Monday, December 1, 2008

It's Not YourSpace

Sorry for the break, Faithful Readers -- I was away for Thanksgiving.

Perhaps the most interesting legal story over the break was the Myspace cyberbullying verdict. Lori Drew, a woman in her 40s, created a fictitious persona of a teenage boy on MySpace and used it to send messages, first friendly and then nasty, to a teenage girl who had had a falling out with Drew's daughter. The girl committed suicide after receiving the message "the world would be a better place without you” from her fictitious friend. Drew was convicted last week.

Drew's conduct was obviously horrible and it had terrible consequences. But not all such conduct is a crime. It's important to be careful about stretching the boundaries of criminal law to cover anything that some prosecutor wants to punish. Prosecutors are often busy pushing their own careers and sometimes seem to lack the sense of restraint that one would hope accompanies the exercise of prosecutorial discretion.

In this case, Drew was convicted of violating the federal Computer Fraud and Abuse Act. This statute, as one would imagine, has primarily been applied in cases of what one would think of as real computer hacking -- breaking into computers that one isn't supposed to be accessing. But, looking carefully at the statute, one sees that it applies to anyone who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication." 18 U.S.C. § 1030(a)(2)(C). And the crime is a felony if it was done "in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State." § 1030(c)(2)(B)(ii). "Exceeds authorized access" is defined as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."

Drew was supposedly guilty of this crime in that she violated the "terms of service" of MySpace by giving false information when she created the fictitious MySpace profile. The U.S. Attorney in Los Angeles has evidently decided that pretty much any violation of a website's TOS is a federal crime.

Looking at the text of the statute, I would say that, if it weren't for the definition of "exceeds authorized access," it would be pretty clear that Drew did, in fact, violate the statute. Without the definition, the statute basically says that you're not allowed to access other computers in an improper way. The exact definition given in the statute leaves some room for doubt: did Drew obtain information she wasn't entitled to? If you could have gotten the same information with an honest access, it's not totally clear to me that the information is information you are "not entitled . . . to obtain." But it is at least arguable.

So based on the text of the statute, I would have to say that the U.S. Attorney is not totally out of bounds. Even with respect to websites that are right out there on the Internet for anyone to access, there's a decent argument that that Congress has made it a crime to access them in other than the proper way.

The real question is whether this is the world we want to live in. Judging from the number of messages I get from people who call themselves "v4vendetta" or "Crouching Lesbian" or the like, people like the anonymity of the Internet. We don't want to have to give all our real personal information just to look at a website or send someone else a message. Of course this means that the Internet is a breeding ground for fraud, but we are content to let caveat emptor rule the day and to count on people to understand that there isn't really millions of dollars waiting for them in a blocked Nigerian bank account.

So one might even think that the verdict represents an appropriate compromise -- Drew was convicted of misdemeanors only, and perhaps the answer is that prosecutors will ignore the millions of violations of the statute that probably occur every day, and trot out the statute only when, as in Drew's case, someone uses unauthorized access to a computer for truly bad ends. But at the same time, it's important to remember that the terrible consequences that occurred in this case are not an element of the crime of conviction. If this verdict holds up, it means that people are committing crimes when they use a false name to look at a weather forecast on the Internet. I do find it somewhat chilling to know that prosecutorial discretion is all that stands between people who give a flase name to any Internet site and a jail cell. Some tightening of the statute would, I think, be a good idea.

1 comment:

Anonymous said...

This statute can very easily become the government's equivalent of the snail mail fraud statute - a catch-all to allow a prosecutor to pad a list of criminal charges.

The answer to such abuse or overuse might be to require a detailed purpose and scope statement of intent which would be itself a controlling part of each statute.

Any prosecutorial or judicial parsed or micro- textual interpretation giving meaning contrary to or beyond that of the statement of purpose would then perhaps be automatically void.

Let's hope it doesn't get so risky that we will be afraid to anonymously reply to your posts....