The Drew Verdict Makes Us All Hackers

The government argued that Drew, together with her daughter and a post-adolescent employee, created a fictitious MySpace user account in the name of a 16-year-old boy, and used that account not only to obtain information about the girl, but ultimately to "intentionally inflict severe emotional distress," the indictment charges.

However, the jury didn’t buy it. They rejected the government’s argument about motive, noting to at least one reporter that there was no evidence that the messages Drew sent through MySpace were malicious. However, the jury did convict Drew of electronic trespass — that is, hacking.

What is left of the government’s theory is that, if you violate the terms-of-service of any online agreement, you are using the services in excess of your authorization. While the risks of an actual criminal prosecution may be minimal, from a legal perspective the precedent is disastrous.  For example, the Google TOS expressly says that you have to have the capacity to contract before you can use the service: Thus, a 16-year-old boy who does a Google search technically violates the TOS and commits a crime. What is worse is that, if I am asked for legal advice, I would have to say that it is technically a crime, but that you would be unlikely to be prosecuted.

This undoubtedly will have a chilling effect on all kinds of conduct that should be permitted even though it is technically in violation of some provision of a terms-of-service agreement.

A legal pretzel

When the Federal Computer Fraud and Abuse Act, 18 USC 1030 was drafted in the early 1980s, it was intended to fix a loophole in the law.

If a person "broke in" to a house, an office, a store, or some physical place, they could be convicted of criminal trespass. If they did so with the intent to commit some crime, they could be convicted of a more serious crime — say, for example, burglary.  But there was no similar crime for breaking in to a computer, computer system, or computer network. Hence, the new statute.

Originally, the statute distinguished between breaking in (accessing without authorization) and stealing something (obtaining certain kinds of protected information), recognizing that not all kinds of information should be protected under federal criminal law.

Over the years however, the requirements of the statute were progressively weakened.  Accessing a computer without authorization — never a particularly well-defined concept to begin with — morphed into the even more ambiguous "exceeding the scope of authorization" to access a computer. Instead of protecting certain classes of information — such as financial transaction or classified secrets — the statute now permits prosecution of people who obtained any kind of information, including publicly available information.

Moreover, the misdemeanor provisions of the federal law now make it a crime to, in interstate commerce, intentionally exceed authorized access to a computer and thereby obtain information.

Essentially, the new statute took vague, ambiguous, and undefined concepts of authorization, access, computer, and information, and made them even more convoluted. It vests in the prosecutor and the jury the sole discretion about whether or not a particular action constitutes a crime.

Felonies and misdemeanors

Had the jury been convinced that the government had proven that Lori Drew intended to commit some crime or tort in creating the fictitious account, then a felony conviction would have at least been understandable.  The jury wanted to "punish" Drew.

The problem is that the jury stated that they were not convinced that Drew had intent to commit any crime or tort.  Lori Drew was ultimately convicted only of having exceeded the scope of her permission to use the MySpace account by violating the MySpace’s terms-of-service agreement. They were likewise not persuaded that Drew hadn’t "intentionally" exceeded the scope of her authorization, because she never saw the terms-of-service. One juror commented to Wired News that "I always read the terms of service … If you choose to be lazy and not go though that entire agreement or contract of agreement then absolutely you should be held liable."

So what we are left with is a plain vanilla breach of contract case leading to incarceration. This is made all the worse by the fact that, unlike the Drew juror claims, most of us either do not read or do not strictly comply with the terms-of-service agreement, which are written by lawyers to both protect the website or hosting service or, at a minimum, to limit their liability.  Thus, things like allowing your children to do a Google search violates criminal law. Using a work computer for a non-business purpose may be grounds not only for dismissal, but also for incarceration, even if no harm results.

The same concept has been repeatedly used in civil lawsuits claiming that a breach of a terms of service constitutes a "trespass to chattels." Thus, a corporate website which says something like "by using this website, you agree never to criticize this company" would not only open someone to breach of contract liability, but also to trespass prosecution.

Of course, the federal criminal law does have an exception. It permits authorized law enforcement or intelligence activities, so that the cops can lie. Entities like Perverted Justice, which pose as adolescents online to lure child predators would be repeat criminals themselves.  Children who themselves lie about their identities to ward off predators would similarly be subject to prosecution.

While the threat of actual criminal prosecution for any of these terms-of-service breaches is small, if you were to ask me — based on the Drew case — whether any of these actions were "legal," I would have to answer "no."

While we clearly do not want to encourage or reward irresponsible and malicious conduct like that Drew alleged committed, we similarly do not want to criminalize essentially innocent conduct, which is for what she was convicted.  This would have a chilling effect on a range of otherwise permissible behavior.

The trial judge has the option to dismiss the charges — either on factual or legal grounds.  Factually, there is scant evidence that Drew personally created the fictitious account or read — or had the opportunity to read — the terms-of-service agreement she is convicted of violating. For the judge to overturn the verdict from a legal standpoint, he would have to conclude that merely exceeding the scope of a terms-of-service agreement does not itself constitute a violation of a statute which makes it a misdemeanor to, in interstate commerce, "intentionally exceed authorized access to a computer and thereby obtain information."

We make lots of things crimes in this country. Spitting on the sidewalk, jaywalking, and even double parking.  Let’s not add breach of terms-of-service agreements to the mix.


http://www.securityfocus.com/columnists/489?ref=rss

Leave a Reply

Your email address will not be published. Required fields are marked *

Show some support!

We are 100% Listener & User supported!! Every little bit helps us continue. Donations help fund the site and keep all the free information on it. Thanks in advance and KEEP UP THE FIGHT!!!

Visitor Map

Subscribe For New Posts & Updates

Enter your email address to subscribe to FederalJack and Popeyeradio and you will receive notifications of new posts by email.

News Categories
The Wigner Effect
Col. L Fletcher Prouty: Secret Team