should not be the basis for a criminal complaint; commonplace circumvention techniques like changing one’s IP address should not be criminal; and, most importantly, the punishment should fit the crime.
The legislative process moves more slowly than the tech industry, and it always will, but lagging 30 years behind is not only ridiculous, it poses a danger to anyone who touches a computer.
