Anti-Social Networking

Anti-Social Networking
Mark Rasch, 2008-05-22

Story continued from Page 1

Social networking sites like MySpace and Facebook have gone to great efforts to try to protect the privacy and security of the services they offer, including reaching extensive agreements with state's attorneys general regarding policing of internal policies and protecting privacy. But in the case of MTM, the public outrage and outcry regarding the nature of Drew’s conduct sent prosecutors scrambling to find something, anything, that they could prosecute her for.

It was the paucity of relevant laws that lead the United States Attorney’s Office in Missouri, where the harassment occurred, to decline prosecution. Based upon the fact that MySpace’s servers are located in California, prosecutors in Los Angeles picked up the baton, and forged ahead with a prosecution for computer crime and conspiracy to commit computer crime.

Computer, crimes and misdemeanors

The Federal Computer Crime Statute, 18 USC 1030(a)(2)(c), makes it a crime to, in interstate commerce,

intentionally access a computer without authorization or exceed authorized access, and thereby obtain information from any protected computer.

The crime is a misdemeanor unless it is committed "in furtherance of any . . . tortious act in violation of the . . . laws of the United States or of any State." While the infliction of severe emotional distress is generally considered "tortuous conduct," it may not violate the laws of the state. In some states, torts or "civil wrongs" like negligence, libel, defamation, or even trespass are defined by statute and could violate state laws. Indeed, Missouri implicitly recognizes a list of different torts by statute, including things like wrongful death, trespass and medical malpractice. However, the tort of "intentional infliction of severe emotional distress" in Missouri appears to be a creature of common law, not statute. Just as a breach of a contract can lead to liability but is not truly a "violation of the law" the intentional tort of intentional infliction of emotional distress may not be a "violation of the law" even if it is subject to a civil action recognized by law.

This may be moot, as the felony-misdemeanor dichotomy is an illusion: If you exceed authorization to access a computer and thereby obtain information, it’s a misdemeanor, but if you do so with in furtherance of any tort or crime, it’s a felony. But wait. Trespass, including computer trespass -- that is, exceeding authorization to access a computer -- is itself a tort. Not only that, but it’s also a violation of many state computer crime statutes. So if all you do is exceed the scope of authorization to access a computer, you immediately are committing a tortuous and criminal act, and therefore a felony. You trespass -- a misdemeanor -- with intent to trespass -- a tort or another misdemeanor -- and thereby commit a felony. Indeed, if you gain any information, this may constitute the tort of "conversion" -– taking the property, in this case information, of another. Obtaining information could also be larceny, once again transforming the misdemeanor into a felony.

If convicted on all counts, Drew could go to jail for as much as twenty years, but the Federal Sentencing Guidelines would dictate a sentence of between four and six and a half years, depending upon such factors as whether a court finds Drew’s conduct involved a "vulnerable victim," an "abuse of a position of trust or skill," the "the conscious or reckless risk of death or serious bodily injury," or an "an intent to obtain personal information."

Intentional Trespass?

There are several other ambiguities in the statute.

First, while it requires proof that Drew "intentionally accessed a computer without authorization" the law does not make it clear whether the word "intentionally" modifies both "access" and "without authorization." Thus, if Drew knew she was accessing the MySpace computer server in Beverly Hills, but did not know that she was exceeding her authorization -- because, say like 99 percent of all users, she never read the Terms of Service -- would she be guilty of a crime?

Under contract law, failing to read a contract that is "readily available" doesn’t excuse you from being bound to its terms, and it is probably for that reason that the government in its indictment alleges that the TOS are readily available. But does an unread TOS mean that the unauthorized access is therefore intentional? Using the physical trespass analogy, if I know I am entering the property of another, but don’t know that I am not allowed to, am I guilty? Under the common law of "trespass to land," no intent to commit a trespass was required. All that was necessary was that the act resulting in the trespass be volitional -- that he knew he was walking onto land, not that he knew it was the land of someone else. As a general rule, the conspicuous "posting" of no trespassing signs is sufficient to provide "constructive" notice, even if the alleged trespasser did not see the sign. For example, under Missouri law, criminal trespass in the First Degree -- a misdemeanor -- requires proof that the property was fenced in, that the trespasser knew that they weren’t permitted in, or that there was a "posting in a manner reasonably likely to come to the attention of intruders" -– including apparently just putting a purple slash on a tree. Criminal trespass in the Second Degree -- a $200 fine -- is a crime of "absolute liability."

Story continued on Page 3

Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."