Lori Drew Conviction Reflections, Part 1 of 3: Why MySpace Might Regret the Conviction

By Eric Goldman

[As I’ve mentioned before, I think Lori Drew’s conviction is a tragic denouement to an already tragic situation. After thinking more about the conviction, I initially planned to blog some brief additional commentary to my initial post. However, that post grew so long that I decided to split it into a special three-part series. This post, Part 1, explains why MySpace, the putative victim of Lori Drew’s crime, might end up regretting the conviction. Part 2 will address some problems with holding Lori Drew responsible for a contract she never clicked through. Part 3 will discuss some lessons for Cyberlawyers who draft online user agreements.]

On this year’s Cyberlaw exam, I tested students on the federal crimes exception to 47 USC 230. As I’ve thought more about that, I realized that once Lori Drew was convicted of a federal crime, everyone else associated with Drew lacks 47 USC 230 protection if the government decides to prosecute them as well.

As a result, if overzealous prosecutors decided to prosecute any of Lori Drew’s online support vendors—such as, say, her Internet access provider—these additional defendants cannot defend using 47 USC 230. Of course, prosecutors may not be able to establish a prima facie claim against these third parties, but the point remains that companies that normally expect to rely on 47 USC 230 for user behavior now face a new exposure risk.

The most obvious potential defendant who might fear this consequence is MySpace, which facilitated the fateful conversation between Drew/Grills and Meier. However, Drew was convicted of violating the Computer Fraud & Abuse Act, which protects against harms to computer servers. This means that, as a matter of criminal law, MySpace was the victim of Drew’s crime in this case.

It’s easy to forget that MySpace is the victim. First, for a victim of such a high profile case, MySpace has been surprisingly quiet in this matter. I believe MySpace provided some support to the prosecution and made a few public remarks critical of Drew, but overall my impression is that they have tried to avoid public scrutiny of their role in this tragedy. Second, it stretches credibility to believe that Drew harmed MySpace. MySpace is hardly a sympathetic victim; and if anything, given the serious problems taking place on MySpace (1, 2, 3, 4, 5), many Americans probably view MySpace as part of the problem, not a victim.

Ironically, then, MySpace could go from victim in this case to defendant in the next. For example, if any of its users use the MySpace network to commit a similarly de minimis Computer Fraud & Abuse violation against a third party website, MySpace may not be able to invoke the 47 USC 230 shield that it normally depends upon. As a result, MySpace may have to rely on prosecutorial discretion to avoid a high-risk and expensive criminal prosecution. As highlighted by Drew’s prosecution, we all know how comforting that is.

More generally, I realize that the federal crimes exception to 47 USC 230 is underexplored (making it another good paper topic if you’re looking for one). I’ve only blogged on it a few times, including my comments to the SEC anti-linking proposal, the Google and Yahoo settlement regarding gambling ads and civil plaintiffs’ (failed) arguments that civil claims deriving from federal criminal laws are not preempted (they are) (1, 2). I could see why this dearth of material might change: the angst about 47 USC 230’s broad immunization inevitably will put more pressure the immunity’s few exclusions.

(Parts 2 and 3 will follow next week).