US v. Lori Drew: Let's Take a Deep Breath
Briefing on the latest motion can be accessed here - both fairly short and worth reading to get a sense of the issues. (Access the EFF's amicus brief here [pdf]. It's a good read, but I felt like it expanded the scope of issues unnecessarily.)
The basic facts are that Ms. Drew is being prosecuted for using a fake MySpace page to cause harm to her daughter’s friend who committed suicide. (Well, not exactly, she’s not even being charged with the suicide, which makes the whole thing clunky.) There’s definitely an argument to be made that the prosecutors are stretching the statute to fit the facts.
Somehow the discussion has shifted from whether it's appropriate to use Ms. Drew's commission of a tort to support a CFAA conviction to whether the CFAA should cover access in excess of a website's terms of use. These are two conceptually distinct issues that people tend to conflate. (I don't think the EFF's brief helps much in this regard from the point of view of the average reader.)
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act is a federal statute which was originally enacted to address conventional hacking. There's not much dispute about this. Things have changed in the days since the statute was enacted, and it has been used (successfully) by private litigants to prevent “unauthorized access” to a website or network. Good examples involve instances of scraping, spam, and repeatedly accessing a competitor’s computer to slam the servers. There is a lot of lower level caselaw in the civil context which basically says that if you use a website in excess of the terms of service, you could be violating the CFAA (assuming other jurisdictional thresholds are satisfied). (See, e.g., Register/Verio; Ticketmaster; AOL v. LCGM.)
I'm guessing most people don't disagree with the proposition that if you set up a website you should be able to dictate the terms of its access. Why then the hue and cry? I think most people don't understand the extent to which the CFAA has been used by companies to police their networks, and the extent to which violations of a terms of service can constitute a violation of the CFAA. Most tellingly, the lack of an outcry when companies like Facebook and MySpace use terms of use violations to police their networks (see, e.g., Ars Technica here) is some indication that people intuitively are OK with networks policing access through a terms of service.
(I can see different rules coming into play in the criminal and the civil context, and vagueness issues that may arise when using a violation of the potentially shifting TOS to support a criminal violation. Such concerns exist to a much lesser degree in the civil context. Also, the issue raised in the briefs of the parties is much narrower and surrounds the precise mental state required by the statute.)
Jurisdictional Issues
To those who are crying that they risk liability based on this decision, the first thing I would say is . . . “this is nothing new” (at least, in the civil context). Take a look at some of the CFAA cases and you’ll realize that you were running the risk on the civil side long before US v. Drew. I think the statute has been stretched and used improperly by litigants in the civil context and I can see how reasonable people disagree with many of the decisions, but the bottom line is that for some time now, you could colorably be a CFAA defendant based on a TOS violation.
Another reason why the people critiquing the decision are crying Chicken Little is that there’s some sort of a jurisdictional threshold in the CFAA. In the civil context, you have to cause a certain amount or a certain type of damage before you can be held liable. If you are accessing someone’s website and you cause 5K worth of damage, do people really think that you should not be held liable? (My recollection from the cases was that at least a few cases say that you actually have to cause damage to the computer or the network – at least in the civil context – in excess of a certain amount or of a certain type in order to trigger CFAA liability. Note: Wikipedia, which is not always the most reliable source, says the statute has been recently amended.)
I’m not sure what the jurisdictional threshold is in the criminal context, but this is definitely a tweak in the Drew case. It sounds like the government is using a vague catchall “access computer + furtherance of a tort” to support the CFAA violation. From reading the reports, it sounds like everyone agreed that she was not being tried for the suicide, so she’s now being tried for causing “emotional distress”. This is the part of the case that should most disturb people. From a read of the govt.’s brief, it sounds like the government is arguing that it may use any old vague tort or “improper act” for the tack-on offense in order to argue CFAA criminal liability. To me, this is what struck me as most problematic about the case (and is quite distinct from the issue of whether a violation of a TOS should constitute unauthorized access). Another thing that's problematic is that the government admitted that she didn't read the TOS (but argued that this was not necessary).
I guess it’s not that shocking to me for civil liability to attach based on violations of a terms of service. I don’t necessarily agree with those decisions, but they’re not totally off the wall and, more importantly, they are not new. In the private realm, there are natural checks in play most of the time to prevent pursuit of unwarranted lawsuits. Here, it sounds like maybe the prosecution stretched the statute to fit a set of facts to which the statute probably doesn’t apply. But the disagreement with the decision should stem from (i) whether it’s appropriate to consider a vague tort as an underlying offense or (ii) whether there's some sort of jurisdictional limitation to the government's argument here (or from whether Ms. Drew actually read the terms or intended to violate the terms – which is discussed in the briefing), and not from whether access beyond the scope of the terms constitutes "unauthorized access". Somehow the discussion got focused on the evil/oppressive terms of use, and the fact that this prosecution somehow places all of us at risk for engaging in criminal violations of the CFAA. I’m not sure this focus is healthy.
I guess we should hear from the court soon but in the meantime, the internets should take a breath of fresh air.
Also: here's the post from Julian Sanchez that got me thinking ("So is it time to burn your modem - or hire an attorney to shoulder-surf the Web with you?").


I don't have a huge problem with websites bringing civil enforcement actions against users who breach a properly-formed user agreement. I think the matter is entirely different when it's a criminal enforcement of the same agreement because the burden of proof is so much higher. Also, I get very nervous when the government is enforcing a clause that the website itself doesn't enforce--the website includes the clause in the agreement for risk management purposes, but it doesn't intend to enforce the clause and tolerates routine breach of the clause. Eric.
Good points - I think the civil/criminal difference is important and I've often thought that tying a violation to the TOS (which can be changed at the entity's discretion) leaves the user with a moving target as to what's lawful.
I still feel like the relationship between the underlying "damage" and the crime is what's even more problematic. It sounds like the government is saying it can use any old "improper act" to support a criminal violation.