Being fascinated with both the use (and misuse) of technology and criminal law in general, I have been intently following the Lori Drew case. For those of you who haven’t, however, Drew is the Missouri mother who — as a response to some animus between 13-year-old Megan Meier and Drew’s daughter — created a false persona, “Josh Evans,” on Myspace to flirt with and gain the trust of Meier, then insulted and demeaned her to the point where Meier committed suicide. Missouri state officials reviewed the case, but felt that there was no appropriate state statute under which to bring charges against Drew; federal prosecutors in Missouri declined to charge the case for similar reasons. However, federal prosecutors in California (where Myspace’s servers are located) disagreed; claiming jurisdiction, they charged and were subsequently able to indict Drew under 18 U.S.C. § 1030, the Computer Fraud and Abuse Act (CFAA). Specifically, the U.S. Attorney’s Office in California is charging her with violating 18 U.S.C. § 1030 (a)(2)(C), which makes it a crime for anyone to
intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] . . . information from any protected computer if the conduct involved an interstate or foreign communication.
The indictment can be found here, if anyone is interested in reading it, but the gist of the argument that the AUSAs in California are making is that by giving fictitious profile information, Drew violated Myspace’s Terms of Service, thus “exceeding” the access authorized by Myspace. Then, as she used this fictitious profile to “obtain information” from Myspace’s servers — personal information about Megan, as best as I can tell — to commit the tort of infliction of emotional distress upon Meier, and since to access Myspace’s servers she was required to send packets of data across state lines, she met all the elements of the crime.
Let’s ignore for a moment the “packet hopping” argument; it’s absolutely ridiculous — since I could send an e-mail to a professor at this law school while sitting yards away from him or her and have the packets cross state lines — but it’s a well-accepted way of establishing interstate communication, and in this case the servers were in a different state than Drew anyway. I’d also be willing to concede the “obtaining information” point, though I’d note that I really haven’t seen anything in the published e-mails between the two accounts that suggest any information was obtained that wasn’t immediately obvious to Drew, given that she lived only a few houses up the street from Meier and that the Meier and Drew families were good friends before this incident. Let’s even ignore the fact that the legislative intent of the CFAA was, quite simply, to criminalize hacking into servers to get information the server owners didn’t want a person to have; in fact, the vast majority of cases prosecuted under the CFAA involve exactly that.
But stop and think for a moment about the accusation that Lori Drew exceeded her authorized access of Myspace’s servers by violating its Terms of Service. Or, more accurately, think about the ramifications of the precedent set if the court allows this argument to carry the day. Does that put an end to Dateline NBC’s “To Catch A Predator” series, since the watchdog organization that carries on the chats (Perverted Justice) creates underage profiles and waits for the pedophiles to engage them? For that matter, what about the police stings in which officers have done the same thing? What about the recent Craigslist prostitution stings by the Milwaukee Police Department? And it’s not just deliberate decoy situations that this causes problems for. Marquette’s IT Acceptable Use Policy states that users may not
- Send email chain letters or mass mailings for purposes other than official university business.
- Engage in activities that harass, degrade, intimidate, demean, slander, defame, interfere with, or threaten others.
Hence, when someone sent a Republican friend of mine a chain letter mocking McCain, and he responded “I’m a diehard Republican, you idiot,” both the sender and the recipient violated the CFAA based on the arguments set forth by the AUSAs in the Drew case; the sender did so by sending the chain letter, and the recipient did so by demeaning the sender in his response. Another friend of mine placed a fake personal ad on Craigslist as a joke, to which she received half a dozen e-mails from local guys infatuated with her based on her (fake) photo. Some gave names, heights, weights, hobbies, etc. Should she be prosecuted? What about anyone who rounds down their weight in an instant message conversation with someone they like? At what point does the slippery slope end?
Let’s be clear for a moment: I find what Lori Drew did to be reprehensible. I don’t know if there’s enough here to warrant a wrongful death suit on behalf of Megan Meier, but I’d certainly support one if it came. But this prosecution under the CFAA reeks of desperation, a spaghetti approach (i.e., “throw everything against the wall and see what sticks”) to prosecution. It’s a crime that doesn’t address anything about the tragic suicide of Meier; in fact, it can’t, as the court ruled today, because evidence of the suicide has nothing to do with the crime charged and is unquestionably prejudicial. It’s time for the AUSAs in California to recognize what the people of Missouri did from the beginning: this was a horrible act, but one that was legal at the time it occurred. The way to keep Megan Meier from having died in vain isn’t to prosecute her offender under anything you can think of, but rather to close the loopholes by passing legislation criminalizing cyberbullying, which Missouri did this past July. To do anything but that is to sacrifice the principles of our criminal justice system for the sake of righting a perceived wrong.
I feel that a slippery-slope defense can be avoided, as is most often the case in which the argument is used, with the application of common-sense in regard to reading of the statute.
In the Drew case, (I feel that) it is arguable that she violated California’s Computer Fraud and Abuse Act. She violated the MySpace Terms of Service, amongst which are agreeing to provide truthful information in registering and to: refrain from harassing others, promote false information, solicit personal details from anyone under 18, refrain from posting photos of other people without their consent (I’m pretty sure that the picture’s owner (Josh Evans) had no clue they were using his picture).
They broke the terms of service (which have the potential threat of legal action listed below) and thus, used false information to access MySpace’s servers.
I’m doing my best to leave the “angry retributivist” part of me out of this viewpoint (as I could go on for weeks about how much punishment this woman deserves, given her lack of remorse and the vileness of her actions), but it is very clear that she DID exceed her authorized access of MySpace’s servers, and thus is guilty of Computer Fraud. Essentially, it is the same as using someone else’s password to access their computer and cause them distress by deleting their memo or something. You are using information which is not your own, to falsely access information to which you are not privy (I doubt the victim would have shared the same information, had she known that she was really talking to an aging, conscienceless neighbor as opposed to a boy her age), for the purpose of harassing/distressing that person. I think they have a very good case here. I’m pretty sure getting the minor to discuss things sexual in nature is a whole new can of worms (that they should pursue) in this case. Last-minute addition: adults can’t view the profiles of people under 18 unless they are their friends, right? I think MySpace limits it so that you cannot.
I feel that the main difference between this case and the references that you made to “To Catch a Predator” (awesome show, by the way) and Marquette’s IT policy is that in those examples, the victims were adults. I think that the risk one assumes when entirely trusting someone online should be regarded differently when it involves children. We can’t start holding issues involving children to the same expectations as adults, frankly. Children are being protected online from perverts, scams, sex offenders, pornography, and the like, so why not against cruel adults who prey on them merely because they are children? If she isn’t punished for violating federal statutes, what type of public policy standard does that raise? Doesn’t slippery-slope argue that this will give adults who wish to mimic Lori Drew legal sanctuary? I feel that a line of demarcation must be drawn where children are involved. She broke the law, and did so in a particularly abhorrent way, she deserves, from any standpoint, to be punished.
As for your friend and her prank (which is pretty funny, in its own right) and the chain letter, I don’t really have an opinion of that. Let that person who lords over the use of Marquette’s network deal with that.
“I feel that the main difference between this case and the references that you made to “To Catch a Predator” (awesome show, by the way) and Marquette’s IT policy is that in those examples, the victims were adults.”
Perhaps, but there’s nowhere in the statute that she’s being charged with that distinguishes between an adult and a minor. All of the examples you’ve mentioned are good ones, but the difference between those and this case is that the statutes specifically prohibit actions toward a minor.
“If she isn’t punished for violating federal statutes, what type of public policy standard does that raise? Doesn’t slippery-slope argue that this will give adults who wish to mimic Lori Drew legal sanctuary?”
No, specifically because of the last point I’ve made. Missouri enacted a cyberbullying statute this past July in response to this case; many states have done the same, and the federal government is looking into adding one as well. The loophole is, for all intents and purposes, closed. Could they have made the law retroactive and then prosecuted her under it? I think that would probably open its own can of worms, but it’s something to consider. However, they didn’t, and — morally reprehensible as it may be — Drew didn’t actually commit any crime.
But more to the crux of your argument: accepting that a mere violation of a ToS agreement constitutes “exceeding authorized access” means that, specifically because there is no way to distinguish between minors and adults in this statute, ANY person who does so violates the CFAA. After all, “protected information” is in the eye of the beholder, and the packet hopping takes care of “interstate communication.” The examples I gave may seem petty and silly to prosecute; that was my point. But based on the logic applied in this case, were it to be successful (and, for the record, it’s looking more and more likely that it won’t), they could all be prosecuted. Surely we can agree that that would constitute a bastardization of the intent of the CFAA?
Again, Drew is reprehensible, and there’s a part of me that feels no sympathy for what’s happening to her. Nevertheless, I can’t argue that I want to uphold the law if I turn a blind eye to it, even for people I find as morally reprehensible as Drew.
Thanks Andrew for posting on this! It’s an interesting issue. There’s a problem with the law here that this case highlights, which is that the definition of “unauthorized access” under both the CFAA and the Electronic Communications Privacy Act is vague and possibly overreaching. Orin Kerr at GWU has written a pretty good article describing the problem. The issue here and in other cases, like Snow v. Directv out of the 11th Circuit, is whether access to a publicly available website in violation of posted terms is a violation of the CFAA. It seems to me that the 11th Circuit got it right — there has to be something other than mere verbal restrictions on a website to limit “authorized access” to it for purposes of the CFAA and ECPA. It’s got to be something like 17 U.S.C. 1201’s “technological measure.”
Violation of the CFAA, including the one charged in the Drew case, can be a felony. Are you potentially guilty of a felony every time you violate the terms and conditions of a website? The idea is pretty ludicrous, given the number of sites out there with lengthy terms and conditions that almost no one reads. For example, the YouTube terms and conditions require that “If you use the YouTube Embeddable Player on your website, you must include a prominent link back to the YouTube website on the pages containing the Embeddable Player ….” Under the CD Cal US Attorney’s interpretation, failure to include the prominent link to YouTube on a page where you have the embedded player is at least a misdemeanor, and possibly a felony violation of the CFAA. To quote from Charles Dickens, “if the law says that, the law is an ass.”
I think Andrew has it right and this is an example of hard cases that can make bad law. Not knowing Missouri law on the intentional infliction of emotional distress and related torts, I can’t comment on a civil action.
But as someone who frequently links to YouTube videos of paleo (and sometimes more current) musical performances on my personal blog (I do it every Sunday), I had no idea that I was required to do this.
Using the YouTube embedding tool seems to do it for you, so I’m not in violation. (I am, quite frankly, too lazy or technologically challenged to do anything but use their tool.)
But what if I didn’t use it. I posted Bauhaus’ “Bela Lugosi’s Dead” for Halloween. A rather creepy song; famous for, among other things, being used as the intro for SNL’s “Goth Talk” skit. What if it prompted some Goth kids (do they exist anymore?) to do whatever bad thing Goth kids supposedly do (or did)?
No one would charge me? Probably not, but I am uncomfortable with constructions of the law that rely too much on the forebearance of officialdom.
As an update, apparently the jury let emotion overwhelm its reason . . . er, returned a conviction of Lori Drew on three of the four counts (failing to convict, if I read these articles correctly, on the one major felony charge of accessing protected computers with the intent to inflict emotional distress). It’s worth noting, however, that the judge in the case tabled a motion to dismiss the charges until after the verdict came in, which means that after the Dec. 29 hearing she may very well have those convictions overturned as well. Essentially, she’s being punished for violating Myspace’s Terms of Service.
How do I feel about it? Well, it doesn’t much quell my concern about prosecutions for any violations of the Terms of Service of any website. Still, the way that this verdict is being soundly ridiculed throughout the web and on local media (for example, see here: http://volokh.com/posts/1227896387.shtml — I guess I won’t be able to read his blog anymore because I’m interning for the P.D.’s Office!), I have a feeling that, at the very least, the sentence isn’t going to be all that heavy. The important thing is that, much as many news outlets predicted, Drew is NOT being linked to Meier’s suicide in a court of law.
I have more of a question really, if Perverted Justice uses Craig’s List to post an ad as a 14 year old, and Craig’s List clearly states you must be 18 years of age and also states you cannot bait and switch, would that not also be illegal? I have been reading where they started doing this and even said on youtube they were (luring) in people. Sounds questionable at the very least, but is it legal?
Not under the prosecution’s theory in the Drew case. Of course, I don’t agree with that theory. But under that theory, any intentional violation of website terms and conditions is a misdemeanor.
Thank you for your input. Here’s another question to ponder …. If Perverted Justice placed an ad that violated the terms of use agreement (a misdemeanor) would that not, in fact, make any and all evidence they obtained inadmissable, due to the fact it was obtained illegally?
Ms. Dean, I hesitated to comment before, because I figured you were using Perverted Justice as an example. However, it seems clear to me at this point that your intent is not to discuss the legal issues surrounding the CFAA, but rather to attack Perverted Justice. There are plenty of websites on the internet on which you can do so; it would be best served not to let your comments devolve to that here.
But I will take a moment to answer your question: no, it doesn’t make the evidence they collect inadmissible in any way. They’re not state actors and so they’re not subject to the Fourth Amendment’s prohibition on illegal searches and seizures. The federal government could, under the theory espoused in the CFAA, prosecute Perverted Justice members for the violation of the ToS. However, it’s all moot; no AUSA is going to choose to prosecute Perverted Justice instead of the pedophiles that answer the solicitation, and Craigslist isn’t going to ask the AUSA to do so anyway because their interests are better served by getting threatening members of society like those off of their site.
A further update: Judge George Wu tentatively ruled (read: orally ruled, but may still change his mind by the time he puts it down in writing) to acquit Lori Drew of the three misdemeanor counts of what essentially amounts to violating Myspace’s ToS, proving once again that legal logic doesn’t take a back seat to moral outrage. Drew should never have been convicted in the first place, but I suppose that’s the way the jury system is going to work.
And so the case is (I believe) completed: http://www.courthousenews.com/2009/08/31/Ruling_Reverses_MySpace_Suicide_Conviction.htm . Essentially, a written ruling was handed down today from federal court echoing what Judge Wu said a couple of months ago: that the AUSAs’ interpretation of the CFAA was overbroad and created a dangerous precedent. I’ve said quite a bit on this topic in my initial post and its subsequent responses, but I’ll add this: it’s good to know that the analysis I crafted based on my 3 years of law school is the same Judge Wu used. Kind of makes me feel like all that debt was worth it 🙂