United States v. Drew

Last updated

United States v. Drew
Full case nameUnited States v. Lori Drew
DecidedAugust 28, 2009
Docket nos. 2:08-cr-00582
Citation(s)259 F.R.D. 449
Court membership
Judge(s) sitting George H. Wu

United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009), [1] was an American federal criminal case in which the U.S. government charged Lori Drew with violations of the Computer Fraud and Abuse Act (CFAA) over her alleged cyberbullying of her 13-year-old neighbor, Megan Meier, who had committed suicide. [1] [2] The jury deadlocked on a felony conspiracy count and acquitted Drew of three felony CFAA violations, but found her guilty of lesser included misdemeanor violations; the judge overturned these convictions in response to a subsequent motion for acquittal by Drew.

Contents

Allegations leading to indictment and trial

In 2006, Lori Drew (née Shreeves) [3] lived in St. Charles County, Missouri, with her husband Curt and their teenaged daughter, Sarah. Megan Meier, who at one time had been friends with Sarah Drew, lived down the street from Drew. [4]

During the summer of 2006, Drew reportedly became concerned that Meier was spreading false statements about her daughter. Lori Drew, Sarah Drew, and Drew's employee, Ashley Grills, allegedly decided to create a fake Myspace account of a 16-year-old boy under the alias "Josh Evans". [5] They allegedly used that account to discover whether Meier was spreading false statements about Sarah Drew. [6]

Drew allegedly used the Myspace account to contact Meier, who apparently believed that "Josh Evans" was a 16-year-old boy. "Josh Evans" communicated with Meier through October 16, 2006, via the Myspace account in a manner described by the prosecution as flirtatious. [6]

On October 16, 2006, "Josh Evans" allegedly sent Meier a message to the effect that the world would be a better place without her. Additional Myspace members whose profiles reflected links with the "Josh Evans" profile also began to send Meier negative messages. Subsequently, Meier's mother discovered that her daughter had hanged herself in her bedroom closet. [4]

After Meier's death, according to the indictment, Lori Drew removed the fake "Josh Evans" account and commanded a juvenile who knew about the fake account "keep her mouth shut". [7]

In early December 2007, Missouri prosecutors announced they would not file charges against Lori Drew in connection with Megan Meier's death. At a press conference, St. Charles County Prosecutor Jack Banas stated there was not enough evidence to bring the charges. [8] As a result, the federal government decided to pursue the case in Los Angeles, where Myspace is based. [9]

The Meiers did not file a civil lawsuit. [10]

Indictment

Thomas O'Brien, U.S. Attorney for the Central District of California, undertook prosecution of federal charges in connection with the case. [11] [9] On May 15, 2008, Drew was indicted by the Grand Jury of the United States District Court for the Central District of California on four counts. [6] The first count alleged a conspiracy arising out of a charged violation of 18 U.S.C. § 371, namely that Drew and her co-conspirators agreed to violate the CFAA by intentionally accessing a computer used in interstate commerce "without authorization" and in "excess of authorized use", and by using interstate communication to obtain information from the computer in order to inflict emotional distress in violation of 18 U.S.C. § 1030(a)(2)(C). Counts Two through Four allege that Drew violated the CFAA by accessing MySpace servers to obtain information regarding Meier in breach of the Myspace Terms of Service, on September 20, 2006, and October 16, 2006.

Amicus brief in support of defendant

On September 4, 2008, the Electronic Frontier Foundation filed an amicus brief in support of Drew's motion to dismiss the indictment. [12] The brief argued that Drew's indictment was wrongful because Drew's alleged violation of the Myspace terms and conditions was not an "unauthorized access" or a use that "exceeds authorized access" under the CFAA statute; that applying the CFAA to Drew's conduct would constitute a serious encroachment of civil liberties; and that interpreting the CFAA to apply to a breach of a website's Terms of Service would violate the Due Process protections of the Constitution and thereby render the statute void on the grounds of vagueness and lack of fair notice.

Jury trial and split verdict

This jury announced on November 26, 2008 [1] that it was deadlocked on Count One for Conspiracy. It unanimously found Drew not guilty of Counts Two through Four, but convicted her of lesser included misdemeanor offenses on those three counts. [6] [11] [13]

Motion for acquittal granted

On November 23, 2008, Drew filed a motion for acquittal. [14] On August 28, 2009, U.S. District Judge George H. Wu formally granted Drew's motion for acquittal, overturning the jury's guilty verdict on the three misdemeanor CFAA violations. [1]

In his opinion, Wu examined each element of the misdemeanor offense, noting that a misdemeanor conviction under 18 U.S.C. § 1030(a)(2)(C) requires that:

  1. The defendant intentionally have accessed a computer without authorization, or have exceeded authorized access of a computer
  2. The access of the computer involved an interstate or foreign communication
  3. By engaging in this conduct, the defendant obtained information from a computer used in interstate or foreign commerce or communication

Wu found that many courts have held that any computer that provides a web-based application accessible through the internet would satisfy the interstate communication requirement of the second element, and that the third element is met whenever a person using a computer contacts an internet website and reads any part of that website.

The only issue arose with respect to the first element, and the meaning of the undefined term "unauthorized access". Wu noted the government's concession that its only basis for claiming that Drew had intentionally accessed Myspace's computers without authorization was the creation of the false "Josh Evans" alias in violation of the MySpace Terms of Service. Wu reasoned that, if a conscious violation of the Terms of Service was not sufficient to satisfy the first element, Drew's motion for acquittal would have to be granted for that reason alone. Wu found that an intentional breach of the Myspace Terms of Service could possibly satisfy the definition of an unauthorized access or access exceeding authorization, but that rooting a CFAA misdemeanor violation in an individual's conscious violation of a website's Terms of Service would render the statute void for vagueness because there were insufficient guidelines to govern law enforcement as well as a lack of actual notice to the public.

Wu cited several reasons an individual would be lacking in actual notice:

Wu summed up his opinion by stating that allowing a violation of a website's Terms of Service to constitute an intentional access of a computer without authorization or exceeding authorization would "result in transforming section 1030(a)(2)(C) into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals." [1] For these reasons, Wu granted Drew's motion for acquittal. The Government did not appeal. [15]

Legislative responses

Missouri legislators amended the state's harassment law to include penalties for bullying via computers, other electronic devices, or text messages. The bill was approved on May 16, 2008. [16] [17] More than twenty states have enacted legislation to address bullying that occurs through electronic media. [17] These laws include statutes that mandate that school boards must adopt policies to address cyberbullying, statutes that criminalize harassing minors online, and statutes providing for cyberbullying education. [18] California enacted Cal. Educ. Code §32261 that encourages schools and other agencies to develop strategies, programs and activities that will reduce bullying via electronic and other means. [19]

A bill was introduced in Congress in 2009 (H.R. 1966) [20] to set a federal standard definition for the term cyberbullying, [21] but the proposal was criticized as overbroad and did not advance.

Reactions

Legal experts expressed concern that the prosecution sought effectively to criminalize any violation of web site terms of service. [22] Andrew M. Grossman, senior legal analyst for The Heritage Foundation, said, "If this verdict stands ... it means that every site on the Internet gets to define the criminal law. That's a radical change. What used to be small-stakes contracts become high-stakes criminal prohibitions." [1]

Law professor Orin Kerr, one of Drew's pro bono attorneys, commented that he was "very pleased" with the vacated guilty verdict as the case was "an extremely important test case for the scope of the computer crime statutes, with tremendously high stakes for the civil liberties of every Internet user". [23]

See also

Related Research Articles

<span class="mw-page-title-main">Computer Fraud and Abuse Act</span> 1986 United States cybersecurity law

The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.

<span class="mw-page-title-main">Sock puppet account</span> Online identity used for purposes of deception

A sock puppet is a false online identity used for deceptive purposes. The term originally referred to a hand puppet made from a sock. Sock puppets include online identities created to praise, defend, or support a person or organization, to manipulate public opinion, or to circumvent restrictions such as viewing a social media account that a user is blocked from. Sock puppets are unwelcome in many online communities and forums.

Final Exit Network, Inc. (FEN) is an American 501(c)(3) nonprofit right to die advocacy group incorporated under Florida law. It holds that mentally competent adults who suffer from a terminal illness, intractable pain, or irreversible physical conditions have a right to voluntarily end their lives. In cases deemed valid, Final Exit Network arranges what it refers to as "self deliverances". Typically, the network assigns two "exit guides" to a client and are present when they die, but the network states, and has proven in court, that it does not provide physical assistance in anyone's death; rather, their role is that of compassionate advisors and witnesses.

<span class="mw-page-title-main">Suicide of Megan Meier</span> Suicide of American cyberbullied teenager

Megan Taylor Meier was an American teenager who died by suicide by hanging herself three weeks before her 14th birthday. A year later, Meier's parents prompted an investigation into the matter and her suicide was attributed to cyberbullying through the social networking website MySpace. Lori Drew, the mother of a classmate of Meier, was found guilty of cyberbullying in the 2009 case United States v. Drew. However, her conviction was overturned by the judge.

Sergey Aleynikov is a former Goldman Sachs computer programmer. Between 2009 and 2016, he was prosecuted by NY Federal and State jurisdictions for the same conduct of allegedly copying proprietary computer source code from his employer, Goldman Sachs, before joining a competing firm. His first prosecution in federal court in New York ultimately resulted in acquittal by the United States Court of Appeals for the Second Circuit. The outcome of his second prosecution and trial in New York state court was a split verdict dismissed by court, which acquitted him on all counts. One count in that order of dismissal was later overturned by New York Court of Appeals, which took a very broad interpretation of the statute, and on recommendation of prosecutors he was sentenced to time served without punishment. The same New York Court of Appeals denied his petition to appeal on double jeopardy grounds. His story inspired Michael Lewis's bestseller Flash Boys.

Cyberstalking and cyberbullying are relatively new phenomena, but that does not mean that crimes committed through the network are not punishable under legislation drafted for that purpose. Although there are often existing laws that prohibit stalking or harassment in a general sense, legislators sometimes believe that such laws are inadequate or do not go far enough, and thus bring forward new legislation to address this perceived shortcoming. In the United States, for example, nearly every state has laws that address cyberstalking, cyberbullying, or both.

<i>LVRC Holdings LLC v. Brekka</i>

LVRC Holdings v. Brekka 581 F.3d 1127, 1135 is a Ninth Circuit Court of Appeals Decision that deals with the scope of the concept of "authorization" in the Computer Fraud and Abuse Act. The major finding of this case is that even if an employee accesses a computer for an improper purpose, such as one that violates the duty of loyalty to their employer, the employee remains authorized to access the computer until the employer revokes the employee's access. The findings of this case were upheld by another Ninth Circuit decision in United States v. Nosal, 676 F.3d 854 and are the current law in this circuit.

<i>United States v. LaMacchia</i>

United States v. LaMacchia 871 F.Supp. 535 was a case decided by the United States District Court for the District of Massachusetts which ruled that, under the copyright and cybercrime laws effective at the time, committing copyright infringement for non-commercial motives could not be prosecuted under criminal copyright law.

<i>United States v. Nosal</i> United States Court of Appeals for the Ninth Circuit decision

United States v. Nosal, 676 F.3d 854 was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit's first ruling established that employees have not "exceeded authorization" for the purposes of the CFAA if they access a computer in a manner that violates the company's computer use policies—if they are authorized to access the computer and do not circumvent any protection mechanisms.

<i>United States v. John</i> (2010)

In United States v. John, 597 F.3d 263 (2010) United States Court of Appeals for the Fifth Circuit interpreted the term "exceeds authorized access" in the Computer Fraud and Abuse Act 18 U.S.C. §1030(e)(6) and concluded that access to a computer may be exceeded if the purposes for which access has been given are exceeded.

<i>International Airport Centers, L.L.C. v. Citrin</i>

In International Airport Centers, L.L.C. v. Citrin, the Seventh Circuit Court of Appeals evaluated the dismissal of the plaintiffs' lawsuit for failure to state a claim based upon the interpretation of the word "transmission" in the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Jacob Citrin had been employed by IAC, who had lent him a laptop for use while under their employment. Upon leaving IAC, he deleted the data on the laptop before returning it to IAC. The Court of Appeals decided to reverse the decision and reinstated IAC's lawsuit.

<i>United States v. Swartz</i> American court case

In United States of America v. Aaron Swartz, Aaron Swartz, an American computer programmer, writer, political organizer and Internet activist, was prosecuted for multiple violations of the Computer Fraud and Abuse Act of 1986 (CFAA), after downloading academic journal articles through the MIT computer network from a source (JSTOR) for which he had an account as a Harvard research fellow. Facing trial and the possibility of imprisonment, Swartz died by suicide, and the case was consequently dismissed.

Lee v. PMSI, Inc., No. 10-2094, was a case in the United States District Court for the Middle District of Florida about whether the Computer Fraud and Abuse Act (CFAA) makes it illegal for an employee to violate an employer's acceptable use policy. The court ruled that violating an employer's policy did not "exceed authorization" as defined by the CFAA and was not illegal under the act.

<i>Craigslist Inc. v. 3Taps Inc.</i> 2013 Northern District of California Court case

Craigslist Inc. v. 3Taps Inc., 942 F.Supp.2d 962 was a Northern District of California Court case in which the court held that sending a cease-and-desist letter and enacting an IP address block is sufficient notice of online trespassing, which a plaintiff can use to claim a violation of the Computer Fraud and Abuse Act.

<i>Pulte Homes, Inc. v. Laborers International Union</i>

Pulte Homes, Inc. v. Laborers' International Union of North America, 648 F.3d 295, is a Sixth Circuit Court of Appeals case that reinstated a Computer Fraud and Abuse Act ("CFAA") claim brought by an employer against a labor union for "bombarding" the company's phone and computer systems with emails and voicemail, making it impossible for the company to communicate with customers. It held that causing a transmission that diminishes a plaintiff's ability to use its systems and data constitutes "causing damage" in violation of the CFAA.

<span class="mw-page-title-main">Catfishing</span> Deceptive online social network presence

Catfishing refers to the creation of a fictitious online persona, or fake identity, with the intent of deception, usually to mislead a victim into an online romantic relationship or to commit financial fraud. Perpetrators, usually referred to as catfish, generally use fake photos and lie about their personal lives to present themselves as more attractive for financial gain, personal satisfaction, evasion of legal consequences, or to troll. Public awareness surrounding catfishing has increased in recent years, partially attributed an increase in the occurrence of the practice combined with a number of high-profile instances.

People v. Marquan M., 2014 WL 2931482 was the first case in which a US court weighed the constitutionality of criminalizing cyberbullying. In People v. Marquan M., the New York Court of Appeals struck down an Albany County law that criminalized cyberbullying, declaring its restrictions overly broad and thus in violation of the Free Speech Clause of the First Amendment.

<i>United States v. Valle</i> 2015 criminal case

United States v. Valle was a criminal case in the Southern District of New York concerning Gilberto Valle, a New York City Police Department officer who had discussed on online fetish chatrooms his fantasies about kidnapping, torturing, raping, killing, and cannibalizing various women he knew, and had used a police database to find the addresses of some. Dubbed the "Cannibal Cop" by the media, Valle was convicted by a jury of conspiracy to commit kidnapping and, for the use of the police database, violations of the Computer Fraud and Abuse Act (CFAA). The presiding judge, however, acquitted Valle on the conspiracy charges notwithstanding the verdict, ruling that the prosecution had not proven that Valle's online communications went beyond "fantasy role-play". On appeal, the United States Court of Appeals for the Second Circuit upheld the judge's judgment of acquittal and further ruled Valle's misuse of the police database did not constitute a violation of the CFAA, thus acquitting him of the lesser charge.

<i>United States v. Kane</i> United States federal court case involving video poker software

United States v. Kane, No 11-mj-00001, is a court case where a software bug in a video poker machine was exploited to win several hundred thousand dollars. Central to the case was whether a video poker machine constituted a protected computer and whether the exploitation of a software bug constituted exceeding authorized access under Title 18 U.S.C. § 1030(a)(4) of the Computer Fraud and Abuse Act (CFAA). Ultimately, the Court ruled that the government’s argument failed to sufficiently meet the “exceeding authorized access” requirement of Title 18 U.S.C. § 1030(a)(4) and granted the Defendants’ Motions to Dismiss.

Van Buren v. United States, 593 U.S. ___ (2021), was a United States Supreme Court case dealing with the Computer Fraud and Abuse Act (CFAA) and its definition of "exceeds authorized access" in relation to one intentionally accessing a computer system they have authorization to access. In June 2021, the Supreme Court ruled in a 6–3 opinion that one "exceeds authorized access" by accessing off-limit files and other information on a computer system they were otherwise authorized to access. The CFAA's language had long created a circuit split in case law, and the Court's decision narrowed the applicability of CFAA in prosecuting cybersecurity and computer crime.

References

  1. 1 2 3 4 5 6 United States v. Drew, 259F.R.D.449 ( C.D. Cal. 2009).
  2. Stelter, Brian (November 27, 2008). "Guilty Verdict in Cyberbullying Case Provokes Many Questions Over Online Identity". The New York Times.
  3. Kim Zetter (July 2, 2009). "Judge Acquits Lori Drew in Cyberbullying Case, Overrules Jury". Wired. Retrieved December 29, 2018 via www.wired.com.
  4. 1 2 Maag, Christopher (November 28, 2007). "A Hoax Turned Fatal Draws Anger but No Charges". The New York Times .
  5. United States District Court for the Central District of California (May 15, 2008), Federal Indictment (Case 2:08-cr-00582-GW Document 1), p. 7 via scribd.com
  6. 1 2 3 4 United States District Court for the Central District of California (November 10, 2008), Government's Trial Memorandum (Case 2:08-cr-00582-GW Document 64)
  7. United States District Court for the Central District of California (May 15, 2008), Federal Indictment (Case 2:08-cr-00582-GW Document 1), p. 8 via scribd.com
  8. "Prosecutor: No Criminal Charges in MySpace Suicide". Fox News. December 3, 2007.
  9. 1 2 "Megan's Law; Cyber-bullying and the courts". The Economist. July 11, 2009.
  10. Pokin, Steven (November 11, 2007). "'MySpace' Hoax Ends with Suicide of Dardenne Prairie Teen". Suburban Journals.
  11. 1 2 Zetter, Kim (November 26, 2008), Lori Drew Not Guilty of Felonies in Landmark Cyberbullying Trial, Wired
  12. Brief of Amici Curiae: ELECTRONIC FRONTIER FOUNDATION, ET AL., IN SUPPORT OF DEFENDANT'S MOTION TO DISMISS INDICTMENT FOR FAILURE TO STATE AN OFFENSE AND FOR VAGUENESS (PDF), September 4, 2008
  13. McCarthy, Tom; Michels, Scott (July 1, 2009). "Lori Drew MySpace Suicide Hoax Conviction Thrown Out" . Retrieved December 5, 2021.
  14. United States District Court, Central District of California (Western Division − Los Angeles), Criminal Docket for Case No. CR 08-0582-GW
  15. Zetter, Kim (November 20, 2009), Prosecutors Drop Plans to Appeal Lori Drew Case, Wired
  16. "Missouri Lawmakers Pass Bill Against Cyber-harassment after MySpace Suicide Case". Los Angeles Times . Associated Press. May 17, 2008.
  17. 1 2 "Cyberbullying: Responses". National Coalition Against Censorship. October 1, 2009. Archived from the original on June 6, 2015.
  18. "Cyberbullying: Statutes and Policies". National Coalition Against Censorship. July 6, 2010.
  19. "Education Code, Section 32260-32262". Official California Legislative Information.
  20. 111th Congress (2009-2010) (April 2, 2009). "Bill Text: H.R.1966". Archived from the original on August 11, 2009. Retrieved December 1, 2009.{{cite web}}: CS1 maint: numeric names: authors list (link)
  21. Wertheimer, Linda (April 5, 2009), Prosecuting Cyber Bullies (Radio Broadcast on "Weekend Edition Sunday"), National Public Radio
  22. Zetter, Kim (May 15, 2008). "Experts Say MySpace Suicide Indictment Sets 'Scary' Legal Precedent". Wired.
  23. Kerr, Orin (August 29, 2009). "Lori Drew Opinion Handed Down – Judge Grants Motion to Dismiss on Vagueness Grounds". The Volokh Conspiracy.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.