Lori Drew has been found guilty by a jury in a Federal Circuit Court in California of unauthorized access to a computer system in contravention of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. The charges were laid after Ms. Drew set up a fake MySpace account posing as a 16 year old boy. She allegedly made and used the account in order to get back at her daughter’s school nemesis, 13 year old Megan Meier. Megan Meier suffered from depression and, after a few weeks of forming an online friendship and flirting, Ms. Drew, posing as the boy, turned mean towards Meier who then tragically committed suicide. The Government, lacking another suitable statute under which to charge Ms. Drew for this harassment, brought this charge under a novel interpretation of the above computer law which is typically used in cases of computer “hacking”.
Section §1030 (a)(2)(c) of the Act targets whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication. The Government’s argument was that since Ms. Drew had violated the terms and conditions of MySpace, which among other things bar accounts containing fake information, her access to the MySpace system was not authorized and her communications with Ms. Meier were therefore in violation of the law.
In an amicus brief filed by the EFF, the Center for Democracy and Technology and Public Citizen, and 14 individual academics who work in the area of internet law, it was argued that this decision could set a dangerous precedent by stretching the scope of the law too far by, in effect, making nearly any violation of a contract governing the use of a website an indictable offense. They argue that “[b]oth the plain language of the statute and the legislative history show that the statute is meant to punish trespassers and “hackers,” not users who ignore or violate sites’ contracts or customers who misuse the service.” The brief points out the potential absurd results in quipping that “the Electronic Frontier Foundation reports that terms of service for the popular dating site Match.com require users of either the website or the dating service to be single or separated from their spouses… The brief’s author has not been able to visit the site to confirm the report; because she remains happily married, doing so would be a violation of the site’s terms, potentially a criminal act under the interpretation of the CFAA advanced by the Government here.”
The matter is further complicated by an as yet undecided motion by the defence for dismissal on the grounds that there is not sufficient evidence that Ms. Drew actually read the terms and conditions of the site. Should they lose on this motion, the defense appears likely to appeal the overall decision.
This case also brings to mind the broader question of whether an act that occurs online ought to be viewed any differently under the law than an analogous offline act simply because it has an online element. What Ms. Drew has done is deplorable. However, if but for the use of the online service, the act was not a punishable offence, is it just to punish her in this way?
Of interest to Canadians, our two main criminal computer laws are section 342.1(1) and section 430(1.1) of the Criminal Code. Section 342.1(1)(a) is probably the most analogous to the above. It states that every one who, fraudulently and without colour of right, obtains, directly or indirectly, any computer service is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction. In Canada then, a decision in this vein would likely turn on whether the computer service was ‘obtained’ ‘fraudulently’.