decoration decoration
Stories

GROKLAW
When you want to know more...
decoration
For layout only
Home
Archives
Site Map
Search
About Groklaw
Awards
Legal Research
Timelines
ApplevSamsung
ApplevSamsung p.2
ArchiveExplorer
Autozone
Bilski
Cases
Cast: Lawyers
Comes v. MS
Contracts/Documents
Courts
DRM
Gordon v MS
GPL
Grokdoc
HTML How To
IPI v RH
IV v. Google
Legal Docs
Lodsys
MS Litigations
MSvB&N
News Picks
Novell v. MS
Novell-MS Deal
ODF/OOXML
OOXML Appeals
OraclevGoogle
Patents
ProjectMonterey
Psystar
Quote Database
Red Hat v SCO
Salus Book
SCEA v Hotz
SCO Appeals
SCO Bankruptcy
SCO Financials
SCO Overview
SCO v IBM
SCO v Novell
SCO:Soup2Nuts
SCOsource
Sean Daly
Software Patents
Switch to Linux
Transcripts
Unix Books
Your contributions keep Groklaw going.
To donate to Groklaw 2.0:

Groklaw Gear

Click here to send an email to the editor of this weblog.


To read comments to this article, go here
An Amicus Brief: Issues in the Cyberbullying Case That Affect You - Updated 3Xs
Friday, November 28 2008 @ 05:50 AM EST

I was trying to figure out how to explain to you all that is involved in the case of the U.S. v. Lori Drew, the cyberbullying case that so many lawyers are expressing concerns about. I felt I needed a lawyer to explain it, but where would I find one who felt like doing some unpaid work, and over the Thanksgiving holiday to boot?

Then I had a brainstorm. I could show you the amicus brief [PDF] submitted in the case by the Electronic Frontier Foundation, the Center for Democracy and Technology, and Public Citizen, which was also signed by "14 individual faculty members listed in Appendix A who research, teach and write scholarly articles and books about internet law, cybercrime, criminal law and related topics at law schools nationwide". Appendix A is at the very end. If you look at the list, you'll see that it's some of the finest and most knowledgeable lawyers and law professors specializing in cyberlaw. The brief was written by Jennifer Granick of EFF and Philip R. Malone of Harvard Law School's Berkman Center for Internet and Society's Cyberlaw Clinic.

I think when you read it, it will turn your hair white. It did me. In fact, I don't think it's overstating it a bit to say that unless this case is overturned, it is time to get off the Internet completely, because it will have become too risky to use a computer. At a minimum, I'd feel I'd need to avoid signing up for membership at any website, particularly MySpace. Why particularly MySpace? The Times Online has their statement:

MySpace, which is a division of News Corporation, owner of The Times, said in a statement that it “respects the jury's decision and will continue to work with industry experts to raise awareness of cyber-bullying and the harm it can potentially cause.”
If it respects this decision, I don't feel safe there. I didn't even want to visit its web site to try to find its terms of use. But according to this article, MySpace gets to be the one that decides if we've violated their terms:
MySpace users agree that the social networking site has the final say on deciding whether content posted by users violates a long list of regulations contained in the agreement.
There is no recourse. They make the law and if you mess up, you go to jail. You used a computer, after all, didn't you, and their server isn't yours, and if they say you have violated their terms, you have. I'd also never upload anything to YouTube, and I wouldn't use anyone's blogging software. I'd definitely stay out of the Cloud, because I don't own those computers either, leaving me open to Computer Fraud & Abuse Act allegations, which is what Drew was charged with. In short, it'd be time for me to just pack up and leave, if this verdict stands. If you think EULAs were bad, imagine after this ruling if they can be tied to the CFAA. Do you think it'll be long before folks are tossed in jail for defining fair use in ways a copyright owner doesn't like? Would Microsoft hesitate to criminalize its EULA terms? You think? You trust?

The case is not yet done, in that there is a motion that the judge took under advisement and said he will rule on this coming Monday. And there are other developments, as reported by St. Louis Today:
Drew lawyer H. Dean Steward has filed a motion to dismiss the case, arguing repeatedly that prosecutors in Los Angeles over-reached and that Drew could only be prosecuted if she both read MySpace's terms and knowingly and intentionally violated them. Wu has appeared to lean towards granting that motion in court, although he has declined prior chances to do so. Steward has also filed a motion for a new trial, which could lead to a federal appeals court tossing out the case.
Wu is the judge, the Honorable George H. Wu. There are some serious issues, legal issues, raised by the case, in other words. The legal issues are not about who is or isn't morally awful; the legislative branch can always write new laws to address a new issue that they realize someone needs to write a law for. The legal issues raised are what happens to everyone who uses a computer if the Computer Fraud & Abuse Act is applied to actions that were not contemplated as covered by the legislators when they drafted the act. Here's the analysis by the US Departmenet of Justice of the CFAA, dated long before this case. More reactions:
"The statute was never intended to cover this kind of conduct," says Michael Scott, professor of law at Southwestern School of Law, Los Angeles. "Lori Drew did not do the key acts that the prosecution alleged, but rather a third party did, so it seems strange that the person who pulled the trigger is not prosecuted but the one standing next to her is."

Or at least criminalize it before you prosecute anyone. Andrew Grossman goes to the heart of the matter, in the Christian Science Monitor:

"What happened to Megan Meier was a tragedy, not a crime," says Andrew Grossman, senior legal policy analyst in the Center for Legal and Judicial Studies at the Heritage Foundation in Washington. "This case should never have been brought. The strongest evidence for the prosecution had nothing or little to do with the charges. This verdict is a loss for civil liberties and leaves all Internet users at risk of prosecution under federal law. It is a prime example of overcriminalization."
[Grossman explains what he means by overcrimilaization in detail in this article.] And that's why it'd be time to get off the Internet and go back to a typewriter. Really. You read a great deal about judges and how they shouldn't be allowed to be activists and use their positions to create law. But the amicus brief raises a serious question: what about prosecutors? Is society in safe hands if prosecutors get to broadly interpret a law retroactively in creative and aggressive ways to make it apply to activities that have nothing to do with what the law was written to address? How about web sites? If violating a web site's terms of use is criminalized by the CFAA, have we not given private companies the ability to write the criminal laws? Do you feel safe if they are allowed to arbitrarily decide what is or isn't criminal? And then change it whenever they feel like it, without notice to you? Here's a question for you, from AlmostLegally:
At my office, the company I work for says “don’t send personal email from your work computer.” But if I do, is that a federal crime?

For example, Groklaw has terms of use. I ask you not to post comments about politics and not to troll or spam or personally attack anyone. If you violate those terms, should I apply the CFAA to you and send you to jail? One year for each misdemeanor and a $100,000 fine, because you violate something I made up to suit myself? On what basis should I be given such power? Have we lost our minds? I surely don't want any such powers.

Note that's one of the concerned comments in the New York Times article I linked to at the very beginning, a comment by Andrew M. Grossman, senior legal policy analyst for the Heritage Foundation, again:

"If this verdict stands, it means that every site on the Internet gets to define the criminal law," Grossman told The Times. "That's a radical change. What used to be small-stakes contracts become high-stakes criminal prohibitions."

Did you ever think you could be criminally prosecuted for not abiding by a web site's terms of use? Neither did I. And that raises another question. Do I now have a responsibility to police you and make sure you are abiding by my 'laws'? Does anybody know? And there's another point that the brief raises: can you retroactively define something as criminal and put people in jail for conduct they had no notice was criminal conduct before they did it?

The law is not supposed to surprise or ambush you. The law draws a line in the sand, as drawn by the legislators, who draw it where they think they need to to accomplish something very specific. They don't write laws that say, "Don't do bad stuff." If they did, it'd be likely found unconstitutional, on the grounds of vagueness, because who knows what "bad stuff" is if it isn't defined?

Did you know that YouTube's Terms of Use say not to do "bad stuff"? I didn't either, never having read it, because like the majority of you, I rarely read terms of use. But the brief tells us that it says that. If we apply the CFAA to that web site's terms of use, is it now a crime to do "bad stuff"? Actually, yes, if you use a computer to do it, whatever it is that someone someday might conceivably define as "bad stuff". Who gets to define "bad stuff"? Google? Some prosecutor somewhere you don't even live? A blogger mob? An enemy who can't sleep without inventing new and mean ways to ruin your life? Does the CFAA not empower such conduct?

Do you actually want a world like that? In some ways, it's worse than lawlessness, worse than the old Wild West. Why worse? Because in the West in the old days, might made "right". That's clear enough, and you knew where you stood. Practice shooting, or move East where there were laws. But if the law is vague or retroactively redefined just to get you, because someone in power decides you deserve it, you have laws but you can't rely upon them, because they are not necessarily fairly applied or reliably defined, so you are in constant danger of having a law used just to get you personally, because someone doesn't like the way you part your hair.

Like that never happens in real life.

The entire point of the rule of law is that it's dependable and predictable and it applies equally to everyone. You don't wake up to a knock on your door, and find the police have defined you mysteriously as a criminal without warning. I'm not talking about this case's specifics now. Everyone agrees that bullying is not a good thing, and I sympathize with prosecutors. I've known some, and I liked them all. They are men and women, in my experience, who care deeply about the victims of crime, and that's a beautiful quality. But the rule of law is beautiful too, but only if it's dependable, fair, and applied without favoritism. Not to mention Constitutional. Anonymous speech is protected under the US Constitution, as the brief points out. PCWorld quotes some more lawyers:

If the charges against Drew are upheld, it will be a serious blow to anyone who wants to remain anonymous on the Internet, said Brock Meeks, a CDT spokesman. "Everybody that is sympathetic to this case and saying finally we've got something to nail her on here, they're not looking hard enough at the fact that the Justice Department blundered by using this anti-hacker law," he said.

The charges suggest that anyone who uses a fake name to sign up for a Web service like Yahoo or Gmail could be charged with a federal crime, Meeks said. "If that's a federal crime, then I'm certainly guilty of a federal crime and there are probably a million other people out there who are probably also guilty."

Is it not Kafkaesque if you can be dragged into court on a whim in any location in the world, if the computer you are alleged to have misused is located there, even if it's half a country or even a world away from where you reside and they can put you in jail for a crime that wasn't defined as a crime at the time of your conduct in question? It'd be one thing if you were given a notice that this was the new interpretation; but if you just wake up to find out you are a retroactive criminal, you might as well be in a Kafka novel, because there is absolutely no way to ever know what the definition of criminal conduct will be tomorrow or when it can retroactively be applied to you. Drew, according to reports of the testimony at trial, never read the terms of use. Yes, but she should have known, said the prosecutor. She must have. How do you know? Should the law guess? We can be put in prison because although there is no proof we knew something, we might have or could have or must have?

If you think I am overstating what the brief is saying, feel free to say so, but do read it. At least then, you'll know what the uproar is all about. I know from some of your comments that you think the verdict was all about Lori Drew. I don't think so. I think it's about us.

Update: I remembered reading a detail about the case in one of the first articles about it, if not the first, namely that Megan was underage when she opened her MySpace account, and that her mother allowed her to do so, despite it being a violation of the web site's Terms of Use, and I found it now, from the St. Charles Journal:

MySpace has rules. A lot of them. There are nine pages of terms and conditions. The long list of prohibited content includes sexual material. And users must be at least 14.

"Are you joking?" Tina asks. "There are fifth-grade girls who have MySpace accounts."

As for sexual content, Tina says, most parents have no clue how much there is. And Megan wasn't 14 when she opened her account. To join, you are asked your age but there is no check. The accounts are free.

As Megan's 14th birthday approached, she pleaded for her mom to give her another chance on MySpace, and Tina relented.

She told Megan she would be all over this account, monitoring it. Megan didn't always make good choices because of her ADD, Tina says. And this time, Megan's page would be set to private and only Mom and Dad would have the password.

If only the parents would have the password, it means to me that they were the ones who set it up. And at the time of the suicide, Megan was still not yet 14, the age limit MySpace sets for opening an account. "This time" is referring to an earlier account that the parents had shut down, so they apparently allowed her to have an account even earlier, or she just opened it herself. Either way, it was a violation of the web site's terms of use:
Tina Meier was wary of the cyber-world of MySpace and its 70 million users. People are not always who they say they are.

Tina knew firsthand. Megan and the girl down the block, the former friend, once had created a fake MySpace account, using the photo of a good-looking girl as a way to talk to boys online, Tina says. When Tina found out, she ended Megan's access.

So the girl herself set up a fake account as well as violating the terms of use by opening an account when she was underage. Excuse me for pointing this out, but shouldn't this mother also be prosecuted for violating MySpace's Terms of Use, now found a violation of a criminal statute, the Computer Fraud & Abuse Act? Before you answer, remember that Drew was found not guilty of intent to cause harm. If not, I'd like to hear your arguments. That same article, by the way, tells us about an incident that makes me wonder just what exactly caused the suicide:
Monday, Oct. 16, 2006, was a rainy, bleak day. At school, Megan had handed out invitations to her upcoming birthday party and when she got home she asked her mother to log on to MySpace to see if Josh had responded.

Why did he suddenly think she was mean? Who had he been talking to?

Tina signed on. But she was in a hurry. She had to take her younger daughter, Allison, to the orthodontist.

Before Tina could get out the door it was clear Megan was upset. Josh still was sending troubling messages. And he apparently had shared some of Megan's messages with others.

Tina recalled telling Megan to sign off.

"I will Mom," Megan said. "Let me finish up."

Tina was pressed for time. She had to go. But once at the orthodontist's office she called Megan: Did you sign off?

"No, Mom. They are all being so mean to me."

"You are not listening to me, Megan! Sign off, now!"

Fifteen minutes later, Megan called her mother. By now Megan was in tears.

"They are posting bulletins about me." A bulletin is like a survey. "Megan Meier is a slut. Megan Meier is fat."

Megan was sobbing hysterically. Tina was furious that she had not signed off.

Once Tina returned home she rushed into the basement where the computer was. Tina was shocked at the vulgar language her daughter was firing back at people.

"I am so aggravated at you for doing this!" she told Megan.

Megan ran from the computer and left, but not without first telling Tina, "You're supposed to be my mom! You're supposed to be on my side!"

Am I the only parent who notices that this child was left alone on the Internet, with admonitions to stop but delayed enforcement? And can you *prove* in a court of law that it was not the mother's failure to support her, as the child apparently viewed it, that actually caused the death? This child had tried to kill herself before, the article points out, an attempt that had nothing to do with the cyberbullying. No doubt that's why the local authorities didn't prosecute, since they said there was no way to actually say what exactly caused the suicide:
"We did not have a charge to fit it," McGuire says. "I don't know that anybody can sit down and say, 'This is why this young girl took her life.'"
Incidentally, Megan's mother was quoted in that article saying this:
"I don't feel their intentions were for her to kill herself. But that's how it ended."
That is what the jury found, actually, that Drew had no intention of causing a suicide. She didn't set up the account, according to testimony at trial, or send the messages. But if the mother recognized that there was no intention to cause the suicide, why did she not tell the court that and prevent the prosecutor from going after Drew for intent to cause the suicide?

Update 2: Orin Kerr, one of Drew's attorneys, has posted his summary of what happened and what happens next:

The jury agreed that it is a federal crime to intentionally violate the Terms of Service on a website, and that Drew directly or indirectly did so, but it acquitted Drew of having violated Terms of Service in furtherance of the tortious act. That is, the jury ruled that Drew is guilty of relatively lower-level crimes for violating MySpacs Terms of Service (for being involved in the setting up of a fake MySpace account). It acquitted Drew for any role in inflicting distress on Meier or for anything related to Meier's suicide. The maximum allowed penalty for the misdemeanor violations are one year in prison for each violation, although the majority of federal misdemeanors result in a sentence of probation.

The next step in the case is that the trial judge will rule on whether there was enough evidence for the jury to find that Drew violated the Terms of Service intentionally, or whether the TOS violation was only negligent or reckless or knowing. If the judge agrees that there was enough evidence for the jury to find that Drew violated the Terms of Service intentionally, the case will go on to sentencing for the crime of having violated MySpace's Terms of Service.

After sentencing, if that happens, the sentence will be followed by an appeal before the Ninth Circuit on the legal question of whether it is in fact a federal crime to violate the Terms of Service of a website. For those not following my coverage of the case, I am one of Drew's attorneys, and yes, if there is an appeal, I will be very heavily involved in it.

The local prosecutor in Missouri investigated the matter, by the way, and then explained why they didn't prosecute:
In December 3rd, after his review of the case, Jack Banas announced that no charges would be brought. In Banas’s reckoning, the Drews are conclusively guilty of little except egregious judgment that set off a chain of horrible events, and deep insensitivity in their aftermath. He invoked the Duke lacrosse case as a cautionary example of due process succumbing to the passions of a community inflamed. “Are you going to hug this lady, say she did something great?” he told me. “No. She made a huge, fatal mistake by trusting these kids. But there are undisputed facts and disputed facts, and even if you believe all of them they still don’t give you a criminal fact pattern in the state of Missouri.”

The Meiers do not hold Ashley Grills responsible, nor do they blame Michele Mulford’s daughter, who sent the message that kicked off the online melee on October 15th. “If you don’t think that child wishes she could go back and change that . . . ” Tina said. “It could easily have been Megan doing that.”

Update 3: You might find it helpful to read the indictment [PDF] and the memorandum, points of law and authorities. The charges she was found guilty of were accessing MySpace without authorization, due to violating the terms of use.

For example, here's Count 4, on page 10 of the indictment: "Count 4, 10/16/06: Unauthorized Access: In violation of MySpace TOS, accessed MySpace servers to obtain information regarding M.T.M."

She did that on three occasions, according to the indictment, accounting for charges 2-4, so that's three years in prison and $300,000 in fines, potentially. Here's why the prosecutor thought she could be charged, despite her never reading the terms of use, since she didn't open the account and testified she never saw the terms, from page 4:

A copy of the applicable MySpace TOS was readily available to prospective members, members, and users of the website, who could click on a link titled "Terms of Service" or "Terms" to be directed to a web page where prospective members, members, and users of the website could review those rules.
Also, I found the motion for acquittal [PDF] and the prosecutor's opposition [PDF].

Final Update, Sept. 1, 2009: The judge's ruling -- acquittal [PDF]. Some analysis by Eric Goldman.

*****************************

JENNIFER STISA GRANICK (California Bar No. 168423 )
[email]
ELECTRONIC FRONTIER FOUNDATION
[address, phone, fax)

PHILLIP R. MALONE (California Bar No. 163969)
[email]
CYBERLAW CLINIC
BERKMAN CENTER FOR INTERNET AND SOCIETY
HARVARD LAW SCHOOL
[address, phone)

Amici Curiae

UNITED STATES DISTRICT COURT
FOR THE CENTRAL DISTRICT OF CALIFORNIA

_____________________

UNITED STATES,

Plaintiff,

v.

LORI DREW

Defendant.

_____________________

Case No. CR-08-0582-GW

BRIEF OF AMICI CURIAE ELECTRONIC FRONTIER
FOUNDATION, ET AL., IN
SUPPORT OF DEFENDANT'S
MOTION TO DISMISS
INDICTMENT FOR FAILURE TO
STATE AN OFFENSE AND FOR
VAGUENESS

Date: September 4, 2008
Time:. 8:30 AM

Honorable Judge George H. Wu

_____________________

TABLE OF CONTENTS

TABLE OF CONTENTS .............................................................................................................I

TABLE OF AUTHORITIES .....................................................................................................III

STATEMENT OF INTEREST OF AMICI CURIAE ................................................................. 1

FACTS AND SUMMARY OF THE ARGUMENT.................................................................... 3

I. THIS COURT SHOULD DISMISS THE COMPUTER FRAUD AND ABUSE ACT CHARGES AGAINST DEFENDANT DREW BECAUSE HER ALLEGED VIOLATION OF THE MYSPACE TERMS OF USE DOES NOT CONSTITUTE "UNAUTHORIZED ACCESS" OR "EXCEEDING AUTHORIZED ACCESS" UNDER THE STATUTE ............6

A. BY ITS PLAIN TERMS, THE COMPUTER FRAUD AND ABUSE ACT PROHIBITS TRESPASS AND THEFT, NOT MERE CONTRACTUAL VIOLATIONS OF TERMS OF USE ...........................................................................................................................................6

B. THE LEGISLATIVE HISTORY SUPPORTS THE VIEW THAT THE CFAA PROHIBITS TRESPASS AND THEFT, NOT IMPROPER MOTIVE OR USE. .......................8

C. COURTS ARE JUSTIFIABLY WARY EVEN OF CIVIL ENFORCEMENT OF WEBSITE TERMS OF SERVICE ...........................................................................................10

D. IMPOSING CRIMINAL LIABILITY FOR IGNORING OR VIOLATING TERMS OF SERVICE WOULD BE AN UNPRECEDENTED, EXTRAORDINARY AND DANGEROUS EXTENSION OF FEDERAL CRIMINAL LAW.....................................................................12

E. THE BETTER VIEW, SUPPORTED BY MORE RECENT CASES, REJECTS CFAA LIABILITY FOR AUTHORIZED USERS ACTING OUTSIDE THE TERMS AND CONDITIONS OF THAT AUTHORIZATION .......................................................................14

1. MORE RECENT, BETTER-REASONED CASES ADOPT A NARROWER VIEW OF "EXCEEDING AUTHORIZED ACCESS"...........................................................................14

2. OLDER CASES WRONGLY ADOPTED A BROADER VIEW OF "EXCEEDING AUTHORIZED ACCESS" ....................................................................................................17

F. THE RULE OF LENITY REQUIRES THE NARROWER INTERPRETATION OF THE CFAA'S "ACCESS" LANGUAGE .........................................................................................20

G. THE GOVERNMENT'S PREVIOUS ATTEMPT IN THIS DISTRICT TO EXPAND CIVIL CASES INTERPRETING THE CFAA INTO THE CRIMINAL CONTEXT LED TO THE WRONGFUL CONVICTION AND INCARCERATION OF AN INDIVIDUAL FOR CONSTITUTIONALLY PROTECTED ACTIVITIES.............................................................21

II. APPLYING THE CFAA TO DEFENDANT'S CONDUCT IN THIS CASE WOULD CONSTITUTE A SERIOUS ENCROACHMENT ON FUNDAMENTAL CIVIL LIBERTIES, INCLUDING FREEDOM OF SPEECH ............................................................ 23
A. THE FIRST AMENDMENT ASSURES THE RIGHT TO SPEAK ANONYMOUSLY ONLINE ..................................................................................................................................23

i

B. CONSTITUTIONAL AVOIDANCE DICTATES A NARROW READING OF "ACCESS" UNDER THE CFAA ...............................................................................................................26
III. APPLICATION OF THE CFAA WHEN A USER IGNORES OR VIOLATES WEBSITE TERMS OF SERVICE WOULD VIOLATE DUE PROCESS AND RENDER THE STATUTE VOID FOR VAGUENESS AND LACK OF FAIR NOTICE.......................26
A. WEB SITE TERMS OF SERVICE ARE ROUTINELY IGNORED OR NOT FULLY READ OR UNDERSTOOD.....................................................................................................28

B. WEB SITE TERMS ARE FREQUENTLY AND ARBITRARILY CHANGED BY SITE OWNERS WITH LITTLE OR NO LIKELIHOOD OF ACTUAL NOTICE TO USERS .........31

C. WEB SITE TERMS MAY THEMSELVES BE ARBITRARY, VAGUE, OR FRIVOLOUS AND ARE CREATED BY PRIVATE SITE OWNERS FOR A MYRIAD OF BUSINESS OR PERSONAL REASONS HAVING NOTHING TO DO WITH REGULATING "ACCESS" FOR CFAA PURPOSES..........................................................................................................33

D. BASING CRIMINAL LIABILITY ON PRIVATE CONTRACT TERMS INEVITABLY WILL LEAD TO ARBITRARY AND DISCRIMINATORY ENFORCEMENT .....................34

ii

TABLE OF AUTHORITIES

CASES

ACLU of Ga. v. Miller, 977 F. Supp. 1228 (N.D. Ga. 1997) .................................... 24

ACLU v. Johnson, 4 F. Supp. 2d 1029 (D.N.M. 1998) ............................................ 24

America Online Inc. v. LCGM, Inc., 46 F. Supp. 2d 444 (E.D. Va. 1998) ............... 19

ApolloMEDIA Corp. v. Reno, 526 U.S. 1061 (1999) ............................................... 24

Ashcroft v. Free Speech Coal., 535 U.S. 234 (2002) ............................................... 25

Brett Senior & Associates, P.C. v. Fitzgerald, 2007 WL 2043377 (E.D. Pa. July 13, 2007) ........................................ 8, 14, 16

Canada Dry Corp. v. Nehi Beverage Co., 723 F.2d 512 (7th Cir. 1983).................. 25

Christensen v. C.I.R., 523 F.3d 957 (9th Cir. 2008)................................................... 7

City of Chicago v. Morales, 527 U.S. 41 (1999)................................................ 27, 33

Coates v. City of Cincinnati, 402 U.S. 611, (1971).................................................. 34

Columbia Ins. Co. v. Seescandy.com, 185 F.R.D. 573 (N.D. Cal. 1999).................. 24

Crowell v. Benson, 285 U.S. 22 (1932) ...................................................... 26

D. H. Overmyer Co. v. Frick Co., 405 U.S. 174 (1972) ........................................... 25

Diamond Power Int'l, Inc. v. Davidson, 540 F. Supp. 2d 1322 (N.D. Ga. 2007) 14, 15

Doe v. TheMart.com Inc., 140 F. Supp. 2d 1088 (W.D. Wash. 2001).................... 24

Doe v. Cahill, 884 A.2d 451 (Del. 2005)............................................. 25

Douglas v. U.S. Dist. Court for Cent. Dist. Calif., 495 F.3d 1062 (9th Cir. 2007) ... 32

Educ'al Testing Service v. Stanley H. Kaplan, Educ'al Center., Ltd., 965 F. Supp. 731 (D. Md. 1997) .............................. 17

EF Cultural Travel BV v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001)................... 19

EF Cultural Travel BV v. Zefer Corp. , 318 F.3d 58 (1st Cir. 2003).......................... 19

Foti v. City of Menlo Park, 146 F.3d 629 (9th Cir. 1998) ........................................ 28

Gibson v. Fla. Legislative Investigative Comm., 372 U.S. 539 (1963)..................... 24

Global Telemedia Int'l v. Does, 132 F. Supp. 2d 1261 (C.D. Cal. 2001) ................. 24

Grayned v. Rockford, 408 U.S. 104 (1972).................................................... 27

iii

Humanitarian Law Project v. Mukasey, 509 F.3d 1122 (9th Cir. 2007)................... 28

Int'l Ass'n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479 (D.Md 2005) ....................... passim

Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) ............................ 18

Lanzetta v. New Jersey, 306 U.S. 451 (1939) .......................................................... 27

Leocal v. Ashcroft, 543 U.S. 1 (2004).......................................................... 20

Lockheed Martin Corp. v. Speed, 2006 WL 2683058 (M.D. Fla. Aug. 1, 2006) . ....8, 14, 15

McIntyre v. Ohio Elections Comm'n, 514 U.S. 334 (1995)...................................... 24

McNally v. United States, 483 U.S. 350 (1987) ....................................................... 20

Nunez v. City of San Diego, 114 F.3d 935 (9th Cir. 1997) ....................................... 27

Ohio Bell Tel. Co. v. Public Utilities Comm'n, 301 U.S. 292 (1937) ....................... 25

Pasquantino v. United States, 544 U.S. 349 (2005) ................................................. 20

Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000) .................. 19

Register.com, Inc. v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004)................................. 19

Reno v. ACLU, 521 U.S. 844 (1997) ......................................................... 24

Shamrock Foods v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008) ................8, 16, 20, 21

Shurgard Storage Ctrs, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000)..................................... 17, 18

Snepp v. United States, 444 U.S. 507 (1980) ....................................................... 25

Southwest Airlines Co. v. FareChase Inc., 318 F. Supp. 2d 435 (N.D.Tex. 2004) ... 19

Talley v. California, 362 U.S. 60 (1960)............................. 24

Ting v. AT & T, 182 F. Supp. 2d 902 (N.D. Cal. 2002)............................................ 30

United States v. Batchelder, 442 U.S. 114 (1979).................................................... 27

United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997)......................................... 5

United States v. Drew, No. 08-00582 (C.D. Cal. May 15, 2008) ............................... 3

United States v. Harriss, 347 U.S. 612 (1954)................................................ 27

United States v. LaMacchia, 871 F. Supp. 535 (D. Mass. 1994).......................... 5, 21

United States v. McDanel, Ninth Circuit Case No. 03-50135, Central District of 28 California Case No. CR-01-638-LGB ..................................................... 5, 22

iv

United States v. Miranda-Lopez, 2008 WL 2762392 (9th Cir. July 17, 2008) ......... 21

United States v. Riggs, 739 F. Supp. 414 (N.D. Ill. 1990).......................................... 9

United States v. Sutcliffe, 505 F.3d 944 (9th Cir. 2007)........................................... 27

United States v. Thompson/Center Arms Co., 504 U.S. 505 (1992) ......................... 20

United States v. Winstar Corp. , 518 U.S. 839 (1996) .............................................. 25

United States v. Wunsch , 84 F.3d 1110 (9th Cir. 1996) ........................................... 28

ViChip Corp. v. Lee , 438 F. Supp. 2d 1087 (N.D. Cal. 2006) .................................. 18

Zadvydas v. Davis , 533 U.S. 678 (2001) ........................................................... 26, 28

STATUTES

18 U.S.C. § 1030(a)(2)(C).................................................... 3, 17, 18

18 U.S.C. § 1030(e)(6) .................................................................... 7

18 U.S.C. § 2701(a)................................................................ 17

18 U.S.C. § 1030(a)(5)(A).......................................................... 21

18 U.S.C. § 1343................................................................... 5

47 U.S.C. § 223(A)(1)(C)......................................................... 3

Pub.L. No. 98-473, ß 2102(a), 98 Stat. (1984)........................................................... 8

OTHER AUTHORITIES

Alan M. White & Cathy Lesser Mansfield, Literacy and Contract, 13 Stan. L. & Pol'y Rev. 233, (2002)..................................... 11, 31

Andrew Robertson, The Limits of Voluntariness in Contract, 29 Melbourne L. Rev. 21 179, (April 2005) ..................................................................... 30

Antony Savvas, Social Network Users Hide Identities, Computer Weekly, Sept. 25, 2007............................................................. 23

Jeff Gelles, Internet Privacy Issues Extend to Adware, Newark Star-Ledger, July 31, 2005................................................................. 30

Mark A. Lemley, Terms of Use, 91 Minn. L. Rev. 459, (2006) ................... 11, 20, 31

Melvin Aron Eisenberg, The Limits of Cognition and the Limits of Contract, 47 Stan. L. Rev. 211, (1995)......................................................... 30, 31

v

Michael I. Meyerson, The Reunification of Contract Law: The Objective Theory of Consumer Form Contracts, 47 U. Miami L. Rev. 1263, 1269 & nn.28-29 (1993)............................................................ 30, 31

Nathaniel Good et al., Commentary, User Choices and Regret: Understanding Users' Decision Process About Consensually Acquired Spyware, 2 I/S: J.L. & Pol'y for Info. Soc'y 283, (2006) ........................ 29

Orin S. Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596 (2003)................................. 12

Oxford English Dictionary, Oxford University Press ................................................ 9

Pew Internet & American Life Project, Teens, Privacy and Online Social Networks: How teens manage their online identities and personal information in the age of MySpace, April 18, 2007, at 23-24, at http://www.pewinternet.org/pdfs/PIP_Teens_Privacy_SNS_Report_Final.pdf ...... 4

Restatement (Second) of Agency, § 112 (1958) ....................................................... 18

Restatement (Second) of Contracts, § 211 cmt. b (1981).......................................... 29

Robert A. Hillman & Jeffrey J. Rachlinski, Standard-Form Contracting in the Electronic Age, 77 N.Y.U. L. Rev. 429, (2002) ................................................... 30

Robert L. Oakley, Fairness in Electronic Contracting: Minimum Standards for Non-Negotiated Contracts, 42 Hous. L. Rev. 1041, 1051 (2005)................................. 29

Robert W. Gomulkiewicz, Getting Serious About User-Friendly Mass Market Licensing for Software, 12 Geo. Mason L. Rev. 687, (2004).......................... 11, 31

Russell Korobkin, Bounded Rationality, Standard Form Contracts, and Unconscionability, 70 U. Chi. L. Rev. 1203 (2003) ............................................. 31

United States v. McDanel, Government Brief............................................................ 6

LEGISLATIVE MATERIALS

141 Cong. Rec. S9423.................................................................... 9

142 Cong. Rec. E1621.................................................................... 9

H.R. Rep. No. 98-894 (1984) ......................................................................... 8

S. Rep. No. 99-432 (1986)................................................................... 8, 9

INTERNET SOURCES

AOL Terms of Use, http://about.aol.com/ aolnetwork/aolcom_terms ......................... 32

Child Exploitation and Online Protection Centre, Thinkuknow: Social Networking, http://www.thinkuknow.co.uk/(X()S(zuckbyrpokhbemgzsglhm))/_/control /social.aspx......................................................... 4

vi

Facebook Terms of Use, http://www.facebook.com/terms.php................................ 13

Google Terms of Service, § 2.3, http://www.google.com/accounts/TOS..................12

Match.com Terms of Use Agreement, http://www.match.com/registration/membagr.aspx ..............................................13

Network Solutions Terms of Service, http://www.networksolutions.com/legal/ static-service-agreement.jsp .................................................................29

Terms and Conditions -- MySpace.com, http://www.myspace.com/ index.cfm?fuseaction=misc.terms ..................... 3, 29, 32

West Terms of Use, http://west.thomson.com/about/terms-of- use/default.aspx?promcode=0 ............................................................... 32

YouTube Community Guidelines, http://www.youtube.com/t/community_guidelines............................33

vii

STATEMENT OF INTEREST OF AMICI CURIAE

Amici are three organizations, the Electronic Frontier Foundation, the Center for Democracy and Technology and Public Citizen, and the 14 individual faculty members listed in Appendix A who research, teach and write scholarly articles and books about internet law, cybercrime, criminal law and related topics at law schools nationwide. None received any compensation for participating in this brief. Amici's sole interest in this case is in the evolution of sound and principled interpretation and application of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C). Amici believe that this brief will assist the Court in its consideration of the proper interpretation and application of the CFAA in this case.

Electronic Frontier Foundation ("EFF") is a non-profit, member-supported civil liberties organization working to protect free speech and privacy rights. As part of that mission, EFF has served as counsel or amicus in key cases addressing privacy issues and rights as applied to the Internet and other new technologies. With more than 13,000 dues-paying members, EFF represents the interests of technology users in both court cases and in broader policy debates surrounding the application of law in the digital age, and publishes a comprehensive archive of digital civil liberties information at one of the most linked-to web sites in the world, www.eff.org.

Center for Democracy & Technology ("CDT") is a non-profit public interest and Internet policy organization. CDT represents the public's interest in an open,

1

decentralized Internet reflecting constitutional and democratic values of free expression, privacy, and individual liberty. In particular, CDT works to protect online free speech, including the right to speak anonymously and to engage in robust communication and debate without inappropriate threats of criminal sanctions.

Public Citizen is a non-profit, public interest organization that has defended the rights of citizens and consumers since its founding in 1971. Public Citizen has stood against the enforceability of abusive terms in one-sided contracts of adhesion and strongly rejects the proposition that criminal liability should attach to violations of contractual fine print. Since 1999, Public Citizen has also defended the First Amendment right of citizens to communicate anonymously in online forums without the threat of unjustified liability.

2

FACTS AND SUMMARY OF THE ARGUMENT

Defendant Lori Drew is a Missouri resident charged in the Central District of California with violating the Computer Fraud and Abuse Act ("CFAA"). The Government alleges that in the fall of 2006, Defendant created a MySpace account under the name of "Josh Evans." Indictment, United States v. Drew, No. 08-00582, 6 (C.D. Cal. May 15, 2008). Through the "Josh Evans" account, Defendant communicated and developed an online relationship with Megan Meier, a 13-year-old girl also living in Missouri. Indictment at 6. At some point during their communications "Josh Evans" said hurtful things to Miss Meier. Id. at 7-8. Tragically, Miss Meier took her own life.

There are state and federal statutes that regulate harassing and otherwise harmful speech, carefully identifying speech that falls outside of First Amendment protection. See, e.g., 47U.S.C. § 223(a)(1)(C); R.S.Mo. 565.090 (former).1 Neither of those statutes appears to criminalize the communications from "Josh Evans" to Miss Meier here. In the absence of applicable First Amendment-compliant criminal statutes, the Government has chosen to indict Defendant for violating the CFAA, 18 U.S.C. § 1030(a)(2)(C), and for conspiring to violate it. The Government theory is that Defendant's use of a fictitious name and registration information and her hurtful speech violated the MySpace terms of service (TOS). See Terms and Conditions -- MySpace.com, http://www.myspace.com/index.cfm?fuseaction=misc.terms (last modified Feb. 28, 2008). Defendant allegedly failed to provide truthful and accurate registration information; failed to refrain from using any information obtained from MySpace services to harass, abuse, or harm other people; failed to refrain from soliciting personal information from anyone under 18; failed to refrain from

3

promoting information that she knew was false or misleading; and failed to refrain from posting photographs of other people without their consent, all in violation of the terms of use. Indictment at 6-7. On the Government's view, account holders who use their MySpace accounts in violation of the TOS are accessing the company servers "without authorization" or "in excess of authorization." In this way, Defendant victimized MySpace when "Josh Evans" did not follow its terms of service.

The Government's novel and unprecedented response to what everyone recognizes as a tragic situation would create a reading of the CFAA that has dangerous ramifications far beyond the facts here. Terms of service include prohibitions both trivial and profound. As detailed in examples below, the Government's theory would attach criminal penalties to minors under the age of 18 who use the Google search engine, as well as to many individuals who legitimately exercise their First Amendment rights to speak anonymously online. This effort to stretch the computer crime law in order to punish Defendant Drew for Miss Meier's death would convert the millions of internet-using Americans who disregard the terms of service associated with online services into federal criminals. Indeed, survey evidence shows that the majority of teenage MySpace users have entered at least some false information into MySpace, and would thus be subject to prosecution under the Government's theory. Pew Internet & American Life Project, Teens, Privacy and Online Social Networks: How teens manage their online identities and personal information in the age of MySpace, 23-24, http://www.pewinternet.org/pdfs/PIP_ibiblios_Privacy_SNS_Report_Final.pdf (Apr. 18, 2007). In fact, child safety advocates like the Child Exploitation and Online Protection Centre of the British government specifically encourage children to protect themselves by providing misleading identifying information instead of real names on social networking sites. See Child Exploitation and Online Protection Centre, Thinkuknow: Social Networking,

4

http://www.thinkuknow.co.uk/(X()S(z4uckb3yrpokhbemgzsglhm2))/8_10/control/s ocial.aspx (last visited July 31, 2008) ("It's a good idea to use a nickname rather than your real name."). To the best of amici's knowledge, never before in the 22-year history of the CFAA has a criminal prosecution been based on such a theory.

The case is reminiscent of United States v. LaMacchia, 871 F.Supp. 535 (D. Mass. 1994), where the district court rejected a Government attempt to stretch the scope of the federal wire fraud statute, U.S.C. § 1343, to cover the unauthorized, non-commercial distribution of copyrighted software products over the internet by an MIT student. At the time, copyright law did not contain criminal provisions against non-commercial infringement. Noting that the key question was whether, metaphorically, "new wine can be poured into an old bottle," id. at 536, the court recognized that:

[w]hat the Government is seeking to do is to punish conduct that reasonable people might agree deserves the sanctions of the criminal law. . . . While the Government's objective is a laudable one, particularly when the facts alleged in this case are considered, its interpretation of the wire fraud statute would serve to criminalize the conduct of not only persons like LaMacchia, but also the myriad of home computer users who succumb to the temptation to copy even a single software program for private use.
Id. at 544.2

The case is also reminiscent of United States v. McDanel, prosecuted by this same United States Attorney's office under a different provision of the CFAA before ___________

5

the Government admitted error on appeal and moved to overturn the defendant's conviction. See United States v. McDanel, Government Brief, attached as Exhibit A, at 6, 8. In McDanel, the Government stretched the definition of "harm to the integrity" of a computer system to cover truthful reports about a security vulnerability that could endanger a customer's private communications. The Government's proposed interpretation of the CFAA in this case is a similar stretch, one that is unsupported by case law or Congressional intent, is overbroad and unconstitutionally vague, and would punish constitutionally protected activities. This Court should reject the unwarranted expansion of the CFAA and dismiss the indictment.

I. THIS COURT SHOULD DISMISS THE COMPUTER FRAUD AND ABUSE ACT CHARGES AGAINST DEFENDANT DREW BECAUSE HER ALLEGED VIOLATION OF THE MYSPACE TERMS OF USE DOES NOT CONSTITUTE "UNAUTHORIZED ACCESS" OR "EXCEEDING AUTHORIZED ACCESS" UNDER THE STATUTE

A MySpace account holder does not gain unauthorized access or exceed authorized access to MySpace servers by disregarding conditions set forth in that service's terms of service (TOS). The CFAA criminalizes unauthorized access to a computer system or to information on the system. Both the plain language of the statute and the legislative history show that the statute is meant to punish trespassers and "hackers," not users who ignore or violate sites' contracts or customers who misuse the service.

A. By Its Plain Terms, The Computer Fraud And Abuse Act Prohibits Trespass And Theft, Not Mere Contractual Violations Of Terms Of Use
The fundamental question in this case is when access to a highly popular, everyday web site is "without authorization" or in excess of authorized access.3 The

6

plain language of the CFAA does not criminalize an account holder's use of a computer in violation of TOS, but rather a trespasser's access to computer systems or areas of computer networks without permission. In other words, the statute prohibits trespass and theft, not improper motive or use. Every exercise of statutory interpretation begins with an examination of the plain language of the statute. Christensen v. C.I.R., 523 F.3d 957, 962 (9th Cir. 2008) (Courts look to the plain language of a statute, and to legislative history). The Government charged Defendant with 18 U.S.C. 1030 (a)(2)(C), which states:
(a) Whoever-- ...(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--...(C) information from any protected computer if the conduct involved an interstate or foreign communication; ...shall be punished as provided in subsection (c) of this section.
Although Congress did not define the phrase "without authorization," it did so for the phrase "exceeds authorized access". The term "exceeds authorized access" means: "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6) (2008).

The plain language of the statute prohibits trespass, either by outsiders who have no rights to the computer system, or by "insiders" who have some rights to access the computer system, but have limited rights to access or alter information on that same system. The Indictment in this case does not allege whether the defendant's access to the MySpace service was "without authorization" or "in excess of authorized access" or both. Regardless, both prongs of 1030(a)(2)(C) are straightforward prohibitions against computer trespass. The first covers outsiders who have no rights to the computer system, and the second covers "insiders" who have some rights to access the computer system, but do not have rights to access or alter certain files or information on that same system. If the computer owner gives

7

the user the ability to access to particular information, then the user does not exceed his authorization by accessing that information, regardless of the purpose or manner of such access. Lockheed Martin Corp. v. Speed, 2006 WL 2683058, *5 (M.D. Fla. Aug. 1, 2006) (plain reading of "exceeds authorized access" means "those [who go] above [their] authorization, meaning those that go beyond the permitted access granted to them typically insiders exceeding whatever access is permitted to them"). The plain language of Section 1030(a)(2) targets "the unauthorized procurement or alteration of information, not its misuse or misappropriation." Shamrock Foods v. Gast, 535 F. Supp. 2d 962, 965 (D. Ariz. 2008) (citing Brett Senior & Assocs., P.C. v. Fitzgerald, 2007 WL 2043377 (E.D. Pa. July 13, 2007)).
B. The Legislative History Supports The View That The CFAA Prohibits Trespass And Theft, Not Improper Motive Or Use.
The legislative history confirms that Congress intended the CFAA to criminalize intruders who trespassed on computers and computer networks. Int'l Ass'n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 495-96 (D.Md 2005) (citing S. Rep. No. 99-432, at 4 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2482 (explaining that the CFAA "is a consensus bill aimed at deterring and punishing certain 'high-tech' crimes")). The CFAA was originally called the Counterfeit Access Device and Computer Fraud and Abuse Act and was enacted in 1984. Counterfeit Access Device and Computer Fraud and Abuse Act, Pub. L. No. 98-473, Title II, § 2102(a), 98 Stat. 1937 (1984) (prior to 1986 amendment). The 1984 House Committee emphasized that "section 1030 deals with an 'unauthorized access' concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of 'breaking and entering' rather than using a computer . . . in committing the offense." H.R. Rep. No. 98-894 at 20 (1984) reprinted in 1984 U.S.C.C.A.N. 3689, 3706. Consequently, the committee report emphasized concerns about "hackers" who "trespass into" computers and the inability of "password codes" to protect against this threat. Id. at

8

10-11, reprinted in 1984 U.S.C.C.A.N. 3689, 3695-97. The 1984 version of the law criminalized actions of one who gains "unauthorized access" or who "having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend."

In 1986, Congress deleted the part of the statute that prohibited those with authorization from using the system for unauthorized purposes and substituted the phrase "exceeds authorized access." Werner-Masuda, 390 F. Supp. 2d , 479, 499 n. 12 (D. Md. 2005) (quoting S. Rep. No. 99-432, at 9 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2486). As the court in Werner-Masuda explains:

By enacting this amendment, and providing an express definition for "exceeds authorized access," the intent was to "eliminate coverage for authorized access that aims at `purposes to which such authorization does not extend,'" thereby "removing from the sweep of the statute one of the murkier grounds of liability, under which a [person's] access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly distinguishable) circumstances that might be held to exceed his authorization.
Id. at 499 n.12 (quoting S. Rep. No. 99-432, at 21, 1986 U.S.C.C.A.N. 2479, 2494-95) (alterations in original). Congress used the "exceeds authorized access" language to avoid extending criminal liability to employees where administrative sanctions were more appropriate. Id.

This intention is further supported by the fact that, when discussing the CFAA, and specifically section (a)(2)(C), legislators often referred to "hackers" and the need to protect sensitive information from theft. See, e.g., 142 Cong. Rec. E1621-03 (daily ed. Sept. 17, 1996) (statement of Rep. Goodlatte); see also 14 Cong. Rec. S9423 (daily ed. June 29, 1995) (statement of Sen. Leahy). The modern, conventional usage of "hacker" is usually someone who gains unauthorized access to a computer typically to obtain information of value he or she is not entitled to obtain, or to cause damage. See, e.g., Oxford English Dictionary, Oxford Univ. Press (defining, inter alia, a hacker as "a person who uses his skill with computers to try to gain unauthorized access to computer files or networks"); see also United States v.

9

Riggs, 739 F. Supp. 414, 423-24 (N.D. Ill. 1990) (citing approvingly to sources that define hackers as those using computer skills to gain unauthorized access to a computer system). The legislative history makes no mention of unauthorized or excessive access obtained through ignorance or disregard of private terms of service.

The legislative history supports the conclusion that the CFAA criminalizes trespasses in which the user gains access to computer services or information to which he is not entitled, not those in which an authorized individual uses the services or information in an impermissible manner. Defendant Drew had an account on MySpace, a free interactive internet-based social network open to anyone who signs up for the service. There are no fees, no vetting, no checks on who may use the service. Usernames and passwords are deployed, not to keep people off MySpace, but to give users control over their own account profiles and keep such profiles separate. Defendant Drew allegedly used her account to access MySpace services and information. She had no special skill with computers and did not circumvent any security measures, technological or otherwise. As is any member of the public who signs up and holds an account, she was authorized to use the service and to access the system, including information stored there. The way she used her account, if the allegations are true, was reprehensible. But unless her hateful speech rises to the level of harassment or stalking, it is not criminal and cannot be punished; attempting instead to punish that speech under the CFAA merely because it took place on the internet in contravention to a private terms of service is improper.

C. Courts Are Justifiably Wary Even Of Civil Enforcement Of Website Terms Of Service
Adopting the erroneous view of the CFAA propounded by the prosecution in this case would criminalize the actions of internet users or web service account holders who violate a mere contractual promise to use a computer in a certain way or who ignore or disregard terms of service hidden behind a "legal notices" hyperlink at the bottom of a webpage. As detailed in Section III.A, infra, many, perhaps most,

10

internet users do not even read or understand these documents, which are often long, riddled with legalese, and poorly organized and formatted or typically are written at a level of difficulty that exceeds the ability of most consumers to understand. Accord Robert W. Gomulkiewicz, Getting Serious About User-Friendly Mass Market Licensing for Software, 12 Geo. Mason L. Rev. 687, 692-94, 701-02 (2004); Alan M. White & Cathy Lesser Mansfield, Literacy and Contract, 13 Stan. L. & Pol'y Rev. 233, 235-42 (2002). Significantly, the Government in this case has not alleged that the Defendant or co-conspirators ever read or even looked at the MySpace terms, but only that the terms "were readily available" to users "who could click on a link titled 'Terms of Service' or 'Terms' to be directed to a web page where [they] could review those rules." Indictment at 4 (emphasis added).4

Indeed, the current prosecution would impose criminal liability for merely ignoring or violating terms of service at a time that courts and academics continue to debate the extent to which and under what circumstances such documents should be enforced as a matter of regular civil contract law. See, e.g., Mark A. Lemley, Terms of Use, 91 Minn. L. Rev. 459, 462-63, 475-76 (2006) (citing cases and noting differences in enforceability between corporate-entity defendants and individuals). Among the thorny issues that are presented by such cases are whether the user receives adequate actual or constructive notice of the terms, whether the user effectively consents and whether the terms are unconscionable. Whatever the merits of recognizing private, civil contract obligations and remedies in such situations, however, the imposition of serious criminal liability in light of these problems would be fundamentally unfair.

11

D. Imposing Criminal Liability For Ignoring Or Violating Terms Of Service Would Be An Unprecedented, Extraordinary And Dangerous Extension Of Federal Criminal Law
George Washington University Law Professor Orin Kerr has argued thoughtfully and persuasively that "unauthorized access" should not include access to a computer in violation of a contract or terms of service. Doing so would:
threaten a dramatic and potentially unconstitutional expansion of criminal liability in cyberspace. Because Internet users routinely ignore the legalese that they encounter in contracts governing the use of websites, Internet Service Providers (ISPs), and other computers, broad judicial interpretations of unauthorized access statutes could potentially make millions of Americans criminally liable for the way they send e- mails and surf the Web.
Orin S. Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1599 (2003). Consider the remarkable and disturbing results that a contract-based approach to authorized access can create under the CFAA:
Imagine that a website owner announces that only right-handed people can view his website, or perhaps only friendly people. Under the contract-based approach, a visit to the site by a left-handed or surly person is an unauthorized access that may trigger state and federal criminal laws. A computer owner could set up a public web page, announce that "no one is allowed to visit my web page," and then refer for prosecution anyone who clicks on the site out of curiosity. By granting the computer owner essentially unlimited authority to define authorization, the contract standard delegates the scope of criminality to every computer owner.
Id. at 1650-51.

Professor Kerr's concerns are not merely hypothetical. There are many surprising terms of service provisions that, if violated, would convert authorized users into federal criminals. Take for example, two of the internet's most popular websites' terms of service:

  • "You may not use the Services and may not accept the Terms if (a) you are not of legal age to form a binding contract with Google," Google Terms of Service, § 2.3, http://www.google.com/accounts/TOS (last modified Apr. 16, 2007).

12

  • "[Y]ou agree to . . . provide accurate, current and complete information about you as may be prompted by any registration forms on the Site ("Registration Data") . . . [and] maintain and promptly update the Registration Data, and any other information you provide to Company, to keep it accurate, current and complete . . . ." Facebook Terms of Use, http://www.facebook.com/terms.php (last modified June 7, 2008).

On the Government's view, a user who is under the age of majority violates the CFAA every time she enters a search query on the Google.com webpage and obtains information. Under Facebook's terms of use, if a user changes jobs or addresses or even her thoughts on what her favorite movie is, she would need to immediately tell Facebook, as this is information she has provided to the company, or run the risk that her continued use of the site could lead to criminal sanctions.5

In another example, the Electronic Frontier Foundation reports that terms of service for the popular dating site Match.com require users of either the website or the dating service to be single or separated from their spouses. See, e.g., Match.com Terms of Use Agreement, http://www.match.com/registration/membagr.aspx ("You must be at least eighteen (18) years of age and single or separated from your spouse to register as a member of Match.com or use the Website.") (last visited July 30, 2008). The brief's author has not been able to visit the site to confirm the report; because she remains happily married, doing so would be a violation of the site's terms, potentially a criminal act under the interpretation of the CFAA advanced by the Government here.

13

E. The Better View, Supported By More Recent Cases, Rejects CFAA Liability For Authorized Users Acting Outside the Terms and Conditions of That Authorization
Professor Kerr's concern about applying the CFAA to contract violations followed holdings by several courts in civil cases that a disloyal employee's use of a computer or a competitor's automated searching of a system for commercial purposes could violate the statute. However, the more recent and better view, consistent with Kerr's well-reasoned analysis, rejects the idea that authorized access becomes unauthorized, and thus criminal, when the user acts with his own purposes, rather than those of the computer owner, in mind. See, e.g., Werner-Masuda, 390 F. Supp. 2d at 495-96; Brett Senior & Assocs., 2007 WL 2043377; Diamond Power Int'l, Inc. v. Davidson, 540 F. Supp. 2d 1322 (N.D. Ga. 2007); Lockheed Martin Corp., 2006 WL 2683058. This better view rejects CFAA liability even where the defendant is a former employee violating a negotiated employment contract or confidentiality agreement by transferring confidential information to a rival company for the employee's own economic benefit and to the detriment of the computer owner. The instant case is a far easier one: all that is alleged here is that the defendant violated the standard MySpace service terms of use, and did so without any purpose to gather trade secrets or commercial or proprietary data, or to gain any economic advantage.

1. More Recent, Better-Reasoned Cases Adopt A Narrower View Of "Exceeding Authorized Access"
The better-reasoned cases hold that if a user is authorized to access a computer and information stored there, then doing so is not criminal, even if that access is in violation of a contractual agreement or non-negotiated terms of use. For example, in Werner-Masuda the plaintiff argued that the defendant, a union officer, exceeded her authorization to use the union computer when she accessed a membership list to send to a rival union, and not for legitimate union business. The defendant had signed an agreement promising that she would not access union computers "contrary to the

14

policies and procedures of the [union] Constitution". Werner-Masuda, 390 F. Supp. 2d at 495 (D. Md. 2005). The District Court rejected this argument, holding that even if the defendant breached a contract, that breach of a promise not to use information stored on union computers in a particular way did not mean her access to that information was unauthorized or criminal.
Thus, to the extent that Werner-Masuda may have breached the Registration Agreement by using the information obtained for purposes contrary to the policies established by the [union] Constitution, it does not follow, as a matter of law, that she was not authorized to access the information, or that she did so in excess of her authorization in violation of the [Stored Communications Act] or the CFAA. . . . Although Plaintiff may characterize it as so, the gravamen of its complaint is not so much that Werner-Masuda improperly accessed the information contained in VLodge, but rather what she did with the information once she obtained it. . . . Nor do [the] terms [of the Stored Communications Act and the CFAA] proscribe authorized access for unauthorized or illegitimate purposes. (citations omitted)
Id. at 499.

Here, too, the gravamen of the Government's complaint is not that Defendant improperly obtained information to which she was not entitled on the MySpace servers, but rather that she used the MySpace service for an unauthorized or illegitimate purpose. The CFAA does not proscribe authorized access for unauthorized or illegitimate purposes. Thus, to the extent that Defendant may have breached the Terms of Service by using a MySpace account contrary to the policies established by the company, it does not follow that she was not authorized to access the MySpace servers in violation of the CFAA.

Subsequent cases have followed the reasoning of Werner-Masuda based on either plain language or legislative history. In Lockheed Martin Corp. the court found no CFAA violation under the plain language of the statute. "Exceeds authorized access," the opinion states, refers to those employees "that go beyond the permitted access granted to them typically insiders exceeding whatever access is permitted to them." Lockheed Martin Corp., 2006 WL 2683058, at *5.

In Diamond Power Int'l, Inc. v. Davidson, the District Court similarly rejected

15

a CFAA claim against an employee who violated an employment agreement by using his access to his employer computer system to steal data for a competitor. The defendant transferred information from password-protected computer drives to his new employer while still employed with the former company in violation of a confidentiality agreement. Davidson, 540 F. Supp. 2d at 1327-31. Correctly identifying the narrower interpretation of "exceeding authorized access" as "the more reasoned view," the court held that "a violation for accessing `without authorization' occurs only where initial access is not permitted. And a violation for `exceeding authorized access' occurs where initial access is permitted but the access of certain information is not permitted." Id. at 1343.

In Brett Senior & Assocs., an employer alleged that its former employee misused confidential information at his new employer in violation of the CFAA. While still working with his former employer, the employee interviewed with a rival company and showed it a list of his employer's clients and those the details of those clients' business with the company. Before leaving to join the new firm, the employee then contacted 20 of his clients and convinced 15 of them to come with him to the new firm. Brett Senior & Assocs., P.C., 2007 WL 2043377 at *1. The court relied on the legislative history to reject the former employer's CFAA claim. The employee defendant had full access to information contained in the computer system until his departure, and the court concluded that a CFAA violation is a trespass offense, not a misuse of services offense. Id. at *3.

In Shamrock Foods v. Gast, under similar facts, the District Court relied on Davidson and Werner-Masuda to hold that the defendant did not access the information at issue "without authorization" or in a manner that "exceed[ed] authorized access." Shamrock Foods, 535 F. Supp. 2d at 968. The defendant had an employee account on the computer he used at his employer Shamrock and was permitted to view the specific files he allegedly emailed to himself. The CFAA did not apply, even though the emailing was for the improper purpose of benefiting

16

himself and a rival company in violation of the defendant's Confidentiality Agreement.6 See Werner-Masuda, 390 F.Supp. 2d at 496 (interpreting the same language "prohibit[ing] only unauthorized access and not the misappropriation or disclosure of information" in the Stored Communications Act (SCA), 18 U.S.C. § 2701(a) to mean that "there is no violation of section 2701 for a person with authorized access to the database no matter how malicious or larcenous his intended use of that access." (quoting Educ'al Testing Service v. Stanley H. Kaplan, Educ'al Ctr., Ltd., 965 F. Supp. 731, 740 (D. Md. 1997) ("[I]t appears evident that the sort of trespasses to which the [SCA] applies are those in which the trespasser gains access to information to which he is not entitled to see, not those in which the trespasser uses the information in an unauthorized way."))).
2. Older Cases Wrongly Adopted A Broader View Of "Exceeding Authorized Access"
The cases discussed above contrast with and reject earlier decisions, most importantly Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000), which introduced an agency theory of authorization under the CFAA that several courts have followed. Shurgard follows neither the plain language nor the legislative intent of the CFAA and would lead to a variety of troubling and potentially unconstitutional results. See id. The reasoning in Werner-Masuda is both persuasive and correct and, to the extent that Shurgard takes a different approach, this Court should reject it.

In Shurgard, the District Court denied a motion to dismiss a CFAA claim brought by an employee that took employer information from the computer system

17

with him to his next job. Id. at 1129. The court relied on the Restatement (Second) of Agency, § 112 (1958), to hold that when the plaintiff's former employees accepted new jobs with the defendant, the employees "lost their authorization and were 'without authorization' [under the CFAA] when they allegedly obtained and sent [the plaintiff's] proprietary information to the defendant via e-mail"). Shurgard, 119 F. Supp. 2d at 1125. The court examined the Senate report accompanying Congress's 1996 amendments to the CFAA, and concluded that Congress intended the statute to have "broad meaning" that was intended to cover the situation under dispute. Id. at 1129. But the 1996 amendments were of little relevance to the authorization issues in Shurgard or here, as those amendments replaced the term "federal interest computer" with "protected computer." 18 U.S.C. § 1030(a)(2)(C) (2008). In contrast the district court in Werner-Masuda relied heavily on the 1986 Senate report accompanying the CFAA. Werner-Masuda, 390 F. Supp. 2d at 497-499. The 1986 amendments are the relevant ones because those are the amendments that added the term "exceeds authorized access." 16 U.S.C. § 1030(a)(2)(C) (2008). This is the term at issue here because it is the part of the statute that reaches insiders who are allowed access for some purposes, but not for others. For this reason, Werner- Masuda's take on the legislative history of the CFAA is far more persuasive than that of the court in Shurgard on the critical issue of whether Defendant Drew gained unauthorized access or exceeding authorized access.

A few cases find that, in the civil employment context, the principles of agency mean that an employee accesses a computer "without authorization" if, without knowledge of the employer, the employee uses the employers computer system in a manner adverse to the employer's interests. See, e.g., Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420-421 (7th Cir. 2006); ViChip Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006). Several earlier cases also found a CFAA violation for non-employees, but only after clear and repeated warnings that the user's conduct was not authorized, and only under circumstances where the user

18

either had a fiduciary duty to the computer owner or where the access was for competitive commercial gain, facts significantly absent in this case. See EF Cultural Travel BV v. Zefer Corp. 318 F.3d 58 (1st Cir. 2003), (rejecting a CFAA claim based on a "reasonable expectations" test but stating in dicta that "a lack of authorization could be established by an explicit statement on the website restricting access"); EF Cultural Travel BV v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001) (finding CFAA liability where the defendant poached an ex-EF employee, who in turn revealed confidential information about his former employer which improved the competitor's use of automated tools to search and "systematically glean company's prices from [competitor's] website"); Southwest Airlines Co. v. FareChase Inc., 318 F. Supp. 2d 435 (N.D. Tex. 2004) (defendant created an automated tool that "scraped" web site information and allowed corporate travelers to search online for airline fares, including Southwest's. despite the plaintiff's "repeated warnings and requests" to cease); Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000) (court enjoined automatic searching of the registrant contact information contained in domain registry database after lawyers specifically objected to the defendant's use and sent out a terms of use letter to the defendant), aff'd in part as modified by Register.com, Inc. v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004) (reversing the trial court's CFAA finding on the basis that there was insufficient likelihood of showing the $5,000 damage threshold necessary for private claims, but upholding a trespass to chattels claim); America Online Inc. v. LCGM, Inc., 46 F. Supp. 2d 444 (E.D. Va. 1998) ("AOL"), (the defendant transmitted more than 92 million unsolicited and bulk e-mail messages advertising their pornographic Web sites to AOL members in violation of AOL's email policies and terms of use).

These civil cases are readily distinguished from the criminal prosecution of Defendant Drew here because all but AOL involve actual prior notice to the defendant that their computer access was unauthorized, rather than the mere posting of terms of service on a website which could be ignored or violated by a user. These

19

cases also all involve use of the plaintiff's computer service for the defendant's commercial advantage to the detriment of the computer system owner. See Lemley, 91 Minn. L. Rev. at 476-77 (noting a greater willingness of some courts to enforce terms against businesses than against consumers). Here, Defendant Drew allegedly failed to provide truthful and accurate registration information; failed to refrain from using any information obtained from MySpace services to harass, abuse, or harm other people; failed to refrain from soliciting personal information from anyone under 18; failed to refrain from promoting information that she knew was false or misleading; and failed to refrain from posting photographs of other people without their consent. The indictment does not allege even that Defendant had seen or knew of these terms in the MySpace TOS, but she certainly did not receive any direct warnings to stop. Nor was she acting for commercial advantage in a way that could be seen as unfairly competing with or harming MySpace's business, factors important to the decisions in virtually all the above cases.

Apart from these important factual distinctions, for the reasons stated, these cases were wrongly decided, in light of the plain language and the legislative history of the CFAA.

F. The Rule Of Lenity Requires The Narrower Interpretation Of The CFAA's "Access" Language
The rule of lenity should guide the construction of section 1030 (a)(2)(C) in this case because the CFAA is first and foremost a criminal statute. See Leocal v. Ashcroft, 543 U.S. 1, 12 n. 8 (2008); United States v. Thompson/Center Arms Co., 504 U.S. 505, 517-18 (1992). The rule of lenity "requires a court confronted with two rational readings of a criminal statute, one harsher than the other, to choose the harsher only when Congress has spoken in clear and definite language." Shamrock Foods, 535 F. Supp. 2d at 965-67 (plain language of the statute, legislative history and rule of lenity support a narrow view of the CFAA); see Pasquantino v. United States, 544 U.S. 349, 383 (2005); McNally v. United States, 483 U.S. 350, 359-60

20

(1987).

Here, because Congress has not proactively specified that the CFAA's "access" provisions criminalize mere violations of terms of service, the rule of lenity requires that courts adopt the "less harsh" interpretation. See, e.g., United States v. Miranda-Lopez, 2008 WL 2762392 at *5 (9th Cir. July 17, 2008) ("the 'longstanding' rule of lenity requires us to resolve any ambiguity in the scope of a criminal statute in favor of the defendant" (citations omitted)). This is the approach taken by the court in Shamrock Foods Co. in adopting the narrower interpretation of "accesses . . . without authorization or exceeds authorized access." The court there used the rule of lenity to reject imposition of CFAA liability on a disloyal former employee, concluding "[t]he approach advanced by Shamrock would sweep broadly within the criminal statute breaches of contract involving a computer. . . . The Court declines the invitation to open the doorway to federal court so expansively when this reach is not apparent from the plain language of the CFAA." Shamrock Foods at 967 (emphasis added). United States v. LaMacchia reached a similar result as the rule of lenity would require. Because Congress had failed to criminalize non-commercial distribution of copyrighted materials, the Government was not entitled to stretch a broader statute regulating a different kind of conduct to punish admittedly bad conduct. LaMacchia, 871 F. Supp. 535 (D. Mass. 1994). If Congress wanted to criminalize the conduct at issue here, it could have. If Congress wanted to give the force of law to terms of service agreements, it can. But it did not, and the rule of lenity does not permit the Government to use the CFAA to reach that result.

G. The Government's Previous Attempt In This District To Expand Civil Cases Interpreting the CFAA into the Criminal Context Led To The Wrongful Conviction And Incarceration Of An Individual For Constitutionally Protected Activities
In a disturbingly similar expansion of civil CFAA cases to support a criminal prosecution under a different section of the CFAA, 18 U.S.C. § 1030(a)(5)(A), the United States Attorney's Office in this district from 2001 to 2003 prosecuted

21

computer programmer Bret McDanel, United States v. McDanel, Ninth Circuit Case No. 03-50135, Central District of California Case No. CR-01-638-LGB. McDanel worked for a Tornado, a Los Angeles firm that provided Web-based email and voice mail services. While employed there, he discovered a serious security flaw in the company's email system, which intruders could exploit to read customers' private messages. He brought the flaw to the company's attention, but it wasn't fixed. After he left Tornado, McDanel sent an anonymous email to Tornado customers, describing the security flaw, and directing customers to a website McDanel had set up providing more information. The Government indicted McDanel for violating the CFAA, alleging that because he sent emails to customers' Tornado.com email addresses, and these emails gave customers information that the company did not want its users to have, McDanel intentionally caused damage to the integrity of Tornado's email server. The Government relied heavily on Shurgard's agency law theory, arguing that McDanel acted without the best interests of Tornado in mind, so his emails were improper. McDanel was convicted and sentenced to 16 months in prison.

On appeal to the Ninth Circuit,7 the Government reversed its position, "confess[ed] error," and moved to dismiss the charges against McDanel. (See United States v. McDanel, Government Brief, attached as Exhibit A, at 6, 8). While McDanel sent information to Tornado's servers, and while that information caused harm to Tornado's business (by reducing customer confidence in the privacy and security of their messages), the Government admitted that that type of harm could not be a CFAA violation unless it was intended to help someone illegally access the system or change data there. Id. at 8. The flaw in the current prosecution and that of McDanel is the same. The Government seeks to extend the reasoning of disfavored civil law cases from the employment or commercial context to argue that any use of

22

a computer server in a manner contrary to the interests of the server owner is a crime.

As with the prosecution of Mr. McDanel, this prosecution is in error.

II. APPLYING THE CFAA TO DEFENDANT'S CONDUCT IN THIS CASE WOULD CONSTITUTE A SERIOUS ENCROACHMENT ON FUNDAMENTAL CIVIL LIBERTIES, INCLUDING FREEDOM OF SPEECH

A. The First Amendment Assures The Right To Speak Anonymously Online
Individuals have the qualified right to speak anonymously, including on the internet, so criminal prosecution for failing to supply accurate identifying information to an online communications service endangers First Amendment rights. Yet one of the alleged violations of the MySpace terms of service on which the Government bases this Indictment is Defendant's use of a fictitious name in registering for an account. See Indictment at 6.

Average internet users may have numerous valid reasons for wanting to keep their identities secret. Individuals may want to protect themselves from unwanted attention or from unwanted advertising, even while the service providers hope to sell customer's personally indentifying information or send advertising. They may wish to avoid having their views stereotyped according to their racial, ethnic or class characteristics, or their gender. They may be associated with an organization but want to express an opinion of their own, without running the risk that readers will assume that the group feels the same way. They may want to say or imply things about themselves that they are unwilling to disclose otherwise. And they may wish to present provocative ideas that they fear could subject them to retaliation. Not surprisingly, in a recent survey, almost one-third of social network users admitted to providing false information to protect their identities. Antony Savvas, Social Network Users Hide Identities, Computer Weekly, Sept. 25, 2007.

The Supreme Court has consistently upheld the right to anonymous speech in a variety of contexts, noting that "[a]nonymity is a shield from the tyranny of the majority . . . [that] exemplifies the purpose [of the First Amendment] to protect

23

unpopular individuals from retaliation ... at the hand of an intolerant society." McIntyre v. Ohio Elections Comm'n, 514 U.S. 334, 357 (1995); see also id. at 342 ("an author's decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment."); Gibson v. Fla. Legislative Investigative Comm., 372 U.S. 539, 544 (1963) ("[I]t is ... clear that [free speech guarantees] ... encompass[] protection of privacy association ..."); Talley v. California, 362 U.S. 60, 64 (1960) (finding a municipal ordinance requiring identification on hand-bills unconstitutional, and noting that "[a]nonymous pamphlets, leaflets, brochures and even books have played an important role in the progress of mankind.").

The First Amendment applies fully to internet communications, including email and the World Wide Web. Reno v. ACLU, 521 U.S. 844, 870 (1997) (there is "no basis for qualifying the level of First Amendment protection that should be applied to" the internet). Numerous courts have specifically upheld the right to communicate anonymously on the internet. See, e.g., Doe v. TheMart.com Inc., 140 F. Supp. 2d 1088, 1092 (W.D. Wash. 2001) ("The right to speak anonymously extends to speech via the internet. Internet anonymity facilitates the rich, diverse, and far ranging exchange of ideas."); ACLU v. Johnson, 4 F. Supp. 2d 1029, 1033 (D.N.M. 1998); ACLU of Ga. v. Miller, 977 F. Supp. 1228, 1230 (N.D. Ga. 1997); see also ApolloMEDIA Corp. v. Reno, 526 U.S. 1061 (1999), aff'd 19 F. Supp. 2d 1081, 1085 n.5 (C.D. Cal. 1998) (protecting anonymous denizens of a web site at www.annoy.com, a site "created and designed to annoy" legislators through anonymous communications); Global Telemedia Int'l v. Does, 132 F. Supp. 2d 1261, 1267 (C.D. Cal. 2001) (striking complaint based on anonymous postings on Yahoo! message board based on California's anti-SLAPP statute).

It is true that the constitutional privilege to remain anonymous is not absolute. Plaintiffs may properly seek information necessary to pursue reasonable and meritorious litigation. Columbia Ins. Co. v. Seescandy.com, 185 F.R.D. 573, 578

24

(N.D. Cal. 1999) (First Amendment does not protect anonymous internet users from liability for tortious acts such as defamation); Doe v. Cahill, 884 A.2d 451, 456 (Del. 2005) ("Certain classes of speech, including defamatory and libelous speech, are entitled to no constitutional protection."). Also, individuals can choose to waive their free speech rights, and courts may enforce confidentiality agreements over a First Amendment defense. See Snepp v. United States, 444 U.S. 507, 510 (1980) (per curiam). However, the law does not presume a waiver of constitutional rights in contract so courts give heightened scrutiny to the enforceability of such agreements. Ohio Bell Tel. Co. v. Public Utilities Comm'n, 301 U.S. 292, 307 (1937). To enforce such a contract, the waiver must not undermine the relevant public interest. See D. H. Overmyer Co. v. Frick Co., 405 U.S. 174, 187-88 (1972).

In this case, even assuming, arguendo, that the MySpace TOS is privately enforceable in spite of its contractual infirmities and restrictions on protected anonymous speech, monetary damages, not criminal convictions and prison sentences, "are always the default remedy for breach of contract." United States v. Winstar Corp., 518 U.S. 839, 885 (1996) (plurality opinion). "Our system of contract remedies rejects, for the most part, compulsion of the promisor as a goal. It does not impose criminal penalties on one who refuses to perform his promise, nor does it generally require him to pay punitive damages." Canada Dry Corp. v. Nehi Beverage Co., 723 F.2d 512, 526 (7th Cir.1983 ). Yet the Government's construction of "without authorization or exceeds authorized access" in this case, based in part on Defendant Drew's alleged failure to supply "truthful and accurate registration information," Indictment at 5, 7, would make the assertion of protected anonymity the basis for criminal liability. While "[t]he Government may violate [the First Amendment] in many ways, . . . imposing criminal penalties on protected speech is a stark example of speech suppression." Ashcroft v. Free Speech Coal., 535 U.S. 234, 244 (2002).

The First Amendment problems begin with, but do not end with, the right to

25

speak anonymously. Under the Government's construction of the CFAA, speech that violates any terms of service would be unauthorized or in excess of authorization and potentially criminal. If the comment policy of a web site specified "no comments favorable to Democrats" or "no comments that are off-topic" or "no bad stuff" those expressions too would be swept into the reach of the CFAA.

B. Constitutional Avoidance Dictates A Narrow Reading Of "Access" Under The CFAA
This Court need not decide whether enforcing the CFAA would violate the First Amendment in this case. The mere fact that the question arises, however, requires this Court to interpret "exceeds authorized access" narrowly, so as to avoid a potentially unconstitutional application. "'[I]t is a cardinal principle' of statutory interpretation . . . that when an Act of Congress raises 'a serious doubt' as to its constitutionality, `this Court will first ascertain whether a construction of the statute 62 is fairly possible by which the question may be avoided.'" Zadvydas v. Davis, 533 U.S. 678, 689 (2001) (quoting Crowell v. Benson, 285 U.S. 22, 62 (1932)). A narrow construction of "unauthorized access" and "exceeds authorized access" one which does not punish the failure to use truthful identification information when using online services that indicate an interest in collecting this data in their terms of use is both possible and otherwise compelled by the statutory language and history of the CFAA.

III. APPLICATION OF THE CFAA WHEN A USER IGNORES OR VIOLATES WEBSITE TERMS OF SERVICE WOULD VIOLATE DUE PROCESS AND RENDER THE STATUTE VOID FOR VAGUENESS AND LACK OF FAIR NOTICE

Grounding criminal liability under section 1030(a)(2)(C), as the Government seeks to do here, on an interpretation of "access without authorization" and/or "exceeds authorized access" that is based entirely on whether a person has fully complied with the vagaries of privately created, frequently unread, generally lengthy and impenetrable terms of service would strip the statute of adequate notice to citizens of what conduct is criminally prohibited and render it hopelessly and

26

unconstitutionally vague. If the Government's proposed construction of 18 U.S.C. 1030(a)(2)(C) in this case is correct, not only the defendant but also potentially millions of otherwise innocent internet users would be committing frequent criminal violations of the CFAA through ordinary, indeed routine, online behavior which they have been given no reason to believe would make them felons. The lack of notice under the Government's interpretation is stark; counsel for amici are not aware of a single criminal prosecution or conviction in the entire years of the CFAA's existence that has attempted to base criminal liability on disregard for the contractual terms of service on a website.

The Supreme Court has stated that,

"[i]t is a fundamental tenet of due process that '[n]o one may be required at peril of life, liberty or property to speculate as to the meaning of penal statutes.' Lanzetta v. New Jersey, 306 U.S. 451, 453 (1939). A criminal statute is therefore invalid if it 'fails to give a person of ordinary intelligence fair notice that his contemplated conduct is forbidden.' United States v. Harriss, 347 U.S. 612, 617 (1954)."
United States v. Batchelder, 442 U.S. 114, 123 (1979); see also Grayned v. Rockford, 408 U.S. 104, 108-09 (1972). A plurality of the Supreme Court has further specified that "[v]agueness may invalidate a criminal law for either of two independent reasons. First, it may fail to provide the kind of notice that will enable ordinary people to understand what conduct it prohibits; second, it may authorize and even encourage arbitrary and discriminatory enforcement." City of Chicago v. Morales, 527 U.S. 41, 56 (1999) (Stevens, J., plurality opinion).

In the Ninth Circuit, "[t]o survive vagueness review, a statute must '(1) define the offense with sufficient definiteness that ordinary people can understand what conduct is prohibited; and (2) establish standards to permit police to enforce the law in a non-arbitrary, non-discriminatory manner.'" United States v. Sutcliffe, 505 F.3d 944, 953 (9th Cir. 2007) (quoting Nunez v. City of San Diego, 114 F.3d 935, 940 (9th Cir. 1997). "Vague statutes are invalidated for three reasons: '(1) to avoid punishing people for behavior that they could not have known was illegal; (2) to avoid

27

subjective enforcement of laws based on 'arbitrary and discriminatory enforcement' by government officers; and (3) to avoid any chilling effect on the exercise of First Amendment freedoms.'" Humanitarian Law Project v. Mukasey, 509 F.3d , 1122, 1133 (9th Cir. 2007) (quoting Foti v. City of Menlo Park, 146 F.3d 629, 638 (9th Cir. 1998)).8

Nothing in § 1030(a)(2)(C), its legislative history, or the case law interpreting it provides any sort of "fair notice" to citizens, including the defendant here, that such everyday behavior could constitute a federal crime. For at least the following four reasons the interpretation advanced by the Government would fall short of providing required notice and avoiding vagueness. Given that courts should adopt a narrow construction of a statute to avoid vagueness and other unconstitutional infirmities, see Zadvydas v. Davis, 533 U.S. at 689, the Government's proposed view of the CFAA must be rejected.

A. Web Site Terms of Service are Routinely Ignored or Not Fully Read or Understood
The fallacy of any notion that internet users are on "fair notice" that disregarding the terms of service of the many web sites and web services they visit puts them at risk of serious criminal liability is revealed by the widespread (and widely accepted) understanding that large numbers of users never read these terms, or read and understand only limited portions of them.

First, terms are often poorly accessible. Many web sites or web-based services post their terms behind a "legal notices" or "terms of service" hyperlink which users can only access by scrolling to the bottom of the page and clicking on the link. To access the MySpace terms of use, for example, one must scroll down to find a hyperlink labeled "terms". See MySpace.com Home Page, http://www.myspace.com/

28

(last visited July 28, 2008). Nothing about the link indicates that it is exceptionally important, much less that failure to click on it and read the underlying terms could subject the user to criminal penalties.

Second, the terms of service presented by many web sites and other online services are lengthy and impenetrable. In one particularly daunting example, Network Solutions, the domain name registrar, has a TOS that takes up 115 pages when pasted into a single spaced, 12-point font Microsoft Word document. See Network Solutions Terms of Service, http://www.networksolutions.com/legal/static-service-agreement.jsp (last visited July 28, 2008). The MySpace terms at issue here contain over 60 separate paragraphs or subparagraphs and takes up roughly ten pages when pasted into a Word document. See Terms and Conditions--MySpace.com, http://www.myspace.com/ index.cfm?fuseaction=misc.terms (last visited July 28, 2008).

Not surprisingly, then, many commentators recognize that few consumers actually take the time to read and understand digital terms of service (or similar software download agreements) before saying they agree to them. See Restatement (Second) of Contracts § 211, cmt. b (1981) ("Customers do not . . . ordinarily understand or even read the standard terms."); Robert L. Oakley, Fairness in Electronic Contracting: Minimum Standards for Non-Negotiated Contracts, 42 Hous. L. Rev. 1041, 1051 (2005) ("Clickwrap licenses are ubiquitous today, and most people click to accept without reading the text."); Robert A. Hillman & Jeffrey J. Rachlinski, Standard-Form Contracting in the Electronic Age, 77 N.Y.U. L. Rev. 429, 429-31 (2002) ("with increasing alacrity, people agree to terms [in clickwrap contracts] by clicking away at electronic standard forms on web sites and while installing software"); Michael I. Meyerson, The Reunification of Contract Law: The Objective Theory of Consumer Form Contracts, 47 U. Miami L. Rev. 1263, 1269 & nn. 28-29 (1933) (citing cases recognizing the failure of most consumers to read form

29

contracts).9 In one notable example, public disregard for license terms was graphically illustrated by a software company that surreptitiously inserted into its license agreement an offer to pay $1000 to the first person to send an email to a particular address. It took four months and more than 3000 installations before someone noticed the offer and claimed the prize. Jeff Gelles, Internet Privacy Issues Extend to Adware, Newark Star-Ledger, July 31, 2005, at 5. See also Ting v. AT & T, 182 F. Supp. 2d 902, 930 (N.D. Cal. 2002) (holding a customer service agreement procedurally unconscionable because lack of notice contributed to surprise, the court acknowledged that "AT & T's own research found that only 30% of its customers would actually read the entire CSA [consumer service agreement] and 10 % of its customers would not read it at all").

Similarly, empirical research confirms that, in the online context, a majority of users ignored the EULA entirely when installing such popular software as Google Toolbar on their home computers. Nathaniel Good et al., Commentary, User Choices and Regret: Understanding Users' Decision Process About Consensually Acquired Spyware, 2 I/S: J.L. & Pol'y for Info. Soc'y 283, 321 (2006). Furthermore, even the few people who do read the terms of service are unlikely to take notice of more than a handful of the provisions. Due to human cognitive limitations, even rational consumers will be ignorant of non-salient terms in form contracts. Melvin Aron Eisenberg, The Limits of Cognition and the Limits of Contract, 47 Stan. L. Rev. 211, 244 (1995).

Moreover, as noted earlier, most website terms, like other form contracts, are long, written in impenetrable legalese and poorly organized. See Robert W. Gomulkiewicz, Getting Serious About User-Friendly Mass Market Licensing for

30

Software, 12 Geo. Mason L. Rev. 687, 692-94, 701-02 (2004). Such contracts often written at a level of difficulty that exceeds the ability of most consumers to understand. See Alan M. White & Cathy Lesser Mansfield, Literacy and Contract, 13 Stan. L. Rev. 233, 235-42 (2002). Drafters of these agreements give little attention to readability, instead relying heavily on legal boilerplate and including restrictive terms primarily designed to limit the company's exposure to liability. See Gomulkiewicz, supra, at 692-94, 701-02; Russell Korobkin, Bounded Rationality, Standard Form Contracts, and Unconscionability, 70 U. Chi. L. Rev. 1203 (2003). Given the difficulty of comprehending form contracts, and the typically low-dollar amount of the transactions to which they apply, a consumers' decision to forego reading a website's terms of use is not only common, but entirely rational. Eisenberg, 47 Stan. L. Rev. at 240-44; Meyerson, 47 U. Miami L. Rev. at 1269-70. Thus, even persons who are conscientious about reading the terms of service may be unaware of some of the provisions. Under these circumstances, whatever the validity of holding such contracts enforceable for purposes of contract law, the transformation of their terms into the defining criteria for serious criminal violations creates serious risks of criminal sanctions for unwitting violations that cannot pass vagueness and notice review.10
B. Web Site Terms Are Frequently And Arbitrarily Changed By Site Owners With Little Or No Likelihood Of Actual Notice To Users
Many terms of service contain clauses which state that the website owner can unilaterally change the terms at any time, and that continued use of the website implies acceptance of the new terms. For example, the MySpace terms at issue here, even if actually read and understood by a user when he or she visits or signs up for

31

an account, expressly state that they can be changed without further notice to the user merely by updating the agreement on the MySpace website the user is then presumably obligated to review the entire terms for changes every time he or she visits. See Terms and Conditions--MySpace.com, http://www.myspace.com/index.cfm?fuseaction=misc.terms (last visited July 28, 2008) ("MySpace may modify this Agreement from time to time and such modification shall be effective upon posting by MySpace on the MySpace Website. Your continued use of the MySpace Services after MySpace posts a revised Agreement signifies your acceptance of the revised Agreement. It is therefore important that you review this Agreement regularly to ensure you are updated as to any changes.")11 Under the Government's expansive view of the CFAA, a person's access to MySpace would be unauthorized or would exceed their authorization if that person used MySpace and inadvertently violated a newly added or updated provision of the terms that had been inserted since the last visit. However challenging such a view of notice to a contract's terms may be for civil contract law, it fundamentally cannot be said to constitute adequate "fair notice" for due process vagueness purposes. See Douglas v. U.S. Dist. Court for Cent. Dist. Calif., 495 F.3d 1062, 1066 & n.1 (9th Cir. 2007) (holding that website users are not required to continually monitor a site's terms of use for possible changes).

32

C. Web Site Terms May Themselves Be Arbitrary, Vague, or Frivolous And Are Created by Private Site Owners for a Myriad of Business or Personal Reasons Having Nothing To Do With Regulating "Access" for CFAA Purposes
Many web site terms contain conditions that are themselves vague, arbitrary or even fanciful. They are not written by their private drafters with the precision and care that would be expected -- indeed required -- of operative provisions in a criminal statute. Yet operative criminal provisions are precisely what routine business terms would be transformed into under the Government's interpretation of § 1030(a)(2)(C). This fact multiplies the likelihood that such an interpretation cannot satisfy the due process requirement that a statute not "fail to provide the kind of notice that will enable ordinary people to understand what conduct it prohibits," Morales, 527 U.S. at 56, since the statute will itself in turn rely for its essential meaning on the existence and clarity of separate contractual terms.

Web site owners and internet businesses draft specific web site and web service terms of use provisions for a variety of reasons that have nothing to do with regulating "access" to their sites, and certainly nothing to do with preventing the sort of unauthorized hacking or trespass or theft of private data with which the CFAA is properly concerned. Google, for example, presumably included the terms of use provision described earlier barring use of its services by minors -- to protect itself against liability and to try to ensure its terms were binding in the event of a litigated dispute. Surely it did not mean or imagine that tens of millions of minors in fact would never use its services to obtain information or would do so at the risk of criminal liability. In another example, YouTube's Community Guidelines, expressly incorporated into the site's terms of use, prohibit "bad stuff." YouTube Community Guidelines, http://www.youtube.com/t/community_guidelines (last visit July 28, 2008). Uploading "bad stuff" would violate YouTube's terms which, under the Government's theory here, would constitute unauthorized access or exceeding authorized access to the site. Surely YouTube did not draft the "bad stuff"

33

prohibition with CFAA access control in mind. The meaning of "bad stuff" is the essence of vagueness, and it is not even clear whose determination --YouTube's? A jury's? -- would be required. To make sense and to avoid fatal vagueness problems, the terms "without authorized access" and "exceeds authorized access" in the CFAA must be limited to clear, proper purposes consistent with the statute's goals, and not whatever commercial or personal purpose motivates a site owner to draft a provision in a terms of service document.

D. Basing Criminal Liability On Private Contract Terms Inevitably Will Lead To Arbitrary And Discriminatory Enforcement
Allowing the provisions of privately created, sometimes arbitrary or even frivolous web site terms of use to prescribe the legally critical CFAA standard for when a person has gained unauthorized access or exceeded authorized access to computers can only lead to arbitrary and discriminatory enforcement of the CFAA. Statutes that create the likelihood of such arbitrary and discriminatory enforcement are invalid. See, e.g., Coates v. City of Cincinnati, 402 U.S. 611, 614 (1971) (law disallowing three people to congregate if it is annoying to others was unconstitutionally vague, "not in the sense that it requires person to conform his conduct to an imprecise but comprehensible normative standard, but rather in the sense that no standard of conduct is specified at all").

Choosing, as the Government has here, to prosecute under the CFAA a single, isolated instance of violating terms or service out of literally millions of similar, ongoing violations illustrates the dangers of arbitrary enforcement. In a world where each violation or neglect of a web site's terms could constitute unauthorized or excessive access and be the basis for criminal prosecution, there simply is no limiting principle that would restrain the exercise of this enforcement discretion and prevent arbitrary or discriminatory application of the law.

34

CONCLUSION

Megan Meier's death was a terrible tragedy, and there is an understandable desire to hold the Defendant somehow accountable for it, if Defendant's conduct was as alleged. But a dangerously overbroad construction of the CFAA would criminalize the everyday conduct of millions of internet users. The novel -- indeed, unprecedented in the history of the CFAA -- interpretation of § 1030(a)(2)(C) advanced in the indictment cannot be squared with the plain language of the statute, its legislative history, and the constitutional requirements that criminal statutes provide citizens fair notice, avoid vagueness and comport with the First Amendment. Consequently, amici urge the Court to dismiss the Indictment.

DATED: August 1, 2008

By ______________________
Jennifer Stisa Granick (California Bar No. 168423)

ELECTRONIC FRONTIER FOUNDATION
[address, phone, fax]

35

Certificate of Compliance with Circuit Rule 32-1

Pursuant to Rules 29(c)(5) and 32(a)(7)(C) of the Federal Rules of Appellate Procedure and Ninth Circuit Rule 32-1, I hereby certify that the foregoing brief uses 14-point Times New Roman spaced type; the text is double-spaced; and footnotes are single-spaced. This brief complies with the type-volume limitations of Federal Rules of Appellate Procedure 29(d) and 32(a)(7)(B) because there are no limits on the length of party briefs in support of motions to dismiss in criminal cases under Rule 12. This brief contains approximately 11,000 words.

DATED: August 1, 2008

By ________________
Jennifer Stisa Granick For Amici Curiae Electronic Frontier
Foundation

APPENDIX A

LAW FACULTY AMICI CURIAE

Amici file this brief in their individual capacities, and not as representatives of the institutions with which they are affiliated. Institutional affiliations are listed for identification purposes only.

Susan Brenner
NCR Distinguished Professor of Law and Technology
University of Dayton School of Law

Lauren Gelman
Executive Director
Center for Internet and Society
Stanford Law School

Llewellyn Joseph Gibbons
Associate Professor
University of Toledo College of Law

Eric Goldman
Assistant Professor of Law
Director, High Tech Law Institute
Santa Clara University School of Law

Mark A. Lemley
William H. Neukom Professor of Law
Stanford Law School
Director, Stanford Program in Law, Science and Technology

Phillip R. Malone
Everett Street
Cambridge, MA

Paul K. Ohm
Associate Professor of Law
University of Colorado Law School

Malla Pollack
Professor of Law
Barkley School of Law
Paducah, Kentucky

Michael Risch
Associate Professor of Law
Project Director - Entrepreneurship, Innovation and Law Program
West Virginia University College of Law

Jason Schultz
Acting Director
Samuelson, Law, Technology & Public Policy Clinic
UC Berkeley School of Law

Brian G. Slocum
Associate Professor of Law
University of the Pacific
McGeorge School of Law

Daniel J. Solove
Professor of Law
George Washington University Law School

William McGeveran
Associate Professor
University of Minnesota Law School

Robert Weisberg
Edwin E. Huddleson, Jr. Professor of Law
Director, Stanford Criminal Justice Center
Stanford Law School


1 The Missouri legislature amended the statute following this case in recognition that the laws in effect at the time would not prohibit the conduct alleged here. The new statute, which requires proof of intent to do harm to another (as the First Amendment requires), may or may not criminalize Defendant's alleged conduct.

2 Accord United States v. Czubinski, 106 F.3d 1069, (1st Cir. 1997) (reversing CFAA and fraud convictions for browsing through IRS files but not sending or obtaining any information, the court added "a cautionary note. The broad language of the mail and wire fraud statutes are both their blessing and their curse. They can address new forms of serious crime that fail to fall within more specific legislation. . . . On the other hand, they might be used to prosecute kinds of behavior that, albeit offensive to the morals or aesthetics of federal prosecutors, cannot reasonably be expected by the instigators to form the basis of a federal felony. The case at bar falls within the latter category.")

3 Another issue is whether the Government must plead and prove that Defendant intended that her access be unauthorized, or merely that she intended to access, and the access also happened to be unauthorized. Criminalizing unintentional computer trespass raises serious due process problems, but amici do not take up that issue here.

4 This failure to allege that Defendant had any actual notice or awareness of the terms of service, her violation of which allegedly constitutes the sole basis for "unauthorized" use and criminal CFAA liability, would appear to undermine the sufficiency of the indictment, given Section 1030(a)(2)(C)'s requirement that one "intentionally" access a computer without authorization or exceed authorized access, However, amici do not focus further on this issue.

5 It is of no import that the Government might not bring these cases. The inability to distinguish in a meaningful and principled way between the terms of service violations of the Defendant here and the myriad other similar violations of terms like those of MySpace or Facebook that occur every day starkly reveals the unconstitutional vagueness and potential for arbitrary enforcement the statute would suffer under the Government's interpretation. See Section III, infra. Moreover, because the CFAA provides for a civil cause of action, the Government's interpretation would enable Google and Facebook and any other affected web site owner to bring suit.

6Of course, a plaintiff may be able to bring a valid claim under state law for misappropriation of trade secrets. That claim would be subject to the safeguards built into the trade secret liability rules, including allowances for reverse engineering and for disclosure of information that is not, in fact, secret. The CFAA violation has no safeguards; under the Government's view in this case it would put all the power in the hands of the corporation drafting the terms of use.

7 Jennifer Granick, Civil Liberties Director with amicus Electronic Frontier Foundation, represented Mr. McDanel on appeal.

8 See also United States v. Wunsch, 84 F.3d 1110, 1119 (9th Cir. 1996) (finding that requirement in state bar statute incorporated in local rule to "abstain from all offensive personality" was unconstitutionally vague in the context of district court sanction of attorney).

9 In fact, research has shown that even participants in sophisticated business transactions routinely fail to read the terms of form contracts. Andrew Robertson, The Limits of Voluntariness in Contract, 29 Melbourne L. Rev. 179, 188 (April 2005) (surveying empirical research).

10See Mark A. Lemley, Terms of Use, 91 Minn. L. Rev. 459, 465, 475-76 (2006) (observing that in civil cases "in today's electronic environment, the requirement of assent has withered to the point where a majority of courts now reject any requirement that a party take any action at all demonstrating agreement to or even awareness of terms in order to be bound by those terms.") (emphasis added). A similar lax view simply cannot provide "fair notice" in the criminal context.

11See, also e.g., West Terms of Use, http://west.thomson.com/about/ terms-of-use/default.aspx?promcode=571404 (last visited July 28, 2008) ("By accessing, browsing, or using this website, you acknowledge that you have read, understood, and agree to be bound by these Terms. We may update these Terms at any time, without notice to you. Each time you access this website, you agree to be bound by the Terms then in effect."); AOL Terms of Use, http://about.aol.com/aolnetwork/ aolcom_terms (last visited July 28, 2008) ("You are responsible for checking these terms periodically for changes. If you continue to use AOL.COM after we post changes to these Terms of Use, you are signifying your acceptance of the new terms.")


  View Printable Version


Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )