Lori Drew Prosecuted for CFAA Violations–Some Comments, and a Practice Pointer

By Eric Goldman

Before I get started, let me first say that my heart goes out to Megan Meier’s family. They have suffered a devastating tragedy, and I cannot possibly fathom the pain they must feel. As a result, I feel a little awkward blogging on the situation because I fear my words could be misinterpreted as some sign of disrespect or lack of empathy towards the family. I definitely don’t intend that.

I have also passed on blogging about Megan Meier’s suicide because, until recently, I didn’t think it raised a real cyberspace issue. Assuming the publicized facts are true, MySpace played a crucial role in mediating the communications between Drew and Meier, but Drew’s ruse could have been perpetrated using a variety of communication media. Indeed, for millennia (and well before the Internet), people have been sending false messages to each other as part of some manipulative effort (Les Liaisons Dangereuses comes to mind, but we could find countless other examples). The fact that Drew chose MySpace for her scheme has always struck me as uninteresting at best. I recognize that perhaps MySpace made it easier for Drew to pull off her ruse, and perhaps Meier attached more credibility to MySpace messages than she would have attached to messages delivered in other media. But given that people can do serious harm to other people using many different types of communications media, I think it’s a mistake to treat this tragedy as a source of profound insight into the nature of cyberbullying or the evils of cyberspace.

Despite this, we know that a high-profile situation like this will spur overreactions. Of most interest for this blog post is last week’s federal indictment of Lori Drew for crimes predicated (at their core) on violations of the Computer Fraud and Abuse Act (CFAA). See the indictment. The CFAA violation putatively occurred because MySpace’s user agreement required users to:

* provide accurate registration information

* not use information obtained from MySpace to harass or abuse others

* not solicit information from kids

* not promote false/misleading information

* not promote abusive or threatening conduct

* not post photos of third parties without their consent

Allegedly, Lori Drew breached the user agreement by failing to follow these provisions; and by breaching the user agreement, she made an unauthorized criminal use of MySpace’s servers.

In the civil context, plaintiffs frequently use the CFAA to attack a defendant’s server usage in violation of a site’s user agreement. However, as far as I (and Orin) know, this is the first time the DOJ has tried to treat a user’s breach of a site’s user agreement as a CFAA crime. Not only is this theory potentially unsupported by the law (see, e.g., Orin Kerr and Dan Solove), but it puts almost all of us at risk of federal prosecution (see, e.g., Wired and the AP). Implicitly, the DOJ is saying that breaching a user agreement to provide false registration to a website or post a third party’s photo without permission can be a federal crime. If you have never done any of these activities, please email me so I can send you some angel wings. For the rest of us, the DOJ seems to think that we should avoid the Big House only out of their sheer grace.

Also, though Drew’s actions may have been heinous, her alleged breaches of the MySpace user agreement were, to be as charitable as possible, chickenscratch. Most websites like MySpace include contractual restrictions like the ones at issue simply to preserve their ability to kick off troublesome users at their discretion–not to put every non-conforming user at risk of looking down the barrel of an FBI agent’s .45.

As a result, the DOJ prosecutors appear to be trying to make the MySpace user agreement do more work than it was designed to do. In that respect, I see this case as part of a broader trend where government enforcement agencies are misreading and misusing website user agreements. Consider two other very recent examples of government folks attaching undue emphasis to restrictions in website user agreements:

* the New Jersey Attorney General’s office apparently misread restrictions in JuicyCampus’ user agreement to think they should constitute affirmative marketing representations

* Joe Lieberman thinks YouTube should wipe terrorist videos off its site because its community guidelines discourage users from posting violent videos

This disturbing trend prompts me to offer a practice pointer to those of you who draft user agreements. Many user agreements—including MySpace’s—have gotten bloated with lengthy lists of restrictive rules (a manifestation of the rule proliferation phenomenon I blogged about here). It’s pretty clear to me that government enforcement actors, either because of their fundamental misunderstanding of contract law or for their own self-aggrandizement, will treat these restrictions as expectations that the conduct won’t occur on the site. But because most websites don’t proactively enforce the restrictions they announce, this sets up a mismatch between rules and actual behavior—a mismatch that enforcers appear all too happy to exploit.

Therefore, I think it is better practice for contract-drafters to rely more heavily on general restrictive clauses in website user agreements (e.g., “we can kick you off at our convenience”) than on overly detailed/specific but underenforced lists of restrictions. I know this stance runs contrary to the prevailing sentiment among most Cyberlawyers, who seem to believe that for every bad user behavior, it’s easy enough to add a new contract prohibition that putatively eliminates the problem. But if the contracts are being misread, rule proliferation may be doing more long-term harm than good.