By Tim Nelson and Robert Milligan

A highly publicized cyberbullying case recently came to an apparent end with the acquittal of a Missouri woman who was accused of violating the Computer Fraud and Abuse Act (“CFAA”).

In the case, a Central District of California court addressed the novel issue of whether a computer user’s violations of an Internet website’s terms of service constitute a crime under the CFAA, 18 U.S.C. § 1030. United States v. Drew, — F.R.D. —, 2009 WL 2872855 (C.D. Cal. Aug. 28, 2009).

According to the indictment in Drew, Lori Drew, a resident of O’Fallon, Missouri, allegedly was a member of a conspiracy to intentionally access a computer used in interstate commerce without (and/or in excess of) authorization in order to obtain information for the purpose of committing the tortious act of intentional infliction of emotional distress upon a 13-year-old girl named Megan Meier, also a resident of O’Fallon, Missouri. Id. at *1.

Megan was a classmate of Drew’s daughter, Sarah. Pursuant to the conspiracy, the conspirators established a profile for a fictitious 16-year-old male named “Josh Evans” on the website www.myspace.com, on or about September 20, 2006. The conspirators also posted a photo of a boy on this website without that boy’s knowledge or permission. This conduct violated the terms of service of the Myspace website, which prohibited providing information that the user knew was false or misleading, and also prohibited including a photograph of another person that was posted without that person’s consent.

The conspirators contacted Megan and flirted with her through the Myspace website using the “Josh Evans” profile over several days. Eventually, the conspirators informed Megan that “Josh” was moving away. The conspirators also informed Megan that “Josh” no longer liked her and that “the world would be a better place without her in it.” Later on the day this message was delivered, Megan committed suicide. After learning that Megan had killed herself, Drew caused the “Josh Evans” Myspace account to be deleted. Id.

Lori Drew was charged with one count of conspiracy in violation of 18 U.S.C. § 371 and three counts of violating a felony portion of the CFAA (18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(B)(ii)), which prohibits accessing a computer without authorization or in excess of authorization and obtaining information from a protected computer where the conduct involves an interstate or foreign communication and the offense is committed in furtherance of a crime or tortious act. 

The jury was instructed that they could consider whether Drew was guilty of the lesser included misdemeanor CFAA violation (which involved accessing a protected computer without authorization or in excess of authorization). The jury deadlocked on the conspiracy charge, and found Drew not guilty on the three felony counts of violating the CFAA. The jury did, however, find Drew guilty of the three misdemeanor counts of violating the CFAA. Drew’s attorneys filed a motion for a judgment of acquittal under Federal Rule of Criminal Procedure 29(c).

Judge Wu of the Central District of California addressed the central question raised by Drew: whether a computer user’s intentional violation of one or more provisions in an Internet website’s terms of service satisfies the first element of section 1030(a)(2)(C) (whether the computer access was without authorization or exceeded authorized access). Id. at *6. The court noted that the latter two elements of section 1030(a)(2)(C) (that information be obtained from a “protected computer” and that the access involve an interstate or foreign communication) would always be met when an individual using a computer contacts or communicates with an Internet website. Id.

To address the central question raised in Drew, the court analyzed and applied the void-for-vagueness doctrine, which has two prongs: 1) a definitional/notice sufficiency requirement; and 2) a guideline-setting element to govern law enforcement. Id. at *12.

The court, quoting Justice Holmes, observed that, as to criminal statutes, there is a “fair warning” requirement:

Although it is not likely that a criminal will carefully consider the text of the law before he murders or steals, it is reasonable that a fair warning should be given to the world in language that the common world will understand, of what the law intends to do if a certain line is passed. To make the warning fair, so far as possible the line should be clear.

Id. (citing McBoyle v. United States, 283 U.S. 25, 27 (1931)).

The court found that basing a CFAA violation upon the conscious violation of a website’s terms of service runs afoul of the void-for-vagueness doctrine, because of the absence of minimal guidelines to govern law enforcement and because of actual notice deficiencies. Id. at *14. The court found that if any conscious breach of a website’s terms of service is sufficient to constitute a violation of the CFAA, the law would afford too much discretion to the police and too little notice to citizens who wish to use the Internet. Id. at *17.

The Drew decision is significant because it recognizes the limitations of the CFAA and is a victory for internet privacy proponents. According to the court, the government’s interpretation of the CFAA in Drew “would convert a multitude of otherwise innocent Internet users into misdemeanant criminals.” Id. at *16. The court recognized that breaching a website’s terms of service, alone, was not sufficient to violate the CFAA.

One news source has indicated that the U.S. Attorney will determine whether the government will appeal after reviewing the written ruling.