Posts Tagged ‘hacking’

MySpace Judge Agrees with Us

Friday, July 3rd, 2009

 

Remember the Lori Drew case? She’s the mom who was convicted last Thanksgiving for creating a fake MySpace persona, which she then used to harass a teenaged girl until the girl committed suicide.

After she was convicted, we argued that her conviction stretched the meaning of the statute too far. Here’s what we wrote:

The underlying statute, the Computer Fraud and Abuse Act, is a federal law intended to prevent hacking. Drew created a fictitious MySpace account, which was used to harass the girl. In doing so, Drew violated MySpace’s terms of service, though she apparently never read them. By violating the terms of service, Drew got unauthorized access to MySpace’s servers, and the prosecution went out on a limb to argue that this technically violated the CFAA.

But does it really?

Plenty of pundits are now doubting that the verdict will survive an appeal. Congress clearly intended the law to criminalize hacking into someone else’s computer. That’s different from creating a fictitious screen name — a very common and socially acceptable occurrence.

Terms of service are conditions imposed by websites which govern permissible use, and which almost always prescribe penalties that may be imposed for violations. These penalties normally range from warnings and temporary disabling of access, to permanent denial of access. The relationship is essentially contractual.

But if the prosecution’s theory is upheld on appeal, then breaching such conditions would have criminal consequences.

Criminalizing this kind of behavior isn’t exactly far-fetched. Crime is essentially that behavior which society considers so threatening that the guilty must be punished with a restriction on liberty or a loss of property. The existence of a civil remedy does not preclude something from being criminal — a thief is civilly liable to return what he stole, but still faces jail regardless. And there may be something to an argument for criminalizing the false personas on social networking sites frequented by minors, to protect society from predators.

But that’s clearly not what Congress was trying to do here. Furthermore, the prosecution’s stretched interpretation is just too overbroad. Rather than being narrowly tailored to focus on those who violate the TOS of a child-used site for the purpose of committing a nefarious or dangerous crime, the prosecution’s theory simply criminalizes all violations of any site’s TOS agreement. A court of appeals is likely to find that an improper application of the law.

Lori Drew was scheduled to be sentenced today. (Well, technically yesterday. Thursday. We’re still working, so it’s still Thursday to us.)

But she wasn’t sentenced. Instead, Judge Wu threw out her conviction. According to CNN, he refused to uphold the jury’s verdict because the guilty verdict would set a bad precedent that anyone who violates a site’s TOS could also be found guilty of a misdemeanor. Criminalizing all violations of a site’s TOS agreement is not what the law is designed to do. Because it technically allows such improper application of the law, it is probably unconstitutional for vagueness.

This was just an oral decision. Wu is expected to issue his written decision soon.

Great minds think alike!

MySpace Conviction Probably Exceeded Scope of Law

Tuesday, December 2nd, 2008

 

We were away last week, achieving an unqualified victory in a case brought by the Antitrust Division. But while we were gone, Lori Drew got convicted of three criminal counts of accessing a computer without authorization. Drew is the mom who was accused of harassing a teenaged girl over the Internet to the point where the girl committed suicide.

The underlying statute, the Computer Fraud and Abuse Act, is a federal law intended to prevent hacking. Drew created a fictitious MySpace account, which was used to harass the girl. In doing so, Drew violated MySpace’s terms of service, though she apparently never read them. By violating the terms of service, Drew got unauthorized access to MySpace’s servers, and the prosecution went out on a limb to argue that this technically violated the CFAA.

But does it really?

Plenty of pundits are now doubting that the verdict will survive an appeal. Congress clearly intended the law to criminalize hacking into someone else’s computer. That’s different from creating a fictitious screen name — a very common and socially acceptable occurrence.

Terms of service are conditions imposed by websites which govern permissible use, and which almost always prescribe penalties that may be imposed for violations. These penalties normally range from warnings and temporary disabling of access, to permanent denial of access. The relationship is essentially contractual.

But if the prosecution’s theory is upheld on appeal, then breaching such conditions would have criminal consequences.

Criminalizing this kind of behavior isn’t exactly far-fetched. Crime is essentially that behavior which society considers so threatening that the guilty must be punished with a restriction on liberty or a loss of property. The existence of a civil remedy does not preclude something from being criminal — a thief is civilly liable to return what he stole, but still faces jail regardless. And there may be something to an argument for criminalizing the false personas on social networking sites frequented by minors, to protect society from predators.

But that’s clearly not what Congress was trying to do here. Furthermore, the prosecution’s stretched interpretation is just too overbroad. Rather than being narrowly tailored to focus on those who violate the TOS of a child-used site for the purpose of committing a nefarious or dangerous crime, the prosecution’s theory simply criminalizes all violations of any site’s TOS agreement. A court of appeals is likely to find that an improper application of the law.

Will Internet Anonymity Be the Next Federal Crime?

Wednesday, November 19th, 2008

anonymous-blogger.png

Jury selection began today in what many are calling a landmark trial in the new field of Internet law. As the first case of its kind, U.S. v. Lori Drew could have a far-reaching impact on the future of anonymity on the web.

Lori Drew faces federal counts of Conspiracy and of Accessing Computers Without Authorization. Drew is charged with creating a false Internet identity on the social networking site MySpace, posing as a teenage boy. Prosecutors say she then used that false identity to befriend a depressed 13-year-old girl, a former friend of Drew’s daughter, and then began to harass the girl with hurtful messages. The girl hanged herself after allegedly receiving the messages, including one telling her that “the world would be a better place without you.”

Although Drew is not charged with the girl’s death, U.S. District Judge George Wu ruled last Friday that evidence of the girl’s suicide could be introduced by prosecutors. He stated that any prejudice would not be unfair, because the fact that the girl committed suicide is common knowledge, and jurors would be instructed that Drew is not charged with causing the suicide. Although the events took place in Missouri, the trial is being held in Los Angeles, where the MySpace servers are located.

The case is being closely watched, as Drew is being prosecuted under a law normally used to target computer hackers, and expanding the reach of the law could create criminal liability for many.

The Computer Fraud and Abuse Act prohibits accessing protected computers without authorization. The prosecution seeks to expand the scope of this prohibition, to include violating the terms of service of a website that prohibits people from misrepresenting their identity through false accounts.

Using a false name to register with a website is commonplace. Anonymity is sought for a variety of reasons, most of them socially acceptable. Reasons range from fears of identity theft, protection from predators, avoiding spammers and scammers, and other justifiable concerns in this high-tech age. There are malicious reasons, too, such as concealing the identity of individuals committing crimes online.

The jurors being selected today will be asked to determine whether violating MySpace terms of service, by registering a false user profile, is a federal crime. They may well do so, especially now that they will hear that this particular false profile was allegedly used to harass a young girl to the point where she committed suicide.

Feel free to comment to this post anonymously or under a false name. It does not violate The Criminal Lawyer’s terms of service.