Lori Drew was indicted on Thursday for her alleged role in a hoax on MySpace directed at Megan Meier, a 13-year-old neighbor of Drew's who committed suicide in October 2006 after a "boy" she met on MySpace abruptly turned on her and ended their relationship. The boy was allegedly Lori Drew, who pretended to be 16-year-old "Josh Evans" to gain the trust of Megan, who had been fighting with Drew's daughter.
I've blogged about this tragic story several times and noted in January that the Los Angeles Times was reporting that a federal grand jury in Los Angeles had begun issuing subpoenas in the case. The grand jury has now charged Drew with conspiracy and three counts of accessing protected computers without authorization in violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The indictment charges that
[o]n or about the following dates, defendant DREW, using a computer in O'Fallon, Missouri, intentionally accessed and caused to be accessed a computer used in interstate commerce, namely, the MySpace servers located in Los Angeles County, California, within the Central District of California, without authorization and in excess of authorized access, and, by means of interstate commerce obtained and caused to be obtained information from that computer to further tortious acts, namely intentional infliction of emotional distress on [Meier].
The Associated Press provides a bit more background on the indictment, noting that Drew has denied creating the account or sending messages to Meier:
Drew will be arraigned in St. Louis and then moved to Los Angeles for trial.
The indictment says MySpace members agree to abide by terms of service that include, among other things, not promoting information they know to be false or misleading, not soliciting personal information from anyone under age 18, and not using information gathered from the Web site to "harass, abuse or harm other people."
Drew and others who were not named conspired to violate the service terms from about September 2006 to mid-October that year, according to the indictment. It alleges they registered as a MySpace member under a phony name and used the account to obtain information on the girl.
Drew and her coconspirators "used the information obtained over the MySpace computer system to torment, harass, humiliate, and embarrass the juvenile MySpace member," the indictment charged.
The United States Attorney prosecuting the case, Thomas P. O'Brien, has said this is the first time the CFAA, which is normally used to address hacking, has been applied in a social-networking case. Not surprisingly, there is some doubt as to whether the CFAA even applies to the conduct Drew is alleged to have engaged in.
Orin Kerr and Daniel Solove at Volokh Conspiracy and Concurring Opinions, respectively, have parsed the language in the CFAA and concluded that while Drew's alleged conduct is reprehensible, it is not illegal. Both Kerr and Solove argue that to predicate a criminal prosecution on the violation of a site's terms of service is a big stretch.
While the CFAA generally prohibits accessing a computer "without authorization" or "exceeding authorized access," it takes a pretty broad reading of the Act to conclude that it encompasses a violation of a site's terms of service. If a website's terms of service require civility, for example, is it a crime to behave rudely? Moreover, as Kerr points out,
there is no evidence that Drew even read the TOS [terms of service]. Most people don't, of course; I would be surprised if 1 person in 100 actually tried reading it. If Drew wasn't aware that she was violating the TOS, she couldn't be exceeding her authorized access intentionally.