On Thursday afternoon, the Department of Justice announced it had indicted Matthew Keys, the deputy social media editor at Reuters, on one count of conspiracy and two counts of computer fraud. As Slate’s Emma Roller and others have reported, Keys allegedly helped members of the hacker collective Anonymous access the back end of the Los Angeles Times’ website in 2010 and change the content of one of its news stories. Though the damage done was minimal, the consequences for Keys may be severe: the three counts with which he was charged carry a maximum combined penalty of 25 years in prison. To put that in perspective, that’s almost two years for every word that was changed in the hacked Los Angeles Times story in question.
Keys is being charged under the general federal conspiracy statute and under the Computer Fraud and Abuse Act (CFAA), the same act under which Aaron Swartz was charged. And as far as I can tell, just like with the Swartz case, the feds are going to use the threat of a huge maximum sentence to intimidate Keys into accepting a plea bargain. The DOJ doesn’t want to lock Keys up for 25 years, but they’ll be more than happy to pretend they do in order to get the outcome they really want—likely for Keys to spend no more than a few months in jail and provide information about members of Anonymous. (The feds are probably betting this data is stored on the computer and hard drive Keys will be required to hand over if convicted on any of the charges.)
The key charge is the first one—conspiracy to cause damage to a protected computer—although you really have to stretch the commonly understood meaning of the word “conspiracy” in order for the charge to make sense. Basically, Keys used to work for a television station in Sacramento, California, owned by the Tribune Company. After he was fired, he retained access to the TribCo computer systems, and he shared some logins and passwords with Anonymous members, encouraging them to “go fuck some shit up,” which they did, in a manner of speaking.
“It was part of the conspiracy to alter the online version of a news feature published on the web site of the Los Angeles Times,” the indictment alleges, and the “conspiracy” was successful, I guess: a single Los Angeles Times news story was altered to display humorously false content (“Pressure builds in House to elect CHIPPY 1337”) for like 30 minutes. That’s it. But judging by the indictment, the government probably has a case against Keys on this charge, however unfair it may seem.
Nonetheless, the charges under the CFAA seem outrageously severe. Keys is charged with transmitting and attempting to transmit malicious code, which in this case, as far as I can tell, just means that he shared his login and password with members of Anonymous. Each of these charges carries a maximum penalty of 10 years in prison. The trouble with our current computer laws is that they are so ridiculously vague that they can be used to justify garbage charges like these. When the CFAA was passed in 1984, most of the world wasn’t networked, and the law was meant to prosecute sophisticated, malicious hackers who targeted government computers or the financial system. Now the entire world is networked, but the CFAA still reads as if universities and the Department of Defense are the only institutions with Internet access. Why hasn’t the law been changed to sufficiently reflect the times? I suspect the CFAA has been left intentionally vague so that prosecutors can use it as a bludgeon—a catch-all statute that amps up prison time and frightens suspects into plea-bargaining.
The government wants Anonymous pretty badly, but I’m not sure what their actual game is here. Do they think Keys will roll over and lead them to other Anonymous members in exchange for a reduced sentence? Are they trying to make an example out of Keys so that other people will think twice before cooperating with Anonymous? Or are they simply being disproportionate and unreasonable out of habit? Apparently, they didn’t take away any lessons from the Aaron Swartz case.