Matthew Keys sentenced to 24 months in prison. Once again, journalists choose fantasy over facts
Yesterday, journalist Matthew Keys was sentenced to two years in prison for giving hackers access to servers owned by his former employer, the Tribune Company, and encouraging them to “go fuck some shit up.”
The hackers took Keys advice and changed editorial content on the homepage of of the LA Times.
If you've been following earlier coverage of the trial, a two year sentence might seem miraculously low. After all, just a few months back, a string of publications reported that Keys "faced" 25 years in jail for the crime. Twenty four months is just a fraction of that.
And yet, almost all of the coverage of the verdict has expressed outrage that the sentence is so high. What gives?
What gives is that none of the journalists who reported the 25 year threat ever actually believed it. As I wrote at the time, Matthew Keys 'faced' 25 years "like I 'faced' being eaten by an angry lion."
Keys' supporters (and, in many cases, friends) in the media deliberately exaggerated the jail term that might be imposed by the judge in order to stir outrage and fire up the public to demand that cybercrime laws be reformed. In fact, Keys was only ever "facing" a five year maximum term, according to the judge's own recommendation. The reason so many reporters are shocked today is that, despite what they told readers, most reporters only expected Keys to get a few months behind bars, at most.
Let's be clear: Two years is a long sentence and there's a serious discussion to be had around sentencing for hacker-related offences. Is it too long for a professional journalist who encourages hackers to delete or deface the work of his colleages? Does it matter that the damage was quickly fixed and the passwords changed? These are important questions, and ones we should try to answer ahead of Keys' appeal.
But instead of acknowledging their earlier inaccurate reporting, or trying to have a meaningful debate on the facts, those same journalists are once again deliberately misleading readers to maximise outrage over the case.
Take this report on Slate, which turns Keys' two year sentence into a hypothetical attack on anyone who has ever shared a Netflix password:
The CFAA—the same law that ensnared Aaron Swartz, Andrew “weev” Auernheimer, and other notable defendants—gives federal prosecutors the latitude to categorize a wide range of computer-related activity as felonious, and to willfully and regularly conflate the malicious with the innocuous. Have you ever used a friend’s password to access her Netflix or HBO Go accounts without paying for them, or used some other means to evade a paywall or otherwise violate a website’s terms of service? Congratulations! You’re a potential felon.
Let's ignore the obvious problem with putting Aaron Swartz in the same category as a neo-nazi troll. Instead, let's focus the ludicrous assertion that, because a judge sentenced a journalist who encouraged hackers to undermine the First Amendment rights of former colleagues, next he's coming for anyone who shares his Netflix account with a friend.
In no universe is what Keys did similar to giving a friend access to your Netflix accout, unless you happen to be an employee of Netflix and you give your friend admin access with the suggestion that he login and delete a couple of episodes of House of Cards, for the lulz.
Even Slate's reporter seems aware of the ridiculousness of that argument, but presses on with it regardless:
The Department of Justice doesn’t make a habit of prosecuting frugal cord-cutters, of course. But the CFAA is written broadly enough that a U.S. attorney could throw the book at you for so absurdly minor an infraction, if she wanted to. That’s precisely the problem: A law that qualifies basically everything as a crime means that ambitious computer-crime prosecutors can count anything one, and bring criminal prosecutions against people who have no business going to prison.
Yes, that could happen. And again, I could be eaten by that hypothetical lion.
The Keys case is a perfect opportunity to explain the realities of the CFAA and to spark a sensible, meaningful debate around the sentencing of hackers. It could even be an opportunity to ask why sentencing for other, more serious, crimes often seems so low.
But that conversation can't even get started in a meaningful way until journalists and activists start telling readers the truth about what is actually happening, as opposed to the dystopian fantasies playing out in their heads.