AI Case Brief
Generate an AI-powered case brief with:
Estimated cost: $0.001 - $0.003 per brief
Full Opinion
DECISION ON DEFENDANTâS F.R.CRIM.P. 29(c) MOTION
I. INTRODUCTION
This case raises the issue of whether (and/or when will) violations of an Internet websiteâs
A. Indictment
In the Indictment, Drew was charged with one count of conspiracy in violation of 18 U.S.C. § 371 and three counts of violating a felony portion of the CFAA, ie., 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(B)(ii), which prohibit accessing a computer without authorization or in excess of authorization and obtaining information from a protected computer where the conduct involves an interstate or foreign communication and the offense is committed in furtherance of a crime or tortious act. See Doc. No. 1.
The Indictment included, inter alia, the following allegations (not all of which were established by the evidence at trial). Drew, a resident of OâFallon, Missouri, entered into a conspiracy in which its members agreed to intentionally access a computer used in interstate commerce without (and/or in excess of) authorization in order to obtain information for the purpose of committing the tortious act of intentional infliction of emotional distress
B. Verdict
At the trial, after consultation between counsel and the Court, the jury was instructed that, if they unanimously decided that they were not convinced beyond a reasonable doubt as to the Defendantâs guilt as to the felony CFAA violations of 18 U.S.C. §§ 1030(a)(2)(C) and 1030(e)(2)(B)(ii), they could then consider whether the Defendant was guilty of the âlesser includedâ
At the end of the trial, the jury was deadlocked and was unable to reach a verdict as to the Count 1 conspiracy charge.
C. MySpace.com
As Jae Sung (Vice President of Customer Care at MySpace) (âSungâ) testified at trial, MySpace is a âsocial networkingâ website where members can create âprofilesâ and interact with other members. See Reporterâs Transcript of the November 21, 2008 Sung testimony (â11/21/08 Transcriptâ) at pages 40-41. Anyone with Internet access can go onto the MySpace website and view content which is open to the general public such as a music area, video section, and membersâ profiles which are not set as âprivate.â Id. at 42. However, to create a profile, upload and display photographs, communicate with persons on the site, write âblogs,â and/or utilize other services or applications on the MySpace website, one must be a âmember.â Id. at 42-43. Anyone can become a member of MySpace at no charge so long as they meet a minimum age requirement and register. Id.
In 2006, to become a member, one had to go to the sign-up section of the MySpace website and register by filling in personal information (such as name, email address, date of birth, country/state/postal code, and gender) and creating a password. Id. at 44-45. In addition, the individual had to check on the box indicating that âYou agree to the MySpace Terms of Service and Privacy Policy.â See Governmentâs
This Terms of Use Agreement (âAgreementâ) sets forth the legally binding terms for your use of the Services. By using the Services, you agree to be bound by this Agreement, whether you are a âVisitorâ (which means that you simply browse the Website) or you are a âMemberâ (which means that you have registered with MySpace.com). The term âUserâ refers to a Visitor or a Member. You are only authorized to use the Services (regardless of whether your access or use is intended) if you agree to abide by all applicable laws and to this Agreement. Please read this Agreement carefully and save it. If you do not agree with it, you should leave the Website and discontinue use of the Services immediately. If you wish to become a Member, communicate with other Members and make use of the Services, you must read this Agreement and indicate your acceptance at the end of this document before proceeding.
Id. at 1.
By using the Services, you represent and warrant that (a) all registration information you submit is truthful and accurate; (b) you will maintain the accuracy of such information; (c) you are 14 years of age or older; and (d) your use of the Services does not violate any applicable law or regulation.
Id. at 2.
The MSTOS prohibited the posting of a wide range of content on the website including (but not limited to) material that: a) âis potentially offensive and promotes racism, bigotry, hatred or physical harm of any kind against any group or individualâ; b) âharasses or advocates harassment of another personâ; c) âsolicits personal information from anyone under 18â; d) âprovides information that you know is false or misleading or promotes illegal activities or conduct that is abusive, threatening, obscene, defamatory or libelousâ; e) âincludes a photograph of another person that you have posted without that personâs consentâ; f) âinvolves commercial activities and/or sales without our prior written consentâ; g) âcontains restricted or password only access pages or hidden pages or imagesâ; or h) âprovides any phone numbers, street addresses, last names, URLs or email addressesId. at 4. MySpaee also reserved the right to take appropriate legal action (including reporting the violating conduct to law enforcement authorities) against persons who engaged in âprohibited activityâ which was defined as including, inter alia: a) âcriminal or tortious activityâ, b) âattempting to impersonate another Member or personâ, c) âusing any information obtained from the Services in order to harass, abuse, or harm another personâ, d) âusing the Service in a manner inconsistent with any and all applicable laws and regulationsâ, e) âadvertising to, or solicitation of, any Member to buy or sell any products or services through the Servicesâ, f) âselling or otherwise transferring your profileâ, or g) âcovering or obscuring the banner advertisements on your personal profile page____â Id. at 5. The MSTOS warned users that âinformation provided by other MySpace.com Members (for instance, in their Profile) may contain inaccurate, inappropriate, offensive or sexually explicit material, products or services, and MySpaee.com assumes no responsibility or liability for this material.â Id. at 1-2. Further, MySpaee was allowed to unilaterally modify the terms of service, with such modifications taking effect upon the posting of notice on its website. Id. at 1. Thus, members would have to review the MSTOS each time they logged on to the website, to ensure that they were aware of any updates in order to avoid violating some new provision of the terms of service. Also, the MSTOS provided that âany disputeâ between a visitor/member and MySpace âarising out of this Agreement must be settled by arbitrationâ if demanded by either party. Id. at 7.
At one point, MySpaee was receiving an estimated 230,000 new accounts per day and eventually the number of profiles exceeded 400 million with over 100 million unique visi
It varies depending on the situation and whatâs being reported. It can range from ... letting the user know that if they feel threatened to contact law enforcement, to us removing the profile, and in rare circumstances we would actually contact law enforcement ourselves.
Id. at 61.
Once a member is registered and creates his or her profile, the data is housed on computer servers which are located in Los Angeles County. Id. at 53. Members can create messages which can be sent to other
MySpace members, but messages cannot be sent to or from other Internet service providers such as Yahoo!. Id. at 54. All communications among MySpace members are routed from the senderâs computer through the MySpace servers in Los Angeles. Id. at 54-55.
Profiles created by adult MySpace members are by default available to any user who accesses the MySpace website. Id. at 56. The adult members can, however, place privacy settings on their accounts such that only pre-authorized âfriendsâ are able to view the membersâ profile pages and contents. Id. For members over 16 but under 18, their profiles are by default set at âprivateâ but can be changed by the member. Id. at 57. Members under 16 have a privacy setting for their profiles which cannot be altered to allow regular public access. Id. To communicate with a member whose profile has a privacy setting, one must initially send a âfriendâ request to that person who would have to accept the request. Id. at 57-58. To become a âfriendâ of a person under 16, one must not only send a âfriendâ request but must also know his or her email address or last name. Id. at 58.
According to Sung, MySpace owns the data contained in the profiles and the other content on the website.
III. APPLICABLE LAW A. F.R.CrimP. 29(c)
A motion for judgment of acquittal under F.R.Crim.P. 29(c) may be made by a
B. The CFAA
In 2006, the CFAA (18 U.S.C. § 1030) provided in relevant part that:
(a) Whoeverâ
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains â âą
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication^ [11 ]
shall be punished as provided in subsection (c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this section is â â
* * * *
(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section or an attempt to commit an offense punishable under this subparagraph; ...
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, ifâ
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000....
As used in the CFAA, the term âcomputerâ âincludes any data storage facility or communication facility directly related to or operating in conjunction with such device....â 18 U.S.C. § 1030(e)(1). The term âprotected computerâ âmeans a computerâ (A) exclusively for the use of a financial institution or the United States Government ...; or (B) which is used in interstate or foreign commerce or communication____â Id. § 1030(e)(2). The term âexceeds authorized accessâ means âto access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter ....â Id. § 1030(e)(6).
In addition to providing criminal penalties for computer fraud and abuse, the CFAA also states that â[A]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.â 18 U.S.C. § 1030(g). Because of the availability of civil remedies, much of the law as to the meaning and scope of the
IV. DISCUSSION
A. The Misdemeanor 18 U.S.C. § 1030(a)(2)(C) Crime Based on Violation of a Websiteâs Terms of Service
During the relevant time period herein,
First, the defendant intentionally [accessed without authorization] [exceeded authorized access of] a computer;
Second, the defendantâs access of the computer involved an interstate or foreign communication; and
Third, by [accessing without authorization] [exceeding authorized access to] a computer, the defendant obtained information from a computer ... [used in interstate or foreign commerce or communication]____
Ninth Circuit Model Criminal Jury Instruction 8.79 (2003 Ed.) (brackets in original).
In this case, a central question is whether a computer userâs intentional violation of one or more provisions in an Internet websiteâs terms of services (where those terms condition access to and/or use of the websiteâs services upon agreement to and compliance with the terms) satisfies the first element of section 1030(a)(2)(C). If the answer to that question is âyes,â then seemingly, any and every conscious violation of that websiteâs terms of service will constitute a CFAA misdemeanor.
Initially, it is noted that the latter two elements of the section 1030(a)(2)(C) crime will always be met when an individual using a computer contacts or communicates with an Internet website. Addressing them in reverse order, the third element requires âobtain[ing] informationâ from a âprotected computerâ â which is defined in 18 U.S.C. § 1030(e)(2)(B) as a computer âwhich is used in interstate or foreign commerce or communication....â âObtaining] information from a computerâ has been described as ââinclud[ing] mere observation of the data. Actual aspiration ... need not be proved in order to establish a violation____â S.Rep. No. 99-432. at 6-7 (1986). reprinted at 1986 U.S.C.C.A.N. 2479, 2484.â Comment, Ninth Circuit Model Criminal Instructions 8.77.
We have previously agreed that â[i]t can not be questioned that the nationâs vast network of telephone lines constitutes interstate commerce,â United States v. Holder, 302 F.Supp. 296, 298 (D.Mont. 1969)), aff'd and adopted, 427 F.2d 715 (9th Cir.1970) (per curiam), and, a fortiori, it seems clear that use of the internet is intimately related to interstate commerce. As we have noted, â[t]he Internet engenders a medium of communication that enables information to be quickly, conveniently, and inexpensively disseminated to hundreds of millions of individuals worldwide.â United States v. Pirello, 255 F.3d 728 729 (9th Cir.2001). It is âcomparable ... to both a vast library including millions of readily available and indexed publications and a sprawling mall offering goods and services,â ACLU, 521 U.S. at 853, 117 S.Ct. 2329, and is âa valuable tool in todayâs commerce,â Pirello, 255 F.3d at 730. We are therefore in agreement with the Eighth Circuitâs conclusion that â[a]s both*458 the means to engage in commerce and the method by which transactions occur, the Internet is an instrumentality and channel of interstate commerce.â United States v. Trotter, 478 F.3d 918, 921 (8th Cir.2007) (per curiam) (quoting United States v. MacEwan, 445 F.3d 237, 245 (3d Cir.2006)).
Id. at 952-53. Thus, the third element is satisfied whenever a person using a computer contacts an Internet website and reads any response from that site.
As to the second element (ie., that the accessing of the computer involve an interstate or foreign communication),
As to the first element (ie. intentionally accessing a computer without authorization or exceeding authorized access), the primary question here is whether any conscious violation of an Internet websiteâs terms of service will cause an individualâs contact with the website via computer to become âintentionally accessing] ... without authorizationâ or âexceeding authorization.â Initially, it is noted that three of the key terms of the first element (ie., âintentionally,â âaccess a computer,â and âwithout authorizationâ) are undefined, and there is a considerable amount of controversy as to the meaning of the latter two phrases. See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582 n. 10 (1st Cir.2001) (âCongress did not define the phrase âwithout authorization,â perhaps assuming that the words speak for themselves. The meaning, however, has proven to be elusive.â); Southwest Airlines Co. v. Board-
While âintentionallyâ is undefined, the legislative history of the CFAA clearly evinces Congressâs purpose in its choice of that word. Prior to 1986, 18 U.S.C. § 1030(a)(2) utilized the phrase âknowingly accesses.â See United States Code 1982 Ed. Supp. Ill at 16-17. In the 1986 amendments to the statute, the word âintentionallyâ was substituted for the word âknowingly.â See 18 U.S.C.A. § 1030 âHistorical and Statutory Notesâ at 450 (West 2000). In Senate Report No. 99^432 at 5-6, reprinted at 1986 U.S.C.C.A.N. 2479, 2483-84, it was stated that:
Section 2(a)(1) amends 18 U.S.C. 1030(a)(2) to change the scienter requirement from âknowinglyâ to âintentionally,â for two reasons. First, intentional acts of unauthorized access â rather than mistaken, inadvertent, or careless ones â -are precisely what the Committee intends to proscribe. Second, the Committee is concerned that the âknowinglyâ standard in the existing statute might be inappropriate for cases involving computer technology____ The substitution of an âintentionalâ standard is designed to focus Federal criminal prosecutions on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another. Again, this will comport with the Senate Report on the Criminal Code, which states that â âintentionalâ means more than that one voluntarily engaged in conduct or caused a result. Such conduct or the causing of the result must have been the personâs conscious objective.â [Footnote omitted.]
Under § 1030(a)(2)(C), the ârequisite intentâ is âto obtain unauthorized access of a protected computer.â United States v. Willis, 476 F.3d 1121, 1125 (10th Cir.2007) (âThe government need not also prove that ... the information was used to any particular ends.â); see also S.Rep. No.104-357, at 7-8 (â[T]he crux of the offense under subsection 1030(a)(2)(C) ... is abuse of a computer to obtain the information.â).
As to the term âaccesses a computer,â one would think that the dictionary definition of verb transitive âaccessâ would be sufficient. That definition is âto gain or have access to; to retrieve data from, or add data to, a database.... â Websterâs New World Dictionary, Third College Edition, 7 (1988) (henceforth âWebsterâs New World Dictionaryâ). Most courts that have actually considered the issue of the meaning of the word âaccessâ in the CFAA have basically turned to the dictionary meaning. See e.g. BoardFirst, 2007 WL 4823761 at *12-13, 2007 U.S. Dist. LEXIS 96230 at *36; Role Models Am., Inc. v. Jones, 305 F.Supp.2d 564, 566-67 (D.Md. 2004); Am. Online, Inc. v. Natâl Health Care Discount, Inc., 121 F.Supp.2d 1255, 1272-73 (N.D.Iowa 2000). However, academic commentators have generally argued for a different interpretation of the word. For example, as stated in Patricia L. Bellia, Defending Cyberproperty, 79 N.Y.U.L.Rev. 2164, 2253-54 (2004):
We can posit two possible readings of the term âaccess.â First, it is possible to adopt a broad reading, under which âaccessâ means any interaction between two computers. In other words, âaccessingâ a computer simply means transmitting electronic signals to a computer that the computer processes in some way. A narrower understanding of âaccessâ would focus not merely on the successful exchange of electronic signals, but rather on conduct by which one is in a position to obtain privileges or information not available to the general public. The choice between these two meanings of âaccessâ obviously affects what qualifies as unauthorized conduct. If we adopt the broader reading of access, and any successful interaction between computers qualifies, then breach of policies or contractual terms purporting to outline permissible uses of a system can constitute unauthorized access to the system. Under the narrower reading of access, however,*460 only breach of a code-based restriction on the system would qualify.
Professor Bellia goes on to conclude that â[c]ourts would better serve both the statutory intent of the CFAA and public policy by limiting its application to unwanted uses only in connection with code-based controls on access.â Id. at 2258. But see Kerr, Cybercrimeâs Scope, 78 N.Y.U.L.Rev. at 1619-21, 1643, and 1646-48 (arguing for a âbroad construction of access .... as any successful interaction with the computerâ). It is simply noted that, while defining âaccessâ in terms of a code-based restriction might arguably be a preferable approach, no case has adopted it
As to the term âwithout authorization,â the courts that have considered the phrase have taken a number of different approaches in their analysis. See generally Kerr, Cybercrimeâs Scope. 78 N.Y.U.L.Rev. at 1628-40. Those approaches are usually based upon analogizing the concept of âwithout authorizationâ as to computers to a more familiar and mundane predicate presented in or suggested by the specific factual situation at hand. See e.g. United States v. Phillips, 477 F.3d 215, 219 (5th Cir.), cert. denied, 552 U.S. 820, 128 S.Ct. 119, 169 L.Ed.2d 27 (2007), (âCourts have therefore typically analyzed the scope of a userâs authorization to access a protected computer on the basis of the expected norms of intended use or the nature of the relationship established between the computer owner and the user.â). Thus, for example, where a case arises in the context of employee misconduct, some courts have treated the issue as falling within an agency theory of authorization. See, e.g., International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir.2006); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1124-25 (W.D.Wash.2000). Likewise, the Ninth Circuit (in dealing with the issue of purported consent to access emails pursuant to a subpoena obtained in bad faith in the context of the Stored Communications Act, 18 U.S.C. § 2701 et seq., and the CFAA) applied the law of trespass to determine whether a subpoenaed party had effectively authorized the defendantsâ access. See Theofel v. Farey-Jones, 359 F.3d 1066, 1072-75, 1078 (9th Cir.2004). Further, where the relationship between the parties is contractual in nature or resembles such a relationship, access has been held to be unauthorized where there has been an ostensible breach of contract. See e.g., EF Cultural Travel BV, 274 F.3d at 583-84; Phillips, 477 F.3d at 221 (â[c]ourts have recognized that authorized access typically arises only out of a contractual or agency relationship.â). But see Brett Senior & Associates v. Fitzgerald, 2007 WL 2043377 at *4, 2007 U.S. Dist. LEXIS 50833 at *13-14 (E.D.Pa.2007) (observing â in the context of an employeeâs breach of a confidentiality agreement when he copied information from his firmâs computer files to give to his new employer: âIt is unlikely that Congress, given its concern âabout the appropriate scope of Federal jurisdictionâ in the area of computer crime, intended essentially to criminalize state-law breaches of contract.â).
Within the breach of contract approach, most courts that have considered the issue have held that a conscious violation of a websiteâs terms of service/use will render the access unauthorized and/or cause it to exceed authorization. See, e.g., Southwest Airlines Co. v. Farechase, Inc., 318 F.Supp.2d 435, 439-40 (N.D.Tex.2004); Natâl Health Care Disc., Inc., 174 F.Supp.2d at 899; Register.com, Inc. v. Verio, Inc., 126 F.Supp.2d 238, 247-51 (S.D.N.Y.2000), aff'd, 356 F.3d 393 (2d Cir.2004); Am. Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 450 (E.D.Va. 1998); see also EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 62-63 (1st Cir.2003) (âA lack of authorization could be established by an explicit statement on the website restricting access____ [W]e think that the public website provider can easily spell out explicitly what is forbidden.... â). But see BoardFirst, 2007 WL 4823761 at *13-14, 2007 U.S. Dist. LEXIS 96230 at *40 (noting that the above cases and their particular application of the law âhave received their share of criticism from eommenta
[It] is at least arguable here that Board-Firstâs access of the Southwest website is not at odds with the siteâs intended function; after all, the site is designed to allow users to obtain boarding passes for Southwest flights via the computer. In no sense can BoardFirst be considered an âoutside hacker[] who break[s] into a computerâ given that southwest.com is a publicly available website that anyone can access and use. True, the Terms posted on southwest.com do not give sanction to the particular manner in which BoardFirst uses the site â to check in Southwest customers for financial gain. But then again § 1030(a)(2)(C) does not forbid the use of a protected computer for any prohibited purpose; instead it prohibits one from intentionally accessing a computer âwithout authorizationâ. As previously explained, the term âaccessâ, while not defined by the CFAA, ordinarily means the âfreedom or ability to ... make use ofâ something. Here BoardFirst or any other computer user obviously has the ability to make use of southwest.com given the fact that it is a publicly available website the access to which is not protected by any sort of code or password. Cf. Am. Online, 121 F.Supp.2d at 1273 (remarking that it is unclear whether an AOL memberâs violation of the AOL membership agreement results in âunauthorized accessâ).[18 ]
Id. at 2007 WL 4823761 at *14-15, 2007 U.S. Dist. LEXIS 96230 at 43-44 (emphasis in original).
In this particular case, as conceded by the Government,