We've written a few times now about the somewhat bizarre Matthew Keys
case. While he still denies having done anything, he has been found guilty
under the CFAA for sharing the login information to the Tribune Company's computer systems, which apparently resulted in someone hacking a story on the LA Times website. The hack was nonsensical and lasted for all of about 40 minutes. There's no indication that this bit of vandalism did any actual harm -- or even that very many people saw it. And yet... the Feds had to work overtime to figure out how to turn this minor bit of vandalism (which everyone agrees Keys did not actually do directly) into nearly $1 million in damages
(thanks to emails that the Tribune Company says were worth $200+ each, and random claims about "ratings declines" due to a separate incident involving Keys and the Tribune-owned TV station Keys used to work for).
When he was found guilty, the prosecutors told the press that they would likely ask for "less than five years" at sentencing, but apparently that's been turned into asking for exactly five years
. You can read the full filing here
The United States recommends that the Court impose a sentence of sixty months imprisonment. The Probation Department’s recommendation of eighty-seven months is reasonable and the best way to promote sentencing uniformity. But this prosecutor has been with this case since its inception in 2010 and submits that a five-year sentence as sufficient, but not greater than necessary, to comply with the purposes of sentencing. A sentence of five years imprisonment reflects Keys’s culpability and places his case appropriately among those of other white collar criminals who do not accept responsibility for their crimes.
Even assuming that the DOJ's claims about what Keys did are entirely accurate, Keys comes off as an immature jackass, rather than some sort of criminal hacking mastermind. It's difficult to see how that is worth five years in jail. Much of the DOJ's reasoning is because Keys has continued to assert his innocence. And while the DOJ does seem to have a fair amount of evidence that Keys did some fairly stupid and immature stuff, insisting he is innocent shouldn't be a reason to lock him up longer. The DOJ keeps going back to some stupid stuff Keys was accused of doing with a database of information he apparently had access to from the TV station -- including emailing people in the TV station's database with misleading messages -- but even the DOJ admits that this wasn't what the trial was about, and much of the evidence related to it was "redacted before it went to the jury" because it "created a substantial risk that the jury might read it and return a verdict based on something other than the elements of the offense."
So the DOJ recognizes that... but still argues he should be sentenced for those very same things that are not elements of the offense he's been charged with.
“Worried” would be an understatement for the emotions of at least one Fox 40 viewer. The Court will recall that Mercer told “Cancer Man” that Mercer had just talked down a tearful elderly woman who had been having a “panic attack” over the emails while her husband was in kidney failure. The Court ordered this and Keys’s reaction redacted before it went to the jury. The Rule 403 exclusion meant that the Court thought the unredacted email would have created a substantial risk that the jury might read it and return a verdict based on something other than the elements of the offense. The Government respects the Court’s ruling. The way Keys reacted shows he is a different and worse kind of person. Keys ridiculed the station for “reporting to the old folks home” and casually passed judgment on the poor woman for having her priorities “in the wrong place there.” ... Keys’s haughty, cold reaction to that woman’s suffering was the other reason that Mercer said he came to take a personal interest in the outcome of this case.... The Court should sentence to reflect the characteristics of the Defendant.... Keys’s characteristics include narcissism and an arrogant indifference to the suffering of innocent and vulnerable people.
Again, from all of this, Keys clearly comes off as an immature jackass -- but that's not necessarily a reason to lock someone up.
Meanwhile, Keys' lawyer has filed a much longer sentencing memorandum
arguing for no jail time at all for Keys, still arguing that Keys' actions were all part of an investigative reporting effort. Considering that the court has pretty much already rejected this line of thinking, I'm not sure it's going to be very effective here either. There's a huge section in the memorandum about Keys' history working in journalism (going back to school), most of which I'm guessing the court will ignore as well -- though the detailed explanations of his more recent investigative reporting does act as something of a counterbalance to the DOJ presenting him as nothing more than a petty internet vandal, annoyed at his former employer.
Despite his indictment, Matthew continued to report on matters of crucial public interest, bringing to light important facts on critical matters that, without his reporting, may never have seen the light of day. Taken as a whole, his commitment to journalism also demonstrates a commitment to public service. At a time when other journalists concern themselves with which burrito restaurant a presidential candidate patrons or the numerous antics of a real estate mogul-turned-politician, it someone who has dedicated serious personal and professional effort, sometimes at his own considerable expense, to research and publish impactful stories on topics that matter to the public, should not be incarcerated. If he were to be sentenced to any prison term, people in positions of authority who will go unchecked and stories of public importance that will go untold.
Frankly, I find this stuff to be about as relevant as the stuff about Keys being kind of a jerk to his former employer. Neither thing is at issue in this case. So it shouldn't be reflected in the sentencing either.
What seems much more relevant is discussions about people who actually
were breaking into computers and doing forms of computer vandalism... and who weren't penalized nearly as much as the DOJ is seeking for Keys, who is charged with just handing over a login and encouraging people to hack stuff (which only resulted in very minor vandalism).
But the biggest issue of all is the fact that, despite all of this, no one has ever gone after the actual hacker
who did the vandalism, who goes by the name "sharpie." UK officials apparently know who sharpie is and told the FBI (it's someone in Scotland), and yet, still, no one has done anything about it If what Keys did is deserving of five years in jail, why does no one even think about going after the person who actually made the edits to the Tribune website?
George David “Sharpie”. Sharpie was the individual who actually accessed the Tribune Companies CMS and caused the damage Matthew was convicted for. Sharpe was never charged on either side of the Atlantic. He was visited once at his home in Scotland by the FBI and Scotland Yard. He spoke to them and that was the last of his contact with this case.
Either way, this case, yet again, demonstrates the ridiculousness of the Computer Fraud and Abuse Act
(CFAA). Even if we accept that Keys did some immature things, this case is about a minor vandalism of a website. Hell, many years back, someone hacked into Techdirt and did much more serious vandalism (deleting the most recent 10 stories and all the comments), and if whoever did that was ever found, I wouldn't even want them sent to jail at all. That seems like a pretty extreme punishment for what honestly amounts to little more than internet graffiti.
If I had to guess, I'd predict that the judge will side with the DOJ, because that's what judges quite frequently do. The DOJ has done a good job distracting from the actual issues involved in this case and focusing it on other, unrelated issues, while painting Keys as something of a jerk. But on the actual issue of the CFAA, the whole thing seems like a massive stretch. Unfortunately, I think Keys' lawyers own filing is somewhat weak. It should have focused much more clearly on a few issues, rather than overloading it with what feels like a rambling attempt to throw every possible idea at the wall to reduce the jail term. His lawyer correctly notes that if the DOJ's focus is on "deterrence" that has already happened. Keys was fired from his job at Reuters, and no major news organization will hire him these days. That seems like plenty of deterrence for his activities. What, exactly, is five years in jail going to do at this point?