Wednesday, June 18, 2008

Using anti-hacking law to punish cyberstalking

(via The Guardian) An interesting case is taking place in the United States. Megan Meier was a 13-year-old girl from Missouri who had a MySpace page and an active web presence. She received a friend invitation from a 16-year-old called Josh Evans (16), and they exchanged messages and flirted for several weeks. At some point, Josh told Megan that he was leaving town, Meier expressed her love for him, but his messages grew darker. At some point he commented that "The world would be a better place without you". She killed herself one hour after receiving that message.

Sounds like a tragic story of teenage love gone seriously wrong, but this one has a twist. Josh Evans was actually Ms Lori Drew (49), Megan's next-door neighbour. The mind boggles at the mindset that makes someone act so callously, but as someone said, being mean online is not a crime, or is it? In principle, Ms Drew's actions, as reprehensible as they are, do not seem to fall into any criminal type, so her cyberstalking (or cyberbullying?) had gone unchallenged in the courts. However, prosecutors are bringing Federal charges under the Computer Fraud and Abuse Act on one count of conspiracy and three counts of "accessing protected computers without authorization to obtain information to inflict emotional distress". Each count carries a maximum five years in prison, and the case is being heard in the Central District of California because MySpace is based in Beverly Hills.

The legal reasoning behing the indictment is disturbing for various reasons. How can legislation designed to curb hacking and illicit access to a computer be used to accuse a person who has used an online persona to inflict emotional distress? The reasoning from the U.S. Attorny making the charges state that:

"The indictment alleges that Drew, along with others, registered as a member of MySpace under the name “Josh Evans.” Drew and her co-conspirators then used the Josh Evans account to contact M.T.M. and began what the girl believed was an on-line romance with a 16-year-old boy. In taking those actions, the indictment alleges, Drew and her co-conspirators violated MySpace’s “terms of service” (TOS) that prohibit users from, among other things, using fraudulent registration information, using accounts to obtain personal information about juvenile members, and using the MySpace communication services to harass, abuse or harm other members."
This implies, strike that, this clearly states that lying in application forms and therefore violating terms of service is a crime. Say what? This practice is used every single day by thousands and thousands in discussion boards around the world! The prosecutors seem to be stretching the law to breaking point on this one. Specifically, I have read the relevant sections in the Computer Fraud and Abuse Act, and the legislation is clearly geared towards hacking and unauthorised access. Since when is breach of TOS equivalent to hacking?

This case is part of a growing line of murders and suicides where online annonimity, play-acting and misidentification have played a part. There was the strange case of an online suicide pact, or the bizarre case of IM deceit that led to a murder in upsate New York. Therefore, there may be some justification about enacting legislation to protect teenagers against cyber-bullying and cyberstalking, something that U.S. legislators appear to be keen on doing. However, tragic the case is, abusing anti-hacking law to try to punish some reprehensible actions is excessive.

On a semi-related note, it is strange reading some of my old posts. I sound rather unsophisticated!

No comments: