The Lori Drew Case: Does the CFAA Require Knowledge?
posted by Daniel Solove
Over at Wired’s Threat Level Blog, Kim Zetter is providing great coverage of the Lori Drew case.
Here’s her post about Tina Meier’s testimony (the mother of Megan Meier).
Zetter’s most recent post describes the direct examination of Ashley Gill, one of the people who participated with Lori Drew in the creation of the fake MySpace profile.
The young woman who typed the final, cruel message to 13-year-old Megan Meier the day she killed herself took the stand to testify against her former employer and confidant, Lori Drew, on Thursday.
But several moments in 20-year-old Ashley Grill’s 80-minutes of testimony seemed to undermine the government’s case. The most damaging statement: that it was her idea, not Drew’s, to create a fake MySpace account to befriend Megan.
Though the jury doesn’t have to find that Drew instigated the plan to convict her of conspiracy, the revelation is nonetheless at odds with the government’s position that the 39-year-old Drew took a leading role in creating a MySpace account for “Josh Evans,” a purported 16-year-old boy who flirted with the emotionally-vulnerable Megan, and ultimately turned on her. The statement came as Grill described the genesis of the hoax, which unfolded at Drew’s home in September 2006.
Grill was in the kitchen with Drew and Sarah, Lori Drew’s daughter, when she proposed creating a fake MySpace account to get information on Megan. Drew applauded the plan, and thought it was funny, but not herself conceive it, Grill said.
The three of them crowded around Drew’s computer as Grill set up the profile. None of the three read MySpace’s terms-of-service first. As Ashley began, Lori and Sarah left for soccer practice, urging Grill to finish up in their absence.
There are several interesting things here. First, the hurtful emails, the ones that led to Meier’s suicide, were not penned by Drew but by Grill, the prosecution’s own witness. Second, and more importantly, the government’s witness conceded that Drew had not read MySpace’s terms of service. Unless the CFAA is a strict liability statute, or can be violated negligently or recklessly, then the prosecution must prove that Drew knew she was violating the terms of service. Thus far, I haven’t heard anything to indicate she knew it was a violation of MySpace’s terms of service to create a fake profile. If knowledge is required, and if knowledge isn’t proven, then the prosecution’s case shouldn’t survive a directed verdict motion.
I only know a little about the CFAA, so I ask the experts: Am I correct that knowledge that one accesses a site without authorization is required for there to be a CFAA violation, even under the prosecution’s warped interpretation of the statute?
November 20, 2008 at 10:08 pm
Posted in: Privacy, Privacy (Gossip & Shaming), Social Network Websites, Web 2.0
Print This Post
Responses (7)
A.W, - November 21, 2008 at 8:58 am
Yeesh, Daniel, your jihad against this prosecution is really starting to drag down your analysis.
Knowledge? She knew there was an TOS agreement and one of them surely clicked “I agree.” The fact they skipped over it doesn’t excuse them, then.
To quote one of many cases on the concept of Willful Ignorance: “One who, knowing or strongly suspecting that he is involved in shady dealings, takes steps to make sure that he does not acquire full or exact knowledge of the nature and extent of those dealings is held to have a criminal intent,” In re Aimster Copyright Litigation, 334 F.3d 643 (7th Cir., 2003)
So the answer is, she knew the TOS existed, and chose not to read it, she was willfully blind as to whether her conduct was criminal, and thus has, as a matter of law, knowledge.
Daniel J. Solove - November 21, 2008 at 11:48 am
A.W., The willful blindness is an interesting theory, but to prove knowledge for the CFAA violation, the prosecution must prove that she knew she used the site in an unauthorized manner. Merely not reading the TOS doesn’t establish beyond a reasonable doubt that a person was willfully blind to every conceivable unauthorized use. Willful blindness is a fairly limited doctrine, and it basically applies when one is fairly close to knowing, but deliberately sticks his/her head in the sand to avoid finding out the complete story (the willful blindness jury instruction is also referred to as the “ostrich instruction”). Basically, it involves something akin to partial knowledge, and the defendant deliberately avoiding finding out more. I doubt many courts would find that merely ignoring the TOS, something that nearly everyone does (I think that less than 10% of users actually read the TOS), would be sufficient for willful blindness. Moreover, the doctrine requires deliberate avoidance, sometimes even taking steps to avoid finding out more (or going out of one’s way to avoid finding out more). Merely ignoring the TOS will likely not constitute taking such steps.
If you can find an analogous case with willful blindness, I’ll stand corrected, but under my understanding of the doctrine, it won’t work.
Regarding my critique of this prosecution more generally, I’m fairly certain that the case will either (1) be dismissed on a directed verdict motion if the judge gets his act together, either on the theory in my post or on an interpretation of the CFAA that will narrow the overbroad statute; or (2) be dismissed on appeal if there’s a conviction. If Drew is convicted, and the case stands up on appeal, I’ll be stunned, and then the message will be clear: Millions of Internet users will face potential prosecution! I’m not exaggerating — this is why I find the prosecution’s theory of the case so troubling. And if the courts adopt your theory of willful blindness, then even more Internet users will be in trouble, for hardly anyone reads TOS.
Bruce Boyden - November 21, 2008 at 12:35 pm
Dan, as you probably know, Orin Kerr thinks the answer is yes also — or rather, he says the violation of the TOS must be intentional, which I presume requires knowledge of its contents: http://volokh.com/archives/archive_2008_05_11-2008_05_17.shtml#1210889188
The only case I’m aware of off the top of my head that involved a remotely similar question is from the equivalent language under the ECPA, not the CFAA: Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F. Supp. 2d 817 (E.D. Mich. 2000). But there there was no agreement at all governing access; the question was whether the defendant should have inferred that his access was no longer authorized to a certain portion of a third party’s computer network containing the plaintiff’s data after his contract with the plaintiffs was terminated. The court said no, you need a more specific signal than that. That doesn’t tell us whether, where there *is* an agreement that the defendant (hypothetically) didn’t read and didn’t have constructive knowledge of, that unread agreement provides the more specific signal.
A.W., you’re going too fast. First of all, the idea that you can’t escape liability by not reading a contract is true as a matter of *contract law*, but that doesn’t necessarily apply to other fields. E.g., criminal law, which usually requires some level of intent. Constructive knowledge of the terms or of relevant norms of access might suffice, but I’m not sure it’s quite so obvious that you can’t provide any false registration information to your average social networking site, particularly given that it’s free and there’s no requirement that you use your real name as your account name. Unlike Aimster, I’m not aware of any facts here that would indicate the basis for such constructive knowledge, e.g. major news stories and well-publicized litigation holding people liable for providing false registration information on free social networking sites.
A.W. - November 21, 2008 at 12:39 pm
The failure to read the TOS when you are up to something sneaky using that site is about as clear an example of willfull blindness as you can get, citing that case as one example of many.
as for the claim that millions of people will be criminals, given that you have to be gaining access to that computer in an unauthorized manner in order to committ a tort, i’m not sure how many people will fall under it, and those who do, well, then, they deserve it.
For instance, suppose you log onto my space and then committ defamation. Well, unless they can prove that at the moment of log on, you intended to committ the defamation; so if you decided to committe the tort spontaneously, no criminal liability.
And so what if people can go to jail over this? you know, maybe it would be a good thing if people start watching what they say on the web, and stop lying. I keep waiting for people to wise up to the fact that you can’t trust everything you read on the web, but every day you hear of people who read some idiot site and decide 9-11 was a US government conspiracy, or something stupid like that. I mean, my God, there are people who will quote wikipedia to me, ignoring the fact that any idiot can write one of those entries. So maybe making people a little afraid of writing BS is a good thing.
And besides we all know it is NOT going to be applied to every internet defamor, but selectively to outrageous conduct, such as the Palin email hacking case, or the Lori Drew case. And if it bothers you to see the prosecutors be allowed that much discretion, well, that is just how it has been on many topics for a long time.
Bruce Boyden - November 21, 2008 at 12:51 pm
Keep in mind that under the government’s theory, mere breach of the TOS by itself, that results in obtaining information or causing “loss” of $5,000 (broadly defined), is a misdemeanor, subject to a fine and up to a year in jail, regardless of whether there is some further tort or crime anticipated. So, say Dan puts a new term, linked to at the bottom of Concurring Opinions home page: “A.W. is no longer allowed to access this site.” Without reading the TOS, you access the site repeatedly to read blog posts (obtain information) and submit comments. Are you guilty of a misdemeanor? I would say no.
A.W. - November 21, 2008 at 4:46 pm
the actual provision requires a desire to committ a tort. now if i go to concurring opinions to look for tips on how best to defame someone, well, then, yeah, i deserve whatever happens to me. why are we so eager to excuse bad conduct?
I mean, a girl is dead, and they pretty directly urged her to committ suicide.
Steven M. Bellovin - November 22, 2008 at 4:15 pm
There was some discussion of the scienter issue in the CFAA by the Court of Appeals many years ago, in the Morris Internet Worm case — see 928 F.2d 504. Of course, the law has been amended a number of times since 1991; I haven’t checked if the relevant language has changed.
Leave a Reply