Today, federal judge George Wu officially overturned the conviction of Lori Drew, who was convicted of cyberbullying 13-year-old Megan Meier to suicide. That conviction was based on the federal Computer Fraud and Abuse Act (CFAA), which makes it a crime to intentionally accessing a computer system with intent to commit a crime or tort.
But that law, the judge found, cannot be stretched so far that it would include mere violations of website terms of service. Something more than violating a TOS is needed. Otherwise, the law would "convert a multitude of otherwise innocent Internet users into misdemeanant criminals."
At trial, the jury found Drew guilty of misdemeanor violations of CFAA based on the theory that accessing MySpace with intent to harrass Meier was an unauthorized access of an interstate computer. The verdict drew consternation because it seemed to suggest that merely violating a website's terms of service could be the basis for criminal prosecution.
While it's clear enough that Congress's intent was to make it a crime to break into computer networks, the question here was whether (1) violating a TOS could ever be the basis for a CFAA, (2) whether in this case the conviction was supported by the evidence, and (3) whether it was Constitutionally legit.
In his decision overturning the conviction (PDF) (via the Register), Wu concluded that while it's possible to violate the CFAA through violated a TOS, the conviction in this case will not stand. The Computer Fraud and Abuse Act
The CFAA has three elements:
The first element is the key consideration. Can someone "intentionally" "access" interstate computers "without authorization" or "exceed" her "authorization" by violating a terms of service provision? The court's answer is yes, the TOS surely does set the level of authorization a user is granted. Thus, violating the TOS is an authorized access.
But a criminal statute must make it reasonably clear to all what conduct could result in conviction.
Terms of service which are incorporated into a browsewrap or clickwrap agreement can, like any other type of contract, define the limits of authorized access as to a website and its concomitant computer/server(s). However, the question is whether individuals of “common intelligence” are on notice that a breach of a terms of service contract can become a crime under the CFAA. Arguably, they are not.Simply put, the TOS lists a great many prohibited activities and gives neither law enforcement nor users any clues as to which ones could lead to CFAA prosecution. Thus, there's a vagueness problem, which is compounded by the logical conclusion that criminal statute-writing would effectively be outsourced to the lawyers drafting Terms of Service agreements.
Treating a violation of a website’s terms of service, without more, to be sufficient to constitute “intentionally access[ing] a computer without authorization or exceed[ing] authorized access” would result in transforming (the CFAA) into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals. ...If every such breach (of a TOS) does qualify, then there is absolutely no limitation or criteria as to which of the breaches should merit criminal prosecution. All manner of situations will be covered from the more serious (e.g. posting child pornography) to the more trivial (e.g. posting a picture of friends without their permission). All can be prosecuted. ...
In sum, if any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that (CFAA) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].”