Lori Drew Convicted on Three Misdemeanor Counts of Violating MySpace Terms of Service in “Cyberbullying” Case
By Brian Kozlowski – Edited By Stephanie Weiner
United States v. Drew, 08-CR-582
A federal jury convicted Lori Drew on November 26th on three of four misdemeanor counts of unauthorized computer access under the Computer Fraud and Abuse Act (”CFAA”), 18 U.S.C. § 1030, for violating the MySpace terms of service. Drew was acquitted of three felony counts of accessing computers without authorization to inflict emotional harm under the same act. The case has raised widespread objection to the use of criminal liability for violating website terms of service.
The case revolves around the 2006 suicide of 13-year-old Megan Meier following an argument she had on MySpace with “Josh Evans,” a fictional 16-year-old boy whose profile was created under the supervision of Lori Drew. During the 28 days that the account was active, “Josh” established an online relationship with Meier that ended with harsh words and the involvement of other MySpace users. Creation of the fictional account using false information was a violation of the MySpace terms of service, which served as the basis for the computer fraud charges. The prosecution argued, and the jury found, that Drew’s subsequent visits to the MySpace site, in violation of the terms of service, were “unauthorized access” under the terms of the CFAA. Critics point out that this is a very creative use of the CFAA, which is typically used to target hacking and trademark theft. This is the first time it has been used in this fashion.
The New York Times describes the trial outcome, building on an earlier piece from 2007 that gives more factual background on the events. Court documents for the case are hosted on Citizen Media Law Project.
Kim Zetter, at Wired: Threat Level, has covered the trial exhaustively, including the most recent revelation from Valentina Kunasz, the jury foreman that the jury would have convicted Drew on the felony charges if the prosecution had been able to introduce more evidence.
The jury found that Drew did not act with malicious intent; but it found that a violation of a website’s terms of service alone is a tortuous act, even if only done indirectly. Though she encouraged the creation and was present for 50% of the communications from “Josh Evans,” Drew did not create the fictional account. It was proposed and created by Ashley Grills, an 18-year-old former employee of Drew’s (who was granted immunity to testify for the prosecution), with Drew and her then 13-year-old daughter watching. Thus, many critics have pointed out, Drew was convicted of criminally violating a terms of service agreement that she never read or agreed to.
Previously, the violation of terms of service would have been entirely the realm of contract law. Groklaw has posted an amicus brief with extensive commentary on the potential ramifications of website authors having the power to “make criminal law” by writing terms of service that unwitting visitors may violate. Orin Kerr, a GW law professor and formal federal prosecutor, joined Drew’s defense team in order to combat what he considers a misuse of the CFAA. Kerr claims the verdict is “strikingly broad and can’t possibly be what Congress intended with the statute,” and has stated that it is unlikely to survive appellate review. Kerr, speaking on Volokh Conspiracy, illustrates the extent to which this ruling would expose almost all Internet users to criminal liability under the CFAA by changing the terms of service.
Drew’s defense attorney, H. Dean Steward, is waiting for presiding Judge George Wu to decide an outstanding motion for a directed acquittal before filing an appeal with the 9th U.S. Circuit Court. Drew must appear before the court again on December 29th, where she could face a maximum sentence of a year in jail and $100,000 for each of the three misdemeanor counts.