If The Drew Fits, Charge It?

Originally posted on the Faculty Blog on November 11, 2008.

Being fascinated with both the use (and misuse) of technology and criminal law in general, I have been intently following the Lori Drew case. For those of you who haven’t, however, Drew is the Missouri mother who — as a response to some animus between 13-year-old Megan Meier and Drew’s daughter — created a false persona, “Josh Evans,” on Myspace to flirt with and gain the trust of Meier, then insulted and demeaned her to the point where Meier committed suicide. Missouri state officials reviewed the case, but felt that there was no appropriate state statute under which to bring charges against Drew; federal prosecutors in Missouri declined to charge the case for similar reasons. However, federal prosecutors in California (where Myspace’s servers are located) disagreed; claiming jurisdiction, they charged and were subsequently able to indict Drew under 18 U.S.C. § 1030, the Computer Fraud and Abuse Act (CFAA). Specifically, the U.S. Attorney’s Office in California is charging her with violating 18 U.S.C. § 1030 (a)(2)(C), which makes it a crime for anyone to

intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] . . . information from any protected computer if the conduct involved an interstate or foreign communication.

The indictment can be found here, if anyone is interested in reading it, but the gist of the argument that the AUSAs in California are making is that by giving fictitious profile information, Drew violated Myspace’s Terms of Service, thus “exceeding” the access authorized by Myspace. Then, as she used this fictitious profile to “obtain information” from Myspace’s servers — personal information about Megan, as best as I can tell — to commit the tort of infliction of emotional distress upon Meier, and since to access Myspace’s servers she was required to send packets of data across state lines, she met all the elements of the crime.

Let’s ignore for a moment the “packet hopping” argument; it’s absolutely ridiculous — since I could send an e-mail to a professor at this law school while sitting yards away from him or her and have the packets cross state lines — but it’s a well-accepted way of establishing interstate communication, and in this case the servers were in a different state than Drew anyway. I’d also be willing to concede the “obtaining information” point, though I’d note that I really haven’t seen anything in the published e-mails between the two accounts that suggest any information was obtained that wasn’t immediately obvious to Drew, given that she lived only a few houses up the street from Meier and that the Meier and Drew families were good friends before this incident. Let’s even ignore the fact that the legislative intent of the CFAA was, quite simply, to criminalize hacking into servers to get information the server owners didn’t want a person to have; in fact, the vast majority of cases prosecuted under the CFAA involve exactly that.

But stop and think for a moment about the accusation that Lori Drew exceeded her authorized access of Myspace’s servers by violating its Terms of Service. Or, more accurately, think about the ramifications of the precedent set if the court allows this argument to carry the day. Does that put an end to Dateline NBC’s “To Catch A Predator” series, since the watchdog organization that carries on the chats (Perverted Justice) creates underage profiles and waits for the pedophiles to engage them? For that matter, what about the police stings in which officers have done the same thing? What about the recent Craigslist prostitution stings by the Milwaukee Police Department? And it’s not just deliberate decoy situations that this causes problems for. Marquette’s IT Acceptable Use Policy states that users may not

Send email chain letters or mass mailings for purposes other than official university business.

Engage in activities that harass, degrade, intimidate, demean, slander, defame, interfere with, or threaten others.

Hence, when someone sent a Republican friend of mine a chain letter mocking McCain, and he responded “I’m a diehard Republican, you idiot,” both the sender and the recipient violated the CFAA based on the arguments set forth by the AUSAs in the Drew case; the sender did so by sending the chain letter, and the recipient did so by demeaning the sender in his response. Another friend of mine placed a fake personal ad on Craigslist as a joke, to which she received half a dozen e-mails from local guys infatuated with her based on her (fake) photo. Some gave names, heights, weights, hobbies, etc. Should she be prosecuted? What about anyone who rounds down their weight in an instant message conversation with someone they like? At what point does the slippery slope end?

Let’s be clear for a moment: I find what Lori Drew did to be reprehensible. I don’t know if there’s enough here to warrant a wrongful death suit on behalf of Megan Meier, but I’d certainly support one if it came. But this prosecution under the CFAA reeks of desperation, a spaghetti approach (i.e., “throw everything against the wall and see what sticks”) to prosecution. It’s a crime that doesn’t address anything about the tragic suicide of Meier; in fact, it can’t, as the court ruled today, because evidence of the suicide has nothing to do with the crime charged and is unquestionably prejudicial. It’s time for the AUSAs in California to recognize what the people of Missouri did from the beginning: this was a horrible act, but one that was legal at the time it occurred. The way to keep Megan Meier from having died in vain isn’t to prosecute her offender under anything you can think of, but rather to close the loopholes by passing legislation criminalizing cyberbullying, which Missouri did this past July. To do anything but that is to sacrifice the principles of our criminal justice system for the sake of righting a perceived wrong.