I was trying to figure out how to explain to you all that is involved in the case of the U.S. v. Lori Drew, the cyberbullying case that so many lawyers are expressing concerns about. I felt I needed a lawyer to explain it, but where would I find one who felt like doing some unpaid work, and over the Thanksgiving holiday to boot? Then I had a brainstorm. I could show you the amicus brief [PDF] submitted in the case by the Electronic Frontier Foundation, the Center for Democracy and Technology, and Public Citizen, which was also signed by "14 individual faculty members listed in Appendix A who research, teach and write scholarly articles and books about internet law, cybercrime, criminal law and related topics at law schools nationwide". Appendix A is at the very end. If you look at the list, you'll see that it's some of the finest and most knowledgeable lawyers and law professors specializing in cyberlaw. The brief was written by Jennifer Granick of EFF and Philip R. Malone of Harvard Law School's Berkman Center for Internet and Society's Cyberlaw Clinic.
I think when you read it, it will turn your hair white. It did me. In fact, I don't think it's overstating it a bit to say that unless this case is overturned, it is time to get off the Internet completely, because it will have become too risky to use a computer. At a minimum, I'd feel I'd need to avoid signing up for membership at any website, particularly MySpace. Why particularly MySpace? The Times Online has their statement:
MySpace, which is a division of News Corporation, owner of The Times, said in a statement that it “respects the jury's decision and will continue to work with industry experts to raise awareness of cyber-bullying and the harm it can potentially cause.”
If it respects this decision, I don't feel safe there. I didn't even want to visit its web site to try to find its terms of use. But according to this article, MySpace gets to be the one that decides if we've violated their terms: MySpace users agree that the social networking site has the final say on deciding whether content posted by users violates a long list of regulations contained in the agreement. There is no recourse. They make the law and if you mess up, you go to jail. You used a computer, after all, didn't you, and their server isn't yours, and if they say you have violated their terms, you have.
I'd also never upload anything to YouTube, and I wouldn't use anyone's blogging software. I'd definitely stay out of the Cloud, because I don't own those computers either, leaving me open to Computer Fraud & Abuse Act allegations, which is what Drew was charged with. In short, it'd be time for me to just pack up and leave, if this verdict stands.
If you think EULAs were bad, imagine after this ruling if they can be tied to the CFAA. Do you think it'll be long before folks are tossed in jail for defining fair use in ways a copyright owner doesn't like? Would Microsoft hesitate to criminalize its EULA terms? You think? You trust?
The case is not yet done, in that there is a motion that the judge took under advisement and said he will rule on this coming Monday. And there are other developments, as reported by St. Louis Today:
Drew lawyer H. Dean Steward has filed a motion to dismiss the case, arguing repeatedly that prosecutors in Los Angeles over-reached and that Drew could only be prosecuted if she both read MySpace's terms and knowingly and intentionally violated them. Wu has appeared to lean towards granting that motion in court, although he has declined prior chances to do so. Steward has also filed a motion for a new trial, which could lead to a federal appeals court tossing out the case.
Wu is the judge, the Honorable George H. Wu. There are some serious issues, legal issues, raised by the case, in other words. The legal issues are not about who is or isn't morally awful; the legislative branch can always write new laws to address a new issue that they realize someone needs to write a law for. The legal issues raised are what happens to everyone who uses a computer if the Computer Fraud & Abuse Act is applied to actions that were not contemplated as covered by the legislators when they drafted the act. Here's the analysis by the US Department of Justice of the CFAA, dated long before this case. More reactions:
"The statute was never intended to cover this kind of conduct," says Michael Scott, professor of law at Southwestern School of Law, Los Angeles. "Lori Drew did not do the key acts that the prosecution alleged, but rather a third party did, so it seems strange that the person who pulled the trigger is not prosecuted but the one standing next to her is."
Or at least criminalize it before you prosecute anyone. Andrew Grossman goes to the heart of the matter, in the Christian Science Monitor:
"What happened to Megan Meier was a tragedy, not a crime," says Andrew Grossman, senior legal policy analyst in the Center for Legal and Judicial Studies at the Heritage Foundation in Washington. "This case should never have been brought. The strongest evidence for the prosecution had nothing or little to do with the charges. This verdict is a loss for civil liberties and leaves all Internet users at risk of prosecution under federal law. It is a prime example of overcriminalization." [Grossman explains what he means by overcriminalization in detail in this article.]
And that's why it'd be time to get off the Internet and go back to a typewriter. Really. You read a great deal about judges and how they shouldn't be allowed to be activists and use their positions to create law. But the amicus brief raises a serious question: what about prosecutors? Is society in safe hands if prosecutors get to broadly interpret a law retroactively in creative and aggressive ways to make it apply to activities that have nothing to do with what the law was written to address? How about web sites? If violating a web site's terms of use is criminalized by the CFAA, have we not given private companies the ability to write the criminal laws? Do you feel safe if they are allowed to arbitrarily decide what is or isn't criminal? And then change it whenever they feel like it, without notice to you? Here's a question for you, from AlmostLegally: At my office, the company I work for says “don’t send personal email from your work computer.” But if I do, is that a federal crime? For example, Groklaw has terms of use. I ask you not to post comments about politics and not to troll or spam or personally attack anyone. If you violate those terms, should I apply the CFAA to you and send you to jail? One year for each misdemeanor and a $100,000 fine, because you violate something I made up to suit myself? On what basis should I be given such power?
Have we lost our minds? I surely don't want any such powers. Note that's one of the concerned comments in the New York Times article I linked to at the very beginning, a comment by Andrew M. Grossman, senior legal policy analyst for the Heritage Foundation, again:
"If this verdict stands, it means that every site on the Internet gets to define the criminal law," Grossman told The Times. "That's a radical change. What used to be small-stakes contracts become high-stakes criminal prohibitions."
Did you ever think you could be criminally prosecuted for not abiding by a web site's terms of use? Neither did I. And that raises another question. Do I now have a responsibility to police you and make sure you are abiding by my 'laws'? Does anybody know? And there's another point that the brief raises: can you retroactively define something as criminal and put people in jail for conduct they had no notice was criminal conduct before they did it?
The law is not supposed to surprise or ambush you. The law draws a line in the sand, as drawn by the legislators, who draw it where they think they need to to accomplish something very specific. They don't write laws that say, "Don't do bad stuff." If they did, it'd be likely found unconstitutional, on the grounds of vagueness, because who knows what "bad stuff" is if it isn't defined? Did you know that YouTube's Terms of Use say not to do "bad stuff"? I didn't either, never having read it, because like the majority of you, I rarely read terms of use. But the brief tells us that it says that. If we apply the CFAA to that web site's terms of use, is it now a crime to do "bad stuff"? Actually, yes, if you use a computer to do it, whatever it is that someone someday might conceivably define as "bad stuff". Who gets to define "bad stuff"? Google? Some prosecutor somewhere you don't even live? A blogger mob? An enemy who can't sleep without inventing new and mean ways to ruin your life? Does the CFAA not empower such conduct?
Do you actually want a world like that? In some ways, it's worse than lawlessness, worse than the old Wild West. Why worse? Because in the West in the old days, might made "right". That's clear enough, and you knew where you stood. Practice shooting, or move East where there were laws. But if the law is vague or retroactively redefined just to get you, because someone in power decides you deserve it, you have laws but you can't rely upon them, because they are not necessarily fairly applied or reliably defined, so you are in constant danger of having a law used just to get you personally, because someone doesn't like the way you part your hair.
Like that never happens in real life.
The entire point of the rule of law is that it's dependable and predictable and it applies equally to everyone. You don't wake up to a knock on your door, and find the police have defined you mysteriously as a criminal without warning. I'm not talking about this case's specifics now. Everyone agrees that bullying is not a good thing, and I sympathize with prosecutors. I've known some, and I liked them all. They are men and women, in my experience, who care deeply about the victims of crime, and that's a beautiful quality. But the rule of law is beautiful too, but only if it's dependable, fair, and applied without favoritism. Not to mention Constitutional. Anonymous speech is protected under the US Constitution, as the brief points out. PCWorld quotes some more lawyers: If the charges against Drew are upheld, it will be a serious blow to anyone who wants to remain anonymous on the Internet, said Brock Meeks, a CDT spokesman. "Everybody that is sympathetic to this case and saying finally we've got something to nail her on here, they're not looking hard enough at the fact that the Justice Department blundered by using this anti-hacker law," he said.
The charges suggest that anyone who uses a fake name to sign up for a Web service like Yahoo or Gmail could be charged with a federal crime, Meeks said. "If that's a federal crime, then I'm certainly guilty of a federal crime and there are probably a million other people out there who are probably also guilty."
Is it not Kafkaesque if you can be dragged into court on a whim in any location in the world, if the computer you are alleged to have misused is located there, even if it's half a country or even a world away from where you reside and they can put you in jail for a crime that wasn't defined as a crime at the time of your conduct in question? It'd be one thing if you were given a notice that this was the new interpretation; but if you just wake up to find out you are a retroactive criminal, you might as well be in a Kafka novel, because there is absolutely no way to ever know what the definition of criminal conduct will be tomorrow or when it can retroactively be applied to you. Drew, according to reports of the testimony at trial, never read the terms of use. Yes, but she should have known, said the prosecutor. She must have. How do you know? Should the law guess? We can be put in prison because although there is no proof we knew something, we might have or could have or must have? If you think I am overstating what the brief is saying, feel free to say so, but do read it. At least then, you'll know what the uproar is all about. I know from some of your comments that you think the verdict was all about Lori Drew. I don't think so. I think it's about us.
Update: I remembered reading a detail about the case in one of the first articles about it, if not the first, namely that Megan was underage when she opened her MySpace account, and that her mother allowed her to do so, despite it being a violation of the web site's Terms of Use, and I found it now, from the St. Charles Journal:
MySpace has rules. A lot of them. There are nine pages of terms and conditions. The long list of prohibited content includes sexual material. And users must be at least 14.
"Are you joking?" Tina asks. "There are fifth-grade girls who have MySpace accounts."
As for sexual content, Tina says, most parents have no clue how much there is. And Megan wasn't 14 when she opened her account. To join, you are asked your age but there is no check. The accounts are free.
As Megan's 14th birthday approached, she pleaded for her mom to give her another chance on MySpace, and Tina relented.
She told Megan she would be all over this account, monitoring it. Megan didn't always make good choices because of her ADD, Tina says. And this time, Megan's page would be set to private and only Mom and Dad would have the password.
If only the parents would have the password, it means to me that they were the ones who set it up. And at the time of the suicide, Megan was still not yet 14, the age limit MySpace sets for opening an account. "This time" is referring to an earlier account that the parents had shut down, so they apparently allowed her to have an account even earlier, or she just opened it herself. Either way, it was a violation of the web site's terms of use:
Tina Meier was wary of the cyber-world of MySpace and its 70 million users. People are not always who they say they are.
Tina knew firsthand. Megan and the girl down the block, the former friend, once had created a fake MySpace account, using the photo of a good-looking girl as a way to talk to boys online, Tina says. When Tina found out, she ended Megan's access.
So the girl herself set up a fake account as well as violating the terms of use by opening an account when she was underage. Excuse me for pointing this out, but shouldn't this mother also be prosecuted for violating MySpace's Terms of Use, now found a violation of a criminal statute, the Computer Fraud & Abuse Act? Before you answer, remember that Drew was found not guilty of intent to cause harm. If not, I'd like to hear your arguments. That same article, by the way, tells us about an incident that makes me wonder just what exactly caused the suicide:
Monday, Oct. 16, 2006, was a rainy, bleak day. At school, Megan had handed out invitations to her upcoming birthday party and when she got home she asked her mother to log on to MySpace to see if Josh had responded.
Why did he suddenly think she was mean? Who had he been talking to?
Tina signed on. But she was in a hurry. She had to take her younger daughter, Allison, to the orthodontist.
Before Tina could get out the door it was clear Megan was upset. Josh still was sending troubling messages. And he apparently had shared some of Megan's messages with others.
Tina recalled telling Megan to sign off.
"I will Mom," Megan said. "Let me finish up."
Tina was pressed for time. She had to go. But once at the orthodontist's office she called Megan: Did you sign off?
"No, Mom. They are all being so mean to me."
"You are not listening to me, Megan! Sign off, now!"
Fifteen minutes later, Megan called her mother. By now Megan was in tears.
"They are posting bulletins about me." A bulletin is like a survey. "Megan Meier is a slut. Megan Meier is fat."
Megan was sobbing hysterically. Tina was furious that she had not signed off.
Once Tina returned home she rushed into the basement where the computer was. Tina was shocked at the vulgar language her daughter was firing back at people.
"I am so aggravated at you for doing this!" she told Megan.
Megan ran from the computer and left, but not without first telling Tina, "You're supposed to be my mom! You're supposed to be on my side!"
Am I the only parent who notices that this child was left alone on the Internet, with admonitions to stop but delayed enforcement? And can you *prove* in a court of law that it was not the mother's failure to support her, as the child apparently viewed it, that actually caused the death? This child had tried to kill herself before, the article points out, an attempt that had nothing to do with the cyberbullying. No doubt that's why the local authorities didn't prosecute, since they said there was no way to actually say what exactly caused the suicide:
"We did not have a charge to fit it," McGuire says. "I don't know that anybody can sit down and say, 'This is why this young girl took her life.'"
Incidentally, Megan's mother was quoted in that article saying this:
"I don't feel their intentions were for her to kill herself. But that's how it ended."
That is what the jury found, actually, that Drew had no intention of causing a suicide. She didn't set up the account, according to testimony at trial, or send the messages. But if the mother recognized that there was no intention to cause the suicide, why did she not tell the court that and prevent the prosecutor from going after Drew for intent to cause the suicide?
Update 2: Orin Kerr, one of Drew's attorneys, has posted his summary of what happened and what happens next:
The jury agreed that it is a federal crime to intentionally violate the Terms of Service on a website, and that Drew directly or indirectly did so, but it acquitted Drew of having violated Terms of Service in furtherance of the tortious act. That is, the jury ruled that Drew is guilty of relatively lower-level crimes for violating MySpace's Terms of Service (for being involved in the setting up of a fake MySpace account). It acquitted Drew for any role in inflicting distress on Meier or for anything related to Meier's suicide. The maximum allowed penalty for the misdemeanor violations is one year in prison for each violation, although the majority of federal misdemeanors result in a sentence of probation.
The next step in the case is that the trial judge will rule on whether there was enough evidence for the jury to find that Drew violated the Terms of Service intentionally, or whether the TOS violation was only negligent or reckless or knowing. If the judge agrees that there was enough evidence for the jury to find that Drew violated the Terms of Service intentionally, the case will go on to sentencing for the crime of having violated MySpace's Terms of Service.
After sentencing, if that happens, the sentence will be followed by an appeal before the Ninth Circuit on the legal question of whether it is in fact a federal crime to violate the Terms of Service of a website. For those not following my coverage of the case, I am one of Drew's attorneys, and yes, if there is an appeal, I will be very heavily involved in it.
The local prosecutor in Missouri investigated the matter, by the way, and then explained why they didn't prosecute:
On December 3rd, after his review of the case, Jack Banas announced that no charges would be brought. In Banas’s reckoning, the Drews are conclusively guilty of little except egregious judgment that set off a chain of horrible events, and deep insensitivity in their aftermath. He invoked the Duke lacrosse case as a cautionary example of due process succumbing to the passions of a community inflamed. “Are you going to hug this lady, say she did something great?” he told me. “No. She made a huge, fatal mistake by trusting these kids. But there are undisputed facts and disputed facts, and even if you believe all of them they still don’t give you a criminal fact pattern in the state of Missouri.”
The Meiers do not hold Ashley Grills responsible, nor do they blame Michele Mulford’s daughter, who sent the message that kicked off the online melee on October 15th. “If you don’t think that child wishes she could go back and change that . . . ” Tina said. “It could easily have been Megan doing that.”
Update 3: You might find it helpful to read the indictment [PDF] and the memorandum, points of law and authorities. The charges she was found guilty of were accessing MySpace without authorization, due to violating the terms of use. For example, here's Count 4, on page 10 of the indictment: "Count 4, 10/16/06: Unauthorized Access: In violation of MySpace TOS, accessed MySpace servers to obtain information regarding M.T.M."
She did that on three occasions, according to the indictment, accounting for charges 2-4, so that's three years in prison and $300,000 in fines, potentially. Here's why the prosecutor thought she could be charged, despite her never reading the terms of use, since she didn't open the account and testified she never saw the terms, from page 4:
A copy of the applicable MySpace TOS was readily available to prospective members, members, and users of the website, who could click on a link titled "Terms of Service" or "Terms" to be directed to a web page where prospective members, members, and users of the website could review those rules.
Also, I found the motion for acquittal [PDF] and the prosecutor's opposition [PDF].
Final Update, Sept. 1, 2009: The judge's ruling -- acquittal [PDF]. Some analysis by Eric Goldman.
*****************************
JENNIFER STISA GRANICK (California Bar No. 168423)
[email]
ELECTRONIC FRONTIER FOUNDATION
[address, phone, fax]
PHILLIP R. MALONE (California Bar No. 163969)
[email]
CYBERLAW CLINIC
BERKMAN CENTER FOR INTERNET AND SOCIETY
HARVARD LAW SCHOOL
[address, phone]
Amici Curiae
UNITED STATES DISTRICT COURT
FOR THE CENTRAL DISTRICT OF CALIFORNIA
_____________________
UNITED STATES,
Plaintiff,
v.
LORI DREW
Defendant.
_____________________
Case No. CR-08-0582-GW
BRIEF OF AMICI CURIAE ELECTRONIC FRONTIER FOUNDATION, ET AL., IN SUPPORT OF DEFENDANT'S MOTION TO DISMISS INDICTMENT FOR FAILURE TO STATE AN OFFENSE AND FOR VAGUENESS
Date: September 4, 2008
Time: 8:30 AM
Honorable Judge George H. Wu
_____________________
TABLE OF CONTENTS
TABLE OF AUTHORITIES
STATEMENT OF INTEREST OF AMICI CURIAE
FACTS AND SUMMARY OF THE ARGUMENT
I. THIS COURT SHOULD DISMISS THE COMPUTER FRAUD AND ABUSE ACT CHARGES AGAINST DEFENDANT DREW BECAUSE HER ALLEGED VIOLATION OF THE MYSPACE TERMS OF USE DOES NOT CONSTITUTE "UNAUTHORIZED ACCESS" OR "EXCEEDING AUTHORIZED ACCESS" UNDER THE STATUTE
A. BY ITS PLAIN TERMS, THE COMPUTER FRAUD AND ABUSE ACT PROHIBITS TRESPASS AND THEFT, NOT MERE CONTRACTUAL VIOLATIONS OF TERMS OF USE
B. THE LEGISLATIVE HISTORY SUPPORTS THE VIEW THAT THE CFAA PROHIBITS TRESPASS AND THEFT, NOT IMPROPER MOTIVE OR USE.
C. COURTS ARE JUSTIFIABLY WARY EVEN OF CIVIL ENFORCEMENT OF WEBSITE TERMS OF SERVICE
D. IMPOSING CRIMINAL LIABILITY FOR IGNORING OR VIOLATING TERMS OF SERVICE WOULD BE AN UNPRECEDENTED, EXTRAORDINARY AND DANGEROUS EXTENSION OF FEDERAL CRIMINAL LAW
E. THE BETTER VIEW, SUPPORTED BY MORE RECENT CASES, REJECTS CFAA LIABILITY FOR AUTHORIZED USERS ACTING OUTSIDE THE TERMS AND CONDITIONS OF THAT AUTHORIZATION
1. MORE RECENT, BETTER-REASONED CASES ADOPT A NARROWER VIEW OF "EXCEEDING AUTHORIZED ACCESS"
2. OLDER CASES WRONGLY ADOPTED A BROADER VIEW OF "EXCEEDING AUTHORIZED ACCESS"
F. THE RULE OF LENITY REQUIRES THE NARROWER INTERPRETATION OF THE CFAA'S "ACCESS" LANGUAGE
G. THE GOVERNMENT'S PREVIOUS ATTEMPT IN THIS DISTRICT TO EXPAND CIVIL CASES INTERPRETING THE CFAA INTO THE CRIMINAL CONTEXT LED TO THE WRONGFUL CONVICTION AND INCARCERATION OF AN INDIVIDUAL FOR CONSTITUTIONALLY PROTECTED ACTIVITIES
II. APPLYING THE CFAA TO DEFENDANT'S CONDUCT IN THIS CASE WOULD CONSTITUTE A SERIOUS ENCROACHMENT ON FUNDAMENTAL CIVIL LIBERTIES, INCLUDING FREEDOM OF SPEECH
A. THE FIRST AMENDMENT ASSURES THE RIGHT TO SPEAK ANONYMOUSLY ONLINE
B. CONSTITUTIONAL AVOIDANCE DICTATES A NARROW READING OF "ACCESS" UNDER THE CFAA
III. APPLICATION OF THE CFAA WHEN A USER IGNORES OR VIOLATES WEBSITE TERMS OF SERVICE WOULD VIOLATE DUE PROCESS AND RENDER THE STATUTE VOID FOR VAGUENESS AND LACK OF FAIR NOTICE
A. WEB SITE TERMS OF SERVICE ARE ROUTINELY IGNORED OR NOT FULLY READ OR UNDERSTOOD
B. WEB SITE TERMS ARE FREQUENTLY AND ARBITRARILY CHANGED BY SITE OWNERS WITH LITTLE OR NO LIKELIHOOD OF ACTUAL NOTICE TO USERS
C. WEB SITE TERMS MAY THEMSELVES BE ARBITRARY, VAGUE, OR FRIVOLOUS AND ARE CREATED BY PRIVATE SITE OWNERS FOR A MYRIAD OF BUSINESS OR PERSONAL REASONS HAVING NOTHING TO DO WITH REGULATING "ACCESS" FOR CFAA PURPOSES
D. BASING CRIMINAL LIABILITY ON PRIVATE CONTRACT TERMS INEVITABLY WILL LEAD TO ARBITRARY AND DISCRIMINATORY ENFORCEMENT
TABLE OF AUTHORITIES
CASES
ACLU of Ga. v. Miller, 977 F. Supp. 1228 (N.D. Ga. 1997)
ACLU v. Johnson, 4 F. Supp. 2d 1029 (D.N.M. 1998)
America Online Inc. v. LCGM, Inc., 46 F. Supp. 2d 444 (E.D. Va. 1998)
ApolloMEDIA Corp. v. Reno, 526 U.S. 1061 (1999)
Ashcroft v. Free Speech Coal., 535 U.S. 234 (2002)
Brett Senior & Associates, P.C. v. Fitzgerald, 2007 WL 2043377 (E.D. Pa. July 13, 2007)
Canada Dry Corp. v. Nehi Beverage Co., 723 F.2d 512 (7th Cir. 1983)
Christensen v. C.I.R., 523 F.3d 957 (9th Cir. 2008)
City of Chicago v. Morales, 527 U.S. 41 (1999)
Coates v. City of Cincinnati, 402 U.S. 611 (1971)
Columbia Ins. Co. v. Seescandy.com, 185 F.R.D. 573 (N.D. Cal. 1999)
Crowell v. Benson, 285 U.S. 22 (1932)
D. H. Overmyer Co. v. Frick Co., 405 U.S. 174 (1972)
Diamond Power Int'l, Inc. v. Davidson, 540 F. Supp. 2d 1322 (N.D. Ga. 2007)
Doe v. TheMart.com Inc., 140 F. Supp. 2d 1088 (W.D. Wash. 2001)
Doe v. Cahill, 884 A.2d 451 (Del. 2005)
Douglas v. U.S. Dist. Court for Cent. Dist. Calif., 495 F.3d 1062 (9th Cir. 2007)
Educ'al Testing Service v. Stanley H. Kaplan, Educ'al Center., Ltd., 965 F. Supp. 731 (D. Md. 1997)
EF Cultural Travel BV v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001)
EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003)
Foti v. City of Menlo Park, 146 F.3d 629 (9th Cir. 1998)
Gibson v. Fla. Legislative Investigative Comm., 372 U.S. 539 (1963)
Global Telemedia Int'l v. Does, 132 F. Supp. 2d 1261 (C.D. Cal. 2001)
Grayned v. Rockford, 408 U.S. 104 (1972)
Humanitarian Law Project v. Mukasey, 509 F.3d 1122 (9th Cir. 2007)
Int'l Ass'n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479 (D.Md 2005)
Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006)
Lanzetta v. New Jersey, 306 U.S. 451 (1939)
Leocal v. Ashcroft, 543 U.S. 1 (2004)
Lockheed Martin Corp. v. Speed, 2006 WL 2683058 (M.D. Fla. Aug. 1, 2006)
McIntyre v. Ohio Elections Comm'n, 514 U.S. 334 (1995)
McNally v. United States, 483 U.S. 350 (1987)
Nunez v. City of San Diego, 114 F.3d 935 (9th Cir. 1997)
Ohio Bell Tel. Co. v. Public Utilities Comm'n, 301 U.S. 292 (1937)
Pasquantino v. United States, 544 U.S. 349 (2005)
Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000)
Register.com, Inc. v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004)
Reno v. ACLU, 521 U.S. 844 (1997)
Shamrock Foods v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008)
Shurgard Storage Ctrs, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000)
Snepp v. United States, 444 U.S. 507 (1980)
Southwest Airlines Co. v. FareChase Inc., 318 F. Supp. 2d 435 (N.D.Tex. 2004)
Talley v. California, 362 U.S. 60 (1960)
Ting v. AT & T, 182 F. Supp. 2d 902 (N.D. Cal. 2002)
United States v. Batchelder, 442 U.S. 114 (1979)
United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997)
United States v. Drew, No. 08-00582 (C.D. Cal. May 15, 2008)
United States v. Harriss, 347 U.S. 612 (1954)
United States v. LaMacchia, 871 F. Supp. 535 (D. Mass. 1994)
United States v. McDanel, Ninth Circuit Case No. 03-50135, Central District of California Case No. CR-01-638-LGB
United States v. Miranda-Lopez, 2008 WL 2762392 (9th Cir. July 17, 2008) ......... 21
United States v. Riggs, 739 F. Supp. 414 (N.D. Ill. 1990).......................................... 9
United States v. Sutcliffe, 505 F.3d 944 (9th Cir. 2007)........................................... 27
United States v. Thompson/Center Arms Co., 504 U.S. 505 (1992) ......................... 20
United States v. Winstar Corp., 518 U.S. 839 (1996) .............................................. 25
United States v. Wunsch, 84 F.3d 1110 (9th Cir. 1996) ........................................... 28
ViChip Corp. v. Lee, 438 F. Supp. 2d 1087 (N.D. Cal. 2006) .................................. 18
Zadvydas v. Davis, 533 U.S. 678 (2001) ........................................................... 26, 28
STATUTES
18 U.S.C. § 1030(a)(2)(C).................................................... 3, 17, 18
18 U.S.C. § 1030(e)(6) .................................................................... 7
18 U.S.C. § 2701(a)................................................................ 17
18 U.S.C. § 1030(a)(5)(A).......................................................... 21
18 U.S.C. § 1343................................................................... 5
47 U.S.C. § 223(a)(1)(C)......................................................... 3
Pub.L. No. 98-473, § 2102(a), 98 Stat. (1984)........................................................... 8
OTHER AUTHORITIES
Alan M. White & Cathy Lesser Mansfield, Literacy and Contract, 13 Stan. L. &
Pol'y Rev. 233, (2002)..................................... 11, 31
Andrew Robertson, The Limits of Voluntariness in Contract, 29 Melbourne L. Rev.
179, (April 2005) ..................................................................... 30
Antony Savvas, Social Network Users Hide Identities, Computer Weekly, Sept. 25,
2007............................................................. 23
Jeff Gelles, Internet Privacy Issues Extend to Adware, Newark Star-Ledger, July 31, 2005................................................................. 30
Mark A. Lemley, Terms of Use, 91 Minn. L. Rev. 459, (2006) ................... 11, 20, 31
Melvin Aron Eisenberg, The Limits of Cognition and the Limits of Contract, 47 Stan.
L. Rev. 211, (1995)......................................................... 30, 31
Michael I. Meyerson, The Reunification of Contract Law: The Objective Theory of
Consumer Form Contracts, 47 U. Miami L. Rev. 1263, 1269 & nn.28-29 (1993)............................................................ 30, 31
Nathaniel Good et al., Commentary, User Choices and Regret: Understanding
Users' Decision Process About Consensually Acquired Spyware, 2 I/S: J.L. &
Pol'y for Info. Soc'y 283, (2006) ........................ 29
Orin S. Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in
Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596 (2003)................................. 12
Oxford English Dictionary, Oxford University Press ................................................ 9
Pew Internet & American Life Project, Teens, Privacy and Online Social Networks:
How teens manage their online identities and personal information in the age of
MySpace, April 18, 2007, at 23-24, at
http://www.pewinternet.org/pdfs/PIP_Teens_Privacy_SNS_Report_Final.pdf ...... 4
Restatement (Second) of Agency, § 112 (1958) ....................................................... 18
Restatement (Second) of Contracts, § 211 cmt. b (1981).......................................... 29
Robert A. Hillman & Jeffrey J. Rachlinski, Standard-Form Contracting in the
Electronic Age, 77 N.Y.U. L. Rev. 429, (2002) ................................................... 30
Robert L. Oakley, Fairness in Electronic Contracting: Minimum Standards for Non-Negotiated Contracts, 42 Hous. L. Rev. 1041, 1051 (2005)................................. 29
Robert W. Gomulkiewicz, Getting Serious About User-Friendly Mass Market
Licensing for Software, 12 Geo. Mason L. Rev. 687, (2004).......................... 11, 31
Russell Korobkin, Bounded Rationality, Standard Form Contracts, and
Unconscionability, 70 U. Chi. L. Rev. 1203 (2003) ............................................. 31
United States v. McDanel, Government Brief............................................................ 6
LEGISLATIVE MATERIALS
141 Cong. Rec. S9423.................................................................... 9
142 Cong. Rec. E1621.................................................................... 9
H.R. Rep. No. 98-894 (1984) ......................................................................... 8
S. Rep. No. 99-432 (1986)................................................................... 8, 9
INTERNET SOURCES
AOL Terms of Use, http://about.aol.com/aolnetwork/aolcom_terms ......................... 32
Child Exploitation and Online Protection Centre, Thinkuknow: Social Networking,
http://www.thinkuknow.co.uk/(X()S(zuckbyrpokhbemgzsglhm))/_/control/social.aspx......................................................... 4
Facebook Terms of Use, http://www.facebook.com/terms.php................................ 13
Google Terms of Service, § 2.3, http://www.google.com/accounts/TOS..................12
Match.com Terms of Use Agreement,
http://www.match.com/registration/membagr.aspx ..............................................13
Network Solutions Terms of Service, http://www.networksolutions.com/legal/static-service-agreement.jsp .................................................................29
Terms and Conditions -- MySpace.com,
http://www.myspace.com/index.cfm?fuseaction=misc.terms ..................... 3, 29, 32
West Terms of Use, http://west.thomson.com/about/terms-of-use/default.aspx?promcode=0 ............................................................... 32
YouTube Community Guidelines, http://www.youtube.com/t/community_guidelines............................33
STATEMENT OF INTEREST OF AMICI CURIAE
Amici are three organizations, the Electronic Frontier Foundation, the Center
for Democracy and Technology and Public Citizen, and the 14 individual faculty
members listed in Appendix A who research, teach and write scholarly articles and
books about internet law, cybercrime, criminal law and related topics at law schools
nationwide. None received any compensation for participating in this brief. Amici's
sole interest in this case is in the evolution of sound and principled interpretation and
application of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C). Amici
believe that this brief will assist the Court in its consideration of the proper
interpretation and application of the CFAA in this case.
Electronic Frontier Foundation ("EFF") is a non-profit, member-supported
civil liberties organization working to protect free speech and privacy rights. As part
of that mission, EFF has served as counsel or amicus in key cases addressing privacy
issues and rights as applied to the Internet and other new technologies. With more
than 13,000 dues-paying members, EFF represents the interests of technology users
in both court cases and in broader policy debates surrounding the application of law
in the digital age, and publishes a comprehensive archive of digital civil liberties
information at one of the most linked-to web sites in the world, www.eff.org.
Center for Democracy & Technology ("CDT") is a non-profit public interest
and Internet policy organization. CDT represents the public's interest in an open,
decentralized Internet reflecting constitutional and democratic values of free
expression, privacy, and individual liberty. In particular, CDT works to protect
online free speech, including the right to speak anonymously and to engage in robust
communication and debate without inappropriate threats of criminal sanctions.
Public Citizen is a non-profit, public interest organization that has defended the
rights of citizens and consumers since its founding in 1971. Public Citizen has stood
against the enforceability of abusive terms in one-sided contracts of adhesion and
strongly rejects the proposition that criminal liability should attach to violations of
contractual fine print. Since 1999, Public Citizen has also defended the First
Amendment right of citizens to communicate anonymously in online forums without
the threat of unjustified liability.
FACTS AND SUMMARY OF THE ARGUMENT
Defendant Lori Drew is a Missouri resident charged in the Central District of
California with violating the Computer Fraud and Abuse Act ("CFAA"). The
Government alleges that in the fall of 2006, Defendant created a MySpace account
under the name of "Josh Evans." Indictment, United States v. Drew, No. 08-00582, 6
(C.D. Cal. May 15, 2008). Through the "Josh Evans" account, Defendant
communicated and developed an online relationship with Megan Meier, a 13-year-old girl also living in Missouri. Indictment at 6. At some point during their
communications "Josh Evans" said hurtful things to Miss Meier. Id. at 7-8.
Tragically, Miss Meier took her own life.
There are state and federal statutes that regulate harassing and otherwise
harmful speech, carefully identifying speech that falls outside of First Amendment
protection. See, e.g., 47 U.S.C. § 223(a)(1)(C); R.S.Mo. 565.090 (former).1 Neither
of those statutes appears to criminalize the communications from "Josh Evans" to
Miss Meier here. In the absence of applicable First Amendment-compliant criminal
statutes, the Government has chosen to indict Defendant for violating the CFAA,
18 U.S.C. § 1030(a)(2)(C), and for conspiring to violate it. The Government theory is
that Defendant's use of a fictitious name and registration information and her hurtful
speech violated the MySpace terms of service (TOS). See Terms and Conditions --
MySpace.com, http://www.myspace.com/index.cfm?fuseaction=misc.terms (last
modified Feb. 28, 2008). Defendant allegedly failed to provide truthful and accurate
registration information; failed to refrain from using any information obtained from
MySpace services to harass, abuse, or harm other people; failed to refrain from
soliciting personal information from anyone under 18; failed to refrain from
promoting information that she knew was false or misleading; and failed to refrain
from posting photographs of other people without their consent, all in violation of
the terms of use. Indictment at 6-7. On the Government's view, account holders
who use their MySpace accounts in violation of the TOS are accessing the company
servers "without authorization" or "in excess of authorization." In this way,
Defendant victimized MySpace when "Josh Evans" did not follow its terms of
service.
The Government's novel and unprecedented response to what everyone
recognizes as a tragic situation would create a reading of the CFAA that has
dangerous ramifications far beyond the facts here. Terms of service include
prohibitions both trivial and profound. As detailed in examples below, the
Government's theory would attach criminal penalties to minors under the age of
18 who use the Google search engine, as well as to many individuals who legitimately
exercise their First Amendment rights to speak anonymously online. This effort to
stretch the computer crime law in order to punish Defendant Drew for Miss Meier's
death would convert the millions of internet-using Americans who disregard the
terms of service associated with online services into federal criminals. Indeed, survey
evidence shows that the majority of teenage MySpace users have entered at least
some false information into MySpace, and would thus be subject to prosecution
under the Government's theory. Pew Internet & American Life Project, Teens,
Privacy and Online Social Networks: How teens manage their online identities and
personal information in the age of MySpace, 23-24,
http://www.pewinternet.org/pdfs/PIP_ibiblios_Privacy_SNS_Report_Final.pdf (Apr.
18, 2007). In fact, child safety advocates like the Child Exploitation and Online
Protection Centre of the British government specifically encourage children to
protect themselves by providing misleading identifying information instead of real
names on social networking sites. See Child Exploitation and Online Protection
Centre, Thinkuknow: Social Networking,
http://www.thinkuknow.co.uk/(X()S(z4uckb3yrpokhbemgzsglhm2))/8_10/control/social.aspx
(last visited July 31, 2008) ("It's a good idea to use a nickname rather than
your real name."). To the best of amici's knowledge, never before in the 22-year
history of the CFAA has a criminal prosecution been based on such a theory.
The case is reminiscent of United States v. LaMacchia, 871 F.Supp. 535 (D.
Mass. 1994), where the district court rejected a Government attempt to stretch the
scope of the federal wire fraud statute, 18 U.S.C. § 1343, to cover the unauthorized,
non-commercial distribution of copyrighted software products over the internet by an
MIT student. At the time, copyright law did not contain criminal provisions against
non-commercial infringement. Noting that the key question was whether,
metaphorically, "new wine can be poured into an old bottle," id. at 536, the court
recognized that:
[w]hat the Government is seeking to do is to punish conduct that
reasonable people might agree deserves the sanctions of the criminal
law. . . . While the Government's objective is a laudable one,
particularly when the facts alleged in this case are considered, its
interpretation of the wire fraud statute would serve to criminalize the
conduct of not only persons like LaMacchia, but also the myriad of
home computer users who succumb to the temptation to copy even a
single software program for private use.
Id. at 544.2
The case is also reminiscent of United States v. McDanel, prosecuted by this
same United States Attorney's office under a different provision of the CFAA before
the Government admitted error on appeal and moved to overturn the defendant's
conviction. See United States v. McDanel, Government Brief, attached as Exhibit A,
at 6, 8. In McDanel, the Government stretched the definition of "harm to the
integrity" of a computer system to cover truthful reports about a security
vulnerability that could endanger a customer's private communications.
The Government's proposed interpretation of the CFAA in this case is a
similar stretch, one that is unsupported by case law or Congressional intent, is
overbroad and unconstitutionally vague, and would punish constitutionally protected
activities. This Court should reject the unwarranted expansion of the CFAA and
dismiss the indictment.
I. THIS COURT SHOULD DISMISS THE COMPUTER FRAUD AND
ABUSE ACT CHARGES AGAINST DEFENDANT DREW BECAUSE
HER ALLEGED VIOLATION OF THE MYSPACE TERMS OF USE
DOES NOT CONSTITUTE "UNAUTHORIZED ACCESS" OR
"EXCEEDING AUTHORIZED ACCESS" UNDER THE STATUTE
A MySpace account holder does not gain unauthorized access or exceed
authorized access to MySpace servers by disregarding conditions set forth in that
service's terms of service (TOS). The CFAA criminalizes unauthorized access to a
computer system or to information on the system. Both the plain language of the
statute and the legislative history show that the statute is meant to punish trespassers
and "hackers," not users who ignore or violate sites' contracts or customers who
misuse the service.
A. By Its Plain Terms, The Computer Fraud And Abuse Act Prohibits
Trespass And Theft, Not Mere Contractual Violations Of Terms Of
Use
The fundamental question in this case is when access to a highly popular,
everyday web site is "without authorization" or in excess of authorized access.3 The
plain language of the CFAA does not criminalize an account holder's use of a
computer in violation of TOS, but rather a trespasser's access to computer systems or
areas of computer networks without permission. In other words, the statute prohibits
trespass and theft, not improper motive or use. Every exercise of statutory
interpretation begins with an examination of the plain language of the statute.
Christensen v. C.I.R., 523 F.3d 957, 962 (9th Cir. 2008) (Courts look to the plain
language of a statute, and to legislative history). The Government charged
Defendant with 18 U.S.C. § 1030(a)(2)(C), which states:
(a) Whoever-- ...(2) intentionally accesses a computer without
authorization or exceeds authorized access, and thereby obtains--...(C)
information from any protected computer if the conduct involved an
interstate or foreign communication; ...shall be punished as provided in
subsection (c) of this section.
Although Congress did not define the phrase "without authorization," it did so for
the phrase "exceeds authorized access". The term "exceeds authorized access"
means: "to access a computer with authorization and to use such access to obtain or
alter information in the computer that the accessor is not entitled so to obtain or
alter." 18 U.S.C. § 1030(e)(6) (2008).
The plain language of the statute prohibits trespass, either by outsiders who
have no rights to the computer system, or by "insiders" who have some rights to
access the computer system, but have limited rights to access or alter information on
that same system. The Indictment in this case does not allege whether the
defendant's access to the MySpace service was "without authorization" or "in excess
of authorized access" or both. Regardless, both prongs of 1030(a)(2)(C) are
straightforward prohibitions against computer trespass. The first covers outsiders
who have no rights to the computer system, and the second covers "insiders" who
have some rights to access the computer system, but do not have rights to access or
alter certain files or information on that same system. If the computer owner gives
the user the ability to access particular information, then the user does not exceed
his authorization by accessing that information, regardless of the purpose or manner
of such access. Lockheed Martin Corp. v. Speed, 2006 WL 2683058, *5 (M.D. Fla.
Aug. 1, 2006) (plain reading of "exceeds authorized access" means "those [who go]
above [their] authorization, meaning those that go beyond the permitted access
granted to them typically insiders exceeding whatever access is permitted to
them"). The plain language of Section 1030(a)(2) targets "the unauthorized
procurement or alteration of information, not its misuse or misappropriation."
Shamrock Foods v. Gast, 535 F. Supp. 2d 962, 965 (D. Ariz. 2008) (citing Brett
Senior & Assocs., P.C. v. Fitzgerald, 2007 WL 2043377 (E.D. Pa. July 13, 2007)).
B. The Legislative History Supports The View That The CFAA
Prohibits Trespass And Theft, Not Improper Motive Or Use.
The legislative history confirms that Congress intended the CFAA to
criminalize intruders who trespassed on computers and computer networks. Int'l
Ass'n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 495-96
(D. Md. 2005) (citing S. Rep. No. 99-432, at 4 (1986), reprinted in 1986
U.S.C.C.A.N. 2479, 2482 (explaining that the CFAA "is a consensus bill aimed at
deterring and punishing certain 'high-tech' crimes")). The CFAA was originally
called the Counterfeit Access Device and Computer Fraud and Abuse Act and was
enacted in 1984. Counterfeit Access Device and Computer Fraud and Abuse Act,
Pub. L. No. 98-473, Title II, § 2102(a), 98 Stat. 1937 (1984) (prior to 1986
amendment). The 1984 House Committee emphasized that "section 1030 deals with
an 'unauthorized access' concept of computer fraud rather than the mere use of a
computer. Thus, the conduct prohibited is analogous to that of 'breaking and
entering' rather than using a computer . . . in committing the offense." H.R. Rep.
No. 98-894 at 20 (1984) reprinted in 1984 U.S.C.C.A.N. 3689, 3706. Consequently,
the committee report emphasized concerns about "hackers" who "trespass into"
computers and the inability of "password codes" to protect against this threat. Id. at
10-11, reprinted in 1984 U.S.C.C.A.N. 3689, 3695-97. The 1984 version of the law
criminalized actions of one who gains "unauthorized access" or who "having
accessed a computer with authorization, uses the opportunity such access provides
for purposes to which such authorization does not extend."
In 1986, Congress deleted the part of the statute that prohibited those with
authorization from using the system for unauthorized purposes and substituted the
phrase "exceeds authorized access." Werner-Masuda, 390 F. Supp. 2d 479, 499 n.12
(D. Md. 2005) (quoting S. Rep. No. 99-432, at 9 (1986), reprinted in
1986 U.S.C.C.A.N. 2479, 2486). As the court in Werner-Masuda explains:
By enacting this amendment, and providing an express definition for
"exceeds authorized access," the intent was to "eliminate coverage for
authorized access that aims at `purposes to which such authorization
does not extend,'" thereby "removing from the sweep of the statute one
of the murkier grounds of liability, under which a [person's] access to
computerized data might be legitimate in some circumstances, but
criminal in other (not clearly distinguishable) circumstances that might
be held to exceed his authorization.
Id. at 499 n.12 (quoting S. Rep. No. 99-432, at 21, 1986 U.S.C.C.A.N. 2479, 2494-95) (alterations in original). Congress used the "exceeds authorized access" language
to avoid extending criminal liability to employees where administrative sanctions
were more appropriate. Id.
This intention is further supported by the fact that, when discussing the CFAA,
and specifically section (a)(2)(C), legislators often referred to "hackers" and the need
to protect sensitive information from theft. See, e.g., 142 Cong. Rec. E1621-03
(daily ed. Sept. 17, 1996) (statement of Rep. Goodlatte); see also 141 Cong. Rec.
S9423 (daily ed. June 29, 1995) (statement of Sen. Leahy). The modern,
conventional usage of "hacker" is usually someone who gains unauthorized access to
a computer typically to obtain information of value he or she is not entitled to obtain,
or to cause damage. See, e.g., Oxford English Dictionary, Oxford Univ. Press
(defining, inter alia, a hacker as "a person who uses his skill with computers to try to
gain unauthorized access to computer files or networks"); see also United States v.
Riggs, 739 F. Supp. 414, 423-24 (N.D. Ill. 1990) (citing approvingly to sources that
define hackers as those using computer skills to gain unauthorized access to a
computer system). The legislative history makes no mention of unauthorized or
excessive access obtained through ignorance or disregard of private terms of service.
The legislative history supports the conclusion that the CFAA criminalizes
trespasses in which the user gains access to computer services or information to
which he is not entitled, not those in which an authorized individual uses the services
or information in an impermissible manner. Defendant Drew had an account on
MySpace, a free interactive internet-based social network open to anyone who signs
up for the service. There are no fees, no vetting, no checks on who may use the
service. Usernames and passwords are deployed, not to keep people off MySpace,
but to give users control over their own account profiles and keep such profiles
separate. Defendant Drew allegedly used her account to access MySpace services
and information. She had no special skill with computers and did not circumvent any
security measures, technological or otherwise. As is any member of the public who
signs up and holds an account, she was authorized to use the service and to access
the system, including information stored there. The way she used her account, if the
allegations are true, was reprehensible. But unless her hateful speech rises to the
level of harassment or stalking, it is not criminal and cannot be punished; attempting
instead to punish that speech under the CFAA merely because it took place on the
internet in contravention to a private terms of service is improper.
C. Courts Are Justifiably Wary Even Of Civil Enforcement Of
Website Terms Of Service
Adopting the erroneous view of the CFAA propounded by the prosecution in
this case would criminalize the actions of internet users or web service account
holders who violate a mere contractual promise to use a computer in a certain way or
who ignore or disregard terms of service hidden behind a "legal notices" hyperlink at
the bottom of a webpage. As detailed in Section III.A, infra, many, perhaps most,
internet users do not even read or understand these documents, which are often long,
riddled with legalese, and poorly organized and formatted or typically are written at
a level of difficulty that exceeds the ability of most consumers to understand.
Accord Robert W. Gomulkiewicz, Getting Serious About User-Friendly Mass
Market Licensing for Software, 12 Geo. Mason L. Rev. 687, 692-94, 701-02 (2004);
Alan M. White & Cathy Lesser Mansfield, Literacy and Contract, 13 Stan. L. &
Pol'y Rev. 233, 235-42 (2002). Significantly, the Government in this case has not
alleged that the Defendant or co-conspirators ever read or even looked at the
MySpace terms, but only that the terms "were readily available" to users "who could
click on a link titled 'Terms of Service' or 'Terms' to be directed to a web page
where [they] could review those rules." Indictment at 4 (emphasis added).4
Indeed, the current prosecution would impose criminal liability for merely
ignoring or violating terms of service at a time that courts and academics continue to
debate the extent to which and under what circumstances such documents should be
enforced as a matter of regular civil contract law. See, e.g., Mark A. Lemley, Terms
of Use, 91 Minn. L. Rev. 459, 462-63, 475-76 (2006) (citing cases and noting
differences in enforceability between corporate-entity defendants and individuals).
Among the thorny issues that are presented by such cases are whether the user
receives adequate actual or constructive notice of the terms, whether the user
effectively consents and whether the terms are unconscionable. Whatever the merits
of recognizing private, civil contract obligations and remedies in such situations,
however, the imposition of serious criminal liability in light of these problems would
be fundamentally unfair.
D. Imposing Criminal Liability For Ignoring Or Violating Terms Of
Service Would Be An Unprecedented, Extraordinary And
Dangerous Extension Of Federal Criminal Law
George Washington University Law Professor Orin Kerr has argued
thoughtfully and persuasively that "unauthorized access" should not include access
to a computer in violation of a contract or terms of service. Doing so would:
threaten a dramatic and potentially unconstitutional expansion of
criminal liability in cyberspace. Because Internet users routinely ignore
the legalese that they encounter in contracts governing the use of
websites, Internet Service Providers (ISPs), and other computers, broad
judicial interpretations of unauthorized access statutes could potentially
make millions of Americans criminally liable for the way they send e-mails
and surf the Web.
Orin S. Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in
Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1599 (2003). Consider the
remarkable and disturbing results that a contract-based approach to authorized access
can create under the CFAA:
Imagine that a website owner announces that only right-handed people
can view his website, or perhaps only friendly people. Under the
contract-based approach, a visit to the site by a left-handed or surly
person is an unauthorized access that may trigger state and federal
criminal laws. A computer owner could set up a public web page,
announce that "no one is allowed to visit my web page," and then refer
for prosecution anyone who clicks on the site out of curiosity. By
granting the computer owner essentially unlimited authority to define
authorization, the contract standard delegates the scope of criminality to
every computer owner.
Id. at 1650-51.
Professor Kerr's concerns are not merely hypothetical. There are many
surprising terms of service provisions that, if violated, would convert authorized
users into federal criminals. Take for example, two of the internet's most popular
websites' terms of service:
- "You may not use the Services and may not accept the Terms if (a) you are not
of legal age to form a binding contract with Google," Google Terms of
Service, § 2.3, http://www.google.com/accounts/TOS (last modified Apr. 16,
2007).
- "[Y]ou agree to . . . provide accurate, current and complete information about
you as may be prompted by any registration forms on the Site ("Registration
Data") . . . [and] maintain and promptly update the Registration Data, and any
other information you provide to Company, to keep it accurate, current and
complete . . . ." Facebook Terms of Use, http://www.facebook.com/terms.php
(last modified June 7, 2008).
On the Government's view, a user who is under the age of majority violates
the CFAA every time she enters a search query on the Google.com webpage and
obtains information. Under Facebook's terms of use, if a user changes jobs or
addresses or even her thoughts on what her favorite movie is, she would need to
immediately tell Facebook, as this is information she has provided to the company,
or run the risk that her continued use of the site could lead to criminal sanctions.5
In another example, the Electronic Frontier Foundation reports that terms of
service for the popular dating site Match.com require users of either the website or
the dating service to be single or separated from their spouses. See, e.g., Match.com
Terms of Use Agreement, http://www.match.com/registration/membagr.aspx ("You
must be at least eighteen (18) years of age and single or separated from your spouse
to register as a member of Match.com or use the Website.") (last visited July 30,
2008). The brief's author has not been able to visit the site to confirm the report;
because she remains happily married, doing so would be a violation of the site's
terms, potentially a criminal act under the interpretation of the CFAA advanced by
the Government here.
E. The Better View, Supported By More Recent Cases, Rejects CFAA
Liability For Authorized Users Acting Outside the Terms and
Conditions of That Authorization
Professor Kerr's concern about applying the CFAA to contract violations
followed holdings by several courts in civil cases that a disloyal employee's use of a
computer or a competitor's automated searching of a system for commercial
purposes could violate the statute. However, the more recent and better view,
consistent with Kerr's well-reasoned analysis, rejects the idea that authorized access
becomes unauthorized, and thus criminal, when the user acts with his own purposes,
rather than those of the computer owner, in mind. See, e.g., Werner-Masuda, 390 F.
Supp. 2d at 495-96; Brett Senior & Assocs., 2007 WL 2043377; Diamond Power
Int'l, Inc. v. Davidson, 540 F. Supp. 2d 1322 (N.D. Ga. 2007); Lockheed Martin
Corp., 2006 WL 2683058. This better view rejects CFAA liability even where the
defendant is a former employee violating a negotiated employment contract or
confidentiality agreement by transferring confidential information to a rival company
for the employee's own economic benefit and to the detriment of the computer
owner. The instant case is a far easier one: all that is alleged here is that the
defendant violated the standard MySpace service terms of use, and did so without
any purpose to gather trade secrets or commercial or proprietary data, or to gain any
economic advantage.
1. More Recent, Better-Reasoned Cases Adopt A Narrower View Of
"Exceeding Authorized Access"
The better-reasoned cases hold that if a user is authorized to access a computer
and information stored there, then doing so is not criminal, even if that access is in
violation of a contractual agreement or non-negotiated terms of use. For example, in
Werner-Masuda the plaintiff argued that the defendant, a union officer, exceeded her
authorization to use the union computer when she accessed a membership list to send
to a rival union, and not for legitimate union business. The defendant had signed an
agreement promising that she would not access union computers "contrary to the
policies and procedures of the [union] Constitution". Werner-Masuda, 390 F. Supp.
2d at 495 (D. Md. 2005). The District Court rejected this argument, holding that even
if the defendant breached a contract, that breach of a promise not to use information
stored on union computers in a particular way did not mean her access to that
information was unauthorized or criminal.
Thus, to the extent that Werner-Masuda may have breached the
Registration Agreement by using the information obtained for purposes
contrary to the policies established by the [union] Constitution, it does
not follow, as a matter of law, that she was not authorized to access the
information, or that she did so in excess of her authorization in violation
of the [Stored Communications Act] or the CFAA. . . . Although
Plaintiff may characterize it as so, the gravamen of its complaint is not
so much that Werner-Masuda improperly accessed the information
contained in VLodge, but rather what she did with the information once
she obtained it. . . . Nor do [the] terms [of the Stored Communications
Act and the CFAA] proscribe authorized access for unauthorized or
illegitimate purposes. (citations omitted)
Id. at 499.
Here, too, the gravamen of the Government's complaint is not that Defendant
improperly obtained information to which she was not entitled on the MySpace
servers, but rather that she used the MySpace service for an unauthorized or
illegitimate purpose. The CFAA does not proscribe authorized access for
unauthorized or illegitimate purposes. Thus, to the extent that Defendant may have
breached the Terms of Service by using a MySpace account contrary to the policies
established by the company, it does not follow that she was not authorized to access
the MySpace servers in violation of the CFAA.
Subsequent cases have followed the reasoning of Werner-Masuda based on
either plain language or legislative history. In Lockheed Martin Corp. the court
found no CFAA violation under the plain language of the statute. "Exceeds
authorized access," the opinion states, refers to those employees "that go beyond the
permitted access granted to them -- typically insiders exceeding whatever access is
permitted to them." Lockheed Martin Corp., 2006 WL 2683058, at *5.
In Diamond Power Int'l, Inc. v. Davidson, the District Court similarly rejected
a CFAA claim against an employee who violated an employment agreement by
using his access to his employer's computer system to steal data for a competitor. The
defendant transferred information from password-protected computer drives to his
new employer while still employed with the former company in violation of a
confidentiality agreement. Davidson, 540 F. Supp. 2d at 1327-31. Correctly
identifying the narrower interpretation of "exceeding authorized access" as "the
more reasoned view," the court held that "a violation for accessing `without
authorization' occurs only where initial access is not permitted. And a violation for
`exceeding authorized access' occurs where initial access is permitted but the access
of certain information is not permitted." Id. at 1343.
In Brett Senior & Assocs., an employer alleged that its former employee
misused confidential information at his new employer in violation of the CFAA.
While still working with his former employer, the employee interviewed with a rival
company and showed it a list of his employer's clients and the details of those
clients' business with the company. Before leaving to join the new firm, the
employee then contacted 20 of his clients and convinced 15 of them to come with
him to the new firm. Brett Senior & Assocs., P.C., 2007 WL 2043377 at *1. The
court relied on the legislative history to reject the former employer's CFAA claim.
The employee defendant had full access to information contained in the computer
system until his departure, and the court concluded that a CFAA violation is a
trespass offense, not a misuse of services offense. Id. at *3.
In Shamrock Foods v. Gast, under similar facts, the District Court relied on
Davidson and Werner-Masuda to hold that the defendant did not access the
information at issue "without authorization" or in a manner that "exceed[ed]
authorized access." Shamrock Foods, 535 F. Supp. 2d at 968. The defendant had an
employee account on the computer he used at his employer Shamrock and was
permitted to view the specific files he allegedly emailed to himself. The CFAA did
not apply, even though the emailing was for the improper purpose of benefiting
himself and a rival company in violation of the defendant's Confidentiality
Agreement.6 See Werner-Masuda, 390 F.Supp. 2d at 496 (interpreting the same
language "prohibit[ing] only unauthorized access and not the misappropriation or
disclosure of information" in the Stored Communications Act (SCA), 18 U.S.C. § 2701(a) to mean that "there is no violation of section 2701 for a person with
authorized access to the database no matter how malicious or larcenous his intended
use of that access." (quoting Educ'al Testing Service v. Stanley H. Kaplan, Educ'al
Ctr., Ltd., 965 F. Supp. 731, 740 (D. Md. 1997) ("[I]t appears evident that the sort of
trespasses to which the [SCA] applies are those in which the trespasser gains access
to information to which he is not entitled to see, not those in which the trespasser
uses the information in an unauthorized way."))).
2. Older Cases Wrongly Adopted A Broader View Of "Exceeding
Authorized Access"
The cases discussed above contrast with and reject earlier decisions, most
importantly Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F.
Supp. 2d 1121 (W.D. Wash. 2000), which introduced an agency theory of
authorization under the CFAA that several courts have followed. Shurgard follows
neither the plain language nor the legislative intent of the CFAA and would lead to a
variety of troubling and potentially unconstitutional results. See id. The reasoning in
Werner-Masuda is both persuasive and correct and, to the extent that Shurgard takes
a different approach, this Court should reject it.
In Shurgard, the District Court denied a motion to dismiss a CFAA claim
brought by an employee that took employer information from the computer system
with him to his next job. Id. at 1129. The court relied on the Restatement (Second)
of Agency, § 112 (1958), to hold that when the plaintiff's former employees accepted
new jobs with the defendant, the employees "lost their authorization and were
'without authorization' [under the CFAA] when they allegedly obtained and sent [the
plaintiff's] proprietary information to the defendant via e-mail." Shurgard, 119 F.
Supp. 2d at 1125. The court examined the Senate report accompanying Congress's 1996
amendments to the CFAA, and concluded that Congress intended the statute to
have "broad meaning" that was intended to cover the situation under dispute. Id. at 1129.
But the 1996 amendments were of little relevance to the authorization issues in
Shurgard or here, as those amendments replaced the term "federal interest computer"
with "protected computer." 18 U.S.C. § 1030(a)(2)(C) (2008). In contrast the
district court in Werner-Masuda relied heavily on the 1986 Senate report
accompanying the CFAA. Werner-Masuda, 390 F. Supp. 2d at 497-499. The 1986
amendments are the relevant ones because those are the amendments that added the
term "exceeds authorized access." 16 U.S.C. § 1030(a)(2)(C) (2008). This is the
term at issue here because it is the part of the statute that reaches insiders who are
allowed access for some purposes, but not for others. For this reason, Werner-
Masuda's take on the legislative history of the CFAA is far more persuasive than that
of the court in Shurgard on the critical issue of whether Defendant Drew gained
unauthorized access or exceeded authorized access.
A few cases find that, in the civil employment context, the principles of
agency mean that an employee accesses a computer "without authorization" if,
without knowledge of the employer, the employee uses the employer's computer
system in a manner adverse to the employer's interests. See, e.g., Int'l Airport Ctrs.,
L.L.C. v. Citrin, 440 F.3d 418, 420-421 (7th Cir. 2006); ViChip Corp. v. Lee, 438 F.
Supp. 2d 1087, 1100 (N.D. Cal. 2006). Several earlier cases also found a CFAA
violation for non-employees, but only after clear and repeated warnings that the
user's conduct was not authorized, and only under circumstances where the user
either had a fiduciary duty to the computer owner or where the access was for
competitive commercial gain, facts significantly absent in this case. See EF Cultural
Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003) (rejecting a CFAA claim based
on a "reasonable expectations" test but stating in dicta that "a lack of authorization
could be established by an explicit statement on the website restricting access"); EF
Cultural Travel BV v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001) (finding CFAA
liability where the defendant poached an ex-EF employee, who in turn revealed
confidential information about his former employer which improved the competitor's
use of automated tools to search and "systematically glean company's prices from
[competitor's] website"); Southwest Airlines Co. v. FareChase Inc., 318 F. Supp. 2d 435
(N.D. Tex. 2004) (defendant created an automated tool that "scraped" web site
information and allowed corporate travelers to search online for airline fares,
including Southwest's, despite the plaintiff's "repeated warnings and requests" to
cease); Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000) (court
enjoined automatic searching of the registrant contact information contained in
domain registry database after lawyers specifically objected to the defendant's use
and sent out a terms of use letter to the defendant), aff'd in part as modified by
Register.com, Inc. v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004) (reversing the trial
court's CFAA finding on the basis that there was insufficient likelihood of showing
the $5,000 damage threshold necessary for private claims, but upholding a trespass
to chattels claim); America Online Inc. v. LCGM, Inc., 46 F. Supp. 2d 444 (E.D. Va.
1998) ("AOL") (the defendant transmitted more than 92 million unsolicited and bulk
e-mail messages advertising their pornographic Web sites to AOL members in
violation of AOL's email policies and terms of use).
These civil cases are readily distinguished from the criminal prosecution of
Defendant Drew here because all but AOL involve actual prior notice to the
defendant that their computer access was unauthorized, rather than the mere posting
of terms of service on a website which could be ignored or violated by a user. These
cases also all involve use of the plaintiff's computer service for the defendant's
commercial advantage to the detriment of the computer system owner. See Lemley,
91 Minn. L. Rev. at 476-77 (noting a greater willingness of some courts to enforce
terms against businesses than against consumers). Here, Defendant Drew allegedly
failed to provide truthful and accurate registration information; failed to refrain from
using any information obtained from MySpace services to harass, abuse, or harm
other people; failed to refrain from soliciting personal information from anyone
under 18; failed to refrain from promoting information that she knew was false or
misleading; and failed to refrain from posting photographs of other people without
their consent. The indictment does not allege even that Defendant had seen or knew
of these terms in the MySpace TOS, but she certainly did not receive any direct
warnings to stop. Nor was she acting for commercial advantage in a way that could
be seen as unfairly competing with or harming MySpace's business, factors
important to the decisions in virtually all the above cases.
Apart from these important factual distinctions, for the reasons stated, these
cases were wrongly decided, in light of the plain language and the legislative history
of the CFAA.
F. The Rule Of Lenity Requires The Narrower Interpretation Of The
CFAA's "Access" Language
The rule of lenity should guide the construction of section 1030 (a)(2)(C) in
this case because the CFAA is first and foremost a criminal statute. See Leocal v.
Ashcroft, 543 U.S. 1, 12 n. 8 (2008); United States v. Thompson/Center Arms Co.,
504 U.S. 505, 517-18 (1992). The rule of lenity "requires a court confronted with
two rational readings of a criminal statute, one harsher than the other, to choose the
harsher only when Congress has spoken in clear and definite language." Shamrock
Foods, 535 F. Supp. 2d at 965-67 (plain language of the statute, legislative history
and rule of lenity support a narrow view of the CFAA); see Pasquantino v. United
States, 544 U.S. 349, 383 (2005); McNally v. United States, 483 U.S. 350, 359-60
(1987).
Here, because Congress has not proactively specified that the CFAA's
"access" provisions criminalize mere violations of terms of service, the rule of lenity
requires that courts adopt the "less harsh" interpretation. See, e.g., United States v.
Miranda-Lopez, 2008 WL 2762392 at *5 (9th Cir. July 17, 2008) ("the
'longstanding' rule of lenity requires us to resolve any ambiguity in the scope of a
criminal statute in favor of the defendant" (citations omitted)). This is the approach
taken by the court in Shamrock Foods Co. in adopting the narrower interpretation of
"accesses . . . without authorization or exceeds authorized access." The court there
used the rule of lenity to reject imposition of CFAA liability on a disloyal former
employee, concluding "[t]he approach advanced by Shamrock would sweep broadly
within the criminal statute breaches of contract involving a computer. . . . The Court
declines the invitation to open the doorway to federal court so expansively when this
reach is not apparent from the plain language of the CFAA." Shamrock Foods at 967
(emphasis added). United States v. LaMacchia reached a similar result as the
rule of lenity would require. Because Congress had failed to criminalize
non-commercial distribution of copyrighted materials, the Government was not entitled to
stretch a broader statute regulating a different kind of conduct to punish admittedly
bad conduct. LaMacchia, 871 F. Supp. 535 (D. Mass. 1994). If Congress wanted to
criminalize the conduct at issue here, it could have. If Congress wanted to give the
force of law to terms of service agreements, it can. But it did not, and the rule of
lenity does not permit the Government to use the CFAA to reach that result.
G. The Government's Previous Attempt In This District To Expand
Civil Cases Interpreting the CFAA into the Criminal Context Led
To The Wrongful Conviction And Incarceration Of An Individual
For Constitutionally Protected Activities
In a disturbingly similar expansion of civil CFAA cases to support a criminal
prosecution under a different section of the CFAA, 18 U.S.C. § 1030(a)(5)(A), the
United States Attorney's Office in this district from 2001 to 2003 prosecuted
computer programmer Bret McDanel, United States v. McDanel, Ninth Circuit Case
No. 03-50135, Central District of California Case No. CR-01-638-LGB. McDanel
worked for Tornado, a Los Angeles firm that provided Web-based email and voice
mail services. While employed there, he discovered a serious security flaw in the
company's email system, which intruders could exploit to read customers' private
messages. He brought the flaw to the company's attention, but it wasn't fixed. After
he left Tornado, McDanel sent an anonymous email to Tornado customers,
describing the security flaw, and directing customers to a website McDanel had set
up providing more information. The Government indicted McDanel for violating the
CFAA, alleging that because he sent emails to customers' Tornado.com email
addresses, and these emails gave customers information that the company did not
want its users to have, McDanel intentionally caused damage to the integrity of
Tornado's email server. The Government relied heavily on Shurgard's agency law
theory, arguing that McDanel acted without the best interests of Tornado in mind, so
his emails were improper. McDanel was convicted and sentenced to 16 months in
prison.
On appeal to the Ninth Circuit,7 the Government reversed its position,
"confess[ed] error," and moved to dismiss the charges against McDanel. (See
United States v. McDanel, Government Brief, attached as Exhibit A, at 6, 8). While
McDanel sent information to Tornado's servers, and while that information caused
harm to Tornado's business (by reducing customer confidence in the privacy and
security of their messages), the Government admitted that that type of harm could
not be a CFAA violation unless it was intended to help someone illegally access the
system or change data there. Id. at 8. The flaw in the current prosecution and that of
McDanel is the same. The Government seeks to extend the reasoning of disfavored
civil law cases from the employment or commercial context to argue that any use of
a computer server in a manner contrary to the interests of the server owner is a crime.
As with the prosecution of Mr. McDanel, this prosecution is in error.
II. APPLYING THE CFAA TO DEFENDANT'S CONDUCT IN THIS
CASE WOULD CONSTITUTE A SERIOUS ENCROACHMENT ON
FUNDAMENTAL CIVIL LIBERTIES, INCLUDING FREEDOM OF
SPEECH
A. The First Amendment Assures The Right To Speak Anonymously
Online
Individuals have the qualified right to speak anonymously, including on the
internet, so criminal prosecution for failing to supply accurate identifying
information to an online communications service endangers First Amendment rights.
Yet one of the alleged violations of the MySpace terms of service on which the
Government bases this Indictment is Defendant's use of a fictitious name in
registering for an account. See Indictment at 6.
Average internet users may have numerous valid reasons for wanting to keep
their identities secret. Individuals may want to protect themselves from unwanted
attention or from unwanted advertising, even while the service providers hope to sell
customers' personally identifying information or send advertising. They may wish
to avoid having their views stereotyped according to their racial, ethnic or class
characteristics, or their gender. They may be associated with an organization but
want to express an opinion of their own, without running the risk that readers will
assume that the group feels the same way. They may want to say or imply things
about themselves that they are unwilling to disclose otherwise. And they may wish to
present provocative ideas that they fear could subject them to retaliation. Not
surprisingly, in a recent survey, almost one-third of social network users admitted to
providing false information to protect their identities. Antony Savvas, Social
Network Users Hide Identities, Computer Weekly, Sept. 25, 2007.
The Supreme Court has consistently upheld the right to anonymous speech in
a variety of contexts, noting that "[a]nonymity is a shield from the tyranny of the
majority . . . [that] exemplifies the purpose [of the First Amendment] to protect
unpopular individuals from retaliation ... at the hand of an intolerant society."
McIntyre v. Ohio Elections Comm'n, 514 U.S. 334, 357 (1995); see also id. at 342
("an author's decision to remain anonymous, like other decisions concerning
omissions or additions to the content of a publication, is an aspect of the freedom of
speech protected by the First Amendment."); Gibson v. Fla. Legislative Investigative
Comm., 372 U.S. 539, 544 (1963) ("[I]t is ... clear that [free speech guarantees] ...
encompass[] protection of privacy association ..."); Talley v. California, 362 U.S.
60, 64 (1960) (finding a municipal ordinance requiring identification on hand-bills
unconstitutional, and noting that "[a]nonymous pamphlets, leaflets, brochures and
even books have played an important role in the progress of mankind.").
The First Amendment applies fully to internet communications, including
email and the World Wide Web. Reno v. ACLU, 521 U.S. 844, 870 (1997) (there is
"no basis for qualifying the level of First Amendment protection that should be
applied to" the internet). Numerous courts have specifically upheld the right to
communicate anonymously on the internet. See, e.g., Doe v. TheMart.com Inc., 140
F. Supp. 2d 1088, 1092 (W.D. Wash. 2001) ("The right to speak anonymously
extends to speech via the internet. Internet anonymity facilitates the rich, diverse,
and far ranging exchange of ideas."); ACLU v. Johnson, 4 F. Supp. 2d 1029, 1033
(D.N.M. 1998); ACLU of Ga. v. Miller, 977 F. Supp. 1228, 1230 (N.D. Ga. 1997);
see also ApolloMEDIA Corp. v. Reno, 526 U.S. 1061 (1999), aff'd 19 F. Supp. 2d 1081, 1085
n.5 (C.D. Cal. 1998) (protecting anonymous denizens of a web site at
www.annoy.com, a site "created and designed to annoy" legislators through
anonymous communications); Global Telemedia Int'l v. Does, 132 F. Supp. 2d 1261, 1267
(C.D. Cal. 2001) (striking complaint based on anonymous postings on Yahoo!
message board based on California's anti-SLAPP statute).
It is true that the constitutional privilege to remain anonymous is not absolute.
Plaintiffs may properly seek information necessary to pursue reasonable and
meritorious litigation. Columbia Ins. Co. v. Seescandy.com, 185 F.R.D. 573, 578
(N.D. Cal. 1999) (First Amendment does not protect anonymous internet users from
liability for tortious acts such as defamation); Doe v. Cahill, 884 A.2d 451, 456 (Del.
2005) ("Certain classes of speech, including defamatory and libelous speech, are
entitled to no constitutional protection."). Also, individuals can choose to waive their
free speech rights, and courts may enforce confidentiality agreements over a First
Amendment defense. See Snepp v. United States, 444 U.S. 507, 510 (1980) (per
curiam). However, the law does not presume a waiver of constitutional rights in
contract so courts give heightened scrutiny to the enforceability of such agreements.
Ohio Bell Tel. Co. v. Public Utilities Comm'n, 301 U.S. 292, 307 (1937). To enforce
such a contract, the waiver must not undermine the relevant public interest. See D.
H. Overmyer Co. v. Frick Co., 405 U.S. 174, 187-88 (1972).
In this case, even assuming, arguendo, that the MySpace TOS is privately
enforceable in spite of its contractual infirmities and restrictions on protected
anonymous speech, monetary damages, not criminal convictions and prison
sentences, "are always the default remedy for breach of contract." United States v.
Winstar Corp., 518 U.S. 839, 885 (1996) (plurality opinion). "Our system of
contract remedies rejects, for the most part, compulsion of the promisor as a goal. It
does not impose criminal penalties on one who refuses to perform his promise, nor
does it generally require him to pay punitive damages." Canada Dry Corp. v. Nehi
Beverage Co., 723 F.2d 512, 526 (7th Cir. 1983). Yet the Government's
construction of "without authorization or exceeds authorized access" in this case,
based in part on Defendant Drew's alleged failure to supply "truthful and accurate
registration information," Indictment at 5, 7, would make the assertion of protected
anonymity the basis for criminal liability. While "[t]he Government may violate [the
First Amendment] in many ways, . . . imposing criminal penalties on protected
speech is a stark example of speech suppression." Ashcroft v. Free Speech Coal.,
535 U.S. 234, 244 (2002).
The First Amendment problems begin with, but do not end with, the right to
speak anonymously. Under the Government's construction of the CFAA, speech
that violates any terms of service would be unauthorized or in excess of authorization
and potentially criminal. If the comment policy of a web site specified "no
comments favorable to Democrats" or "no comments that are off-topic" or "no bad
stuff" those expressions too would be swept into the reach of the CFAA.
B. Constitutional Avoidance Dictates A Narrow Reading Of "Access"
Under The CFAA
This Court need not decide whether enforcing the CFAA would violate the
First Amendment in this case. The mere fact that the question arises, however,
requires this Court to interpret "exceeds authorized access" narrowly, so as to avoid
a potentially unconstitutional application. "'[I]t is a cardinal principle' of statutory
interpretation . . . that when an Act of Congress raises 'a serious doubt' as to its
constitutionality, `this Court will first ascertain whether a construction of the statute
is fairly possible by which the question may be avoided.'" Zadvydas v. Davis,
533 U.S. 678, 689 (2001) (quoting Crowell v. Benson, 285 U.S. 22, 62 (1932)). A
narrow construction of "unauthorized access" and "exceeds authorized access" -- one
which does not punish the failure to use truthful identification information when
using online services that indicate an interest in collecting this data in their terms of
use -- is both possible and otherwise compelled by the statutory language and history
of the CFAA.
III. APPLICATION OF THE CFAA WHEN A USER IGNORES OR
VIOLATES WEBSITE TERMS OF SERVICE WOULD VIOLATE DUE
PROCESS AND RENDER THE STATUTE VOID FOR VAGUENESS
AND LACK OF FAIR NOTICE
Grounding criminal liability under section 1030(a)(2)(C), as the Government
seeks to do here, on an interpretation of "access without authorization" and/or
"exceeds authorized access" that is based entirely on whether a person has fully
complied with the vagaries of privately created, frequently unread, generally lengthy
and impenetrable terms of service would strip the statute of adequate notice to
citizens of what conduct is criminally prohibited and render it hopelessly and
unconstitutionally vague. If the Government's proposed construction of 18 U.S.C.
§ 1030(a)(2)(C) in this case is correct, not only the defendant but also potentially
millions of otherwise innocent internet users would be committing frequent criminal
violations of the CFAA through ordinary, indeed routine, online behavior which they
have been given no reason to believe would make them felons. The lack of notice
under the Government's interpretation is stark; counsel for amici are not aware of a
single criminal prosecution or conviction in the entire years of the CFAA's
existence that has attempted to base criminal liability on disregard for the contractual
terms of service on a website.
The Supreme Court has stated that,
"[i]t is a fundamental tenet of due process that '[n]o one may be
required at peril of life, liberty or property to speculate as to the
meaning of penal statutes.' Lanzetta v. New Jersey, 306 U.S. 451,
453 (1939). A criminal statute is therefore invalid if it 'fails to give a person
of ordinary intelligence fair notice that his contemplated conduct is
forbidden.' United States v. Harriss, 347 U.S. 612, 617 (1954)."
United States v. Batchelder, 442 U.S. 114, 123 (1979); see also Grayned v.
Rockford, 408 U.S. 104, 108-09 (1972). A plurality of the Supreme Court has
further specified that "[v]agueness may invalidate a criminal law for either of two
independent reasons. First, it may fail to provide the kind of notice that will enable
ordinary people to understand what conduct it prohibits; second, it may authorize and
even encourage arbitrary and discriminatory enforcement." City of Chicago v.
Morales, 527 U.S. 41, 56 (1999) (Stevens, J., plurality opinion).
In the Ninth Circuit, "[t]o survive vagueness review, a statute must '(1) define
the offense with sufficient definiteness that ordinary people can understand what
conduct is prohibited; and (2) establish standards to permit police to enforce the law
in a non-arbitrary, non-discriminatory manner.'" United States v. Sutcliffe, 505 F.3d 944, 953
(9th Cir. 2007) (quoting Nunez v. City of San Diego, 114 F.3d 935, 940 (9th
Cir. 1997)). "Vague statutes are invalidated for three reasons: '(1) to avoid punishing
people for behavior that they could not have known was illegal; (2) to avoid
subjective enforcement of laws based on 'arbitrary and discriminatory enforcement'
by government officers; and (3) to avoid any chilling effect on the exercise of First
Amendment freedoms.'" Humanitarian Law Project v. Mukasey, 509 F.3d 1122,
1133 (9th Cir. 2007) (quoting Foti v. City of Menlo Park, 146 F.3d 629, 638 (9th Cir.
1998)).8
Nothing in § 1030(a)(2)(C), its legislative history, or the case law interpreting
it provides any sort of "fair notice" to citizens, including the defendant here, that
such everyday behavior could constitute a federal crime. For at least the following
four reasons the interpretation advanced by the Government would fall short of
providing required notice and avoiding vagueness. Given that courts should adopt a
narrow construction of a statute to avoid vagueness and other unconstitutional
infirmities, see Zadvydas v. Davis, 533 U.S. at 689, the Government's proposed view
of the CFAA must be rejected.
A. Web Site Terms of Service are Routinely Ignored or Not Fully Read
or Understood
The fallacy of any notion that internet users are on "fair notice" that
disregarding the terms of service of the many web sites and web services they visit
puts them at risk of serious criminal liability is revealed by the widespread (and
widely accepted) understanding that large numbers of users never read these terms,
or read and understand only limited portions of them.
First, terms are often poorly accessible. Many web sites or web-based services
post their terms behind a "legal notices" or "terms of service" hyperlink which users
can only access by scrolling to the bottom of the page and clicking on the link. To
access the MySpace terms of use, for example, one must scroll down to find a
hyperlink labeled "terms". See MySpace.com Home Page, http://www.myspace.com/
(last visited July 28, 2008). Nothing about the link indicates that it is exceptionally
important, much less that failure to click on it and read the underlying terms could
subject the user to criminal penalties.
Second, the terms of service presented by many web sites and other online
services are lengthy and impenetrable. In one particularly daunting example,
Network Solutions, the domain name registrar, has a TOS that takes up 115 pages
when pasted into a single spaced, 12-point font Microsoft Word document. See
Network Solutions Terms of Service, http://www.networksolutions.com/legal/static-service-agreement.jsp (last visited July 28, 2008). The MySpace terms at issue here
contain over 60 separate paragraphs or subparagraphs and take up roughly ten pages
when pasted into a Word document. See Terms and Conditions--MySpace.com,
http://www.myspace.com/index.cfm?fuseaction=misc.terms (last visited July 28,
2008).
Not surprisingly, then, many commentators recognize that few consumers
actually take the time to read and understand digital terms of service (or similar
software download agreements) before saying they agree to them. See Restatement
(Second) of Contracts § 211, cmt. b (1981) ("Customers do not . . . ordinarily
understand or even read the standard terms."); Robert L. Oakley, Fairness in
Electronic Contracting: Minimum Standards for Non-Negotiated Contracts,
42 Hous. L. Rev. 1041, 1051 (2005) ("Clickwrap licenses are ubiquitous today, and
most people click to accept without reading the text."); Robert A. Hillman & Jeffrey
J. Rachlinski, Standard-Form Contracting in the Electronic Age, 77 N.Y.U. L. Rev.
429, 429-31 (2002) ("with increasing alacrity, people agree to terms [in clickwrap
contracts] by clicking away at electronic standard forms on web sites and while
installing software"); Michael I. Meyerson, The Reunification of Contract Law: The
Objective Theory of Consumer Form Contracts, 47 U. Miami L. Rev. 1263, 1269 &
nn. 28-29 (1933) (citing cases recognizing the failure of most consumers to read form
contracts).9 In one notable example, public disregard for license terms was
graphically illustrated by a software company that surreptitiously inserted into its
license agreement an offer to pay $1000 to the first person to send an email to a
particular address. It took four months and more than 3000 installations before
someone noticed the offer and claimed the prize. Jeff Gelles, Internet Privacy Issues
Extend to Adware, Newark Star-Ledger, July 31, 2005, at 5. See also Ting v. AT &
T, 182 F. Supp. 2d 902, 930 (N.D. Cal. 2002) (holding a customer service agreement
procedurally unconscionable because lack of notice contributed to surprise, the court
acknowledged that "AT & T's own research found that only 30% of its customers
would actually read the entire CSA [consumer service agreement] and 10% of its
customers would not read it at all").
Similarly, empirical research confirms that, in the online context, a majority of
users ignored the EULA entirely when installing such popular software as Google
Toolbar on their home computers. Nathaniel Good et al., Commentary, User
Choices and Regret: Understanding Users' Decision Process About Consensually
Acquired Spyware, 2 I/S: J.L. & Pol'y for Info. Soc'y 283, 321 (2006). Furthermore,
even the few people who do read the terms of service are unlikely to take notice of
more than a handful of the provisions. Due to human cognitive limitations, even
rational consumers will be ignorant of non-salient terms in form contracts. Melvin
Aron Eisenberg, The Limits of Cognition and the Limits of Contract, 47 Stan. L. Rev.
211, 244 (1995).
Moreover, as noted earlier, most website terms, like other form contracts, are
long, written in impenetrable legalese and poorly organized. See Robert W.
Gomulkiewicz, Getting Serious About User-Friendly Mass Market Licensing for
Software, 12 Geo. Mason L. Rev. 687, 692-94, 701-02 (2004). Such contracts are often
written at a level of difficulty that exceeds the ability of most consumers to
understand. See Alan M. White & Cathy Lesser Mansfield, Literacy and Contract,
13 Stan. L. Rev. 233, 235-42 (2002). Drafters of these agreements give little
attention to readability, instead relying heavily on legal boilerplate and including
restrictive terms primarily designed to limit the company's exposure to liability. See
Gomulkiewicz, supra, at 692-94, 701-02; Russell Korobkin, Bounded Rationality,
Standard Form Contracts, and Unconscionability, 70 U. Chi. L. Rev. 1203 (2003).
Given the difficulty of comprehending form contracts, and the typically low-dollar
amount of the transactions to which they apply, a consumer's decision to forgo
reading a website's terms of use is not only common, but entirely rational.
Eisenberg, 47 Stan. L. Rev. at 240-44; Meyerson, 47 U. Miami L. Rev. at 1269-70.
Thus, even persons who are conscientious about reading the terms of service may be
unaware of some of the provisions. Under these circumstances, whatever the
validity of holding such contracts enforceable for purposes of contract law, the
transformation of their terms into the defining criteria for serious criminal violations
creates serious risks of criminal sanctions for unwitting violations that cannot pass
vagueness and notice review.10
B. Web Site Terms Are Frequently And Arbitrarily Changed By Site
Owners With Little Or No Likelihood Of Actual Notice To Users
Many terms of service contain clauses which state that the website owner can
unilaterally change the terms at any time, and that continued use of the website
implies acceptance of the new terms. For example, the MySpace terms at issue here,
even if actually read and understood by a user when he or she visits or signs up for
an account, expressly state that they can be changed without further notice to the user
merely by updating the agreement on the MySpace website; the user is then
presumably obligated to review the entire terms for changes every time he or she
visits. See Terms and Conditions--MySpace.com,
http://www.myspace.com/index.cfm?fuseaction=misc.terms (last visited July 28,
2008) ("MySpace may modify this Agreement from time to time and such
modification shall be effective upon posting by MySpace on the MySpace Website.
Your continued use of the MySpace Services after MySpace posts a revised
Agreement signifies your acceptance of the revised Agreement. It is therefore
important that you review this Agreement regularly to ensure you are updated as to
any changes.")11
Under the Government's expansive view of the CFAA, a person's
access to MySpace would be unauthorized or would exceed their authorization if that
person used MySpace and inadvertently violated a newly added or updated provision
of the terms that had been inserted since the last visit. However challenging such a
view of notice to a contract's terms may be for civil contract law, it fundamentally
cannot be said to constitute adequate "fair notice" for due process vagueness
purposes. See Douglas v. U.S. Dist. Court for Cent. Dist. Calif., 495 F.3d 1062, 1066
& n.1 (9th Cir. 2007) (holding that website users are not required to continually
monitor a site's terms of use for possible changes).
C. Web Site Terms May Themselves Be Arbitrary, Vague, or
Frivolous And Are Created by Private Site Owners for a Myriad of
Business or Personal Reasons Having Nothing To Do With
Regulating "Access" for CFAA Purposes
Many web site terms contain conditions that are themselves vague, arbitrary or
even fanciful. They are not written by their private drafters with the precision and
care that would be expected -- indeed required -- of operative provisions in a criminal
statute. Yet operative criminal provisions are precisely what routine business terms
would be transformed into under the Government's interpretation of § 1030(a)(2)(C).
This fact multiplies the likelihood that such an interpretation cannot satisfy the due
process requirement that a statute not "fail to provide the kind of notice that will
enable ordinary people to understand what conduct it prohibits," Morales, 527 U.S.
at 56, since the statute will itself in turn rely for its essential meaning on the
existence and clarity of separate contractual terms.
Web site owners and internet businesses draft specific web site and web
service terms of use provisions for a variety of reasons that have nothing to do with
regulating "access" to their sites, and certainly nothing to do with preventing the sort
of unauthorized hacking or trespass or theft of private data with which the CFAA is
properly concerned. Google, for example, presumably included the terms of use
provision described earlier barring use of its services by minors to protect itself
against liability and to try to ensure its terms were binding in the event of a litigated
dispute. Surely it did not mean or imagine that tens of millions of minors in fact
would never use its services to obtain information or would do so at the risk of
criminal liability. In another example, YouTube's Community Guidelines, expressly
incorporated into the site's terms of use, prohibit "bad stuff." YouTube Community
Guidelines, http://www.youtube.com/t/community_guidelines (last visited July 28,
2008). Uploading "bad stuff" would violate YouTube's terms which, under the
Government's theory here, would constitute unauthorized access or exceeding
authorized access to the site. Surely YouTube did not draft the "bad stuff"
prohibition with CFAA access control in mind. The meaning of "bad stuff" is the
essence of vagueness, and it is not even clear whose determination -- YouTube's? A
jury's? -- would be required. To make sense and to avoid fatal vagueness problems,
the terms "without authorized access" and "exceeds authorized access" in the CFAA
must be limited to clear, proper purposes consistent with the statute's goals, and not
whatever commercial or personal purpose motivates a site owner to draft a provision
in a terms of service document.
D. Basing Criminal Liability On Private Contract Terms Inevitably
Will Lead To Arbitrary And Discriminatory Enforcement
Allowing the provisions of privately created, sometimes arbitrary or even
frivolous web site terms of use to prescribe the legally critical CFAA standard for
when a person has gained unauthorized access or exceeded authorized access to
computers can only lead to arbitrary and discriminatory enforcement of the CFAA.
Statutes that create the likelihood of such arbitrary and discriminatory enforcement
are invalid. See, e.g., Coates v. City of Cincinnati, 402 U.S. 611, 614 (1971) (law
disallowing three people to congregate if it is annoying to others was
unconstitutionally vague, "not in the sense that it requires a person to conform his
conduct to an imprecise but comprehensible normative standard, but rather in the
sense that no standard of conduct is specified at all").
Choosing, as the Government has here, to prosecute under the CFAA a single,
isolated instance of violating terms of service out of literally millions of similar,
ongoing violations illustrates the dangers of arbitrary enforcement. In a world where
each violation or neglect of a web site's terms could constitute unauthorized or
excessive access and be the basis for criminal prosecution, there simply is no
limiting principle that would restrain the exercise of this enforcement discretion and
prevent arbitrary or discriminatory application of the law.
CONCLUSION
Megan Meier's death was a terrible tragedy, and there is an understandable
desire to hold the Defendant somehow accountable for it, if Defendant's conduct was
as alleged. But a dangerously overbroad construction of the CFAA would
criminalize the everyday conduct of millions of internet users. The novel -- indeed,
unprecedented in the history of the CFAA -- interpretation of § 1030(a)(2)(C)
advanced in the indictment cannot be squared with the plain language of the statute,
its legislative history, and the constitutional requirements that criminal statutes
provide citizens fair notice, avoid vagueness and comport with the First Amendment.
Consequently, amici urge the Court to dismiss the Indictment.
DATED: August 1, 2008
By ______________________
Jennifer Stisa Granick (California Bar No. 168423)
ELECTRONIC FRONTIER FOUNDATION
[address, phone, fax]
Certificate of Compliance with Circuit Rule 32-1
Pursuant to Rules 29(c)(5) and 32(a)(7)(C) of the Federal Rules of Appellate
Procedure and Ninth Circuit Rule 32-1, I hereby certify that the foregoing brief uses
14-point Times New Roman spaced type; the text is double-spaced; and footnotes
are single-spaced. This brief complies with the type-volume limitations of Federal
Rules of Appellate Procedure 29(d) and 32(a)(7)(B) because there are no limits on
the length of party briefs in support of motions to dismiss in criminal cases under
Rule 12. This brief contains approximately 11,000 words.
DATED: August 1, 2008
By ________________
Jennifer Stisa Granick
For Amici Curiae Electronic Frontier
Foundation
APPENDIX A
LAW FACULTY AMICI CURIAE
Amici file this brief in their individual capacities, and not as representatives of
the institutions with which they are affiliated. Institutional affiliations are listed for
identification purposes only.
Susan Brenner
NCR Distinguished Professor of Law and Technology
University of Dayton School of Law
Lauren Gelman
Executive Director
Center for Internet and Society
Stanford Law School
Llewellyn Joseph Gibbons
Associate Professor
University of Toledo College of Law
Eric Goldman
Assistant Professor of Law
Director, High Tech Law Institute
Santa Clara University School of Law
Mark A. Lemley
William H. Neukom Professor of Law
Stanford Law School
Director, Stanford Program in Law, Science and Technology
Phillip R. Malone
Everett Street
Cambridge, MA
Paul K. Ohm
Associate Professor of Law
University of Colorado Law School
Malla Pollack
Professor of Law
Barkley School of Law
Paducah, Kentucky
Michael Risch
Associate Professor of Law
Project Director - Entrepreneurship, Innovation and Law Program
West Virginia University College of Law
Jason Schultz
Acting Director
Samuelson, Law, Technology & Public Policy Clinic
UC Berkeley School of Law
Brian G. Slocum
Associate Professor of Law
University of the Pacific
McGeorge School of Law
Daniel J. Solove
Professor of Law
George Washington University Law School
William McGeveran
Associate Professor
University of Minnesota Law School
Robert Weisberg
Edwin E. Huddleson, Jr. Professor of Law
Director, Stanford Criminal Justice Center
Stanford Law School
1 The Missouri legislature amended the statute following this case in recognition that
the laws in effect at the time would not prohibit the conduct alleged here. The new
statute, which requires proof of intent to do harm to another (as the First
Amendment requires), may or may not criminalize Defendant's alleged conduct.
2 Accord United States v. Czubinski, 106 F.3d 1069, (1st Cir. 1997) (reversing
CFAA and fraud convictions for browsing through IRS files but not sending or
obtaining any information, the court added "a cautionary note. The broad language
of the mail and wire fraud statutes are both their blessing and their curse. They can
address new forms of serious crime that fail to fall within more specific legislation.
. . . On the other hand, they might be used to prosecute kinds of behavior that,
albeit offensive to the morals or aesthetics of federal prosecutors, cannot reasonably
be expected by the instigators to form the basis of a federal felony. The case at bar
falls within the latter category.")
3 Another issue is whether the Government must plead and prove that Defendant intended that her access be unauthorized, or merely that she intended to access, and the access also happened to be unauthorized. Criminalizing unintentional computer trespass raises serious due process problems, but amici do not take up that issue here.
4 This failure to allege that Defendant had any actual notice or awareness of the terms of service, her violation of which allegedly constitutes the sole basis for "unauthorized" use and criminal CFAA liability, would appear to undermine the sufficiency of the indictment, given Section 1030(a)(2)(C)'s requirement that one "intentionally" access a computer without authorization or exceed authorized access. However, amici do not focus further on this issue.
5 It is of no import that the Government might not bring these cases. The inability to
distinguish in a meaningful and principled way between the terms of service
violations of the Defendant here and the myriad other similar violations of terms like
those of MySpace or Facebook that occur every day starkly reveals the
unconstitutional vagueness and potential for arbitrary enforcement the statute would
suffer under the Government's interpretation. See Section III, infra. Moreover,
because the CFAA provides for a civil cause of action, the Government's
interpretation would enable Google and Facebook and any other affected web site
owner to bring suit.
6 Of course, a plaintiff may be able to bring a valid claim under state law for
misappropriation of trade secrets. That claim would be subject to the safeguards
built into the trade secret liability rules, including allowances for reverse engineering
and for disclosure of information that is not, in fact, secret. The CFAA violation has
no safeguards; under the Government's view in this case it would put all the power
in the hands of the corporation drafting the terms of use.
7 Jennifer Granick, Civil Liberties Director with amicus Electronic Frontier
Foundation, represented Mr. McDanel on appeal.
8 See also United States v. Wunsch, 84 F.3d 1110, 1119 (9th Cir. 1996) (finding that
requirement in state bar statute incorporated in local rule to "abstain from all
offensive personality" was unconstitutionally vague in the context of district court
sanction of attorney).
9 In fact, research has shown that even participants in sophisticated business
transactions routinely fail to read the terms of form contracts. Andrew Robertson,
The Limits of Voluntariness in Contract, 29 Melbourne L. Rev. 179, 188 (April 2005) (surveying empirical research).
10 See Mark A. Lemley, Terms of Use, 91 Minn. L. Rev. 459, 465, 475-76 (2006)
(observing that in civil cases "in today's electronic environment, the requirement of
assent has withered to the point where a majority of courts now reject any
requirement that a party take any action at all demonstrating agreement to or even
awareness of terms in order to be bound by those terms.") (emphasis added). A
similar lax view simply cannot provide "fair notice" in the criminal context.
11 See also, e.g., West Terms of Use,
http://west.thomson.com/about/terms-of-use/default.aspx?promcode=571404 (last visited July 28, 2008) ("By accessing,
browsing, or using this website, you acknowledge that you have read, understood,
and agree to be bound by these Terms. We may update these Terms at any time,
without notice to you. Each time you access this website, you agree to be bound by
the Terms then in effect."); AOL Terms of Use,
http://about.aol.com/aolnetwork/aolcom_terms (last visited July 28, 2008) ("You
are responsible for checking these terms periodically for changes. If you continue to
use AOL.COM after we post changes to these Terms of Use, you are signifying
your acceptance of the new terms.")