The Lori Drew Case: Does the CFAA Require Knowledge?

Daniel Solove
Founder of TeachPrivacy


Over at Wired’s Threat Level Blog, Kim Zetter is providing great coverage of the Lori Drew case.

Here’s her post about the testimony of Tina Meier, the mother of Megan Meier.

Zetter’s most recent post describes the direct examination of Ashley Grill, one of the people who participated with Lori Drew in the creation of the fake MySpace profile.

The young woman who typed the final, cruel message to 13-year-old Megan Meier the day she killed herself took the stand to testify against her former employer and confidant, Lori Drew, on Thursday.

But several moments in 20-year-old Ashley Grill’s 80 minutes of testimony seemed to undermine the government’s case. The most damaging statement: that it was her idea, not Drew’s, to create a fake MySpace account to befriend Megan.

Though the jury doesn’t have to find that Drew instigated the plan to convict her of conspiracy, the revelation is nonetheless at odds with the government’s position that the 39-year-old Drew took a leading role in creating a MySpace account for “Josh Evans,” a purported 16-year-old boy who flirted with the emotionally-vulnerable Megan, and ultimately turned on her. The statement came as Grill described the genesis of the hoax, which unfolded at Drew’s home in September 2006.

Grill was in the kitchen with Drew and Sarah, Lori Drew’s daughter, when she proposed creating a fake MySpace account to get information on Megan. Drew applauded the plan, and thought it was funny, but did not herself conceive it, Grill said.

The three of them crowded around Drew’s computer as Grill set up the profile. None of the three read MySpace’s terms-of-service first. As Ashley began, Lori and Sarah left for soccer practice, urging Grill to finish up in their absence.

There are several interesting things here. First, the hurtful emails, the ones that led to Meier’s suicide, were not penned by Drew but by Grill, the prosecution’s own witness. Second, and more importantly, the government’s witness conceded that Drew had not read MySpace’s terms of service. Unless the CFAA is a strict liability statute, or can be violated negligently or recklessly, then the prosecution must prove that Drew knew she was violating the terms of service. Thus far, I haven’t heard anything to indicate she knew it was a violation of MySpace’s terms of service to create a fake profile. If knowledge is required, and if knowledge isn’t proven, then the prosecution’s case shouldn’t survive a directed verdict motion.

I only know a little about the CFAA, so I ask the experts: Am I correct that knowledge that one accesses a site without authorization is required for there to be a CFAA violation, even under the prosecution’s warped interpretation of the statute?

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.
