United States v. Drew - 259 F.R.D. 449 (C.D. Cal. 2009)

Rule:

The language of former 18 U.S.C.S. § 1030(a)(2)(C) (amended 2008) does not explicitly state (nor does it implicitly suggest) that the Computer Fraud and Abuse Act, 18 U.S.C.S. § 1030, has criminalized breaches of contract in the context of website terms of service. Normally, breaches of contract are not the subject of criminal prosecution. Thus, while ordinary people might expect to be exposed to civil liabilities for violating a contractual provision, they would not expect criminal penalties. This is especially the case where the services provided by a web service provider are in essence offered at no cost to the users and, hence, there is no specter of the users defrauding the provider in any monetary sense.

Facts:

Defendant Lori Drew entered into a conspiracy in which its members agreed to intentionally access a computer used in interstate commerce without (and/or in excess of) authorization in order to obtain information for the purpose of committing the tortious act of intentional infliction of emotional distress upon Megan Meier. Defendant, and her co-conspirators, registered and set up a profile for a fictitious 16 year old male juvenile named "Josh Evans" on the www.MySpace.com website ("MySpace"). The conspirators contacted Megan through the MySpace network (on which she had her own profile) using the Josh Evans pseudonym and began to flirt with her over a number of days. Eventually, “Josh” told Megan that he no longer liked her. Megan killed herself. Subsequently, defendant was charged with one count of conspiracy in violation of 18 U.S.C. § 371 and three counts of violating a felony portion of the CFAA, i.e., 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(B)(ii), which prohibited accessing a computer without authorization or in excess of authorization and obtaining information from a protected computer where the conduct involved an interstate or foreign communication and the offense was committed in furtherance of a crime or tortious act. The jury found that the defendant was guilty of the “lesser included” misdemeanor CFAA violation of 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(A), but was acquitted of felony charges under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C.S. § 1030. Defendant moved for a judgment of acquittal pursuant to Fed. R. Crim. P. 29(c).

Issue:

Did an intentional breach of an Internet website's terms of service, without more, constitute a CFAA misdemeanor violation, and if so, did the statute survive a vagueness challenge?

Answer:

No.

Conclusion:

The Court noted that the only basis for finding defendant guilty was her violation of a terms of use agreement by deliberately creating a false profile, posting a photograph of a juvenile without his permission, and pretending to be that juvenile in order to communicate with another user. According to the Court, treating a violation of the website's terms of use agreement, without more, as a statutory violation ran afoul of the void-for-vagueness doctrine. Individuals of common intelligence were not on notice that a breach of a terms of service contract could become a crime under the CFAA as the statute's language did not provide sufficient notice, it was unclear whether any or all violations of terms of service rendered the access unauthorized, and contract law varied from state-to-state. Moreover, there was an absence of minimal guidelines to govern law enforcement where it was unclear whether every intentional breach of a website's terms of service was equivalent to an intent to access the site without authorization. Accordingly, the motion for a judgment of acquittal was granted.