Last month, Lori Drew the middle-aged Missouri mother who participated in a plan to deceive a 13-year-old girl that ultimately led to the girl's suicide was convicted by a Los Angeles federal jury of several misdemeanor counts of unauthorized access to MySpace's computers.
The ultimate verdict was perhaps the worst possible outcome, from both a legal and a social standpoint. The final ruling could pose a genuine threat of widespread civil and criminal litigation against almost everyone, especially security researchers and white-hat hackers.
The government argued that Drew, together with her daughter and a post-adolescent employee, created a fictitious MySpace user account in the name of a 16-year-old boy, and used that account not only to obtain information about the girl, but ultimately to "intentionally inflict severe emotional distress," the indictment charges.
However, the jury didn't buy it. They rejected the government's argument about motive, noting to at least one reporter that there was no evidence that the messages Drew sent through MySpace were malicious. However, the jury did convict Drew of electronic trespass — that is, hacking.
What is left of the government's theory is that, if you violate the terms-of-service of any online agreement, you are using the services in excess of your authorization. While the risks of an actual criminal prosecution may be minimal, from a legal perspective the precedent is disastrous. For example, the Google TOS expressly says that you have to have the capacity to contract before you can use the service: Thus, a 16-year-old boy who does a Google search technically violates the TOS and commits a crime. What is worse is that, if I am asked for legal advice, I would have to say that it is technically a crime, but that you would be unlikely to be prosecuted.
This undoubtedly will have a chilling effect on all kinds of conduct that should be permitted even though it is technically in violation of some provision of a terms-of-service agreement.
A legal pretzel
When the Federal Computer Fraud and Abuse Act, 18 USC 1030 was drafted in the early 1980s, it was intended to fix a loophole in the law.
If a person "broke in" to a house, an office, a store, or some physical place, they could be convicted of criminal trespass. If they did so with the intent to commit some crime, they could be convicted of a more serious crime — say, for example, burglary. But there was no similar crime for breaking in to a computer, computer system, or computer network. Hence, the new statute.
Originally, the statute distinguished between breaking in (accessing without authorization) and stealing something (obtaining certain kinds of protected information), recognizing that not all kinds of information should be protected under federal criminal law.
Over the years however, the requirements of the statute were progressively weakened. Accessing a computer without authorization — never a particularly well-defined concept to begin with — morphed into the even more ambiguous "exceeding the scope of authorization" to access a computer. Instead of protecting certain classes of information — such as financial transaction or classified secrets — the statute now permits prosecution of people who obtained any kind of information, including publicly available information.
Moreover, the misdemeanor provisions of the federal law now make it a crime to, in interstate commerce, intentionally exceed authorized access to a computer and thereby obtain information.
Essentially, the new statute took vague, ambiguous, and undefined concepts of authorization, access, computer, and information, and made them even more convoluted. It vests in the prosecutor and the jury the sole discretion about whether or not a particular action constitutes a crime.
Felonies and misdemeanors
Had the jury been convinced that the government had proven that Lori Drew intended to commit some crime or tort in creating the fictitious account, then a felony conviction would have at least been understandable. The jury wanted to "punish" Drew.
The problem is that the jury stated that they were not convinced that Drew had intent to commit any crime or tort. Lori Drew was ultimately convicted only of having exceeded the scope of her permission to use the MySpace account by violating the MySpace's terms-of-service agreement. They were likewise not persuaded that Drew hadn't "intentionally" exceeded the scope of her authorization, because she never saw the terms-of-service. One juror commented to Wired News that "I always read the terms of service ... If you choose to be lazy and not go though that entire agreement or contract of agreement then absolutely you should be held liable."