The written decision follows an oral ruling from the bench along the same lines earlier this year.
Defendant Lori Drew was convicted of a misdemeanor under the federal statute against computer hacking, called the Computer Fraud and Abuse Act. The prosecution argued that because Drew and her daughter had been involved in creating a fictional character on MySpace, therefore the mother had accessed a computer without authorization, a misdemeanor under the CFAA.
“The pivotal issue herein is whether basing a CFAA misdemeanor violation upon the conscious violation of a
website’s terms of service runs afoul of the void-for-vagueness doctrine,” wrote Judge George Wu in a 32-page decision. “This Court concludes that it does.”
The parent would in that case be violating the MySpace prohibition on “advertising to, or solicitation of, any Member to buy or sell any products or services through the Services.”
The suicide victim had herself violated the terms because she was too young when she signed up for an account at the age of 13.
“If every such breach does qualify, then there is absolutely no limitation or criteria as to which of the breaches should merit criminal prosecution. All manner of situations will be covered from the more serious (e.g. posting child pornography) to the more trivial (e.g. posting a picture of friends without their permission). All can be prosecuted. Given the `standardless sweep’ that results, federal law enforcement entities would be improperly free `to pursue their personal predilections.’ Kolender, 461 U.S. at 358 (citing Smith v. Goguen, 415 U.S. 566, 575 (1994)). (See editorial)
“In sum, if any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law `that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].’ City of Chicago, 527 U.S. at 64.”