Friday, May 16, 2008

The MySpace Suicide Indictment -- And Why It Should Be Dismissed.

Orin Kerr explains:

Problem One: The first major hurdle is a legal question that I wrote an article on in 2003: Is it a federal crime to violate contractual limitations on use of a computer? The federal statute, 18 U.S.C. 1030, generally prohibits accessing a computer "without authorization" or "exceeding authorized access." But what makes an access "without authorization"? If the computer owner says that you can only access the computer if you are left-handed, or if you agree to be nice, are you committing a crime if you use the computer and are nasty or you are right-handed? If you violate the Terms of Service, are you committing a crime?

In my article, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 NYU L. Rev. 1596 (2003), I argue that the answer should be "no." I won't recite the legal arguments here, as you can just read the article itself. (You can imagine the basic idea, though: Since everyone who uses computers violates dozens of different TOS every day, the theory would make everyone who uses computers a felon.) However, I will point out that the MySpace case is to my knowledge the very first federal indictment that has tried to claim that violations of Terms of Service for an Internet account amount to a crime under Section 1030. In fact, I wrote my NYU article in part because I figured it was only a matter of time before a sympathetic case came along and some aggressive prosecutor would try the argument and see if it flew. It looks like this is the test case.

Problem Two: The second and third legal hurdles to the prosecution are less intellectually interesting but clearer and easier for the defense to make. The first problem is that the crime requires the government to show that Drew intended to violate the Terms of Service. That is, lack of authorization must be intentional — it must have been Drew's conscious object to have violated the TOS. But here there is no evidence that Drew even read the TOS. Most people don't, of course; I would be surprised if 1 person in 100 actually tried reading it. If Drew wasn't aware that she was violating the TOS, she couldn't be exceeding her authorized access intentionally. (Paragraph 11 of the indictment lamely notes that a copy of the TOS was "readily available" to MySpace Users if they went looking for it, clicked the link, and read it. But the statute requires intent, so whether the TOS was "readily available" is irrelevant.)

Problem Three: The third hurdle, and perhaps the easiest way for the defense to win, is that the government's theory requires proof that the goal of the conspiracy was to obtain information. The alleged underlying crime here is 18 U.S.C. 1030(a)(2)(C), which prohibits exceeding authorized access to a computer to get information. Think hacking in to get credit card numbers, to get a copy of a special computer file, or to take data from a database. But based on the facts discussed in the indictment and the news stories, it doesn't seem that Drew had the intent to obtain information from her victim. Her apparent goal was to harass her victim and to cause emotional distress, not to obtain information from her. That may not make it morally or ethically any less objectionable; indeed, perhaps it is more so. But the statute wasn't violated unless Drew was acting to try to obtain information, and it doesn't seem like that was her intent.

Daniel Solove, on the other hand, has some doubts:

"I'm not so sure I agree. The news accounts I read about the case indicated that one of Drew's primary motivations for creating the fake profile was to learn information from Megan Meier. She wanted to know information from Megan that pertained to her own daughter, who was a classmate of Megan's. The harassing came later on." I haven't read the news reports closely, so maybe we'll have to wait and see how the facts unfold on the third issue.
