Legal experts wary of MySpace hacking charges
'We are all felons if this flies'
On October 16, 2006, 13-year-old Megan Meier fled from her family's computer, distraught over the cutting comments of her supposed "friends" on MySpace. Twenty minutes later, the troubled teen was dead; she had hung herself in her closet.
The story, widely reported, garnered the girl's family widespread sympathy on the Internet. The twist that Lori Drew, a 47-year-old neighbor and mother of a former friend of Megan's, had allegedly created the fake persona of a 16-year-old boy to befriend and later torment the girl brought outrage. Yet, state investigators could not find a law under which Drew could be charged.
More than a year and a half later, federal prosecutors finally have their case. On Thursday, the US Attorney for the Central District of California announced that Lori Drew, now 49 years old, was indicted on conspiracy and hacking charges. The indictment charges Drew, a resident of O'Fallon, Missouri, with three counts of unauthorized access by violation of MySpace's terms of service and one count of conspiracy.
"This adult woman allegedly used the Internet to target a young teenage girl, with horrendous ramifications," US Attorney Thomas P. O' Brien said in a statement announcing the indictment. "After a thorough investigation, we have charged Ms. Drew with criminally accessing MySpace and violating rules established to protect young, vulnerable people. Any adult who uses the Internet or a social gathering website to bully or harass another person, particularly a young teenage girl, needs to realize that their actions can have serious consequences."
Yet, legal experts argue that charging a person for violating computer-crime statutes because they broke the terms-of-service agreement of an online site could lead to the ability to charge nearly anyone with computer crime. Using residential broadband for business purposes? A violation of the terms of service and, thus, potentially a crime. Checking sports sites while at work? A violation of corporate policy and, thus, potentially a crime.
"'Hard cases make bad law' is an axiom in the legal world," said Mark Rasch, managing director of enterprise-services firm FTI Consulting and a former U.S. prosecutor. "This is a case where people have seen bad conduct and have said there must be something we can do, but if prosecution of this case is successful, every pseudonym and every minor violation of the terms of service becomes a computer crime."
According to the indictment, Drew and others allegedly conspired to violate MySpace's terms of service and intentionally inflict emotional distress on Megan, identified only as MTM in the court documents. The indictment alleges that Drew obtained a MySpace account under a fictitious name, used the account to garner information from a juvenile, and used that information to torment, humiliate and harass that member -- all violations of the social-networking site's terms of service.
While the US Attorney's office refused interview requests, a spokesperson said that the harm done to Megan is key to the case. Known as a "tortious act," the legal argument is generally the basis for civil lawsuits, but can be used as the basis of criminal prosecution. In this case, the tortious act elevates the unauthorized access charges from misdemeanors to felonies, FTI's Rasch said.
Yet, legal experts argue that, by trying to do right by Megan, U.S. prosecutors are doing the wrong thing.
At the center of the debate is the meaning of what is "unauthorized access," Orin Kerr, professor of law at George Washington University, said in an analysis of the indictment.
"The federal statute ... generally prohibits accessing a computer 'without authorization' or 'exceeding authorized access.' But what makes an access 'without authorization'?" Kerr stated. "If the computer owner says that you can only access the computer if you are left-handed, or if you agree to be nice, are you committing a crime if you use the computer and are nasty or you are right-handed?"
The indictment offers no guidance as to what type of violation might prod prosecutors to action, added John Morris, general counsel for the Center for Democracy and Technology, a Washington D.C.-based policy group.
"There is nothing in the indictment that differentiates between what is a serious violation of the terms of service and a trivial violation of the terms of service," Morris told SecurityFocus. "I would bet that the majority of U.S. Internet users have committed a federal crime, if the charges in this indictment are upheld."
While courts have upheld the enforceability of some terms-of-service and click-wrap agreements, many online click-to-agree contracts - especially those that accompany spyware - have not been found valid. Consumer studies have also found that people rarely read end-user license agreements (EULAs), privacy agreements and terms of service. For example, one study by the Helsinki University of Technology (pdf) found that less than 2 percent of users actually read through a software agreement while two-thirds of users rarely read such agreements.
Making a violation of such agreements a crime would allow prosecutors the ability to investigate nearly any Internet user, Scott Greenfield, a criminal defense attorney, stated in an online analysis.
"Violating a website's 'TOS' is carte blanche to an imaginative prosecutor," Greenfield said. "We are all felons if this flies."
Attorneys interviewed for this article believed that the charges in the indictment will be dismissed. GWU's Kerr described at least two major hurdles for the government's case: a great many people regularly violate terms-of-service agreements and the defendant Drew likely did not set out to violate the TOS.
In his own brief analysis, Daniel Solove, an associate law professor, also at GWU, agreed that the government's case will be difficult to argue.
"While Drew's (alleged) conduct is immoral, it is a very big stretch to call it illegal," Solove said.
A call to Drew's attorney, H. Dean Stewart, requesting an interview was not returned.
This article originally appeared in Security Focus.
Copyright © 2008, SecurityFocus