Matthew Keys, a 29-year-old journalist, was sentenced to two years in prison this April after being convicted on three felony counts related to the Computer Fraud and Abuse Act (CFAA). Calling Keys a disgruntled ex-employee of the Tribune Company, federal prosecutors accused him of passing his log-in credentials along to hackers associated with Anonymous, the decentralized network of activists known for creating mischief for governments, corporations, and others. The hackers, prosecutors said, used his log-in info to briefly deface a single page on the Los Angeles Times website in 2010.
Keys maintains his innocence, though he admits to having infiltrated several Anonymous-affiliated chat rooms for stories he wrote about the group. His troubles began, he says, when he refused to hand over his source material to FBI agents who were also investigating the hacktivists.
Associate Editor Anthony L. Fisher talked to the convict in April.
Q: What happened between you and the FBI?
A: They approached me first as a journalist, but when I refused to share my source material they decided the best way to get access to the material was through a criminal investigation. So they came to my apartment at 5:45 in the morning, interviewed me for two hours, and seized my hard drive. Then I didn't hear anything for months. In March 2013 the indictment came down, and I heard about it on Twitter.
[The jury] never got to hear that these were felony charges, that it could mean 25 years. The court wants the jury to find on the fact of the case—just the evidence put before them and the specific question the judge puts before them, which is, "Do you think this guy did this?"
Q: All this for a webpage being defaced for less than an hour? Why was the prosecution so heavy-handed?
A: It's Sacramento. How many computer crimes cases come across this prosecutor's desk? Not a whole lot. He needs to justify his own existence. This was a case of opportunity for him; he wanted to make a name for himself. At the end of the day, violations of the CFAA qualify as terrorism. When you prosecute under this statute, you can justify more federal funding for terror investigations.
Q: What else falls under the CFAA?
A: Everything from stealing trade secrets to sharing your Netflix user name and password.
Q: It seems like the CFAA covers so much ground, it's bound to be abused.
A: I've spoken to developers at Apple, who were speaking for themselves, not as representatives of the company, that are concerned this law could be used against them while they're testing products. It's an antiquated law created [in 1986] before the World Wide Web even existed. It's never caught up with the times.
Let's say you share your Netflix password with a friend or a family member. You also happen to be working on a story about a massive leak of government secrets, and the government would really like to know what you have. They could do exactly what they did to me, to you. They'll investigate this crime to get to your source material. That seems like it shouldn't be allowed to happen.
This Justice Department has impersonated Associated Press reporters and gotten the phone logs of AP reporters. They've tried to go after two journalists, James Risen [of The New York Times] and James Rosen [of Fox News], in two different leak investigations, threatening them both with jail time if they didn't reveal their sources. When you really think about it that way, [my hypothetical] doesn't seem so conspiratorial, does it?