Barely Legally

Confessions of a Moot Court Bailiff

Terms of Service

We’ve all heard of the Megan Meier story, yes? A thirteen year old girl killed herself because she was tormented by a fictional sixteen year old boy. The boy was actually the online alter ego of a pair of adults, one of which has just been convicted of a federal crime.

As it happens, my very first post on Almost Legally was about the silliness of the term “cyber bullying,” and yet, here we sit five months later; cyber bullying is apparently not only real, but a federal crime.

Why?

To quote myself:

In all honesty, given the name of the act (the Megan Meier Cyberbullying Prevention Act), bullying over the internet is probably perceived as more reprehensible because adults can get in on the act. While adults generally can’t go to a schoolyard and insult the kids, the former and the latter can mingle freely on various websites.

In Megan’s case, it was on MySpace.com - though this is arguably no different from allowing your child to freely interact with complete strangers who may or may not be adults. The internet is full of weird people.

As it turns out, there is no current law prohibiting cyber bullying. It’s a lot like regular bullying. You don’t arrest children on playgrounds, but you probably could arrest adults bullying on playgrounds. But if there is no law regarding cyber bullying, what was Lori Drew convicted of?

The specific crime Lori Drew the Cyber Bully was convicted of is an anti-hacking statute called the Computer Fraud and Abuse Act. (If you’d like to read a reasonably current version of the law, Cornell has kindly provided one here. It’s long, and we won’t be going over the whole thing.)

For our very oversimplified purposes, the statute prohibits unauthorized access of a computer system. In this case, Myspace’s servers are the computer system. The problem is that “unauthorized” can be kind of vague. We know what is really really really unauthorized, and what is really really really authorized, but the middle ground can be tricky.

I have an account with Gmail, and I check my email: that’s authorized. You hacked my Gibson and now my printer won’t stop spitting out LOLcats: that’s unauthorized. It’s the middle grounds that require some thought.

There are three basic tests we talked about in my Internet Law class, which have been adopted by various federal courts at various times.

No Account: the simplest kind of unauthorized access is when you don’t have an account to a computer. For instance, if I hack into Governor Palin’s email inbox, I clearly don’t have authorization from the Governor to do so. Essentially, accessing a computer system for which you don’t have an account is unauthorized.

Unintended Function: the first internet worm was created by a very bright graduate student using a bug in a program called “sendmail.” He used that bug to spread the virus from a school computer he undisputedly had access to: he had an account with his name on it. A federal court ruled that he used sendmail in an unintended manner (spreading self-replicating code), and that was unauthorized access in and of itself.

Terms of Service: as the owner of a computer system, I can authorize people to use my computer on my terms, right? I can tell my friends “yes, you may use my computer to check your email, but don’t read the sonnets I’ve written to Scarlett Johannson.” If I find one of them snickering at my sonnets, they’ve used my computer in a manner that I didn’t authorize. In fact, I expressly forbade it. So that use of my computer system is unauthorized.

Down to business, then.

The first test, “no account,” seems kind of nice. If I have an account, I am authorized to access a computer system. If not, I’m not. But I have an account with Yahoo and I’m still pretty sure I’m not authorized to read Governor Palin’s email. And what if I just guessed her password? It’s still not my account, but I’m using it anyway. We probably want to assume that an account is given by the server operator to one person, and that is as much access as that person has. It’s a relatively tidy solution.

The second test, “intended function,” is pretty common sense, too. A program for sending mail wasn’t intended to spread a worm across the internet in a way that would destroy the internet. But how do you figure out what a program is intended to do? Was “sendmail” only meant to send one email a day? Ten? Ten thousand? Is a spammer a federal criminal because “sendmail” wasn’t intended for spamming, just normal sending? The answer is probably not. It was meant to send mail. If you don’t use “sendmail” to send worms, you’re probably fine.

This brings us to the “Terms of Service,” which is the title of the post, and the reason why Lori Drew was convicted of a federal crime.

She clearly had a Myspace account: it’s the only way to send messages to Myspace users. She was using it for its intended function: she was sending messages to other users. But she was given the account on certain conditions, and she violated those conditions. That was unauthorized access of a computer system, and that made Lori Drew a federal criminal.

I have a Facebook page. I have absolutely no idea what I agreed to when I signed up, because I didn’t read the terms of service. (Which is okay, I suppose, because one of the terms of service is that they can change the terms of service any time they like.) I’m pretty sure my use of their computer system is authorized when I log in to check my messages. But if I do violate the terms of service, am I a wanted man? A federal fugitive? Should I grow a beard and jump out of dams?

At my office, the company I work for says “don’t send personal email from your work computer.” But if I do, is that a federal crime?

Lori Drew didn’t think so, either. What she did was terrible, but the solution is not to make federal crimes out of violating the Myspace terms of service. This a dangerous precedent that I sincerely hope will be appealed.