18 Search results

For the term ""lori drew"".

Lori Drew Case Decided

The Lori Drew case has finally been decided.  Background about the case is here.  In previous posts (here and here), I argued that the CFAA should be held to be unconstitutionally vague.

In an opinion released on August 28, Judge George Wu struck down, on unconstitutional vagueness grounds, the prosecution’s attempt to enforce violations of website terms of service as crimes under the Computer Fraud and Abuse Act (CFAA):

[I]f any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].” City of Chicago [v. Morales], 527 U.S. [41] at 64 [(1999)].

Congratulations to Orin Kerr, who assisted in the defense, and who is cited numerous times throughout the court’s opinion.


Lori Drew Tentatively Acquitted

Judge George Wu has ruled that he is planning to dismiss the charges against Lori Drew, the woman involved in the MySpace suicide case involving Megan Meier.  Background about the case is here.  According to an article by Kim Zetter of Wired, who has provided terrific coverage of the case:

“It basically leaves it up to a website owner to determine what is a crime,” said Wu on Thursday, echoing what critics of the case have been saying for months. “And therefore it criminalizes what would be a breach of contract.” . . . .

Wu told Assistant U.S. Attorney Mark Krause that if Drew had been convicted of the felonies, he would have let the convictions stand, and would have already sentenced her. But the misdemeanor convictions troubled him, because of the vague wording of the statute. . . .

To convict Drew of the felonies, prosecutors would have needed to prove two things: that Drew accessed MySpace “without authorization,” and did it for the purpose of committing a tortious act — in this case, to intentionally cause harm to Megan Meier.

But for the misdemeanors, the jury just had to find that Drew obtained the unauthorized access. Wu said that language, standing on its own, was too vague to pass constitutional muster in this case.

“I don’t see how the misdemeanor aspect would be constitutional,” he said. “That is the issue I’m wrestling with at this time.”

Wu also doubted that MySpace provided sufficient notice to members to hold them responsible. If a user didn’t read the terms of service, the judge asked prosecutor Krause, could they still be charged with violating them?

In previous posts (here and here), I argued that the CFAA should be held to be unconstitutionally vague.  I’m encouraged that Judge Wu agrees, though I believe the CFAA is unconstitutionally vague not only in its misdemeanor provisions, but in its felony ones as well.

Congratulations to my colleague, Orin Kerr, who assisted in Lori Drew’s defense.

The AP story is here.


The Lori Drew Trial: Verdict

A verdict has been reached in the Lori Drew case. Kim Zetter reports:

Lori Drew, the 49-year-old woman charged in the first federal cyberbullying case, was cleared of felony computer-hacking charges by a jury Wednesday morning, but convicted of three misdemeanors. The jury deadlocked on a remaining felony charge of conspiracy.

After just over a day of deliberation, the six-man, six-woman jury acquitted Drew of three felony charges of violating the federal Computer Fraud and Abuse Act, in an emotionally charged case that stemmed from a 2006 MySpace hoax targeting a 13-year-old girl, who later committed suicide.

Tina Meier, the mother of the girl, shook her head silently from the gallery as the verdict was read.

Prosecutors claimed Drew and others obtained unauthorized access to MySpace by creating a fake profile for a nonexistent 16-year-old boy named “Josh Evans.” The account was used to flirt with, and then reject, 13-year-old old Megan Meier. The case hinged on the government’s novel argument that violating MySpace’s terms of service for the purpose of harming another was the legal equivalent of computer hacking, and Drew faced a maximum sentence of five years in prison for each charge.

But on Wednesday, jurors found Drew guilty only of three counts of gaining unauthorized access to MySpace for the purpose of obtaining information on Megan Meier — misdemeanors that potentially carry up to a year in prison, but most likely will result in no time in custody. The jury unanimously rejected the three felony computer hacking charges that alleged the unauthorized access was part of a scheme to intentionally inflict emotional distress on Megan.


The Lori Drew Case: Why Not Rule on the Motions?

According to Kim Zetter’s account of the Lori Drew trial, Judge Wu has postponed ruling on any of the legal issues until after the jury’s verdict:

When the prosecution rested its case Friday at about 2:00 p.m., defense attorney H. Dean Steward moved for an immediate dismissal, based on testimony that proved Drew never saw MySpace’s contract, and wasn’t the one who set up the account and accepted the terms.

U.S. District Judge George Wu asked both sides to file written briefs on the issue over the weekend, and allowed testimony to continue in the case.

Why not rule on it now? Judge Wu hasn’t ruled on the merits of how the CFAA should be interpreted, whether it is unconstitutionally vague, and now whether or not the prosecution, as a matter of law, has failed to prove the requisite mens rea. Why won’t he rule on any of these issues?

The only reason I can think of is that he’s waiting to see if the jury acquits Drew, which then moots the issues. This is the only scenario I can think of in which he won’t eventually have to rule on the motions.

Why not just issue a ruling one way or the other? That’s what I thought judges are supposed to do. Is there something I’m missing here about his judicial strategy?


The Lori Drew Case: Sarah Drew’s Testimony

Over at Wired’s Threat Level blog, Kim Zetter’s excellent coverage of the Lori Drew trial continues. In this post, she discusses the testimony of Lori Drew’s daughter Sarah:

The girl’s testimony, if true, supports the defense’s assertions that Lori Drew was unaware of Meier’s previous suicide attempt until after Meier killed herself in 2006.

The younger Drew, who prosecutors say was involved in the creation of the fake MySpace account through which Meier was bullied, denied playing any role in the creation of the account, although she admitted she was present when many of the messages were written and when the final message was sent to Meier telling her the world “would be a better place without you.” She insisted she told Ashley Grills, who confessed to writing the last message, not to send it, although she didn’t say why she told this to Grills.

She said it was Grills — who has been granted immunity by prosecutors — who devised the plan, created the account and sent the messages. Neither she nor her mother knew the account was created until “after the fact,” and neither one was home when Grills clicked on the terms of service to create the Josh Evans profile. She also said her mother wasn’t home when Grills sent the final message to Meier.

The girl’s words seemed designed to strike at the heart of the conspiracy charge against her mother, which asserts that she conspired with her daughter and Grills to intentionally violate the MySpace terms of service in order to inflict intentional emotional distress on Meier.

Grills had said that both Drews were with her when she created the account, but that none of them had read the terms of service. That testimony raised questions about whether Lori Drew could be convicted of conspiracy if she didn’t click to agree on the terms of service or even know they existed.


The Lori Drew Case: Does the CFAA Require Knowledge?

Over at Wired’s Threat Level Blog, Kim Zetter is providing great coverage of the Lori Drew case.

Here’s her post about Tina Meier’s testimony (the mother of Megan Meier).

Zetter’s most recent post describes the direct examination of Ashley Gill, one of the people who participated with Lori Drew in the creation of the fake MySpace profile.

The young woman who typed the final, cruel message to 13-year-old Megan Meier the day she killed herself took the stand to testify against her former employer and confidant, Lori Drew, on Thursday.

But several moments in 20-year-old Ashley Grill’s 80-minutes of testimony seemed to undermine the government’s case. The most damaging statement: that it was her idea, not Drew’s, to create a fake MySpace account to befriend Megan.

Though the jury doesn’t have to find that Drew instigated the plan to convict her of conspiracy, the revelation is nonetheless at odds with the government’s position that the 39-year-old Drew took a leading role in creating a MySpace account for “Josh Evans,” a purported 16-year-old boy who flirted with the emotionally-vulnerable Megan, and ultimately turned on her. The statement came as Grill described the genesis of the hoax, which unfolded at Drew’s home in September 2006.

Grill was in the kitchen with Drew and Sarah, Lori Drew’s daughter, when she proposed creating a fake MySpace account to get information on Megan. Drew applauded the plan, and thought it was funny, but not herself conceive it, Grill said.

The three of them crowded around Drew’s computer as Grill set up the profile. None of the three read MySpace’s terms-of-service first. As Ashley began, Lori and Sarah left for soccer practice, urging Grill to finish up in their absence.

There are several interesting things here. First, the hurtful emails, the ones that led to Meier’s suicide, were not penned by Drew but by Grill, the prosecution’s own witness. Second, and more importantly, the government’s witness conceded that Drew had not read MySpace’s terms of service. Unless the CFAA is a strict liability statute, or can be violated negligently or recklessly, then the prosecution must prove that Drew knew she was violating the terms of service. Thus far, I haven’t heard anything to indicate she knew it was a violation of MySpace’s terms of service to create a fake profile. If knowledge is required, and if knowledge isn’t proven, then the prosecution’s case shouldn’t survive a directed verdict motion.

I only know a little about the CFAA, so I ask the experts: Am I correct that knowledge that one accesses a site without authorization is required for there to be a CFAA violation, even under the prosecution’s warped interpretation of the statute?


Lori Drew and the Computer Fraud and Abuse Act

myspace1.jpgThe Lori Drew trial is set to begin this week, and it is a travesty that this trial is even taking place. The basic facts of this case are that Drew was the mother of a teenage daughter and she created a fake MySpace profile for a fictional teen boy to befriend a classmate of her daughter’s. It remains unclear what the motivation was for creating this fake profile, but from what I’ve read, it was to learn about rumors about her daughter. This classmate, Megan Meier, befriended the fake MySpace persona. At some point, the fake persona broke up with Meier, saying he no longer wanted to be friends, and Meier committed suicide.

Afterwards, there was considerable media attention in the case, although this didn’t happen until about a year later. There was outrage at Drew, with many people calling for blood. But local prosecutors determined, correctly in my opinion, that although Drew’s conduct may have been immature, shortsighted, and mean, it wasn’t criminal.

Enter an ambitious federal prosecutor, eager for fame and national attention. He indicted Lori Drew for creating a fake MySpace profile, which he contends is a violation of the Computer Fraud and Abuse Act (CFAA). The CFAA § 1020(a)(2)(C) makes it a criminal misdemeanor to “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication.” The CFAA § 1030(c)(2)(B)(2) make it a felony if one “intentionally accesses a computer without authorization . . . , and thereby obtains . . . information from any protected computer” and “the offense was committed in furtherance of any . . . tortious act [in this case intentional infliction of emotional distress] in violation of the . . . laws . . . of any State.”

Basically, the theory of the prosecution’s case is that Lori Drew violated the CFAA because she violated the terms of service of Myspace which prohibited creating fake profiles, and she did so in furtherance of committing the tort of intentional infliction of emotional distress.

These CFAA provisions are, in my opinion, unconstitutionally vague. I believe they either must be struck down or saved with a narrowing interpretation. I personally would strike down these parts of the statute and have Congress start over. My argument is here, and I won’t repeat much of it, but the gist is that a vague law is one that either fails to provide the kind of notice that will enable ordinary people to understand what conduct it prohibits; or authorizes or encourages arbitrary and discriminatory enforcement. Because the CFAA would essentially criminalize many violations of website terms of service (if not nearly all), this allows the website operators to virtually write the criminal code.

Read More


Computer Crime Law Goes to the Casino

Wired’s Kevin Poulsen has a great story whose title tells it all: Use a Software Bug to Win Video Poker? That’s a Federal Hacking Case. Two alleged video-poker cheats, John Kane and Andre Nestor, are being prosecuted under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Theirs is a hard case, and it is hard in a way that illustrates why all CFAA cases are hard.

Read More


Orin Kerr On An Expanded Computer Fraud And Abuse Act

I know I promised to write about bugs next but I wanted to flag Orin Kerr’s important op ed in tomorrow’s Wall Street Journal.  In United States v. Lori Drew, a federal prosecutor in Los Angeles brought charges against a woman for bullying her daughter’s teenage classmate.  The case was premised on an expansive reading of the Computer Fraud And Abuse Act.  Drew allegedly violated the act by lying about her identity on the social network MySpace and contributing to a young woman’s decision to commit suicide.  A jury convicted Drew of a misdemeanor but, ultimately, the judge directed an acquittal.

In his op ed, Orin Kerr explains how Congress may be poised to expand the powers of prosecutors once again in the name of cyber-security.  According to Kerr, changes to the CFAA might make it possible to charge the Lori Drew’s of the world with a felony.  Here is an excerpt:

Breaching an agreement or ignoring your boss might be bad. But should it be a federal crime just because it involves a computer? If interpreted this way, the law gives computer owners the power to criminalize any computer use they don’t like. Imagine the Democratic Party setting up a public website and announcing that no Republicans can visit. Every Republican who checked out the site could be a criminal for exceeding authorized access.

As the Drew case shows, charging someone is not the same as convicting them.  But you can certainly see the danger of an expanded CFAA.  I hope Kerr’s comments give some representatives pause.


Beware of Visiting the Volokh Conspiracy

Beware of visiting the Volokh Conspiracy, as Orin Kerr has promulgated new terms of service. If you access the site contravening any of these terms, according to the prosecution theory in the Lori Drew case, you’ve committed a federal crime. One of Orin’s terms is that you can’t be a federal employee to access the Volokh Conspiracy. So if the prosecutor in the Lori Drew case were to access the blog, I sure hope he wouldn’t be a hypocrite and would bring a prosecution against himself!