In the months since Aaron Swartz’s death, it’s become clear to the American public that the Computer Fraud and Abuse Act (“CFAA”) has become one of the most dangerous and abused criminal laws available to prosecutors. One of its biggest problems—its draconian sentencing scheme—is on full display in the case of Jeremy Hammond.
Hammond was arrested for allegedly hacking into private intelligence contractor Stratfor and obtaining internal emails and other sensitive information for a political, rather than financial, purpose. Hammond then leaked this data to the media, attempting to highlight Stratfor’s work as a “private intelligence firm” and expose surveillance on political protesters at the behest of both private companies and the government. He made this information available to the media, and major publications including Rolling Stone, WikiLeaks, and McClatchy published material from the leaks.
The indictment alleges credit card numbers were found in the leaked emails as well. He was ultimately indicted on six counts, including violating the CFAA and identity theft.
Hammond admitted his actions by pleading guilty on Monday to one count of violating the CFAA with a “non-cooperating plea agreement,” meaning the prosecutors have no sentencing agreement with Hammond. But even when actions violate the law, criminal punishment must fit the crime and the potential punishment here—10 years in prison—demonstrates the problems with sweeping prosecutorial power generally, and the severity of the CFAA specifically.
First, as Techdirt’ Mike Masnick wrote – and as we’ve noted before too – this is yet another case “in which the DOJ piled on charge after charge after charge until the person they were pressuring accepted a plea bargain.” Hammond confirms this in a lengthy public statement after his guilty plea, saying “because prosecutors stacked the charges with inflated damages figures, I was looking at a sentencing guideline range of over 30 years if I lost at trial.” This of course will sound familiar to those who followed Aaron’s case.
That leads to the second problem with Hammond’s case: the stiff penalties for CFAA violations regardless of the context. We’ve written before about how damage figures for CFAA charges can easily be inflated and how the sentencing guidelines are broken for the CFAA, leading to excessive sentences and unjust results. And you don’t have to look any further than Hammond’s co-defendants to see this inequality in full effect.
Three of Hammond’s co-defendants were charged and sentenced for the same conduct in the U.K. They received far shorter sentences than what Hammond faces, indeed their full prison sentences are shorter than the time Hammond will have served in pre-trial detention. Ryan Ackroyd received a 30-month jail sentence and Jake Davis a 24 month sentence, though for each, only half of that sentence will be served in jail. Mustafa al-Bassam received a suspended 20-month jail sentence with 300 hours of community service in lieu of imprisonment. The pleas in the U.K. were likely the result of the CFAA as well: by pleading guilty these co-defendants potentially precluded extradition to the U.S.
Hammond, in contrast, has been in pretrial custody for 15 months already and will be in jail another three months until his sentencing in September. And you can be sure at that sentencing hearing the government will ask the Court to impose a sentence closer to the ten year maximum than the time-served sentence Hammond is likely to ask for.
In fact, even with good time credit (which only reduces a federal prison sentence by 15%), Hammond is like to serve more than Ackroyd, Davis and al-Bassam combined, despite having lesser culpability than some of these co-defendants, as the indictment itself makes clear.
Regardless of whether you think Hammond’s conduct should or shouldn’t be criminal, its clear the stiff punishment here doesn’t belong in the CFAA. As Hammond’s sentencing date approaches and the government files its sentencing requests, we’ll be keeping a close eye on his case and other cases involving the CFAA.
Go here to ask Congress to reform the Computer Fraud and Abuse Act.