United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009) (full-text).
Lori Drew was indicted on one count of conspiracy and three counts of violating a felony portion of the Computer Fraud and Abuse Act (CFAA) when she, in concert with others, impersonated a 16-year-old male on MySpace to interact with Megan, a 13-year-old classmate of her daughter. She posted a picture of a boy, without his knowledge or consent, and carried on an online relationship with Megan ultimately leading to "Josh" telling Megan that "the world would be a better place without her in it," and Megan’s subsequent suicide.
The relevant felony portions of the CFAA prohibit accessing a computer without authorization or in excess of authorization and obtaining information from a protected computer where the conduct involves an interstate or foreign communication and the offense is committed in furtherance of a crime or tortious act.
Trial Court Proceedings
At the close of trial, the jury was deadlocked and unable to reach a verdict as to the Count 1 conspiracy charge and unanimously found the Defendant "not guilty" as to Counts 2 through 4. The jury did, however, find Defendant "guilty" of the lesser included misdemeanor of 18 U.S.C. §1030(a)(2)(C).
The relevant misdemeanor provision of the CFAA has the following three elements: (1) the defendant intentionally accessed without authorization or exceeded authorized access of a computer; (2) the defendant's access of the computer involved an interstate or foreign communication; and (3) by accessing without authorization or by exceeding authorized access to, a computer, the defendant obtained information from a computer used in interstate or foreign commerce.
As used in the CFAA, the term "computer" includes any data storage facility or communication facility directly related to or operating in conjunction with such device, such as MySpace. The term "exceeds authorized access" means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter . . ." The central question in this case then becomes whether a user's intentional violation of a website's Terms of Service (TOS), satisfies the requirement under the CFAA of exceeding authorized access.
While the Defendant was required to agree to the MySpace TOS, the full text of those terms did not appear on the same page as the check box that Defendant was required to check to register her profile. To find the terms she would have had to proceed to the bottom of the page and follow a hyperlink marked “Terms.” The MySpace TOS contained a prohibition against a wide range of content on the site, including material that:
- "harasses or advocates harassment of another person,"
- "solicits personal information from anyone under 18,"
- "provides information that you know is false or misleading or promotes illegal activities or conduct that is abusive, threatening, obscene, defamatory or libelous"
- "includes a photograph of another person that you have posted without that person’s consent."
Exceeding Authorized Access
Obtaining information from a computer has been described as "includ[ing] mere observation of the data" and the U.S. Supreme Court observed that "[t]he Internet is an international network of interconnected computers," therefore the second and third elements of the CFAA misdemeanor described in 18 U.S.C. §1030(a)(2)(C) will always be met when an individual using a computer interacts with an Internet website.
Contravention of the Void-for-Vagueness Doctrine
The vagueness doctrine bars the enforcement of a statute that cannot be reasonably interpreted thereby preventing an average person from having "fair warning" of the conduct that will constitute a violation. There are two prongs to the void-for-vagueness doctrine: (1) a definitional/notice sufficiency requirement and, (2) a guideline setting element to govern law enforcement.
"Ordinary people" might expect to be exposed to civil liabilities for violating a contractual provision but they would not reasonably expect criminal penalties. If the CFAA can be violated by the mere violation of a third-party's website's TOS, an ambiguity arises as to whether all violations result in criminal liability or only certain significant provisions.
In practice, anyone who lies about their age when signing up for MySpace could potentially be opening themselves up for prosecution. It should also be noted that the victim of this unfortunate course of events, Megan, was only 13 and had a profile in violation of the age restriction provision of the MySpace TOS. While the government argued that the scienter requirement of the CFAA dispelled such concerns, the court found the requirement that violations be "intentional" insufficient to protect against such deficiencies in the proposed standard.
While the Defendant's actions may have been a violation of the MySpace TOS and her access may have been without authorization, the breach of a website's TOS alone as the relevant consideration for CFAA violations places too much control in the hands of website operators and too little notice to the website users. Defendant's motion for a judgment of acquittal after jury verdict under F.R.Crim.P 29(c) was granted.
- See Kim Zetter, "Judge Acquits Lori Drew in Cyberbullying Case, Overrules Jury," Wired (July 2, 2009) (full-text).