On May 15, Lori Drew, a 49- year-old woman from Missouri, was indicted by a Los Angeles federal grand jury for using a MySpace account to torment and harass a 13-year-old girl who, as a result, committed suicide. The indictment alleges that Drew and other unnamed co-conspirators violated MySpace’s terms of service (TOS) by creating a MySpace account using the alias “Josh Evans.” As the fictitious Josh Evans, a 16-yearold boy, Drew initiated and fostered an online relationship with the juvenile girl, a former friend of Drew’s daughter identified in the indictment as M.T.M. About four weeks into this online relationship, Drew sent M.T.M. a message stating “in substance, that the world would be a better place without M.T.M in it.” On that same day, the young girl hanged herself. Drew was charged with violating the federal Computer Fraud and Abuse Act (CFAA).
The press reports on this indictment almost universally questioned the propriety of using the CFAA as the basis for this prosecution. The New York Times proclaimed that “Experts were skeptical that the charges would withstand close legal scrutiny,” citing a former federal prosecutor who said she was “not sure this statute technically covers the essence of the harm.” The Associated Press carried a story quoting another former prosecutor, who claimed that this use of the CFAA raised “constitutional issues related to speech and due process” and failure to provide “adequate notice” that “using an alias online is criminal.” While there is no way to predict the ultimate success of this prosecution, all of these shoot-from-the-hip criticisms overlook the plain language of the statute and the well-established federal law interpreting it. The media coverage also failed to credit MySpace’s TOS as a model of good corporate citizenship, which should be emulated by other companies that sponsor public Web sites.
While this may be the first prosecution under the CFAA for cyberbullying, the statute neatly fits the facts of this crime. Drew is charged with violating ßß 1030(a)(2)(C), (c)(2)(B)(2) of the CFAA, which make it a felony punishable up to five years imprisonment, if one “intentionally accesses a computer without authorization…, and thereby obtains… information from any protected computer if the conduct involved an interstate… communication” and “the offense was committed in furtherance of any…tortious act [in this case intentional infliction of emotional distress] in violation of the…laws…of any State.”
There is no question that the MySpace network is a “protected” computer as that term is defined by the statute. Indeed, “[e]very cell phone and cell tower is a ‘computer’ under this statute’s definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget.” U.S. v. Mitra, 405 F.3d 492, 495 (8th Cir. 2005). There is also no question that a violation of MySpace’s TOS provides a valid predicate for proving that the defendant acted “without authorization.” What the commentators ignored in their critique of this indictment is that the “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). A company “can easily spell out explicitly what is forbidden.” Id. at 63. Thus, companies have the right to post what are in effect “No Trespassing” signs that can form the basis for a criminal prosecution.
Violating the terms of service.
As the indictment charged, “only conduct consistent with the MySpace TOS was authorized.” Users first had to agree to the TOS before they could become MySpace members and gain access to its content and services. Thus, they had to agree to “provide truthful and accurate registration information,” and to “refrain from” the following: “using any information obtained from MySpace services to harass, abuse, or harm other people,” “soliciting personal information from anyone under 18,” “promoting information that they knew was false or misleading” and “promoting conduct that was abusive, threatening, obscene, defamatory, or libelous.” Lack of authorization under the CFAA can clearly be established through the breach of such an agreement. U.S. v. Phillips, 477 F.3d 215, 220 (5th Cir. 2007); EF Cultural Travel, 274 F.3d at 583-84.
MySpace’s TOS should be emulated by other companies. There is no question that what Drew is alleged to have done in the indictment- tormenting, harassing, embarrassing and humiliating a 13-year- old girl, causing her to kill herself-is criminal. What the commentators failed to recognize is that the CFAA clearly outlaws such criminal activity. One way Web site sponsors can protect the public is to do what MySpace did with comprehensive terms of service that can be enforced through the CFAA. Although terms of service are usually used to protect a company’s competitive position by limiting a user’s scope of access to the Web site, the Drew indictment should be a wake-up call to all companies to check whether their Web site’s terms of service are sufficient to protect their customers and themselves.