In their eagerness to visit justice on a 49-year-old woman involved in the Megan Meier MySpace suicide tragedy, federal prosecutors in Los Angeles are resorting to a novel and dangerous interpretation of a decades-old computer crime law – potentially making a felon out of anybody who violates the terms of service of any website, experts say.

Lori Drew is charged with violating the Computer Fraud and Abuse Act"This is a novel and extreme reading of what [the law] prohibits," says Jennifer Granick, civil liberties director at the Electronic Frontier Foundation. "To say that you're violating a criminal law by registering to speak under a false name is highly problematic. It's probably an unconstitutional reading of the statute."

Lori Drew, of O'Fallon, Missouri, is charged (.pdf) with one count of conspiracy and three violations of the anti-hacking Computer Fraud and Abuse Act, in a case involving cyberbullying through a fake MySpace profile.

Drew is one of three people who helped set up and maintain a phony MySpace account in 2006 under the identity of a nonexistent 16-year-old boy named Josh Evans. The Evans account was used to flirt with and befriend 13-year-old Megan Meier, who'd had a falling-out with Drew's daughter.

The fake "Josh" ultimately turned on Meier and told the girl that the world would be a better place without her. Meier already suffered from clinical depression, and shortly after that final message she hanged herself in her bedroom.

A nationwide community backlash ensued, after a news story published last year revealed Drew's role in the cyberbullying, and pressure was placed on Missouri authorities to charge Drew with a crime. But after investigating the incident, local prosecutors concluded last December that they could find no law under which to charge Drew.

That's when federal prosecutors began working to build a case – a difficult task, given that there is no federal law against cyberbullying. On Thursday, the U.S. Attorney's Office in Los Angeles unveiled its solution by charging Drew with "unauthorized access" to MySpace's computers, for allegedly violating the site's terms of service.

MySpace's user agreement requires registrants, among other things, to provide factual information about themselves and to refrain from soliciting personal information from minors or using information obtained from MySpace services to harass or harm other people. By allegedly violating that click-to-agree contract, Drew committed the same crime as any hacker.

That sets a potentially troubling precedent, given that terms-of-service agreements sometimes contain onerous provisions, and are rarely read by users.

"Empowering terms of use to be key pieces of evidence in criminal matters – when terms of use are generally thought of by the people who are entering into them as purely contract or civil matters – is something that should be done carefully," says Andrea Matwyshyn, law professor at the University of Pennsylvania's Wharton Business

School. "I think you're going to have strong disagreement as to whether this is an advisable course to take."

In a statement, MySpace says it supports the prosecution.

"MySpace does not tolerate cyberbullying and is cooperating fully with the U.S. attorney in this matter," a company spokeswoman said. The company declined to say what the precedent would mean for otherwise innocent users who, for example, misstate their age or ZIP code when setting up their MySpace profiles.

"Theoretically, it applies to any use of a service in violation of the terms of service," says EFF's Granick, who says the impact of the Drew prosecution could be far-reaching.

By way of example, Granick notes that some terms-of-use contracts prohibit users from making negative comments about the company. "If you write on a blog something disparaging about that company, are you in violation of criminal law?"

Other contracts have prohibited visitors to a website from linking to that site.

Matwyshyn says the Drew case is an especially creative use of the Computer Fraud and Abuse Act, given that the aggrieved party in this case is not really MySpace, the putative victim, but Meier.

The case is being prosecuted only because there is so much pressure to see justice done in the Meier tragedy, but existing law doesn't provide an immediate solution, she says.

Matwyshyn says she understands the impulse, but is concerned that if successfully prosecuted the case could set a bad precedent for turning breach-of-contract civil cases into criminal ones.

"Terms of use have been progressively getting more Draconian and restrictive," she notes. "So as these provisions get drafted and users agree to them, we may find ourselves in a situation where a company that drafts one may try to leverage this kind of case law to take a breach-of-contract action and turn it into a computer-intrusion [case]."

Granick agrees. "The real problem is that something tragic happened, but the harm that occurred doesn't have anything to do with the way they've charged the offense," she says.

"Normally you charge tax evasion because someone didn't pay taxes," says Granick. "Or you charge a computer intrusion because someone broke into a computer.... By overreaching legally the indictment makes some very extreme leaps."

When asked if this is the kind of case Granick would want to litigate, she said, "If [Drew] calls me I'd be very interested in talking with her about this case. I think there is such an extreme reading here, and I do think it's dangerously flawed for other cases. I think it's scary and it's wrong and something should be done about it."

See Also: