You are currently browsing the monthly archive for May 2008.


In general, I agree with you and Professor Kerr. There is no question that this case involves despicable conduct that should not go unpunished. It is an open question, however, as to how the law should punish this kind of conduct. I believe that the government in this case is wrong in looking to 18 U.S.C. § 1030 to ground its legal theory. As Professor Kerr notes in his post, this statutory section clearly deals with cyberfraud involving compromised information that leads to a loss of value and not the sort of harassment/cyberbulling we saw in this case. (Note the statute’s persistent reference to “information of value.”)

If § 1030 does not help the prosecution here, then where should it look? Tim, you have rightly mentioned a tort law theory known as “intentional infliction of emotional distress” (IIED). Generally, the legal standard in this area is difficult to meet; conduct that falls within the definition of IIED is that which may be characterized as “outrageous” or “beyond the bounds of human decency.” Here, the facts of the case are so damning (defendant used an online pseudonym to defraud and harass victim, telling victim at one point that the world would be better off without her) that I would think the IIED standard would be satisfied.

Given that the prosecution likely has a viable theory for IIED, how should we proceed as a policy matter? First, as the prosecution suggests, we could read into § 1030 a cause of action for cyberbullying, effectively linking up IIED claims (and likely cyberbullying that falls short of IIED) with § 1030 claims. As you and Professor Kerr have argued, this is probably the wrong path to pursue, as it would effectively re-write a statute well beyond its intended scope, potentially creating a criminal cause of action for breach of online terms of use in the context of harassment. Second, we could simply require prosecutors to rely on traditional tort law theories such as IIED. This is the simplest solution, but it may not go far enough in addressing the very real problem of cyberbullying. The Internet has facilitated the speed, geographic scope, and anonymity of all manners of transactions. The result has been both positive (commerce has expanded rapidly and knowledge has been disseminated more freely) and negative (cases such as this one are, sadly, becoming increasingly common).

Perhaps, then, new legislation is necessary to “beef up” the punishment for cyberbullying beyond what tort law already provides. This possibility is fraught with difficult questions. For instance, what, exactly should constitute cyberbullying? Would the statute contain is own definition (necessitating some very difficult line-drawing) or would it rely more heavily on common law, non-Internet-related tort concepts? What role would websites terms of service play? Finally, what are the risks and benefits with the legislative approaches taken in the United Kingdom and in Ireland?

Related question (to which Tim previously alluded): what about the integrity of the Internet in this context?

Daniel Corbett


Suspending judgment momentarily on what the law and scope should be in regard to unauthorized access to data, I would like the examine what the law can be in the Meier case. §1030 could be used to cover the case. Whether it is wise to do so – again – let me suspend for a moment.

Technically speaking, Drew was unauthorized to use the MySpace servers in the way she did. An analogy can be drawn with passwords and authorization. If someone was granted a password to use a particular system, they are authorized to use the system. However, that authorization is not boundless. For instance, in the Allison case (R v Bow Street Magistrates’ Court and Allison ex p USA [2000] 2 AC 216) a credit analyst employed by American Express used her access to steal credit card numbers which she passed on to defraud AmEx and customers of US$1million. Her password gave her access but she was unauthorized to do what she did. The House of Lords (UK) said she was authorized only for her work purposes, not illegal purposes. This case – like the Meier case – is a violation of a contract which lead to unauthorized access to data.

<< Judgment unsuspended >>

Kerr argues that authorization should be code-based not contract-based. See in his posts and his article ‘Cybercrime’s scope: Interpreting “access” and “authorization” in computer misuse statutes.’ (2003) 78 NYULR 1596.

The argument – again – is the unauthorized access to data statutes should not be used in this way. The better way to proceed on these types of cases would be, for example in the Allison case above, to proceed under some fraud statute. Similarly, as I stated before, the Meier case would proceed better under a harassment or intentional infliction of emotional distress sort of claim.

It seems too broad to use the statutes in this way. I would suspect that most of us are violating terms and conditions – many of which we never or rarely read – every day. Should that be criminalized by this type of statute? It just doesn’t sit right with me. Proceed under copyright infringement, harassment, defamation – whatever the relevant offense. Leave the unauthorized access to data statute for hacking and similar offenses.

Timothy DeHaut

There has been a lot of talk in the news and in the blogosphere on the Megan Meier case in the last couple of days since the indictment [available here or].

To show a bit of the discussion: [], [], [], [].

The case is a sad/disturbing one but involves some very interesting legal issues. Many areas of the law are incorporated including Internet law, contract, tort, criminal, and even some reasonably significant constitutional issues. Some of the issues overlap in interesting ways.

In this initial post, I would like to limit my discussion to the area of cybercrime and personal safety on the Internet for a number of reasons. First, I have not had the time to really read up on the issues such as the autonomy on the Internet, etc. It is not that I don’t find these areas extremely interesting, but I am currently studying for exams and don’t have the time. I’ll stick to something I am more familiar with. That said, in the near future, I’d like to get a discussion going on the other issues. If you can’t wait for me, have a read about the issues from the links above. Some of it is very good. Finally, I have an Internet Law and Regulation Exam on Tuesday and one of the topics which will come up will be cybercrime and personal safety on the Internet in the US, Ireland, and the UK. The post may reflect my dual purpose of studying for that exam and discussing a very interesting case.

The facts of the case

A 49-year-old woman, Lori Drew, is alleged to have helped create a false-identity on a MySpace account to contact Megan Meier. Megan Meier was a 13-year-old girl who thought she was chatting with a 16-year-old boy named Josh Evans. Josh Evans was the false MySpace account holder. The Josh Evans account and Megan Meier engaged in flirtatious conversation for some period. The two had a falling out. Then after receiving cruel messages from the Josh Evans account, including one that stated the world would be better off without her, Megan Meier hung herself in October 2006.

Legal issues

“The indictment is not charging Drew with harassment. Nor are they charging her with homicide. Rather, the government’s theory in this case is that Drew criminally trespassed onto MySpace’s server by using MySpace in a way that violated MySpace’s Terms of Service (TOS). Here’s the idea. The TOS required Drew to provide accurate registration information, not to harass or harm other people, and not to promote conduct that was abusive. She didn’t comply with these terms, the theory goes, so she was criminally trespassing onto MySpace’s computer when she was logging into her account. The indictment turns this into a federal felony conspiracy charge by arguing that she did this in concert with others to obtain information and to further tortious conduct — intentional infliction of emotional distress — violating the felony provisions of 18 U.S.C. 1030(a)(2).” [Kerr at Volokh, see above link.]

Personal Safety on the Internet

The case falls under a category of cyberbullying. Harassment can happen quite easily on the Internet. It also might be less noticed by those not directly involved because of the nature of Internet use. The Internet has been quite an effective means of bullying.[1] So what are the legal remedies within the US, the UK, and Ireland for cyberbullying?

Within the US, there is no federal law on cyberbullying. Here are the options that have potential for this case on the criminal law side: Harassment, I believe, could have been charged under state law. There are also two US suicide-related crimes: causing someone to commit suicide and assisting someone with committing suicide. This would probably not have worked though, see reasoning. On the tort side: intentional infliction of emotional distress seems the likely candidate. Indeed, that is what the indictment used to go via 18 U.S.C. §1030. Under §1030, something “to further tortious conduct” is needed. The family would most likely have a tort claim, as has been stated by others (somewhere) in the blogosphere. §1030 is an odd way to go about the prosecution, see below.

Within the UK and Ireland, harassment is a criminal activity.[2] While the legislation is not Internet specific, there is no reason why it could not be applied as such. The harassment legislation could prove to be quite powerful if used to its full extent. On indictment and conviction, unlimited fines and 7 years imprisonment could be imposed under the Irish legislation. Intentional infliction of emotional distress would again seem to be the likely civil law remedy.

The weird way they are prosecuting the case

It appears as though the prosecutors are prosecuting in an interesting way. The prosecutorial reading of §1030 does not seem to the intended purpose of the statute. The case, if prosecuted similarly in the UK and Ireland, would seem equally as odd. The relevant statues in those countries would be the §5 of the Criminal Damage Act 1991 (IR) and the §1 of the Computer Misuse Act 1990 (UK). Basically, unauthorized access to data – the content of all these statutes – seems to intend to cover hacking and related crimes. It seems as though the prosecution is using §1030 to get it under criminal because the case is – quite obviously – one that is morally deplorable. But the way to go about it would be to bring the cause under some type of harassment / cyberbullying law. Here the UK and Ireland have the statute and would be able to successfully prosecute. The US federal law lacks this. However, I am still unsure why the authorities did not proceed under the state law. There is a reason – and it’s out there. I read it; I just forgot what it said. If you find it, comment. Ultimately I this way of prosecuting it will probably prove unsuccessful because making the contractual violation into a criminal offense is an extension that seems unwise. I generally agree with Kerr at

Much more to talk on this case, but hopefully there will be more to come from me and others.

– Timothy DeHaut

[1] see Hedley, The Law of Electronic Commerce and the Internet in the UK and Ireland, Cavendish, 2006 pg 151; see also ‘Modern bullies are seeking victims through cyberspace’, Times, 25 September 2004.

[2] Protection from Harassment Act 1997 (UK); Non-Fatal Offences against the Person Act 1997 (IR); see also Hedley, pg 152.

May 2008
« Jan   Jun »

Erin Pyles Photography

Blog Stats

  • 12,929 hits
Bloggers' Rights at EFF

Creative Commons License
This work is licensed under a Creative Commons License.