Just in case you thought that the federal government would be satisfied with massively overcharging Aaron Swartz and Barrett Brown, we now have the case of Reuters social media editor Matthew Keys (@TheMatthewKeys).
Seems that a grand jury indictment has been filed in Sacramento, alleging that Keys participated in an online chat where he gave Anonymous hackers login credentials for his former employer, the Tribune Company, possibly in exchange for access to the IRC channel where Anonymous hackers were discussing future exploits, and possibly out of disapproval of the Tribune Company using paywalls. The indictment alleges that he told the channel to “go f*** some sh** up”. A hacker then used those credentials to alter, for about half an hour, a story on the Tribune website, so that it claimed that a hacker called “Chippy 1337” was about to be “elected head of the [U.S.] Senate”, to which Keys apparently responded “Nice”.
May I take a moment? [Sips glass of water] Thank you. [Deep breath]
ARE YOU HIGH? WHAT GODDAMN MORON IS WASTING HIS TIME WITH THIS CRAP? THEY RUN OUT OF CRIMES IN SACRAMENTO? THEY BETTER HAVE SOLVED ALL THOSE 137 RAPES REPORTED THIS YEAR ALREADY. OH, I’M SO SORRY, TRIBUNE COMPANY, ONE OF YOUR ONLINE STORIES WAS DEFACED FOR HALF AN HOUR, IT WAS COMPLETELY REVERSIBLE, KEYS ISN’T EVEN THE HACKER CONCERNED, AND HE’S BEING THREATENED WITH A DECADE IN THE JOINT AND $750,000 IN FINES? WHAT WERE YOU THINKING?
That’s better. Come along with me, and let’s look more closely at the indictment. The exact charges are:
one count each of conspiracy to transmit information to damage a protected computer, transmitting information to damage a protected computer and attempted transmission of information to damage a protected computer.
The charges appear to refer to section 5(a) of the CFAA, which criminalizes anyone who:
knowingly causes the transmission of a program, information, code, or command, …
This is clearly aimed at people who send viruses, but “information” may arguably be broad enough to cover a username and password.
…and as a result of such conduct, intentionally causes damage without authorization, to a protected computer
There are two obvious points to make relating to this language.
First, it is hard to envision what “damage” may have been done to a protected computer. If a webpage stored on my computer were hacked, I would not consider my computer “damaged”. At worst, I might have to change a password to prevent future intrusions – something the Tribune Company should have done anyway, if an employee from some time ago still had valid credentials – but nothing about the computer itself, its hardware or its applications, would have been damaged.
Second, it’s hard to envision that a computer owned by the Tribune Company classes as a “protected computer” under the Act. “Protected computers” appear to have been envisioned as US government computers, computers at atomic energy facilities, and computers “used in or affecting interstate or foreign commerce or communication”. Under the CFAA, “protected computers” are a subset of and not coextensive with “computers” in general, which are defined separately. Under routine rules of statutory construction, that distinction must mean something, or they wouldn’t have put it in. Therefore, the rationale for classing a Tribune Company computer as being “used in or affecting interstate or foreign commerce or communication” must be something more than, say, that it is connected to the Internet and therefore accessible from states that are not California, because that would at this point include more or less all computers in California. I do not see how the prosecution would meet its burden of showing that the computer in question is a “protected computer”.
The defacement was childish, sure. Let’s stipulate to that. Let’s imagine, for instance, that my brother Toby encouraged my brother Greg to break through my passwords and retitle one of my posts “ALEX BLOWS GOATS. I HAVE PROOF” as a prank.
[Toby, Greg: This is not an invitation.]
Would I be pissed? Sure. Would I call the cops round to threaten Toby with a decade in jail and a fine massive enough to force him into bankruptcy? No, I would not, because that would make me a monumental jerk.
This is not about the actual crime committed. Prosecutors don’t lightly bring a prosecution on charges that most people would find laughable. They have reputations to protect too. Just as with the Barrett Brown prosecution, this is about Anonymous, and about the fact that Anonymous – sometimes intentionally – spooks powerful people.
Anonymous is a thoroughly anarchic, shifting set of people who, as individuals or small groups, do stuff that is sometimes childish, sometimes funny, sometimes awesome and sometimes illegal. Yet as a result of their collective defense of Wikileaks, the US government conceives of them and the culture they represent as a major threat. They therefore aim to cut off their support and discourage people from working with or helping Anons in any way.
Whether this childish prank was illegal or not is very doubtful. With a jaundiced eye and an infinite budget, an aggressive prosecutor could possibly squeeze something out of it, but the same could be said for half of the conduct on the Internet. It’s such a marginal, half-assed sort of activity that a reasonable prosecutor with a limited budget would surely focus on other things, like, say, the 137 rapes or the 36 murders reported in Sacramento this year. To focus on this at all suggests that it’s political. To threaten a member of the public who did no hacking himself with a ludicrously long sentence undermines faith in the law, and is as childish as the prank itself.