Bad facts make for bad law. The unfortunate alleged facts of this case involved fibbing about actual identities, playing with a young girl's emotions, and the girl's eventual suicide. As recited by the District Court
The Indictment included the following allegations (not all of which were established by the evidence at trial). Drew entered into a conspiracy in which its members agreed to intentionally access a computer used in interstate commerce without (and/or in excess of) authorization in order to obtain information for the purpose of committing the tortious act of intentional infliction of emotional distress upon Megan Meier. Megan was a 13 year old girl who had been a classmate of Drew’s daughter Sarah. Pursuant to the conspiracy, on or about September 20, 2006, the conspirators registered and set up a profile for a fictitious 16 year old male juvenile named “Josh Evans” on the www.MySpace.com website, and posted a photograph of a boy without that boy’s knowledge or consent. Such conduct violated MySpace’s terms of service. The conspirators contacted Megan through the MySpace network (on which she had her own profile) using the Josh Evans pseudonym and began to flirt with her over a number of days. On or about October 7, 2006, the conspirators had “Josh” inform Megan that he was moving away. On or about October 16, 2006, the conspirators had “Josh” tell Megan that he no longer liked her and that “the world would be a better place without her in it.” Later on that same day, after learning that Megan had killed herself, Drew caused the Josh Evans MySpace account to be deleted.
Lacking a specific law that the defendant violated, the US attorney distorted the Computer Fraud and Abuse Act. The Computer Fraud and Abuse Act was designed to smack hackers who gain unauthorized access to computers and networks. CFAA prosecutions involve individuals who break through computer security or who go beyond signs that say "None Shall Pass."
According to the prosecutor, Defendant violated the CFAA, not through hacking, not through cracking, not by defeating a security system. No, defendant violated the CFAA by violating MySpace's terms of service. Defendant (a) lied about Defendant's age, (b) lied about defendant's name and (c) uploaded without permission a picture of someone else. By violating the TOS, prosecutor argued, Defendant had never actually gained permissive use of the computer system. Therefore, Defendant's use of MySpace was unauthorized and constituted a criminal violation of the Computer Fraud and Abuse Act.
The prosecutor's argument was met by a backlash of individuals and experts who claimed that, based on the prosecutors argument, anyone who has violated a terms of service of any site in any way was a criminal. Use a pseudonym, you're a criminal. Lie about your age, you're a criminal. Upload a fake address, you're a criminal. Indeed, many of the actions individuals regularly take in order to protect their identity and privacy would equally make them a criminal.
After a drawn-out legal proceeding, the district court finally agreed. The US Attorney's crow barring of the CFAA to meet the facts of this case would have produced bad law. In the words of the court,
Treating a violation of a website's terms of service, without more, to be sufficient to constitute “intentionally access[ing] a computer without authorization or exceed[ing] authorized access” would result in transforming section 1030(a)(2)(C) into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals. . . .
One need only look to the MSTOS terms of service to see the expansive and elaborate scope of such provisions whose breach engenders the potential for criminal prosecution. Obvious examples of such breadth would include: 1) the lonely-heart who submits intentionally inaccurate data about his or her age, height and/or physical appearance, which contravenes the MSTOS prohibition against providing “information that you know is false or misleading”; 2) the student who posts candid photographs of classmates without their permission, which breaches the MSTOS provision covering “a photograph of another person that you have posted without that person's consent”; and/or 3) the exasperated parent who sends out a group message to neighborhood friends entreating them to purchase his or her daughter's girl scout cookies, which transgresses the MSTOS rule against “advertising to, or solicitation of, any Member to buy or sell any products or services through the Services.” However, one need not consider hypotheticals to demonstrate the problem. In this case, Megan (who was then 13 years old) had her own profile on MySpace, which was in clear violation of the MSTOS which requires that users be “14 years of age or older.”No one would seriously suggest that Megan's conduct was criminal or should be subject to criminal prosecution.
. . . . .
In sum, if any conscious breach of a website's terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].”
On August 28, 2009, with the above opinion, the District Court dismissed the US Attorney's prosecution. On November 20, 2009, the US Attorney's Office filed papers with the 9th Circuit Court of Appeals indicating it will not appeal its case against Lori Drew.
Perhaps, now that we have a more technologically sophisticated administration that can appreciate how this prosecution would have led to bad implications, the US Attorney thought better of its prosecution. In the words of Prof. Orin Kerr, "The case should have never been filed, and it was a stretch from the beginning."