Cyber Bullies & Script Kiddies – Crime 2.0

By George Hayes, Ayush Khanna and Niranjan Krishnamurthi

Our readings describe two very different approaches to cyber crime. In the US v. Drew case, the implications of a person being convicted for violating a ToS were lost in the perceived connection between the crime that Drew was charged with and what actually transpired. In the Universal Studios v. Reimerdes case, on the other hand, there is a conflict between the Constitutional right of Free Speech and Fair Use and the use or distribution of tools to circumvent copyright protection. Lastly, we briefly discuss the connections, exceptions and implications of current cyber crime law.

In United States of America v. Lori Drew, the core issue was whether violating the Terms of Service of a site like MySpace constitutes “fraud” under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. When this story broke in 2007, the media described a clear narrative that in a way obscured the true importance of what was being tried. The public was presented with a disturbing story of an older woman, a neighbor of 13-year-old Megan Meier, overseeing the creation of a false online identity that was used to deceive Meier. This online identity, “Josh Evans”, used multiple online services such as AOL Instant Messenger and MySpace to befriend Meier, find out whether she spread rumors about Drew’s daughter and then end their friendship in a potentially hurtful way. This narrative is typified by Suburban Journals, a local news organization serving the greater St. Louis, Missouri area, which wrote an article about this story from the very personal viewpoint of the Meier family and received an outpouring of response from their community. Articles such as this create an incredibly biased view of the story, getting into details of Megan Meier’s struggle with depression, weight and friendship and how her relationship with “Josh Evans” potentially put her over the edge, causing her to commit suicide.

Lori Drew was not being charged with causing the death of Megan Meier, but with violating 18 U.S.C. § 1030 (a)(2)(c) and (c)(2)(b)(2) by violating MySpace’s Terms of Service: providing false information and then using this to intentionally inflict emotional distress upon a user. She violated the Terms of Service by providing a fake name, by using this fake name to obtain information about a juvenile, and then by using the information they found to “torment” the juvenile. Drew faced criminal charges, but the implications of her being found guilty would have been far more significant than potentially reducing cyber bullying. As Judge Wu addresses on pages 29-30 of his opinion granting Drew’s motion for an acquittal, Megan Meier herself was also in violation of MySpace’s Terms of Service and was therefore violating the same laws that Lori Drew was being convicted of violating. Judge Wu also describes the many ways in which people could potentially violate MySpace’s Terms of Service and questions whether they could be considered criminals.

What would it mean to be able to be charged criminally once you broke a Terms of Service agreement on websites such as MySpace, and, more importantly, would it be possible to regulate and enforce these rules if they were criminal? It’s easy to see that what Lori Drew did was morally reprehensible. The jury foreman in her initial trial, Valentina Kunasz, told Wired Magazine on December 1st, 2008, “Trust me, I was so for this woman going away for 20 years. However, on the harsher felony charge, it was very hard to find her guilty on the specific [evidence] given to us.” Though what Lori Drew did may have seemed wrong, it is in our collective best interests not to be considered criminals for breaking Terms of Service and for companies like MySpace to be able to determine what it is we can and cannot do online.

The DMCA came into place in the United States as this country’s implementation of the World Intellectual Property Organization (WIPO) Copyright Treaty, but, as mentioned at chillingeffects.org, this implementation is “in a much stricter fashion than required, giving copyright owners broader protection than was intended in the international treaty.”

In the second case that we look at, Universal City Studios, Inc. v. Reimerdes, the defendant, Eric Corley, posted on 2600.com a description, source code, object code and links to other sites where people could download the program DeCSS. Using the DMCA Section 1201, Universal Studios obtained injunctions to have the defendant remove any ability for people to access the said program.

From the case, we realize that one can be in violation of the DMCA Section 1201 if one provides access to or traffics in copyright protection circumvention tools. This may not be a concern for the majority of people, who do not produce, distribute or provide access to such tools. On the other hand, the average person should be concerned about the use of these tools, even if the end result of using them does not infringe on the rights of the copyright holder, as the DMCA Section 1201 makes circumvention prohibitions distinct from copyright infringement. Say, for example, you wanted to use DeCSS to make copies of legitimately purchased DVDs for your own personal use. Would you be violating the law for having the copies for your personal use? Most probably not, as this falls under the traditional concept of fair use. Unfortunately, you would be violating the law for using DeCSS. So, in reality, it’s OK to make copies of your DVDs for personal use but not OK to use a tool that helps you do so, unless it so happens that the tool falls under the exception of the DMCA Section 1201 (a)(1)(C).

Taking things a step further, even if the Librarian of Congress, under the DMCA Section 1201 (a)(1)(C), allows for the use of such circumvention tools, nothing is set in place in the DMCA to protect the development or distribution of such tools. An example of this is the use of the DMCA by cellphone service providers to sue people who purchased or unlocked their cellphones until an exemption was won. However, as mentioned in Wired Magazine, “The problem is that the exemption protects unlockers, but it doesn’t apply to those entities that distribute unlocking tools or provide unlocking services to others. Even when the Copyright Office grants exemptions for non-infringing or fair uses, customers usually still suffer because in most cases, including unlocking, only the small number of persons who have the technical know-how to circumvent can do so.”

Copyright holders are entitled to enjoy the exclusive rights to distribute their protected materials for economic gain, but enforcement of the DMCA can have a negative impact on the fair use of access control measures. In his ruling on Universal City Studios, Inc. v. Reimerdes, District Judge Lewis A. Kaplan addresses this conflict by stating “.. they (the defendants) have raised a legitimate concern about the possible impact on traditional fair use of access control measures in the digital era. Each side is entitled to its views. In our society, however, clashes of competing interests like this are resolved by Congress. For now, at least, Congress has resolved this clash in the DMCA and in plaintiffs’ favor. Given the peculiar characteristics of computer programs for circumventing encryption and other access control measures, the DMCA as applied to posting and linking here does not contravene the First Amendment.”

One of the biggest concerns we see going forward is how well equipped these laws are to understand an increasingly open, participative web. Take this example: “Script Kiddies” started unlocking iPhones to enable use on other telephone networks. Of course, AT&T chose to sue these people. Their rationale? The DMCA’s anti-circumvention clause prevents you from circumventing locks in place in order to gain access to copyrighted works. The intended use, however, was limited to protecting copyrighted works of music and movie artists. Eventually, the hackers won: an exception was granted in case the purpose was “lawfully connecting to a wireless telecommunication network”. It can also be argued that the US v. Drew case was significant here: the Apple/AT&T ToS violation would otherwise have been the plaintiff’s next course of action. There is a catch here, though: what about people who sell or distribute this software? It could be said that their “purpose” is entirely different: profit. Where does the law stand on that? There is no convincing answer.

Another interesting scenario arises from the Boardfirst v. Southwest case mentioned in the US v. Drew opinion. Boardfirst was allowing Southwest passengers to check in to particular seats of their choice, for commercial gain. The court ruled against Boardfirst on account of its violation of Southwest’s Terms of Service, which stated that the data on their site could not be used for commercial gain. What are the implications of this decision in today’s scenario? We have a plethora of social media tools, each with their own utilities. There is also a fair degree of overlap: you Tweet your Foursquare update via your Facebook account. Can a user be held liable for inadvertently violating the Terms of Service in this maze? The problem is only worsened when we consider how often these ToS evolve. Another parallel from the Boardfirst case: the Southwest flight information was essentially public data, just like much social network data. Can access to such information be “unauthorized”? The broadness, and resulting vagueness, of the CFAA was the focal point of the discussion of the US v. Drew case, and this will perhaps be indicative of further tensions between what a user does online and what is considered a crime.
