By Vera Ranieri – Edited by Amanda Rice
United States v. Drew, No. CR 08-0582-GW (C.D. Cal. Aug. 28, 2009)
Opinion

On August 28, 2009, Judge Wu of the Central District of California released a written opinion outlining his reasons for granting Lori Drew’s FRCP 29(c) motion for a post-verdict acquittal, a decision he had initially announced in early July. Judge Wu’s decision overturned the jury’s conviction of Lori Drew for violating the Computer Fraud and Abuse Act (”CFAA”) by breaching the MySpace Terms of Service (”ToS”).

Ars Technica and Wired summarize the case. Eric Goldman provides a thoughtful analysis of the case, characterizing it as “a good jurisprudential development” while criticizing its lack of clarity.

The Government claimed that Drew violated MySpace’s ToS when she created a profile under a fictitious persona, contrary to terms that required her to submit only truthful and accurate information. As a result, the jury found her guilty of “accessing a computer involved in interstate or foreign communication without authorization or in excess of authorization to obtain information in violation of Title 18.”

In overturning the misdemeanor conviction, Judge Wu found the CFAA unconstitutionally vague as applied to the facts presented. Judge Wu conducted a thorough analysis of the statutory language, policy implications, and constitutional requirements in reaching his decision. First, Judge Wu examined the language of the CFAA and found that Drew’s actions had potentially violated the CFAA. He found no legislative history indicating that the words of the statute were to be given special meaning to exclude ToS violations, and indeed found that website owners had legitimate reasons to exclude certain activity on their websites through contractual agreements.

However, Judge Wu found that these violations could not be criminal, as to do so would be unconstitutionally vague. He examined the CFAA as applied to determine whether it provided sufficient notice, and whether it set guidelines for law enforcement, as required to render a law not unconstitutionally vague. He found that the law as applied violated both of these tenets.

There were several reasons why Judge Wu found that the law lacked sufficient notice. First, Judge Wu noted that applying the CFAA this case would essentially criminalize breaches of contract. Because a breach of contract is not normally considered criminal on its own, a person would not expect such activity to render her a criminal.  Second, Judge Wu noted that the MySpace ToS contained many terms that were potentially violated daily by MySpace users. Accordingly, he found that the statute was “incredibly overbroad,” failing to give the government any direction on when to prosecute. Third, allowing the website owner to determine when access was “unauthorized” could itself lead to vagueness problems. Many websites, he noted, used terms that were undefined and subject to varying standards. For example, the definition of “unfair content” was unclear and subject to varying interpretations. Finally, he noted the conflicts that arose between terms of the contract under California law and criminalization under CFAA.

Judge Wu also found that the law was unconstitutionally vague due to the lack of guidelines provided to law enforcement officials. He recognized that criminalizing breaches of ToS would render a vast majority of the Internet using population criminals.

The Volokh Conspiracy author Orin Kerr, who helped represented the defense, notes the importance of this case in ensuring civil liberties on the Internet are not curbed. Many civil liberties organizations, including the Electronic Frontier Foundation and the Center for Democracy and Technology, believed that the application CFAA to Drew’s case would have substantially threatened common Internet activities.

Lori Drew “Cyberbullying” Conviction Thrown Out

The Los Angeles Times reports that on July 2nd, a federal judge dismissed the case against “cyberbully” Lori Drew, saying that the clear terms of the Computer Fraud and Abuse Act (CFAA) preclude a guilty verdict. The Lori Drew case received widespread media attention eight months ago when the 50 year-old mother was found guilty of “unauthorized computer access” under the CFFA for aiding her daughter in creating a fake MySpace account that led to another girl’s suicide. The guilty verdict was ardently criticized for criminalizing violations of websites’ terms of service, which few users actually read when creating accounts, essentially allowing websites to make their own law.

China’s Mandatory Client-Side Censoring Program Delayed

Only a day before the previously announced July 1st deadline, the Chinese government announced, through official news agency Xinhua, a delay in the requirement that PC makers pre-install a web-filtering program called “Green Dam Youth Escort.” The Wall Street Journal reports that the project is not abandoned, but merely delayed. Green Dam was first released several months ago as a pornography-filtering program and didn’t evolve into a requirement until the beginning of June, much to the chagrin of PC manufacturers. After the University of Michigan discovered serious security holes, which would open computers to remote code execution, PC manufacturers began to worry about liability issues and possibly acquiring reputations for supporting censorship. So far, only Sony has shipped computers with the software pre-installed in advance of the July 1st deadline.

Supreme Court Allows Remote Storage DVR

Ars Technica and Wired both report that the Supreme Court declined to hear a final appeal in the Cablevision DVR case on the final day of its term. The Second Circuit had allowed Cablevision to continue offering its customers a recording system that is different from traditional recording only in that it stores the customers’ recordings of copyrighted content remotely on Cablevision’s servers. Because the consumer maintains control over the recordings, rather than accessing an on-demand library provided by Cablevision, the court ruled that the recordings were still fair use. Television networks called the case the most important since the 1984 ruling that consumer VHS recording of copyrighted movies falls under fair use. The Supreme Court’s silence aligns with the filing by the Obama administration suggesting that this case was not the appropriate forum to “clarify” the legal issues of fair use.

Another Nesson-RIAA Continue to Clash over File-Sharing

As reported by Ars Technica, Harvard Law professor Charlie Nesson is once more facing off against the RIAA’s MediaSentry in the illegal file-sharing suit against Joel Tenenbaum. Tenenbaum, like Jammie Thomas-Rasset before him, is accused of sharing songs illegally on KaZaa. Nesson and his associates aim to try the same legal tactic that has failed them in the past, namely attempting to discredit the evidence brought by the RIAA as being gathered illegally. The high-profile cases, including controversial high damage awards and internal defense disputes, have been part of a larger attempt to establish solid legal precedent, or prompt a legislative solution, for future file-sharing disputes.

Lawsuit Against Brooks Brothers for Falsely Marketing Ties Dismissed

The 271 Patent Blog reports that on May 14, a district court granted Brooks Brothers’ motion to dismiss an action for false marketing. Pro se plaintiff Raymond Stauffer sued Brooks Brothers under section 292 of the Patent Act, which allows damages of “not more than $500″ for each false claim that unpatented items are protected by patent. Under the Act, damages are split between the plaintiff and the government. In Brooks Brothers’ case, the unpatented items were bow ties whose patents expired in 1956.  The district court granted the motion to dismiss based on a lack of “actual or imminent, not conjectural or hypothetical,” injury to the public from Brooks Brothers’ marketing claims.

Red Hat-Led Group Appeals Swiss Government’s Award of No-Bid Microsoft Contract

On May 21, Red Hat announced that a group of 18 technology companies filed an appeal with the Swiss Federal Administration Court. The appeal protests the Swiss government’s award of a three-year contract to Microsoft without a bidding process. eWeek explains that the Swiss Federal Bureau for Building and Logistics may award contracts without a bidding process when there is no adequate alternative available. The Red Hat-led group protested the assertion that no alternatives existed, pointing to many competing open source companies, some already used by the Swiss government. PCWorld discusses the rising strength of alternatives to Microsoft software.

Massachusetts Court Holds that TOS Violations Don’t Establish Probable Cause

The Electronic Frontier Foundation reports that on May 21, the Massachusetts Supreme Court granted defendant Riccardo Calixte’s motion to quash a search warrant that allowed police to seize the Boston College student’s computers and other devices. The court found no probable cause for the warrant, noting that violating a website’s terms of service (”TOS”) is not “obtaining computer services by fraud.” LinuxJournal provides a triumphant, but one-sided account of the decision. The issue of TOS violations recently received widespread media coverage in the Lori Drew “cyber-bullying” case, where a jury found that TOS violations can support criminal charges under the Computer Fraud and Abuse Act.

By Sharona Hakimi – Edited by Stephanie Weiner
A.V. v. iParadigms, L.L.C., April 16, 2009, No. 08-1424
Opinion

On April 16, the US Court of Appeals for the Fourth Circuit affirmed a summary judgment ruling by the US District Court for the Eastern District of Virginia, holding that archiving of student works by commercial plagiarism detection website TurnItIn.com is a “fair use” under the Copyright Act, and therefore does not violate the students’ copyrights in their work. Additionally, Circuit Judge Traxler remanded the case to lower court to reconsider the defendant’s counterclaim for monetary damages under the Computer Fraud and Abuse Act, 18 U.S.C. 1030, based on one plaintiff’s unauthorized access to the site.

The case arose when the plaintiffs were forced by their high school teachers to electronically submit their written work and assent to an online agreement with TurnItIn.com. The website compares student papers to a database of other essays to find instances of plagiarism. At issue was whether the website, operated by defendant iParadigms L.L.C., violated the students’ copyright rights to their work when it archived them for future comparison with other student works.

David Kravets of Wired summarizes the opinion. Nate Anderson, writer for Ars Technica (and a former teacher), analyzes the case and its potential revolutionary effects on education. A recent magazine interview with John M. Barrie, CEO of iParadigms, expresses Barrie’s goals for plagiarism detection services. A 2007 news article discusses the original filing of the case.

The Fourth Circuit held that TurnItIn’s use of the papers was “fair” under the exception provided in 17 U.S.C. § 504. The court considered each of § 504’s four factors, finding: 1) Commercial use can be fair use, and, citing Perfect 10 Inc. v. Amazon.com Inc., use can be transformative “in function or purpose without altering or actually adding to the original work.” TurnItIn transformed the work by using the papers to prevent plagiarism and not for factual knowledge; 2) The website’s use does not diminish or discourage the author’s creativity or supplant the students’ rights to first publication; 3) Using the entirety of the papers did not preclude fair use; and 4) TurnItIn’s use does not affect marketability.

Though the lower court also held that the use was legal because students entered into a binding agreement with TurnItIn.com by assenting to a “clickwrap” contract, the Court of Appeals declined to address that issue because the website was protected under fair use.

A more contentious holding in the case concerned the defendant’s counterclaim. iParadigm alleged that one student made an unauthorized access to TurnItIn.com in violation of the Computer Fraud and Abuse Act, 18 U.S.C. 1030, offering evidence that plaintiff A.V. submitted a work to the website as a student of a university he did not attend. Unaware that the plaintiff had found the username and password posted on the internet, iParadigms underwent an investigation, fearing a technical glitch in the TurnItIn system. iParadigms sued for loss of man-hours spent responding to this concern. While the District Court dismissed this counterclaim on the ground that any damages were merely “consequential,” the Fourth Circuit remanded the case for further investigation, finding consequential damages to be recoverable under CFAA.

Thomas O’Toole of E-Commerce and Tech-law critiques the decision on the counterclaim: “If mere fear about the possibility of a technical glitch can put a defendant on hook for a week’s worth of technical assistance, CFAA claims will become even more attractive.”

Thousands of educational institutions in about 90 countries use the California-based plagiarism detection service, and perhaps now that the service is protected under fair use, iParadigm’s Jim Barrie may be right that an educational “revolution” against cheating students is underway.

A federal jury convicted Lori Drew on November 26th on three of four misdemeanor counts of unauthorized computer access under the Computer Fraud and Abuse Act (”CFAA”), 18 U.S.C. § 1030, for violating the MySpace terms of service. Drew was acquitted of three felony counts of accessing computers without authorization to inflict emotional harm under the same act. The case has raised widespread objection to the use of criminal liability for violating website terms of service.

The case revolves around the 2006 suicide of 13-year-old Megan Meier following an argument she had on MySpace with “Josh Evans,” a fictional 16-year-old boy whose profile was created under the supervision of Lori Drew. During the 28 days that the account was active, “Josh” established an online relationship with Meier that ended with harsh words and the involvement of other MySpace users. Creation of the fictional account using false information was a violation of the MySpace terms of service, which served as the basis for the computer fraud charges. The prosecution argued, and the jury found, that Drew’s subsequent visits to the MySpace site, in violation of the terms of service, were “unauthorized access” under the terms of the CFAA. Critics point out that this is a very creative use of the CFAA, which is typically used to target hacking and trademark theft. This is the first time it has been used in this fashion.

The New York Times describes the trial outcome, building on an earlier piece from 2007 that gives more factual background on the events. Court documents for the case are hosted on Citizen Media Law Project.

Kim Zetter, at Wired: Threat Level, has covered the trial exhaustively, including the most recent revelation from Valentina Kunasz, the jury foreman that the jury would have convicted Drew on the felony charges if the prosecution had been able to introduce more evidence.

The jury found that Drew did not act with malicious intent; but it found that a violation of a website’s terms of service alone is a tortuous act, even if only done indirectly. Though she encouraged the creation and was present for 50% of the communications from “Josh Evans,” Drew did not create the fictional account. It was proposed and created by Ashley Grills, an 18-year-old former employee of Drew’s (who was granted immunity to testify for the prosecution), with Drew and her then 13-year-old daughter watching. Thus, many critics have pointed out, Drew was convicted of criminally violating a terms of service agreement that she never read or agreed to.

Previously, the violation of terms of service would have been entirely the realm of contract law. Groklaw has posted an amicus brief with extensive commentary on the potential ramifications of website authors having the power to “make criminal law” by writing terms of service that unwitting visitors may violate. Orin Kerr, a GW law professor and formal federal prosecutor, joined Drew’s defense team in order to combat what he considers a misuse of the CFAA. Kerr claims the verdict is “strikingly broad and can’t possibly be what Congress intended with the statute,” and has stated that it is unlikely to survive appellate review. Kerr, speaking on Volokh Conspiracy, illustrates the extent to which this ruling would expose almost all Internet users to criminal liability under the CFAA by changing the terms of service.

Drew’s defense attorney, H. Dean Steward, is waiting for presiding Judge George Wu to decide an outstanding motion for a directed acquittal before filing an appeal with the 9th U.S. Circuit Court. Drew must appear before the court again on December 29th, where she could face a maximum sentence of a year in jail and $100,000 for each of the three misdemeanor counts.

Drew is charged with conspiracy and with three counts of violating the Computer Fraud and Abuse Act (”CFAA”), 18 U.S.C. § 1030, after creating a fake MySpace account, purporting to be a teenaged boy.  Drew, along with others, contacted Meier through MySpace, befriending the girl and eventually entering into a “relationship” online. Drew subsequently broke the relationship off and Meier committed suicide shortly thereafter.  On Monday, November 10, Judge Wu indicated in pretrial conference that he was inclined to exclude evidence of Meier’s suicide on the grounds of lack of relevance and potentially prejudicial effects on the jury.  On Friday November 14, after hearing counsels’ arguments, Judge Wu ruled that the evidence was admissible.  No order has yet been issued explaining Judge Wu’s reasoning.

The Citizen Media Law Project hosts court documents. For background on the case, The New York Times featured a summary of the events leading up to Meier’s death in November 2007 and the WSJ Law Blog has posted several items on the subsequent case.

The AP covers Judge Wu’s decision to admit evidence of Meier’s suicide, reporting that he said he was convinced many jurors would already be aware of the suicide from news reports or a recent Law & Order episode that contained similar facts.   

GW Law professor Orin Kerr, wrote in May in favor of granting Drew’s motion to dismiss the case.  He argues that the that the CFAA’s criminal prohibition against accessing a computer “without authorization” should not be interpreted as extending to instances of individual violations of a website’s Terms of Service. Professor Kerr has since joined Drew’s defense team. 

Concurring Opinions wrote a piece in May largely agreeing with Kerr’s conclusion but slightly diverging in its reasoning, and wrote recently arguing that the case should not be going to trial.  Simple Justice also covers the recent ruling to admit the evidence.  

The prosecution’s argument uses Drew’s violation of MySpace’s Terms of Service to allege that she accessed protected computers without authorization to further a tortious act, in this case, intentional infliction of emotional distress, in violation of the CFAA.  MySpace’s Terms of Service require members to provide accurate information in their profiles and prohibit harassment and abusive behavior.  The government argues that by violating these Terms of Service, Drew was accessing MySpace’s computers without authorization when she logged onto her account.

Drew’s defense team argued in their motion to exclude that the evidence of Meier’s suicide should be found inadmissible because it is (1) irrelevant and (2) unfairly prejudicial.  They argue that the suicide does not go to any element of the crimes charged under the CFAA, and that the government is seeking to admit the evidence with the intent of prejudicing the jury and to punish Drew for Meier’s death. 

The government argued that the court should deny Drew’s motion because (1) Meier’s suicide is highly probative on the issue of Drew’s intent and provides context for Drew’s conduct after Meier’s death and (2) the substantial probative value is not outweighed by the limited prejudicial effect.  The government contended that Meier’s suicide helps prove Drew intended to inflict emotional distress on the girl, and demonstrates that Drew’s use of MySpace was in furtherance of the tort.  The government contends that the possible prejudicial effect of the evidence could be mitigated by voir dire and appropriate jury instructions. 

United States v. Kernell
E.D. Tenn., October 7, 2008, No. 3:08-CR-142
Indictment

On October 7, 2008 a Tennessee grand jury charged David C. Kernell with violating 18 U.S.C. § 2701 (part of the Stored Communications Act) and 18 U.S.C § 1030(a)(2) (a subsection of the Computer Fraud and Abuse Act) for allegedly accessing the Yahoo e-mail account of Alaska Governor Sarah Palin, the Republican vice-presidential nominee, without authorization. Images and information from Gov. Palin’s e-mail account first hit the Internet on September 17^th, and began making headlines shortly thereafter. Several websites, including Wikileaks.org and popular blog network Gawker.com, posted screen shots and content from the hacked e-mail account.

Professor Orin S. Kerr, of the George Washington University Law School and the Volokh Conspiracy blog, sees a potential problem with the indictment. He notes that in order to charge the case as a felony, the government must claim Kernell accessed the account “to further criminal or tortuous activity.” According to Kerr, however,

[T]he indictment doesn’t exactly state what the crime or tort is that the intrusion was designed to further. It just states that the intrusion was “in furtherance of the commission of a criminal act in violation of the laws of the United States, including 18 U.S.C. Section 2701 and 18 U.S.C. Section 1030(a)(2)” But Section 2701 and Section 1030 are the intrusion statutes themselves! It makes no sense to allow a felony enhancement for a crime committed in furtherance of the crime itself . . . .

Info/Law draws parallels between this case and the Lori Drew MySpace case.

Professor Paul Ohm, of Colorado Law, believes that the breach of Gov. Palin’s e-mail account will be a “watershed event” in Internet privacy law. He notes that historically, privacy protection legislation follows on the heels of “sensationalized” privacy breaches. Furthermore, he predicts a “fierce First Amendment debate” arising from both Gawker.com and Wikileaks’ involvement in disseminating the hacked e-mail content.

Kernell, the son of a Democratic Tennessee state legislator, plead not guilty on Thursday, October 9^th, and was released without bond. If convicted, he faces up to five years in jail and $250,000 in fines. Trial is set to begin December 16^th.

Mass. Bay Transp. Auth. v. Anderson
D. Mass., August 9th, 2008, No. 08-11364-GAO
Temporary Restraining Order (Hosted by EFF)  

On August 9th, Judge Woodlock of the U.S. District Court, District of Massachusetts granted the Massachusetts Bay Transportation Authority (”MBTA”) a temporary restraining order against Zack Anderson, RJ Ryan, and Alessandro Chiesa, undergraduates at the Massachusetts Institute of Technology (”MIT”). The order “enjoined and restrained” the undergraduates from “providing program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security” of the MBTA fare system’s CharlieCard and CharlieTicket.  CharlieCards are reusable stored-value cards, which allow Boston subway riders access at ticket terminals by waiving the card over a designated reader. The system operates wirelessly, and allows riders to add money to their cards both at subway terminals and through online accounts. 

Anderson, Ryan and Chiesa reportedly uncovered several vulnerabilities with the MTBA’s CharlieTicket system while doing research for a Computer and Network Security class. Using this research, the students devised a way in which the CharlieCards can be reprogrammed using $200 worth of equipment; theoretically, this method could increase the stored-value on a card   to more than $600.  The students also discovered that the CharlieCards, which store balance and other information internally, can be read using non-MTBA wireless equipment. Furthermore, according to documents on their research, the three had written software capable of generating and analyzing CharlieCards in order to crack the card’s encryption. 

The MIT students were scheduled to present their research at DEFCON, “one of the oldest running hacker conventions around.” It was this presentation which prompted the August 8th complaint filed by the MBTA against Anderson, Ryan and Chiesa and MIT. The complaint alleges that the students

“(i) claim to have circumvented the security features of the MBTA’s computerized CharlieTicket and CharlieCard fare media systems; (ii) publicly offered ‘free subway rides for life‘ to interested parties over the Internet; and (iii) plan to allow others to duplicate their claimed ‘breaking’ of the Fare Media’s security systems by presenting a paper, releasing software tools, and giving demonstrations at the DEFCON hackers convention this Sunday, August 10, in Las Vegas.”

The complaint further alleges that the students did not provide information regarding how they circumvented the security system to the MBTA and that public dissemination of the information before the MBTA has had an opportunity to correct the flaws will cause “significant damage to the MBTA’s transit system.”  

The MIT Tech covers the story, noting that while  the presentation at DEFCON was cancelled, the presentation slides and confidential vulnerability report the students wrote for the MBTA “are widely available online.” The Tech further reports that the students are being represented by the Electronic Frontier Foundation (EFF) and not by MIT’s lawyers.

In an August 9th press release, the EFF called the restraining order a violation of the students’ “First Amendment right to discuss their important research” and “blatantly unconstitutional.” According to the release, the students had planned to withhold a “key detail” of their results so that their research could not be used for malicious purposes.

A fact sheet released by the MBTA Press Office states 

“The MBTA does not wish to detract from the MIT Undergrads First Amendment Rights or academic freedom. The principle that the MBTA seeks to enforce here is the principle of ‘responsible disclosure.’”

The MBTA describes “responsible disclosure” as an “industry accepted practice” where, when a computer security vulnerability is discovered, the vendor of the vulnerable system is first informed of the vulnerability and then given an opportunity to repair the vulnerability before the information is made public.

The MBTA fact sheet is available via the MIT Tech here, along with all court documents and the slides from the students’ presentation. 

Parallel hosting of relevant documents by EFF available here.

Update: 

Upon review before the district court on August 14th, Judge O’Toole left the restraining order in place, and ordered Anderson, Ryan and Chisea to turn over additional documents to help the court evaluate whether the students could discuss their research publicly. The court continued the scheduled hearing until Tuesday, August 19th in order to consider this new information. 

The Boston Globe reports on the case, including comments by both parties as well as background on the CharlieCard system.