The Matthew Keys Case, the CFAA, and Why Maximum Sentences Matter
In the wake of social justice activist Aaron Swartz's tragic death, Internet users around the country are taking a hard look at the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking law. The CFAA has many problems and users can contact their representative to demand reform. In this two-part series, we'll explore the specific problems with federal sentencing under the CFAA.
Yesterday, the Department of Justice (DOJ) announced the indictment of journalist Matthew Keys for violating the CFAA. According to the indictment, Keys turned over the username and password to the content management system (CMS) of the Tribune Company, his former employer, to a member of Anonymous in an IRC chatroom. The person logged into the CMS, and changed a news story appeared on the L.A. Times’ website for approximately 30 minutes. The page was quickly taken down and access into the CMS was blocked.
For allegedly aiding this act of vandalism, Keys was charged with three felony crimes: conspiracy to cause damage to a protected computer, transmission of malicious code (i.e., the username and password) and attempted transmission of malicious code.
As seems to be standard DOJ protocol these days, its press release played up the possibility of an extremely long jail sentence for a crime that caused little harm, noting that Keys faced a maximum punishment of 10 years for two of the counts and five years for the third—totaling twenty-five years.
DOJ employed the same tactic in its prosecution of Aaron Swartz, noting he faced a maximum sentence of 35 years in its press release announcing the case. After Swartz’s suicide, Attorney General Eric Holder was dragged to Congress to defend the prosecution and he claimed there was no way Swartz was going to receive 35 years and that instead prosecutors would “look at the conduct regardless of what the statutory maximums were and to fashion a sentence that was consistent with what the nature of the conduct.”
More broadly, this case underscores how computer crimes are prosecuted much more harshly than analogous crimes in the physical world. For example, count one of Keys’ indictment charges him with conspiracy to cause damage to a protected computer. The damage was altering a news article, the equivalent of vandalism. Under the CFAA, this is a felony with a maximum punishment of five years in prison. Meanwhile, California state law criminalizes physical vandalism – like spray painting graffiti on a freeway sign– as a “wobbler” meaning it can be punished as either a misdemeanor—which comes with a maximum of a one year sentence—or a felony. If charged as a felony, the court can impose a sentence of 16 months, 2 years or 3 years.
This says a great deal about how digital vandalism is treated differently than physical vandalism. Because Keys' alleged crime was committed using a computer, he faces a much harsher sentence than if the same crime was committed in the real world.
With Keys’ indictment, there is talk of the same disconnect between the maximum punishment and the actual sentence Keys is likely to be facing. Commentators have noted that focusing on the maximum sentence is pointless, just a ploy to capture people’s attention and that any good criminal defense attorney will determine the actual sentence a person is facing and explain that to their client.
All of that is somewhat true. But it doesn’t follow that statutory maximums play no role in criminal sentencing.
Federal Sentencing Crash Course
Obviously, maximum punishments are used to classify just how bad legislatures perceive certain behavior to be. It goes without saying the greater the punishment, the more serious the crime. You don’t get life in prison for running a stop sign, and a murderer isn’t going to get probation.
When Congress passes a criminal law, it must provide in the law itself a maximum punishment, to indicate to both society and the criminal himself the severity of the crime and give judges some limit on the sentence it can impose. But those maximums can oftentimes be very high. So how is a judge to decide where on the spectrum a sentence is supposed to fall?
For that, the Court must turn to 18 U.S.C. § 3553(a), which lay out certain principles the judge must consider before imposing sentence. One of the things the judge must consider is the sentence recommended in the United States Sentencing Guidelines. The Guidelines are a complex set of rules, written by the United States Sentencing Commission, that determine a sentencing range for criminal conduct. The Guidelines are also nothing more than a recommendation: the court is free to disregard them and impose a higher or lower sentence, as it sees fit.
The overwhelming majority of federal criminal sentences are within the Guideline range. In 2011 (PDF), 54.8% of all federal sentences were within the Guideline range, 43.7% were below the Guideline range (though as part 2 will make clear, that’s somewhat misleading), and only 1.8% were above the Guideline range. That means most federal sentencing hearings are focused on what the proper Guideline calculation is, and not the statutory maximum.
Besides, when a defendant is charged with multiple crimes arising out of the same course of criminal conduct, the Sixth Amendment’s protection against double jeopardy prohibits the government from punishing the same behavior twice. So when a press release, like the ones in Keys or Swartz’s case, claim that a person is facing decades in prison, that’s unlikely to happen in most cases.
But that doesn’t mean trumpeting the maximum serves no purpose other than press.
Maximums Still Matter
Most critically, statutory maximums affect the Guideline calculations in two ways. First, when Congress increased maximum punishments for crimes, it oftentimes directs the Sentencing Commission to increase the Guideline ranges too. Congress did precisely this with the CFAA in 2008 (PDF) when it increased penalties and then directed the commission to increase the Guideline ranges for CFAA crimes too.
Second, many specific Guideline sections, including the one covering CFAA crimes, use the statutory maximum punishment to determine the starting point for the Guideline calculation. Plus statutory maximums also dictate the length of supervised release a defendant is subject to following their conviction, or eligibility for and the amount of probation a court can grant a criminal defendant. It dictates the maximum fine a court can impose.
When it comes to determining the § 3553(a) factors, a court is to consider the “nature and circumstances of the offense.” And many prosecutors and judges use the maximum punishment as an indicator of how serious the crime the defendant is being sentenced for is. In other words, the maximum punishment can be used to justify a sentence at the top of the Guideline range or to oppose the defendant’s request at a below Guideline sentence.
But these maximums also serve a far more sinister goal: to intimidate defendants into foregoing their jury trial rights and to plead guilty.
The right to trial is an important one, enshrined in our constitution. But it’s also a costly, time consuming burden for prosecutors and judges. And while a defendant isn’t supposed to be punished for exercising his right to a jury trial, its clear prosecutors use maximum punishments as a tool to deter defendants from exercising this right. The Guidelines themselves give the defendant a sentencing reduction for pleading guilty and plea bargains typically involve prosecutors agreeing to dismiss some charges or agree to more favorable Guideline calculations in exchange for a guilty plea.
This is business as usual in federal courts across the country, including those handling CFAA cases. And that’s precisely how Congress wants it.
So while these maximum sentence press releases may not be in the realm of reality, they do serve a purpose: to scare future defendants and deter current ones from fighting their case. After all, there must be a reason why Congress is consistently trying to impose harsher CFAA penalties rather than reduce them.
That’s why as part of our push to reform the CFAA, we’re advocating that the law’s penalties are actually proportionate to the wrongdoing they're meant to punish. So please join EFF in calling on Congress to fix the CFAA by sending an email to your elected representatives now.
Recent DeepLinks Posts
Aug 23, 2016
Aug 22, 2016
Aug 22, 2016
Aug 19, 2016
Aug 18, 2016
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Artificial Intelligence & Machine Learning
- Bloggers' Rights
- Border Searches
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Electronic Frontier Alliance
- Encrypting the Web
- Export Controls
- Fair Use and Intellectual Property: Defending the Balance
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2016 Copyright Review Process
- Free Speech
- Genetic Information Privacy
- Government Hacking and Subversion of Digital Security
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Know Your Rights
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- Mobile devices
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Offline : Imprisoned Bloggers and Technologists
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Reclaim Invention
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- State-Sponsored Malware
- Student Privacy
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trade Agreements and Digital Rights
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- UK Investigatory Powers Bill
- Video Games