How to punish a ‘hacker’? Federal prosecutors go too far in Matthew Keys case
Matthew Keys is not a nice person—at least based on his recent track record. The former Reuters employee helped to vandalize the website of the Los Angeles Times, used a “Cancerman” alias to spam former colleagues, and has engaged in journalistic acts that could be considered mean and irresponsible.
But that doesn’t mean he should face years in federal prison as a hacker.
In case you missed it, Keys was convicted last week for his role in the Times episode, during which he gave away confidential server passwords and encouraged hackers to “go f*** some s*** up.” This led to a fake story being posted on the Times’ website and to Tribune Co. employees being locked out of their accounts.
Keys now awaits sentencing. Judicial guidelines suggest he could serve between six months and three years behind bars. Many people in the technology community are outraged over this, though it’s hardly a surprise that Keys faced criminal charges in the first place.
What Keys did was malicious and it created a headache for the Times, which had to implement a raft of new security measures in response to the breach. Keys has displayed little remorse for his actions.
So what’s the problem? Why is this not simply a case of a hacker getting what he deserves? As Wired and others point out, the trouble with the Keys case is that it’s yet another example of federal prosecutors swinging a sledgehammer of a law in order to punish relatively minor offenses.
The law in question is called the Computer Fraud and Abuse Act, and it can pack a 25-year punch for nearly any alleged crime that involves a computer. Despite its vague language, federal prosecutors regularly trot out the CFAA’s harsh penalties as a trump card over defendants. In the most notorious example, the Justice Department used the CFAA in a relentless legal campaign against Aaron Swartz, a young computer genius who downloaded a database of scholarly articles he obtained from MIT computers without permission. Swartz hanged himself while the prosecution was ongoing.
Keys is not Aaron Swartz, of course. But it’s hard not to see some of the same CFAA-related zeal on the part of the prosecutors. As Keys’ lawyer points out, the government may have conflated different parts of the CFAA—especially those related to harm and damages—in order to tee up a potential penalty of 25 years when it comes time for sentencing.
This must stop. The threat of 25-year prison terms for computer crimes should be reserved for acts like major espionage or large-scale vandalism. Invoking such laws against people like Keys simply discredits the Justice Department and contributes to America’s larger problem of overly ambitious prosecutors.
Correction: an earlier version of this story incorrectly stated Aaron Swartz was a student at MIT.