We were away last week, achieving an unqualified victory in a case brought by the Antitrust Division. But while we were gone, Lori Drew got convicted of three criminal counts of accessing a computer without authorization. Drew is the mom who was accused of harassing a teenaged girl over the Internet to the point where the girl committed suicide.
The underlying statute, the Computer Fraud and Abuse Act, is a federal law intended to prevent hacking. Drew created a fictitious MySpace account, which was used to harass the girl. In doing so, Drew violated MySpace’s terms of service, though she apparently never read them. By violating the terms of service, Drew got unauthorized access to MySpace’s servers, and the prosecution went out on a limb to argue that this technically violated the CFAA.
But does it really?
Plenty of pundits are now doubting that the verdict will survive an appeal. Congress clearly intended the law to criminalize hacking into someone else’s computer. That’s different from creating a fictitious screen name — a very common and socially acceptable occurrence.
Terms of service are conditions imposed by websites which govern permissible use, and which almost always prescribe penalties that may be imposed for violations. These penalties normally range from warnings and temporary disabling of access, to permanent denial of access. The relationship is essentially contractual.
But if the prosecution’s theory is upheld on appeal, then breaching such conditions would have criminal consequences.
Criminalizing this kind of behavior isn’t exactly far-fetched. Crime is essentially that behavior which society considers so threatening that the guilty must be punished with a restriction on liberty or a loss of property. The existence of a civil remedy does not preclude something from being criminal — a thief is civilly liable to return what he stole, but still faces jail regardless. And there may be something to an argument for criminalizing the false personas on social networking sites frequented by minors, to protect society from predators.
But that’s clearly not what Congress was trying to do here. Furthermore, the prosecution’s stretched interpretation is just too overbroad. Rather than being narrowly tailored to focus on those who violate the TOS of a child-used site for the purpose of committing a nefarious or dangerous crime, the prosecution’s theory simply criminalizes all violations of any site’s TOS agreement. A court of appeals is likely to find that an improper application of the law.