Today the U.S. Attorney’s Office in Los Angeles indicted Lori Drew for her role in the suicide of a 13-year old girl using Myspace:
A federal grand jury indicted a Missouri woman Thursday for her alleged role in perpetrating a hoax on the online social network MySpace against a 13-year-old neighbor who committed suicide.
Megan Meier, 13, hanged herself in her bedroom after being targeted in a MySpace hoax.
Lori Drew of suburban St. Louis is said to have helped create a false-identity MySpace account to contact Megan Meier, who thought she was chatting with a 16-year-old boy named Josh Evans. Josh didn’t exist.
Megan hanged herself at home in October 2006 after receiving cruel messages, including one stating the world would be better off without her.
Salvador Hernandez, assistant agent in charge of the Los Angeles FBI office, called the case heart-rending.
“The Internet is a world unto itself. People must know how far they can go before they must stop. They exploited a young girl’s weaknesses,” Hernandez said. “Whether the defendant could have foreseen the results, she’s responsible for her actions.”
Drew was charged with one count of conspiracy and three counts of accessing protected computers without authorization to get information used to inflict emotional distress on the girl.
This case involves a terrible tragedy. But the government’s legal theory, based entirely on the Computer Fraud and Abuse Act, 18 U.S.C. 1030, is very weak. Legally speaking, the prosecution is a real stretch. In my view, the courts should dismiss the indictment. In this post, I’ll explain why.
To understand this case, you need to understand the government’s theory. The indictment is not charging Drew with harassment. Nor are they charging her with homicide. Rather, the government’s theory in this case is that Drew criminally trespassed onto MySpace’s server by using MySpace in a way that violated MySpace’s Terms of Service (TOS).
Here’s the idea. The TOS required Drew to provide accurate registration information, not to harass or harm other people, and not to promote conduct that was abusive. She didn’t comply with these terms, the theory goes, so she was criminally trespassing onto MySpace’s computer when she was logging into her account. The indictment turns this into a federal felony conspiracy charge by arguing that she did this in concert with others to obtain information and to further tortious conduct — intentional infliction of emotional distress — violating the felony provisions of 18 U.S.C. 1030(a)(2).
But these arguments are a real stretch for three reasons.
Problem One: The first major hurdle is a legal question that I wrote an article on in 2003: Is it a federal crime to violate contractual limitations on use of a computer? The federal statute, 18 U.S.C. 1030, generally prohibits accessing a computer “without authorization” or “exceeding authorized access.” But what makes an access “without authorization”? If the computer owner says that you can only access the computer if you are left-handed, or if you agree to be nice, are you committing a crime if you use the computer and are nasty or you are right-handed? If you violate the Terms of Service, are you committing a crime?
In my article, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 NYU L. Rev. 1596 (2003), I argue that the answer should be “no.” I won’t recite the legal arguments here, as you can just read the article itself. (You can imagine the basic idea, though: Since everyone who uses computers violates dozens of different TOS every day, the theory would make everyone who uses computers a felon.) However, I will point out that the MySpace case is to my knowledge the very first federal indictment that has tried to claim that violations of Terms of Service for an Internet account amounts to a crime under Section 1030. In fact, I wrote my NYU article in part because I figured it was only a matter of time before a sympathetic case came along and some aggressive prosecutor would try the argument and see if it flew. It looks like this is the test case.
Problem Two: The second and third legal hurdles to the prosecution are less intellectually interesting but clearer and easier for the defense to make. The first problem is that the crime requires the government to show that Drew intended to violate the Terms of Service. That is, lack of authorization must be intentional — it must have been Drew’s conscious object to have violated the TOS. But here there is no evidence that Drew even read the TOS. Most people don’t, of course; I would be surprised if 1 person in 100 actually tried reading it. If Drew wasn’t aware that she was violating the TOS, she couldn’t be exceeding her authorized access intentionally. (Paragraph 11 of the indictment lamely notes that a copy of the TOS was “readily available” to MySpace Users if they went looking for it, clicked the link, and read it. But the statute requires intent, so whether the TOS was “readily available” is irrelevant.)
Problem Three: The third hurdle, and perhaps the easiest way for the defense to win, is that the government’s theory requires proof that the goal of the conspiracy was to obtain information. The alleged underlying crime here is 18 U.S.C. 1030(a)(2)(C), which prohibits exceeding authorized access to a computer to get information. Think hacking in to get credit card numbers, to get a copy of a special computer file, or to take data from a database. But based on the facts discussed in the indictment and the news stories, it doesn’t seem that Drew had the intent to obtain information from her victim. Her apparent goal was to harass her victim and to cause emotional distress, not to obtain information from her. That may not make it morally or ethically any less objectionable; indeed, perhaps it is more so. But the statute wasn’t violated unless Drew was acting to try to obtain information, and it doesn’t seem like that was her intent.
UPDATE: Over at Concurring Opinions, Daniel Solove agrees with most of the analysis but comments on this last issue: “I’m not so sure I agree. The news accounts I read about the case indicated that one of Drew’s primary motivations for creating the fake profile was to learn information from Megan Meier. She wanted to know information from Megan that pertained to her own daughter, who was a classmate of Megan’s. The harassing came later on.” I haven’t read the news reports closely, so maybe we’ll have to wait and see how the facts unfold on the third issue.