[Infowarrior] - The Drew Verdict Makes Us All Hackers
Richard Forno
rforno at infowarrior.org
Tue Jan 13 13:05:38 UTC 2009
The Drew Verdict Makes Us All Hackers
Mark Rasch, 2009-01-09
http://www.securityfocus.com/columnists/489?ref=rss
Last month, Lori Drew — the middle-aged Missouri mother who
participated in a plan to deceive a 13-year-old girl that ultimately
led to the girl's suicide — was convicted by a Los Angeles federal
jury of several misdemeanor counts of unauthorized access to MySpace's
computers.
The ultimate verdict was perhaps the worst possible outcome, from both
a legal and a social standpoint. The final ruling could pose a genuine
threat of widespread civil and criminal litigation against almost
everyone, especially security researchers and white-hat hackers.
The government argued that Drew, together with her daughter and a post-
adolescent employee, created a fictitious MySpace user account in the
name of a 16-year-old boy, and used that account not only to obtain
information about the girl, but ultimately to "intentionally inflict
severe emotional distress," the indictment charges.
However, the jury didn't buy it. They rejected the government's
argument about motive, noting to at least one reporter that there was
no evidence that the messages Drew sent through MySpace were
malicious. However, the jury did convict Drew of electronic trespass —
that is, hacking.
What is left of the government's theory is that, if you violate the
terms-of-service of any online agreement, you are using the services
in excess of your authorization. While the risks of an actual criminal
prosecution may be minimal, from a legal perspective the precedent is
disastrous. For example, the Google TOS expressly says that you have
to have the capacity to contract before you can use the service: Thus,
a 16-year-old boy who does a Google search technically violates the
TOS and commits a crime. What is worse is that, if I am asked for
legal advice, I would have to say that it is technically a crime, but
that you would be unlikely to be prosecuted.
This undoubtedly will have a chilling effect on all kinds of conduct
that should be permitted even though it is technically in violation of
some provision of a terms-of-service agreement.
A legal pretzel
When the Federal Computer Fraud and Abuse Act, 18 USC 1030, was drafted
in the early 1980s, it was intended to fix a loophole in the law.
If a person "broke in" to a house, an office, a store, or some
physical place, they could be convicted of criminal trespass. If they
did so with the intent to commit some crime, they could be convicted
of a more serious crime — say, for example, burglary. But there was
no similar crime for breaking in to a computer, computer system, or
computer network. Hence, the new statute.
Originally, the statute distinguished between breaking in (accessing
without authorization) and stealing something (obtaining certain kinds
of protected information), recognizing that not all kinds of
information should be protected under federal criminal law.
Over the years, however, the requirements of the statute were
progressively weakened. Accessing a computer without authorization —
never a particularly well-defined concept to begin with — morphed into
the even more ambiguous "exceeding the scope of authorization" to
access a computer. Instead of protecting certain classes of
information — such as financial transactions or classified secrets —
the statute now permits prosecution of people who obtained any kind of
information, including publicly available information.
Moreover, the misdemeanor provisions of the federal law now make it a
crime to, in interstate commerce, intentionally exceed authorized
access to a computer and thereby obtain information.
Essentially, the new statute took vague, ambiguous, and undefined
concepts of authorization, access, computer, and information, and made
them even more convoluted. It vests in the prosecutor and the jury the
sole discretion about whether or not a particular action constitutes a
crime.
Felonies and misdemeanors
Had the jury been convinced that the government had proven that Lori
Drew intended to commit some crime or tort in creating the fictitious
account, then a felony conviction would have at least been
understandable. The jury wanted to "punish" Drew.
The problem is that the jury stated that they were not convinced that
Drew had intent to commit any crime or tort. Lori Drew was ultimately
convicted only of having exceeded the scope of her permission to use
the MySpace account by violating MySpace's terms-of-service
agreement. They were likewise not persuaded that Drew hadn't
"intentionally" exceeded the scope of her authorization, because she
never saw the terms-of-service. One juror commented to Wired News that
"I always read the terms of service ... If you choose to be lazy and
not go through that entire agreement or contract of agreement then
absolutely you should be held liable."
So what we are left with is a plain vanilla breach of contract case
leading to incarceration. This is made all the worse by the fact that,
unlike the Drew juror claims, most of us either do not read or do not
strictly comply with the terms-of-service agreements, which are written
by lawyers to both protect the website or hosting service or, at a
minimum, to limit their liability. Thus, things like allowing your
children to do a Google search violate criminal law. Using a work
computer for a non-business purpose may be grounds not only for
dismissal, but also for incarceration, even if no harm results.
The same concept has been repeatedly used in civil lawsuits claiming
that a breach of a terms of service constitutes a "trespass to
chattels." Thus, a corporate website which says something like "by
using this website, you agree never to criticize this company" would
not only open someone to breach of contract liability, but also to
trespass prosecution.
Of course, the federal criminal law does have an exception. It permits
authorized law enforcement or intelligence activities, so that the
cops can lie. Entities like Perverted Justice, which pose as
adolescents online to lure child predators, would be repeat criminals
themselves. Children who themselves lie about their identities to
ward off predators would similarly be subject to prosecution.
While the threat of actual criminal prosecution for any of these terms-
of-service breaches is small, if you were to ask me — based on the
Drew case — whether any of these actions were "legal," I would have to
answer "no."
While we clearly do not want to encourage or reward irresponsible and
malicious conduct like that Drew allegedly committed, we similarly do
not want to criminalize essentially innocent conduct, which is for
what she was convicted. This would have a chilling effect on a range
of otherwise permissible behavior.
The trial judge has the option to dismiss the charges — either on
factual or legal grounds. Factually, there is scant evidence that
Drew personally created the fictitious account or read — or had the
opportunity to read — the terms-of-service agreement she is convicted
of violating. For the judge to overturn the verdict from a legal
standpoint, he would have to conclude that merely exceeding the scope
of a terms-of-service agreement does not itself constitute a violation
of a statute which makes it a misdemeanor to, in interstate commerce,
"intentionally exceed authorized access to a computer and thereby
obtain information."
We make lots of things crimes in this country. Spitting on the
sidewalk, jaywalking, and even double parking. Let's not add breach
of terms-of-service agreements to the mix.