Thursday, November 27, 2008

MySpace suicide bully found guilty of.. hacking???

The Register reports that in this extremely bizarre case, Lori Drew has been found guilty of unauthorised access to the MySpace website, i.e. a crime rather than a civil infringement - because in breach of its terms and conditions, she pretended to be someone she was not in order to bully a teenage girl and eventually incite her to commit suicide.

The facts are so crazy I'm just going to paste from El Reg here..

"The case was heard in Los Angeles because that is where the MySpace servers are.

Lori Drew created a fake MySpace profile in the name of Josh Evans. She used the persona to flirt with a thirteen year old girl called Megan Meier, who her daughter had previously fallen out with.

After weeks of flirting Drew then sent her a message which said: "You’re a shitty person, and the world would be a better place without you in it." Hours later Meier hung herself in her bedroom.

Local police in Missouri would not charge Drew and the LA prosecutor has been accused of grandstanding. The charges were downgraded from felonies to misdemeanors - three counts of accessing a computer without authorization - but Drew could still face jail, the New York Times reports.

The case has split legal observers with some welcoming extension of the use of the Computer Fraud Act to social networking sites. But Matthew L Levine, a defense lawyer in New York, told the NYT: “As a result of the prosecutor’s highly aggressive, if not unlawful, legal theory, it is now a crime to ‘obtain information’ from a website in violation of its terms of service. This cannot be what Congress meant when it enacted the law, but now you have it.” MySpace T&Cs oblige users to be truthful in information they post."

This is a good example of how hard cases make really bad law. The problem here apparently was that Missouri had no relevant criminal stalking law - which would have been the obvious way to deal with this. So Missouri passed, and an ambitious LA prosecutor saw a way to go for a conviction under their equivalent of the UK's Computer Misuse Act 1990, s 1 - an "unauthorised access" law, which was clearly originally designed for hacking.

What is "unauthorised" has been a bugbear throughout the history of these kinds of laws. Originally, "unauthorised" in most jurisdictions contemplated outsiders breaking into a computer or system. In the UK, some of the earliest CMA cases ruled that unauthorised access could occur even where an insider - say a disgruntled employee - used a password or simply physical access rights to get into a computer system to, say, defraud the employer or commit e-vandalism. A serious problem is whether you are authorised simply to access a system, or to access it for a particular purpose. A number of cases, e.g., dealt with policemen abusing their rights of access to the Police National Computer to wreak private justice on ex-girlfriends and the like.

More recently in the famous Lennon case, a court also had to decide if sending a few million emails as a DOS attack to a mail server was "unauthorised". The first instance court said no: mail servers offer a standing permission to receive mail, don't they? The appeal court more pragmatically said, yes, but they don't authorise receiving several million emails sent with a malicious intent. I warned at the time that, although useful as extending s 1 of the CMA to fight DOS and DDOS, this approach would have consequences. And here, sort of, they are.

What the UK has never really come to grips with - and the Drew case does - is whether "unauthorised" is also what you do when you break the contractual rules relating to access to a website (whether express ie in the EULA, or AUP, or T & C - or implied - as in Lennon).

Let's have an example. Blogger's content policy says that images of nudity should be posted only behind a Friends-lock. What if I post a (harmless, non child porn, non violent, non criminal) nude picture here for the world to see? (Like say this one?) By all means Blogger should have the right to throw me off its site - that's their contractual privilege. But should I be open to a criminal prosecution under s 1 of the CMA for "unauthorised access"? I don't think so.

Blogger's content policy (which is I think the same as Google's now) is pretty sensible in fact. I had to look quite hard to find an example of what I might do that would breach their T & C and not already be a criminal offense, e.g., incitement to racial hatred. But remember that unlike the criminal law, what a site puts in its EULA or T & C is its privilege, and need not conform to popular views as to what is societally unacceptable or wrong.

This is why it is crucially important to keep civil sanctions for breach of contract quite separate from criminal sanctions for criminal behaviour, even though there is obviously an overlap in the actual types of conduct. In the Drew case, the answer could have lain with using stalking laws rather than hacking laws to prosecute the undoubtedly evil accused; in the UK the answer could be to clarify exactly what "unauthorised" means (or to abandon the s 1 offense of "pure" hacking, and allow it as an offense only when used to pursue an illegal subsequent activity?).

I hope this US case will be seen as what it is: an unfortunate aberration.

EDIT: Link on (US) legal opinions on whether suicide-watching online (not the same as instigation, at least necessarily) is illegal inducement or abetting of suicide.

EDIT: Link from Making Light giving more info about the Drew case.