Matthew Keys is facing 25 years in jail.
It was announced yesterday that Matthew Keys, a deputy social media editor for Reuters, is being indicted by the US government for providing a member of the hacktivist group Anonymous with login information to the LA Times website. The hacker used that login to allegedly alter an article so that it read: "Pressure builds in House to elect CHIPPY 1337," a reference to the hacker's alias. According to that edited article, Chippy 1337 told the House Democrats to “SUCK IT UP.” Good for Chippy! Sounds harmless, right?
Well, Matthew is facing 25 years in prison and a $500,000 fine for three counts of cybercrime-conspiracy charges. In his indictment, passing off that login information is described as “conspiracy to cause damage to a protected computer”, a charge that by itself is potentially worth five years of jail time. How could a computer be “damaged” by a blog post being edited by an outside source? What constitutes a “protected computer”? Isn’t this just the digital equivalent of vandalism?
The other two counts in Matthew’s case are described even more vaguely, and those are the ones that really matter, since they are worth ten years each – the fairly straightforward allegation that he shared corporate login info with a hacker is only worth five of the 25 years he’s facing. One, an allegation of “transmission of malicious code”, contains a description of his crime that reads:
“Matthew Keys did knowingly transmit a program, information code, and command, and as a result of such conduct, intentionally caused damage without authorization to a protected computer, and the offense caused loss to a person during a 1-year period from the defendant’s course of conduct affecting a protecting period aggregating at least $5,000 in value.”
Uh, what? There are different ways of “transmitting” information, right? Was what Matthew did the equivalent of intentionally sending a virus to the boss of the LA Times, or is what he did more like accidentally forwarding a Viagra spam message that made everyone in the company’s computers run slower? And would either action be worth ten years of his life?
The third count that Matthew is looking down the barrel of is an even more nebulously defined charge of “attempted transmission of malicious code” that essentially repeats the language from the second charge:
“Matthew Keys did knowingly attempt to cause the transmission of a program, information, code, and command, and as a result of such conduct, intentionally to cause damage without authorization to a protected computer.”
I’m no lawyer, but I fail to see how these allegations describe Matthew transmitting anything that could be described as a “program”, and again, the weight of the sentencing seems absurd. How can there be equal sentences for the “attempt” to distribute malicious code and the alleged malicious-code transmission itself? Does this mean Matthew is up against years and years in prison for the process of sending out a virus to important corporate computers?
The root of the problem for Matthew’s legal predicament appears to be twofold: one, the legal language that drives cybersecurity trials in the United States is terrifyingly general, and two, journalists who cover Anonymous sometimes blur the lines between reporting on what the hacktivists do and aiding them.
One only needs to remember the story of Barrett Brown to realise that it’s not at all unprecedented for a journalist who reports on Anonymous to become an active participant in the group. Barrett inevitably stumbled into the role of figurehead for the group, particularly during their attack against the Zetas, the Mexican drug cartel, and he became the target of scrutiny – and criminal charges – as a result. Barrett may have started out simply wanting to find out about Anonymous’s inner workings, but he ended up getting caught sharing a link to stolen internal emails from a security company called Stratfor, which contained credit card information for Stratfor’s customers, then threatening an FBI officer and being accused of concealing evidence. He now faces a century of hard time.
The penalties these men face are absurd. Sure, they should have kept their distance from the active operations of Anonymous, but why is passing off the login information to a website worth a five-year stint in jail? Part of the problem is that the people who write these laws are afraid of, and don’t understand, the internet.
We need to develop some new terms to describe the individuals who manipulate computer systems. We cannot keep calling Russian and Chinese cyberoperatives who are looking to crack the White House’s systems by the same name as someone who uses a borrowed login to manipulate a completely inconsequential piece of data on a media outlet’s website. “Hacker” as a catch-all term is no longer going to cut it in a world where computer manipulation can mean so many different things.
If we can’t manage to do that, then we will continually be plagued by imprecise language that will continue to lead our governments to hand out life-ending sentences to people who don’t deserve them. Barrett Brown and Matthew Keys have never been charged with any type of violent crime, or intentionally directly harmed anyone. We should not be locking these guys up in boxes.
The late Aaron Swartz.
And then there’s Aaron Swartz, the brilliant co-creator of reddit who released academic journal articles into the digital wild. For liberating that information (an act that I’d call nothing more than a beautiful disregard of copyright), he was threatened with a massive sentence by a prosecutor, which may or may not have contributed to his decision to commit suicide. Aaron Swartz’s life and death is by far the most tragic example of the US government’s wildly flawed legal language when it comes to the internet.
We need to stop this insane bullshit now. Cyberwar will only be getting more and more important and widespread as time goes on, and it’s essential that we prepare for the future by not treating all forms of hacking the same and not prosecuting people who share information as if they were war criminals.
Follow Patrick on Twitter: @patrickmcguire
More on hacktivists: