MySpace suicide case: conviction overturned

MySpace suicide case: conviction overturned

Summary: Today, federal judge George Wu officially overturned the conviction of Lori Drew, who was convicted of cyberbullying 13-year-old Megan Meier to suicide. That conviction was based on the federal Computer Fraud and Abuse Act (CFAA), on the theory that Drew violated the law by violating MySpace terms of service. Nope - such a reading would make the law unconstitutional, the judge said.

SHARE:

Today, federal judge George Wu officially overturned the conviction of Lori Drew, who was convicted of cyberbullying 13-year-old Megan Meier to suicide. That conviction was based on the federal Computer Fraud and Abuse Act (CFAA), which makes it a crime to intentionally accessing a computer system with intent to commit a crime or tort.

But that law, the judge found, cannot be stretched so far that it would include mere violations of website terms of service. Something more than violating a TOS is needed. Otherwise, the law would "convert a multitude of otherwise innocent Internet users into misdemeanant criminals."

At trial, the jury found Drew guilty of misdemeanor violations of CFAA based on the theory that accessing MySpace with intent to harrass Meier was an unauthorized access of an interstate computer. The verdict drew consternation because it seemed to suggest that merely violating a website's terms of service could be the basis for criminal prosecution.

While it's clear enough that Congress's intent was to make it a crime to break into computer networks, the question here was whether (1) violating a TOS could ever be the basis for a CFAA, (2) whether in this case the conviction was supported by the evidence, and (3) whether it was Constitutionally legit.

In his decision overturning the conviction (PDF) (via the Register), Wu concluded that while it's possible to violate the CFAA through violated a TOS, the conviction in this case will not stand. The Computer Fraud and Abuse Act

The CFAA has three elements:

  1. The defendant intentionally accessed without authorization or exceeded authorized access of a computer;
  2. The access involved an interstate or foreign communication; and
  3. Third, by this access, the defendant obtained information from a computer . . . used in interstate or foreign commerce or communication

The first element is the key consideration. Can someone "intentionally" "access" interstate computers "without authorization" or "exceed" her "authorization" by violating a terms of service provision? The court's answer is yes, the TOS surely does set the level of authorization a user is granted. Thus, violating the TOS is an authorized access.

But a criminal statute must make it reasonably clear to all what conduct could result in conviction.

Terms of service which are incorporated into a browsewrap or clickwrap agreement can, like any other type of contract, define the limits of authorized access as to a website and its concomitant computer/server(s). However, the question is whether individuals of “common intelligence” are on notice that a breach of a terms of service contract can become a crime under the CFAA. Arguably, they are not.
Simply put, the TOS lists a great many prohibited activities and gives neither law enforcement nor users any clues as to which ones could lead to CFAA prosecution. Thus, there's a vagueness problem, which is compounded by the logical conclusion that criminal statute-writing would effectively be outsourced to the lawyers drafting Terms of Service agreements.
Treating a violation of a website’s terms of service, without more, to be sufficient to constitute “intentionally access[ing] a computer without authorization or exceed[ing] authorized access” would result in transforming (the CFAA) into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals. ...If every such breach (of a TOS) does qualify, then there is absolutely no limitation or criteria as to which of the breaches should merit criminal prosecution. All manner of situations will be covered from the more serious (e.g. posting child pornography) to the more trivial (e.g. posting a picture of friends without their permission). All can be prosecuted. ...

In sum, if any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that (CFAA) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].”

Topics: Hardware, CXO, Social Enterprise

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

6 comments
Log in or register to join the discussion
  • bullying

    Is it a crime to bully someone to a degree such that they commit suicide?
    kevintxu
    • Probably...

      ...but what it seems the court is saying is that it doesn't fall under the CFAA. Surely there are other statutes under which it could have been prosecuted. Harassment, perhaps?

      Carl Rapson
      rapson
      • It's a civil matter

        Clearly, the parents have a civil case for
        wrongful death. It probably should have been left
        at that. No criminal law existed at the time, but
        they've been passed since.
        rkoman@...
        • Actually, a criminal law does exist

          It's derivative of the the phrase in the Declaration of Independence, "the pursuit of happiness"; and it's specified in the Preamble to the Constitution under the "insure domestic Tranquility" and "promote the general Welfare" statements.

          At the very least this is a case of felony level assault and battery, and manslaughter. The defendent clearly, with premeditated intent and malice, caused grevious harm resulting in the death of this young woman. Weapon used was psychological, human engineering via the Internet. She set out to gain trust and control of the girl, she knew she was mentally and socially vulnerable, and she led the girl right down the path that ended with her killing herself. What do the courts do with the people that abuse children that results in the child's death? It's the exact same thing in this case.
          Dr_Zinj
    • Yes, it is

      Here in California it's a felony...
      Penal code section 401:
      "Every person who deliberately aids, or advises, or encourages another to commit suicide, is guilty of a felony."
      drkimca
  • Internally Contradictory

    "The first element is the key consideration. Can someone ?intentionally? ?access? interstate computers ?without authorization? or ?exceed? her ?authorization? by violating a terms of service provision? The court?s answer is yes, the TOS surely does set the level of authorization a user is granted. Thus, violating the TOS is an authorized access."

    Should not the last two words be UNAUTHORIZED access?
    Legal_Beagle