As originally reported by Orin Kerr at The Volokh Conspiracy, a federal district judge in California issued an opinion on Friday overturning the jury verdict finding Lori Drew guilty of a misdemeanor violation of the Computer Fraud and Abuse Act (CFAA). Judge Wu ruled that accepting the government's theory — and the jury's finding — that Drew violated the CFAA merely by intentionally violating MySpace's terms of use would render the statute unconstitutionally vague. As a result, he granted Drew's motion for a judgment of acquittal, ending the government's case against her. The judge previously announced in July that he planned on reversing the conviction.
In the first part of his analysis, Judge Wu gave the CFAA's language a broad reading, finding that it could encompass the facts of Drew's case. The relevant provision of the CFAA prohibits "intentionally access[ing] a computer without authorization or exceed[ing] authorized access" and thereby obtaining "information" from a computer used in interstate commerce. 18 U.S.C. 1030(a)(2)(C). The court found that "accessing" a computer simply means transmitting and receiving electronic signals from it, not working around code-based controls or gaining entry into non-public files or areas. Judge Wu thought a narrower approach might be "preferable," but found no support for this view in the case law or legislative history. Slip Op. at 17-18. The court also held that, putting constitutional concerns aside, an intentional breach of website terms could constitute accessing a computer or server "without authorization" or "in excess of authorization." See id. at 19-22.
From there, the court turned to the constitutional question, noting that criminal statutes must give "fair warning" to individuals of "common intelligence" that the conduct in question is criminal. Id. at 22-24. The judge cited several reasons why the statute failed to provide sufficient notice that terms of use violations could be criminal: (1) the language of the CFAA doe not explicitly state that it has "'criminalized breaches of contract' in the context of website terms of service," id. at 25; (2) "it is unclear whether any or all violations of terms of service will render the access unauthorized, or whether only certain ones will," id. at 26; (3) website owners would ultimately define criminal conduct — sometimes using vague terms like "unfair" or "sexually suggestive" — and would be able to change the definition with minimal notice to users, id. at 27; and (4) it's not clear as a matter of contract law whether breaching any particular term automatically terminates the contract and revokes access or simply gives the website owner some other remedy, like damages, id. at 27-28.
The court explained that treating any and all terms violations as revoking access might solve the vagueness problem, but would transform the CFAA into "an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals" and provide no meaningful guidelines for law enforcement. Id. at 26-27, 29. Judge Wu seemed particularly concerned by the prospect of the unbounded statute allowing federal prosecutors "to pursue their personal predilections":
[I]f every such breach does qualify, then there is absolutely no limitation or criteria as to which of the breaches should merit criminal prosecution. All manner of situations will be covered from the more serious (e.g. posting child pornography) to the more trivial (e.g. posting a picture of friends without their permission). All can be prosecuted. Given the "standardless sweep" that results, federal law enforcement entities would be improperly free "to pursue their personal predilections."
Id. at 31-32 (citations omitted).
The overturning of Drew's conviction is encouraging for those of us who worried that the awful facts of Drew's case would lead to bad law on this issue of great importance for every Internet user. The court's holding, however, is narrow and only addresses the misdemeanor violation found by the jury. Judge Wu apparently adheres to his (puzzling) view that the scienter requirement for a felony conviction under 18 U.S.C. § 1030(c)(2)(B)(ii) — that the "offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State" — eliminates the constitutional objection to criminally punishing Drew for violating MySpace's terms of use. Slip Op. at 2. If I'm reading the first two pages of the decision right, it is only because the jury acquitted Drew on the felony charge that the court felt justified in revisiting the constitutional question. This leaves the door ajar for future felony convictions based on terms of use violations, at least in Judge Wu's court.
For background on the case and copies of many of the court documents, see our database entry, United States v. Drew.
