Upload
nguyenduong
View
214
Download
1
Embed Size (px)
Citation preview
MEMORANDUM OF LAW IN SUPPORTOF CEASE AND DESIST PETITION
There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live—did live, from habit that became instinct—in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.
– George Orwell, 1984 3 (Signet Classic ed. 1981)
INTRODUCTION
Recently, this Court revised its Rules of Supervision/Probation to include Rule 14, which
states the following:
I will provide my Deputy Juvenile Officer all of my user IDs and passwords to my e-mail and any social networking sites that I use (i.e. Facebook, MySpace, Bebo, YouTube, etc.). I will not establish alternate social media sites under other names. I will not post on the Internet or send/text on a cell phone, by e-mail or any other electronic device any pictures, videos or content involving weapons/ammunition, gang signs, drugs, violent acts, alcohol, nudity or sexual activity.
St. Louis Cnty. Fam. Ct. R. Supervision/Probation 14 [hereinafter Rule 14] (emphasis added).
Although this appears to be an issue of first impression – likely due to the novel and emerging
landscape of social networking sites – this Court should harbor grave concerns about imposing
such a rule. As an initial matter, the language of Rule 14 is overly vague such that “men of
common intelligence” are left to guess at its meaning, and law enforcement is given broad
discretion to ensnare innocently-intended conduct. However, even if written in a more definite
fashion, Rule 14 encroaches on the privacy rights of the juvenile, and even more egregiously, on
the rights of the juvenile’s unsuspecting social networking site “friends” and the social
1
networking site itself. Furthermore, Rule 14 disregards the prohibitions set by Facebook1 in its
terms of use – which bind both the juvenile and the Deputy Juvenile Officer (DJO) when they
log in to the site. By accessing Facebook’s computer network in an unauthorized manner in
violation of Facebook’s terms, and thereby gaining information from Facebook’s network, the
DJO and this Court are also likely running afoul of federal and Missouri computer fraud statutes
and making the juvenile an accomplice. Finally, setting aside Facebook’s terms and any
computer fraud violations, this Court must follow proper judicial procedure for gaining access to
Facebook’s network and hundreds, if not thousands, of third-party profiles, which cannot be
achieved through the consent of a single juvenile member.
ARGUMENT
I. RULE 14 IS OVERLY VAGUE – IT FAILS TO SUFFICIENTLY DEFINE “ANY SOCIAL NETWORKING SITES” OR THE BROAD SCOPE OF THE VIOLATIVE CONDUCT – SUCH THAT MEN OF COMMON INTELLIGENCE ARE LEFT TO GUESS AT ITS MEANING, AND THIS COURT AND THE DJO ARE GIVEN TOTAL DISCRETION TO ENSNARE INNOCENTLY-INTENDED CONDUCT.
Just over 80 years ago, Justice Holmes famously articulated the necessity of clarity in
criminal “rule[s] of conduct,” stating, “[I]t is reasonable that a fair warning should be given to
1 For the purposes of clarity and brevity, and because it is arguably the most robust social networking platform, we will address Facebook specifically in the main text of the remainder of this Memorandum. However, MySpace, YouTube, Bebo, and other such sites share many common features. As such, we will include language from MySpace – and to a lesser extent, YouTube and Bebo – where particularly relevant.
This Memorandum does not attempt to scratch the surface of the problems inherent in disclosing login information to mega-site Google.com, which would grant this Court and the DJO unfettered and indiscriminant access to a juvenile’s Gmail, YouTube, Google+, Google Calendars, Google Docs, Picasa, G Chat, Google Checkout, Google Talk, Google Voice, Blogger, and more, see Products, Google, http://www.google.com/intl/en/about/products/index.html, not to mention private and/or confidential e-mails from the juvenile’s attorneys, banks, physicians, cell phone providers, credit cards, and/or government, and volumes of data accumulated prior to the offense leading to probation.
2
the world in language that the common world will understand, of what the law intends to do if a
certain line is passed. To make the warning fair, so far as possible the line should be clear.”
McBoyle v. United States, 283 U.S. 25, 27 (1931). The Supreme Court has since articulated three
variations of this “fair warning” requirement, one of which is the “vagueness doctrine,” which
“bars enforcement of a statute which either forbids or requires the doing of an act in terms so
vague that men of common intelligence must necessarily guess at its meaning and differ as to its
application.” United States v. Lanier, 520 U.S. 259, 266 (1997). Furthermore, the vagueness
doctrine provides “guidance, through explicit standards,” to law enforcement, thereby “avoiding
possible arbitrary and discriminatory application.” See State v. Young, 695 S.W.2d 882, 884 (Mo.
1985) (en banc) (citations to U.S. and Mo. Supreme Court cases omitted).
Viewed through the lens of fair notice and the vagueness doctrine, Rule 14 proves
problematic. First, Rule 14 does not define “social networking sites” – other than to list four
sites, followed by the open-ended “etc.” – yet it requires that a juvenile provide the DJO with all
user IDs and passwords to any social networking sites.2 A quick Google search for a "list of
social networking sites" demonstrates why this inexplicit definition leads to vagueness and
potential for sweeping enforcement. The first result is a link to Wikipedia with a list of
approximately 200 such sites. See List of Social Networking Websites, Wikipedia,
http://en.wikipedia.org/wiki/List_of_social_networking_websites.3 That page also links to a “list
of online dating sites” and a separate list of “defunct social networking sites.” See id. Absent
from the list are sites like Amazon.com (a shopping site that also allows shoppers to post
reviews), NYTimes.com (where members can post comments), CNN.com (where members can
2 In fact, Rule 14 does not even use consistent language, requiring juveniles to provide login information to their “social networking sites” but prohibiting the establishment of “social media sites” under an alternate name. See Rule 14 (emphasis added).3 We have removed the “(last visited Oct. ##, 2011)” parenthetical from each website citation for the sake of brevity. However, all websites were visited between October 13 and 30, 2011.
3
post comments and “iReporters” can actually post user-generated stories and video),
SnapFish.com (HP’s photo-sharing and printing site), and Wikipedia itself (“the free
encyclopedia that anyone can edit”), among others. The question for a juvenile faced with the
terms of Rule 14 is then, “Which website memberships fall under this Court’s ‘etc.’ umbrella?”4
Men of common intelligence will vary widely, and reasonably, on which websites with
interactive components constitute “social networking” sites. In the absence of more explicit
guidance, the DJO and this Court are given unpredictable discretion to enforce Rule 14.
Similarly, Rule 14 bars sending or texting by any “electronic device any pictures, videos
or content involving weapons/ammunition, gang signs, drugs, violent acts, alcohol, nudity or
sexual activity.” Rule 14 (emphasis added). In addition to the ambiguous nature of the term
“involving,” the scope of this Rule is overbroad, again leaving the DJO and this Court with
complete discretion to find violations – essentially setting a juvenile up for failure. Looking at
several of the elements individually highlights the nature of this problem: (1) postings about the
movie Star Wars, the National Anthem, the War in Afghanistan or the Second Amendment could
involve “weapons/ammunition;” (2) scenes from Disney’s Beauty and the Beast, SpongeBob
SquarePants and The Bible involve “violent acts;” (3) popular television shows like Friends,
Modern Family and SNL involve “sexual activity” (another highly ambiguous word, particularly
given the likelihood of teenagers sending love letters via e-mail); and (4) given that Budweiser is
a major St. Louis business entity, is likely an employer of many juveniles’ parents, and has
bestowed its Anheuser-Busch namesake on Cardinal Stadium and Judge XXXXXX’s own alma
mater law school, many innocuous postings could involve alcohol. Furthermore, a single posting
of any given rap, country or rock music video, even by one of the most highly-regarded artists
4 As we read over the list of social networking sites listed by Wikipedia, we also came to realize we are not even sure exactly how many sites we have joined in the past, only to forget about our memberships.
4
could easily involve most, if not all, of the prohibited content5 – as could any host of other
common cultural references prevalent in American life.
We are not suggesting the DJO or this Court will act maliciously to manufacture
violations of Rule 14, and we think this Court would likely consider most of the references above
innocuous. However, the language of Rule 14 could encompass any of the above references,
making even the most common, innocent online content a violation. Common men of ordinary
intelligence – not to mention children – are left to guess where the line is and when it is crossed.
Unsure of what constitutes a “social networking site” and what content violates Rule 14, even the
most well-intentioned juvenile is destined for failure, and the only truly safe choice is: “Do not
use the internet.” Such a choice would have an intense chilling effect on a juvenile’s freedom of
expression and association through a medium that has become integral to the daily life us all –
especially juveniles, whose social contexts and development have been tied to the internet for
most of their lives. This overarching inhibition on a juvenile’s ability to use the internet free
from constant and undefined scrutiny will have the same social, educational, and developmental
impact as not to learning to read, writing with a feather pen, or opting for a horse and buggy
instead of a driver’s license.
II.A. RULE 14 ENCROACHES ON THE PRIVACY RIGHTS OF THE JUVENILE PROBATIONER BY GRANTING THE DJO BLANKET PERMISSION TO ACCESS ALL OF THE JUVENILE’S SOCIAL NETWORKING AND E-MAIL COMMUNICATION WITHOUT ANY SHOWING OF REASONABLE ARTICULABLE SUSPICION OF AN IMPENDING CRIME.
5 For example, on her debut album with the chart-topping single, “Jesus Take the Wheel,” American Idol winner, country music star, and Sesame Street guest vocalist Carrie Underwood released another popular single entitled, “Before He Cheats” – a song about keying an SUV and then slashing its tires/seats and smashing its headlights with a baseball bat as revenge against a cheating lover who is at a pool hall trying to “get lucky” with a “bleached-blonde tramp” (who “can’t shoot whiskey” but is nonetheless declaring, “I’m drunk!”). See Before He Cheats Lyrics, CowbowLyrics.com, http://www.cowboylyrics.com/lyrics/underwood-carrie/before-he-cheats-16593.html; Some Hearts (Carrie Underwood Album), Wikipedia, http://en.wikipedia.org/wiki/Some_Hearts_%28Carrie_Underwood_album%29.
5
Although probationers do not enjoy the same reasonable expectations of privacy
accorded to every other citizen under the Fourth Amendment, see United States. v. Knights, 534
U.S. 112, 119 (2001); see also Griffin v. Wisconsin, 483 U.S. 868 (1987), it does not follow that
this Court may circumscribe all of a juvenile probationer’s reasonable expectations of privacy in
the contents and operations of her social networking and e-mail accounts.
Even in the public school setting, where a juvenile’s Fourth Amendment rights are
circumscribed by the school’s need to create an environment conducive to learning, juveniles
enjoy both a legitimate privacy interest in their personal belongings and person, and a threshold
requirement of articulable reasonable suspicion before a search can be made. See Safford Unified
Sch. Dist. No. 1 v. Redding, 129. S. Ct. 2633 (2009); New Jersey v. T.L.O., 469 U.S. 325, 338-
341 (1985). In determining that there existed a reasonable expectation of privacy in Redding, the
Supreme Court emphasized the subjective experience of the juvenile, finding a reasonable
expectation of privacy in part because the young woman who was strip searched found it
“embarrassing, frightening, and humiliating.” Redding, 129. S. Ct. at 2636. The Supreme Court
also made sure to note how the young woman’s “adolescent vulnerability intensifies the
exposure’s patent intrusiveness.” Id.
Similar emotions relevant to a juvenile’s reasonable expectation of privacy are implicated
by the notion that a DJO will have access to the juvenile’s most private e-mails, messages, and
information – not to mention that of all of her friends. It is precisely because access to this media
can be restricted by the user that juveniles use it extensively to communicate in ways they expect
to remain private. See, e.g., Amy Vorenberg, Indecent Exposure: Do Warrantless Searches of a
Student’s Cell Phone Violate the Fourth Amendment? (September 13, 2011), available at
6
http://ssrn.com/abstract=1926923 (a fortiori making a similar argument for a warrant
requirement with respect to cell phones).
Indeed in the criminal court context the Supreme Court held that reasonable articulable
suspicion is generally necessary to conduct a search of a probationer’s house. Knights, 534 U.S.
at 112, 120-21. Thus it implied some manner of individualized reason is required regardless of
the express conditions of probation. Id. at 121 (“Although the Fourth Amendment ordinarily
requires the degree of probability embodied in the term ‘probable cause,’ a lesser degree satisfies
the Constitution when the balance of governmental and private interests makes such a standard
reasonable.” (citations omitted)). Likewise in Griffin, the Supreme Court upheld a warrantless
search of a probationer pursuant to a state-wide regulation, but this regulation contained a
requirement that there be “reasonable grounds to believe the presence of contraband.” Griffin,
483 U.S. at 871. This is in keeping with the Court’s position that “a search or seizure is
ordinarily unreasonable in the absence of individualized suspicion of wrongdoing.” City of
Indianapolis v. Edmond, 531 U.S. 32, 37 (2000) (citing Chandler v. Miller, 520 U.S. 305, 308
(1997)). Furthermore, as the Court in Knights noted, “the degree of individualized suspicion
required of a search is a determination of when there is a sufficiently high probability that
criminal conduct is occurring to make the intrusion on the individual's privacy interest
reasonable.” Id. at 121 (emphasis added) (citations omitted). However, very little of the behavior
included in Rule 14 – namely posting content this Court deems inappropriate for juveniles– is
criminal. In fact, most of the conduct easily falls under the First Amendment protections for
speech and expression, at least in a non-probationary context.
Similar cases implying an individualized suspicion requirement for searches of
probationers abound throughout the circuit courts. See, e.g., United States v. Henry, 429 F.3d
7
603, 614 (6th Cir. 2005) (holding that a warrantless search of probationer violated the Fourth
Amendment because officer lacked articulable reasonable suspicion of a violation of a term of
probation); United States v. Yuknavich, 419 F.3d 1302, 1310-11 (11th Cir. 2005) (holding
warrantless search of probationer’s computer was legitimate where there was reasonable
suspicion of a crime); United States. v. Giannetta, 909 F.2d 571, 576 & n.4 (1st Cir. 1990)
(interpreting Griffin to require reasonable suspicion for a search where the probation condition
does not, and observing in a footnote that “a question of coercion would arise as to any
contention that ‘agreement’ to a probation search condition constitutes a general consent to
search”). In fact, the Eighth Circuit construes Knights to hold that “when a probationer is subject
to a probationary search condition, the Fourth Amendment permits an officer to search pursuant
to that condition without a warrant based only upon that officer's reasonable suspicion that
the probationer is violating his probation's terms.” United States v. Brown, 346 F.3d 808, 811
(2003) (emphasis added).6
Rule 14 grants a blanket permission for DJOs to conduct searches of a juvenile’s private
spaces without the constitutional protections afforded in either the school or adult probationer
contexts. Juvenile probationers, like adult probationers and students, admittedly give up some
expectations of privacy on account of their circumstances. They do not, however, forfeit the
protections of the Fourth Amendment against suspicionless searches, as Rule 14 demands they
do.
6 By contrast, the Supreme Court has determined that suspicionless searches of parolees are constitutional under California’s statutory scheme, rejecting an individualized suspicion requirement in favor of a general “reasonableness” inquiry. Samson v. California, 547 U.S. 843, 846 (2006). However, the Court positioned its holding vis-à-vis Knights based on the fact that “parolees have fewer expectations of privacy than probationers, because parole is more akin to imprisonment than probation is to imprisonment,” id. at 850 (emphasis added) – thereby preserving the possibility that individualized suspicion may be a constitutional requirement for a search of probationers.
8
II.B. RULE 14 ENCROACHES ON THE RIGHTS AND PRIVATE LIVES OF HUNDREDS, IF NOT THOUSANDS, OF OTHER INNOCENT AND UNSUSPECTING SOCIAL NETWORKING SITE USERS – THE “FRIENDS” OF THE PROBATIONER JUVENILE – AS WELL AS THE RIGHTS OF THE ACTUAL SOCIAL NETWORKING SITES.
It is important to distinguish Rule 14 from the other Rules of Supervision/Probation. Due
to the nature of social networking sites, this Rule does not merely involve the rights of the
juvenile signing the acknowledgement with this Court – it involves the rights of all of the
juvenile’s Facebook “friends” and Facebook itself. A physical-world analogy will likely prove
helpful to illustrate the magnitude of the Rule 14 and the rights of the parties involved. It is as if
this Court ordered a juvenile to agree to let the DJO enter her psychologist’s office at any time of
day or night, without ever notifying the psychologist, to rifle through the files of hundreds of the
psychologist’s other patients – all of which contain personal photos, videos, private thoughts,
conversations, religious and political views, links to outside websites, phone numbers, e-mail
addresses, and even contemporaneous GPS locations. Further, while the DJO visits the office, he
shape-shifts into the physical form of the juvenile and may be spoken to personally by any of the
other patients in the waiting room who mistake him for the juvenile. Upon leaving, it is
impossible for the psychologist or the juvenile to know that the DJO entered the office posing as
the juvenile. All the while, the unsuspecting psychologist is assuring his patients – and his
patients’ parents – that such activity is prohibited, and that he takes extra precautions to protect
the privacy of his 13- to 17-year-old patients. Finally, the time period of the DJO’s access to the
psychologist’s office is indeterminate. Independent of any agreements between the psychologist
and the juvenile and/or the other patients, logic would dictate that the juvenile simply may not
single-handedly give such permission to the DJO.
9
To fully understand the implications, it is important to understand how Facebook works.
When new users visit Facebook.com, they have the opportunity to sign up by providing their first
names, last names, e-mail address, genders and full dates of birth. See Sign Up, Facebook,
http://www.facebook.com. Once users become members, they can then create their Facebook
“profiles” where they can post various content about themselves. For example, Facebook has an
“info” section where members can elect to provide information about their cities of residence,
friends and families, education and work histories, philosophical / religious views, favorite arts
and entertainment, sports, contact information and other activities and interests. Furthermore,
members can post “status updates” about what they are currently doing or thinking, they can
include information about their current whereabouts, upload photos or video, share links to
outside websites, and even interact with their Facebook accounts using outside applications – for
example, a member can use the Nike + iPod chip in her shoe in conjunction with her iPhone to
contemporaneously post information about her run to her Facebook account to solicit
congratulations and encouragement from friends,see Nike + GPS, iTunes,
http://itunes.apple.com/us/app/nike-gps/id387771637?mt=8.
The most essential aspect of Facebook is that members can become “friends” with other
members and interact – hence the name, social networking. In order to become friends, a
member must locate another member by way of a search and send that member a request, which
that other member must then accept. Once these two members become friends, they can then
interact. For example, they can identify each other in photos or videos without seeking
permission to do so (called “tagging”), they can announce they “like” each other’s status updates,
and they can post comments on each other’s “walls.” Friends can send each other private
messages, much like e-mail, and participate in instant message “chats.” Furthermore, when a
10
member logs in, the first thing she sees is her “News Feed” – an interactive, multi-level news
ticker of her friends’ Facebook activity. At the same time, her friends can now see that she is on
Facebook, just as she can see which of her friends are on Facebook, due to the chat feature. In
short, Facebook friends have the ability to share an immense world of personal data in real time.
However, despite the social nature of Facebook, its information is not necessarily
“public.” Members can choose from a number of privacy settings to restrict who may view their
information.7 See Control Over Your Profile, Facebook,
http://www.facebook.com/about/privacy/your-info-on-fb#controlprofile. For example, members
can generally elect to make their profile information “Public,” visible only to their friends, or
even “Customize” their audience. Members can even selectively choose different privacy
settings for different content within their profile. See id. Facebook further explains, “Whenever
you post content (like a status update, photo or check-in), you can select a specific audience, or
even customize your audience.” Control Each Time You Post, Facebook,
http://www.facebook.com/about/privacy/your-info-on-fb#controlpost. Furthermore, members
can control “whether people who enter [a member’s] name on a public search engine may see
[that member’s] public profile (including in sponsored results).” See Public Search Engines,
Facebook, http://www.facebook.com/about/privacy/your-info-on-other#public_search.
Speaking to the issue of the expectation of privacy – both of the juvenile and her friends
– Facebook institutes automatic privacy settings for minors (ages 13-17) that use its site.
Facebook assures parents:
The only people who can see what teens post are their Facebook friends, friends of friends, and networks (like the school they attend). We maintain added protections and security settings for teens (age 13-17) that ensure their profiles
7 MySpace provides a number of comparable privacy setting options. See Privacy Settings on MySpace, MySpace, http://www.myspace.com/pages/privacysettings.
11
and posts don’t show up in public search results. Similarly, if teens share their location through Places, only their Facebook friends can see it.
Help Your Teens Play it Safe, Facebook, http://www.facebook.com/about/privacy/your-
info-on-fb#!/safety/groups/parents; see also Sign Up, Facebook,
http://www.facebook.com (“Facebook requires all users to provide their real date of birth
to encourage authenticity and provide only age-appropriate access to content.”). Just like
adult users, these juveniles can elect to use even more restrictive privacy settings than
those already mandated by Facebook, and many of them likely do so.8
As such, by logging in as a single juvenile Facebook member, the DJO and the
State would then have inside access to hundreds of profiles, comments, photographs,
videos and contemporaneous locations of adults and minors that the State would
otherwise be unable to see. This Court would be constructively imposing Rule 14 on
hundreds of unsuspecting and innocent people – many of which will not even be residents
of St. Louis or even Missouri, and are thus well outside of this Court’s jurisdiction. Nor
are these people necessarily fellow probationers with a similarly diminished – though not
extinguished – expectation of privacy; in fact, most probably are not. While Facebook
has warned its members that the transferability of online digital content makes it difficult
for Facebook to assure total privacy, by logging in as the juvenile who has been granted
access to her friend’s profiles, the State is obliterating all of Facebook’s privacy
safeguards without notifying Facebook or its users. And because of the highly interactive
nature of Facebook – no matter what the intent of the DJO – it would be literally
8 See also Privacy Settings on Myspace, MySpace, http://www.myspace.com/pages/privacysettings (last visited Oct. 13, 2011) (“If you are under 18, you can choose to make your Profile Content available only to your friends and other users under 18.”); Bebo Privacy Policy, Bebo, http://www.bebo.com/Privacy2.jsp (“For users identifying themselves as being under the age of 18, the default setting for profiles is private.”).
12
impossible to log on as a juvenile and only view that juvenile’s content. Thus, Rule 14
grants a sweeping permission for DJOs to violate not only the reasonable expectations of
privacy of juvenile probationers, without the constitutional requirement of individualized
suspicion, but also to violate the reasonable expectations of privacy of hundreds of non-
probationers as well.
III.A. RULE 14 IGNORES FACEBOOK’S TERMS,9 WHICH PROHIBIT SITE USERS FROM SHARING LOGIN INFORMATION, TRANSFERRING AN ACCOUNT TO A THIRD PARTY, ALLOWING A THIRD PARTY TO ACCESS A USER’S ACCOUNT, OR ACCESSING AN ACCOUNT BELONGING TO SOMEONE ELSE.
In its Statement of Rights and Responsibilities (“Terms”) – which can be accessed via a
link appearing at the bottom of every Facebook page – Facebook states, “This Statement of
Rights and Responsibilities . . . governs our relationship with users and others who interact with
Facebook. By using or accessing Facebook, you agree to this Statement.” Statement of Rights
and Responsibilities, Facebook, http://www.facebook.com/terms.php?ref=pf. For clarification,
Facebook further defines an “active registered user” as “a user who has logged into Facebook at
least once in the previous 30 days.” Id. § 17.8.10
Facebook goes to great lengths to prohibit access to its site via accounts other than a
user’s own authentic account. It states the following:
9 Rule 14 requires that a juvenile provide her login information to any social networking site to which she is a member. This Court could not possibly have read or considered the terms of service of all social networking sites before putting this Rule to use, leaving juveniles open to liability this Court has not even considered.10 MySpace adopts similar – if not stronger – user language:
By accessing and/or using the Myspace Services, you agree to be bound by this Agreement, whether you are a "Visitor" (which means that you simply browse the Myspace Services, including, without limitation, through a mobile or other wireless device, or otherwise use the Myspace Services without being registered) or you are a "Member" (which means that you have registered with Myspace). The term "User" refers to a Visitor or a Member. You are authorized to use the Myspace Services (regardless of whether your access or use is intended) only if you agree to abide by all applicable laws, rules and regulations (“Applicable Law”) and the terms of this Agreement.
MySpace.com Terms of Use Agreement, MySpace, http://www.myspace.com/Help/Terms.
13
Facebook users provide their real names and information, and we need your help to keep it that way. Here are some commitments you make to us relating to registering and maintaining the security of your account: You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission. . . . You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account. You will not transfer your account (including any page or application you administer) to anyone without first getting our written permission.
Id. § 4, 4.1, 4.8-.9. Conversely, Facebook states, “You will not solicit login information or access
an account belonging to someone else.” Id. § 3.5. Facebook further states, “If you collect
information from users, you will: obtain their consent, make it clear you (and not Facebook) are
the one collecting their information, and post a privacy policy explaining what information you
collect and how you will use it.” Id. § 5.7. The site then concludes by warning users, “If you
violate the letter or spirit of this Statement, or otherwise create risk or possible legal exposure for
us, we can stop providing all or part of Facebook to you.” Id. § 14 (emphasis added).11
Facebook has gone to equally great lengths in multiple locations on its site to be clear that
while user safety, security and privacy are of the utmost importance, it provides avenues for
proper disclosure of user information for law enforcement purposes. On its Facebook and Law
Enforcement page, Facebook acknowledges its willingness to work with law enforcement. See
11 MySpace also explicitly prohibits a user from allowing a third-person to log on to that user’s account, and conversely, a third-person from accessing a user’s account. MySpace.com Terms of Use Agreement, MySpace, § 4, http://www.myspace.com/Help/Terms (“You are entirely responsible for maintaining the confidentiality of your password. You agree not to use the account, username, email address or password of another Member at any time or to disclose your password to any third party. You agree to notify Myspace immediately if you suspect any unauthorized use of your account or access to your password.”). Myspace further explicitly states that it may terminate the accounts of – and pursue legal action against – users who engage in any of the following prohibited activities:
modifying, copying, distributing, downloading, scraping or transmitting in any form or by any means . . . any Content from the Myspace Services other than your Content which you legally post on, through or in connection with the Myspace Services; . . . impersonating or attempting to impersonate . . . another Member, or person or entity[;] . . . using the account, username, or password of another Member at any time or disclosing your password to any third party or permitting any third party to access your account; . . . or otherwise transferring your profile, your email address or URL. . . .
Id. § 8, 8.22, .27, .29, .30.
14
Facebook and Law Enforcement, Facebook, http://www.facebook.com/safety/groups/law (“We
work with law enforcement where appropriate and to the extent required by law. . . .”).
However, the site also recognizes that in order for it to disclose user information, law
enforcement must follow proper legal channels:
We respect and enforce applicable laws, and the limits they place on access to Facebook data. . . . Federal law prohibits Facebook from disclosing the contents of an account (such as messages, Wall posts, photos, etc.) except in response to a civil subpoena or court order. There are ways that we can provide a limited amount of information to help law enforcement officials do their jobs.
Id. (citing Stored Communications Act, 18 U.S.C. § 2701 et seq.). Furthermore, Facebook
provides a form through its Help Center, specifically for legal officials to contact Facebook. See
How Do I Tell Law Enforcement to Get in Touch with Facebook?, Facebook,
http://www.facebook.com/help/?faq=175909845799306#How-do-I-tell-law-enforcement-to-get-
in-touch-with-Facebook? (“Please ask law enforcement agents and legal professionals
investigating a civil or criminal matter to contact Facebook through this form.”); Law
Enforcement and Third-Party Matters, Facebook, http://www.facebook.com/help/?
page=211462112226850; Legal Inquiries, Facebook,
http://www.facebook.com/help/contact.php?show_form=legal_inquiries (“[T]his form is meant
for usage by officials only[:] . . . law enforcement agent[s], or member[s] of a law office/practice
or government agency. . . .”).
As the above language indicates, Facebook clearly instructs all users of its site –
including mere visitors – that users may not access the accounts of others. Furthermore,
Facebook prohibits users of its site from “consenting” to third party access to Facebook’s site
through a user’s account. And finally, Facebook is equally clear that law enforcement is to
request access to its site via proper legal channels.
15
Without question, Facebook and other websites have the legal authority to generally bind
their users to their terms of service if certain conditions are met. Although it is “an emerging area
of the law,” courts routinely uphold such agreements and “apply traditional principles of contract
law and focus on whether the plaintiff had reasonable notice and manifested assent to the online
agreement.” Major v. McCallister, 302 S.W.3d 227, 229 (Mo. Ct. App. 2009) (quoting Burcham
v. Expedia, Inc., 2009 WL 586513, at *2 (E.D. Mo. Mar. 6, 2009)). These agreements can
generally be broken into two groups: (1) “clickwraps,” where a user must click a box or a button,
and (2) “browsewraps,” where there is an indication “in some fashion that use of the site
constitutes acceptance of its terms of service.” Id. at 229-230 (extensive citation omitted).
“Courts usually uphold browsewraps if the user has actual or constructive knowledge of a site’s
terms and conditions prior to using the site.” Id. at 230 (citing Southwest Airlines Co. v.
BoardFirst, LLC, 2007 WL 4823761, at *5 (N.D. Tex. Sept. 12, 2007), quoted in Burcham, 2009
WL 586513, at *3 n.5 and Hines v. Overstock.com, Inc. 668 F. Supp. 2d, 362, 367 (E.D.N.Y.
Sept. 8, 2009)).
When first signing up for Facebook, the final submission button to create a member
profile is located directly above a statement that says, “By clicking Sign Up, you are indicating
that you have read and agree to the Terms of Use and Privacy Policy,” and provides a hyperlinks
to the relevant Terms pages. See Sign Up, Facebook.com, http://www.facebook.com (enter all
relevant personal information in the fields on the right side of the screen and hit the “Sign Up”
button; then see the subsequent screen for final submission). Furthermore, links to those same
Terms appear on the bottom of every single Facebook page.12 The Missouri Court of Appeals for
12 Similarly, on MySpace’s sign-up page, just above the “Sign up free” button is the hyperlinked statement, “By clicking Sign up free, you agree to Myspace terms of service and privacy policy.” Sign Up, MySpace, https://www.myspace.com/signup. Hyperlinks to those terms are also available at the bottom of every MySpace page.
16
the Southern District bound a Springfield, Missouri resident to “a forum selection clause limited
to Denver County, Colorado,” McCallister, 302 S.W.3d at 228-29 & n.2, under nearly identical
Terms location facts, id. at 230; see also Burcham, 2009 WL 586513, at *1, 4 (binding a
Missouri resident to a forum selection clause in King County, Washington under similar facts).
In McCallister, the Court of Appeals further noted that Missouri recognizes the “standard
contract doctrine” that “[w]hen one party accepts the other party’s performance, it gives validity
to an agreement even if unsigned, and imposes on the accepting party the obligations
thereunder.” McCallister, 302 S.W.3d at 231 (citing R.L. Hulett & Co. v. Barth, 884 S.W.2d 309,
310 (Mo. Ct. App. 1994)). As such, there is little doubt Facebook may bind Missouri users to its
Terms as they are presented to a typical new adult user. The question then remains whether the
Terms are binding in the case of a juvenile user or a DJO logging in as that juvenile user.
III.B. FACEBOOK’S TERMS APPLY TO JUVENILE USERS – CERTAINLY AFTER A JUVENILE COMPLIES WITH RULE 14 AND CONTINUES TO USE FACEBOOK – BECAUSE FACEBOOK MUST BE ALLOWED TO DETERMINE HOW ITS USERS ACCESS AND USE ITS VOLUNTARILY-PROVIDED SITE.
Questioning the ability of a juvenile to consent to Facebook’s Terms poses a logical
conundrum in this case because the issue is presented in the context of this Court asking the
same juveniles to sign off on to its Rules of Supervision/Probation. As Judge XXXXXX
correctly noted, when a juvenile consents to this Court’s Rules of Supervision/Probation, he or
she is does so under the care of – and with the co-signatures of – his or her parent/custodian,
DJO and Judge/Commissioner, all of whom understand and appreciate the terms. These
additional parties arguably help the juvenile understand the terms and to truly give his or her
consent.
Let us assume arguendo – without conceding – that when a juvenile joins and uses
Facebook, he or she is completely unsupervised and unable to appreciate or consent to the
17
Terms.13 However, at the time the juvenile signs this Court’s Rules of Supervision/Probation, the
Judge/Commissioner has a duty to make sure a juvenile is fully aware of the implications of the
agreement signed with this Court, see, e.g., Juv. Just. Standards Annotated: Standards Relating to
Dispositions § 1.2(D) (A.B.A. 1996) (“Juveniles should be given adequate information
concerning the obligations imposed on them by all coercive dispositions and the consequences of
failure to meet such obligations. Such information should be given in the language primarily
spoken by the juvenile.”); National Council of Juvenile and Family Court Judges, Juvenile
Delinquency Guidelines, ch. VII, § I, at 144 (2005) (“The juvenile delinquency court judge
should advise the youth, parent, legal custodian, and anyone involved in providing services in the
court’s disposition, of the consequences of failing to comply with the orders. The judge should
provide an opportunity for the youth, parent, and legal custodian to ask final clarifying
questions . . . .”), as does the juvenile’s defense attorney, see Mo. Sup. Ct. R. § 4-1.4(b), 4-1.14,
4-2.1. The Judge/Commissioner and the DJO are now aware of Facebook’s Terms. Therefore, at
the time of signing, all parties should be just as informed of Facebook’s Terms as of this Court’s
Rules of Supervision/Probation. With any future use of Facebook, the juvenile would necessarily
be bound by its Terms. The juvenile would then turn over his or her login and password to the
DJO – and allow the DJO to access Facebook – in violation of those Terms.
Moreover Congress has passed the Children’s Online Privacy Protection Act of 1998, 15
U.S.C. 6501, et. seq. The Act, and the Regulations promulgated thereunder, see 16 C.F.R. §
312.1-.12, regulate the collection of personal information of children by operators of websites or
other online services. See 15 U.S.C. § 6502(a)(1), (b). In doing so Congress defined a “child” as
“an individual under the age of 13.” Id. § 6501(1). This indicates Congress contemplated
13 This supposition rests on the bold assumption that the juvenile’s parents are not involved with the juvenile’s Facebook use. This assumption is particularly difficult given the common practice of a parent and juvenile being Facebook “friends.”
18
limiting the use of websites by children less than 13 years of age. Furthermore, Congress must
have anticipated use of websites by juveniles between the ages of 13 and 17, and yet it chose not
to include these juveniles within the statute. Cf. Hartford Underwriters Ins. Co. v. Union
Planters Bank, N.A., 530 U.S. 1 (2000) (“[H]ad Congress intended the provision to be broadly
available, it could simply have said so.”) This is undoubtedly why Facebook, MySpace,
YouTube, and Bebo all require that their users be over the age of 13.14
It is important to distinguish Facebook’s Terms prohibiting unauthorized access to its
network via shared logins and passwords from the traditional, onerous contracts this Court may
wish to discount. This is not the case of Facebook attempting to enforce an arbitration clause
binding a juvenile to arbitrate all disputes with Facebook in Denver County, Colorado. See, e.g.,
McCallister, 302 S.W.3d 227 (Mo. Ct. App. 2009) (holding – in a case involving an adult – that
such a clause was valid). Rather, this is an example of Facebook setting the parameters for how
users of its site – to which Facebook is voluntarily granting access – will use its site, and these
parameters protect other users. Facebook is exercising its right to exclude by stating very clearly,
“If you violate the letter or spirit of this Statement, or otherwise create risk or possible legal
exposure for us, we can stop providing all or part of Facebook to you.” Statement of Rights and
Responsibilities, Facebook, http://www.facebook.com/terms.php?ref=pf. Similarly, while we
may not enter a “contract” with a minor under the age of 18 in Missouri, see Mo. Rev. Stat. §
431.055, we could certainly condition a minor’s visit into our homes on an agreement that the
minor may not invite others into our houses or scream racial slurs at our dogs.
14 See Statement of Rights and Responsibilities, Facebook, http://www.facebook.com/#!/terms.php (“You will not use Facebook if you are under 13.”); MySpace Terms of Use Agreement, MySpace, http://www.myspace.com/help/terms (“By using the Myspace Services, you represent and warrant that . . . you are 13 years of age or older.”); Terms of Service, YouTube, http://www.youtube.com/t/terms (“[T]he Service is not intended for children under 13. If you are under 13 years of age, then please do not use the Service.”); Terms of Service, Bebo, http://www.bebo.com/TermsOfUse2.jsp (“You must be 13 years or older to use the Bebo Service.”).
19
Even if Facebook is unable to “contract” with its juvenile users, surely it must be
afforded some rights to set its parameters of use. To hold otherwise would invite absurd results.
If Facebook cannot prevent its users between the age of 13 and 17 from granting unauthorized
access to its site by third parties, it would follow that Facebook would also be powerless to
prevent these same juveniles from “bully[ing], intimidat[ing], or harass[ing] any user[,] . . . .
post[ing] content that is hateful, threatening, or pornographic; incites violence; or contains nudity
or graphic or gratuitous violence. . . . [or] doing anything unlawful, misleading, malicious, or
discriminatory. . . .” Cf. Statement of Rights and Responsibilities, Facebook, § 3.6, 3.7, 3.10,
http://www.facebook.com/terms.php?ref=pf. In fact, if so held, Facebook would presumably be
unable to terminate its juvenile users’ accounts unless there was a proven violation of applicable
law. And even then, it would be unable to enforce its Term that “[i]f we disable your account,
you will not create another one without our permission.” Cf. id. § 4.3.
III.C. FACEBOOK’S TERMS APPLY TO AN ADULT DJO – EVEN ASSUMING THE DJO DOES NOT ALREADY HAVE HIS OWN PERSONAL ACCOUNT – BECAUSE (1) THE TERMS APPLY TO ANYONE WHO USES OR ACCESSES FACEBOOK AND (2) BY LOGGING IN AS ANOTHER USER, THE DJO IS BOUND BY THE TERMS AS A SUBLICENSEE OF THE OTHER USER’S ACCOUNT.
Independent of whether Facebook’s Terms apply to users between the ages of 13 and 17,
a DJO accessing Facebook would be bound by the Terms. As a preliminary matter, any DJO that
has a personal Facebook account in his or her own right would unequivocally be deemed a user
of Facebook, and would thus be bound by its terms. See McCallister, 302 S.W.3d at 230 (binding
a user to terms presented in an almost identical manner).
Alternatively, assuming a DJO does not have a personal Facebook account, Facebook’s
Terms clearly indicate that logging in to Facebook – if not merely visiting without logging in –
will bind the DJO. See Statement of Rights and Responsibilities, Facebook,
20
http://www.facebook.com/terms.php?ref=pf, (“This Statement of Rights and Responsibilities . . .
governs our relationship with users and others who interact with Facebook. By using or
accessing Facebook, you agree to this Statement.” (emphasis added)). By logging in, the DJO
will also be deemed an “active registered user.” See id. § 17.8 (“a user who has logged into
Facebook at least once in the previous 30 days”). Because a link to Facebook’s Terms appears on
every Facebook page, and we have now brought these Terms to this Court’s attention, the DJO
has “actual or constructive knowledge of [Facebook’s] terms and conditions prior to using the
site.” See McCallister, 302 S.W.3d at 230; Burcham, 2009 WL 586513, at *2 (E.D. Mo. Mar. 6,
2009) (“A customer on notice of contract terms available on the internet is bound by those
terms.” (citations omitted)).
Furthermore, a DJO is not only bound by the Terms as a visitor to Facebook in his own
right, he is also bound by the Terms as applied to the member account he is accessing. To hold
otherwise would lead to an absurd result. It would allow any person, even hackers, to log in as
another user – which Facebook explicitly prohibits, see Statement of Rights and Responsibilities,
Facebook, § 3.5, http://www.facebook.com/terms.php?ref=pf – and access Facebook completely
immune to its Terms. In Motise v. America Online, Inc., 346 F. Supp. 2d 563 (S.D.N.Y. 2004),
the United States District Court for the Southern District of New York reached this same
conclusion and held that a forum selection clause in AOL’s Terms of Service was binding on a
son who logged on to AOL using his stepfather’s account because the son was deemed a
sublicensee of the stepfather’s account. Id. at 564-566. The court explained that the son could not
have greater rights than those conditionally granted to his stepfather, and that “[a]ny other
conclusion would permit individuals to avoid [AOL]’s Terms of Service simply by having third
parties create accounts and then using them as [the son] did.” The United States District Court
21
for the Eastern District of Missouri agreed in Burcham v. Expedia, Inc., 2009 WL 586513 (E.D.
Mo. Marc. 6, 2009), offering a similar hypothetical:
Even assuming somehow that [plaintiff] never knew he created a [website] user account or that an account was created for him, [plaintiff] is still bound by the user agreement. . . . The user agreement specifically states that users consent to be bound to the agreement by accessing and using the website. Additionally, [plaintiff]'s attempt to hold some other anonymous individual responsible for agreeing to the terms must fail.
Burcham, 2009 WL 586513, at *4 (citing Motise, 346 F. Supp. 2d at 566).
IV. BY ACCESSING FACEBOOK’S COMPUTER NETWORK IN A MANNER EXPLICITLY UNAUTHORIZED BY FACEBOOK’S TERMS AND THEREBY GAINING INFORMATION FROM FACEBOOK’S COMPUTER NETWORK – PARTICULARLY ABOUT OTHER USERS – THIS COURT AND THE DJO RUN AFOUL OF FEDERAL AND MISSOURI COMPUTER FRAUD STATUTES AND MAKE THE CONSENTING JUVENILE AN ACCOMPLICE.
According to the federal Computer Fraud and Abuse Act, 18 U.S.C. 1030 (“CFAA”),
“[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized
access, and thereby obtains information from any protected computer . . . shall be punished . . .
[by] a fine under this title or imprisonment for not more than one year, or both . . . .” 18 U.S.C. §
1030(a)(2)(C), (c)(2)(A). Furthermore, “[w]hoever conspires to commit or attempts to commit an
offense” under the same provision shall be equally punished. Id. § 1030(b). A “computer” is
defined as “an electronic, magnetic, optical, electrochemical, or other high speed data processing
device performing logical, arithmetic, or storage functions, and includes any data storage facility
or communications facility directly related to or operating in conjunction with such device . . . .”
Id. § 1030(d)(1)(e)(1). A “protected computer” is one “which is used in or affecting interstate or
foreign commerce or communications . . . .” Id. § 1030(d)(1)(e)(2).
The Missouri Criminal Code criminalizes comparable – if not more expansive –
computer activities. The Criminal Code prohibits tampering with computer data (“TCD”):
22
A person commits the crime of tampering with computer data if he knowingly and without authorization or without reasonable grounds to believe that he has such authorization . . . . [1] [d]iscloses or takes a password, identifying code, personal identification number, or other confidential information about a computer system or network that is intended to or does control access to the computer system or network; [or] [2] [a]ccesses a computer, a computer system, or a computer network, and intentionally examines information about another person. . . .
Mo. Rev. Stat. § 569.095.1(4)-(5). Similarly, the Criminal Code prohibits tampering with
computer users (“TCU”): “[a] person commits the crime of tampering with computer users if he
knowingly and without authorization or without reasonable grounds to believe that he has such
authorization . . . [a]ccesses or causes to be accessed any computer, computer system, or
computer network.” Mo. Rev. Stat. § 569.099.1(1). A violation of either statute constitutes at
least a class A misdemeanor. See Mo. Rev. Stat. §§ 569.095.2, 569.099.2. The Missouri
Criminal Code also prohibits aiding such conduct:
A person is criminally responsible for the conduct of another when . . . before or during the commission of an offense with the purpose of promoting the commission of an offense, he aids or agrees to aid or attempts to aid such other person in planning, committing or attempting to commit the offense.
Mo. Rev. Stat. § 562.041.1(2). The term “computer refers to the hardware, software and data
contained in the main unit.” Id. § 556.063(2). A “computer system” is “a set of related,
connected or unconnected, computer equipment, data, or software.” Id. § 556.063(7). Finally, a
“computer network” is defined as “a complex consisting of two or more interconnected
computers or computer systems.” Id. § 556.063(5).
Although a plain reading of the elements of these laws would seem to implicate DJO
conduct under Rule 14, Missouri courts have not yet addressed the issue of website terms of
service under the federal and state computer fraud and tampering statutes. However, in
Facebook’s home state of California, courts have. As such, it is instructive to draw lessons from
the comparable California Comprehensive Computer Data Access and Fraud Act, California
23
Penal Code § 502 (“CCDAFA”) provision, which makes any person guilty of a public offense
who:
[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.
Cal. Penal Code § 502(c)(2).
The elements of the federal CFAA and Missouri TCD and TCU statutes are clearly met
by a DJO acting out Rule 14. Under the CFAA, if the DJO accesses Facebook using a juvenile’s
login and password, the DJO would be intentionally accessing a computer (Facebook and its data
storage and communications facility) and thereby obtaining information from a federally
protected computer that both affects interstate and foreign commerce and/or communications.
See 18 U.S.C. §§ 1030(a)(2)(C), (d)(1)(e)(1)-(2); see, e.g., United States v. Drew, 259 F.R.D.
449, 457 (C.D. Calif. 2009) (“[T]he latter two elements of the section 1030(a)(2)(C) crime will
always be met when an individual using a computer contacts or communicates with an Internet
website.”). Similarly, under Missouri TCD, the DJO would be knowingly taking a password
controlling access to Facebook’s network (and the juvenile would be giving the password). See
Mo. Rev. Stat. § 569.095.1(4). The DJO would also be accessing Facebook’s computer network
to intentionally examine information about another person (by definition, the DJO would be
examining information about both the juvenile and the juvenile’s friends). See Mo. Rev. Stat. §
569.095.1(5). Under the even lower threshold of Missouri’s TCU, the DJO would also be
knowingly accessing or causing to be accessed Facebook’s computer network. See Mo. Rev.
Stat. § 569.099.1(1). Furthermore, if the juvenile is not brought under the immediate purview of
the relevant statutes by surrendering her login and password knowing it will be used by the DJO
24
to access Facebook, she could be swept under by the accomplice / accessory provisions. See 18
U.S.C. § 1030(b); Mo. Rev. Stat. § 562.041.1(2).
The California courts have repeatedly indicated it is the owners of the computer networks
– in this case, Facebook – who set the conditions of access to their sites that will determine
whether access is or is not authorized. See, e.g., United States v. Drew, 259 F.R.D. 449, 461-62
(C.D. Calif. 2009) (“It cannot be considered a stretch of the law to hold that the owner of an
Internet website has the right to establish the extent to (and the conditions under) which members
of the public will be allowed access to information, services and/or applications which are
available on the website. . . . [and] the vast majority of the courts (that have considered the issue
[under the CFAA]) have held that a website's terms of service/use can define what is (and/or is
not) authorized access vis-a-vis that website.”); Facebook, Inc. v. ConnectU, 489 F. Supp.2d
1087, 1091 (N.D. Calif. 2007) (“[California’s CCDAFA] defines the criminal offense: taking,
copying, or using data ‘without permission.’ The fact that private parties are free to set the
conditions on which they will grant such permission does not mean that private parties are
defining what is criminal and what is not.”); see also Snap-on Bus. Solutions, Inc. v. O’Neil &
Assoc., Inc., 708 F. Supp. 2d 669, 676-78 (N.D. Ohio 2010); cf. United States v. Nosal, 642 F.3d
781, 785 (9th Cir. 2011) (“We hold that an employee ‘exceeds authorized access’ under [the
CFAA] when he or she violates the employer’s computer access restrictions – including use
restrictions.”). Furthermore, the federal CFAA and the Missouri statutes also allow for private
civil actions based on certain violations of the criminal provisions. See 18 U.S.C. § 1030 (g);
Mo. Rev. Stat. § 537.525. It would be wholly incongruous to allow parties to bring suits for
damages due to unauthorized access to their computer networks, yet not allow them to dictate the
terms authorizing such access. Cf. Corley v. United States, 129 S. Ct. 1558, 1566 (2009) (“‘[A]
25
statute should be construed so that effect is given to all its provisions, so that no part will be
inoperative or superfluous, void or insignificant . . . .’” (quoting Hibbs v. Winn, 542 U.S. 88, 101
(2004)).
It is important to stress that it is Facebook that must authorize the access to its computer
network under the CFAA and TCU and TCD, not the juvenile impacted by Rule 14. In
Facebook, Inc. v. ConnectU LLC, 489 F. Supp. 2d 1087 (2007), the United States District Court
for the Northern District of California rejected a Facebook competitor’s motion to dismiss a civil
claim under California’s CCDAFA where the competitor “accessed information on the Facebook
website that ordinarily would be accessible only to registered users by using login information
voluntarily supplied by registered users.” Id. at 1091. The competitor argued – as this Court and
the DJO must to allow Rules 14 to stand – that “Facebook’s ‘terms and conditions of use’ have
no applicability to ConnectU itself, which never registered as a user or agreed to those terms and
conditions.” Id. at 1091. The court, however, opted for a commonsense reading of “without
permission” and declined to limit Facebook’s cause of action only to those third parties who
supplied the competitor with their login information. Id. at 1091; see also DocMagic, Inc. v. Ellie
Mae, Inc., 745 F. Supp. 2d 1119, 1151 (N.D. Calif. 2010) (“‘[CCDAFA] prohibits knowing
access, followed by authorized (i.e., ‘without permission’) taking, copying, or using data,’
including where the access is by means of a third-parties’, voluntarily-provided log-in
credentials.” (construing ConnectU, 489 F. Supp. 2d at 1091)); Snap-on Bus. Solutions, Inc., 708
F. Supp. 2d at 677-78 (N.D. Ohio 2010) (noting it is the website owner that must give the
accessor adequate permission, otherwise “an unwelcome computer hacker could escape liability
under the CFAA by pointing to some third party who had theoretically given him permission to
hack the [website owner]’s computer.” ).
26
Furthermore, this Court and the DJO cannot claim to be surprised to learn that accessing
Facebook and hundreds of its users by logging in as a third party in defiance of Facebook’s
explicit terms likely run afoul of federal and Missouri law. Cf. United States v. Nosal, 642 F.3d
781, 787 (9th Cir. 2011) (“By using their authorized access to defraud [employer] in violation of
[employer]’s access restrictions [employee]’s accomplices certainly had fair warning that they
were subjecting themselves to criminal liability [under the CFAA].”). In addition to the fact that
Facebook’s Terms prohibit such means of access, and a link to the Terms is posted on every
page, as noted, Facebook also allows users to customize privacy settings – and it requires such
settings for minors – so that only “friends” can view their posted information. Cf. ConnectU, 489
F. Supp. 2d at 1091 n.5 (stating that an assertion that users who posted e-mail addresses to their
profiles had no reasonable expectation of privacy “discount[ed] unduly the right of Facebook
users to disclose their email addresses for selective purposes.”). Nor should there be concern that
in this case, accessing Facebook through a third party “would improperly criminalize certain
actions depending only on the vagaries and whims of the [Facebook].” Cf. Nosal, 642 F.3d at
788 (2011). In April of this year, the United States Court of Appeals for the Ninth Circuit held
that where an employee exceeded an employer’s computer access restrictions, “As long as the
employee has knowledge of the employer’s limitations on that authorization, the employee
‘exceeds authorized access’ when the employee violates those limitations. It is as simple as that.”
Id. at 788. Because in the case at hand, this Court and the DJO have clear notice of Facebook’s
access rules, as well as the relevant computer fraud law, “the rule of lenity . . . [should] not
support ignoring the statutory language” of the CFAA or Missouri’s TCD or TCU. Cf. Nosal,
642 F.3d at 788; but see United States v. Drew, 259 F.R.D. 449, 451 (C.D. Calif. 2009) (holding
that a misdemeanor conviction under the CFAA for “an intentional breach of an Internet
27
website’s terms of service, without more” was subject to the void-for-vagueness doctrine
(emphasis added)); cited in the dissenting opinion in Nasal, 642 at 790-91 (Campbell, J.,
dissenting).15
Finally, the case at hand would not be an example of the criminalization of innocent or
innocuous use of Facebook’s computer network. This is not the case of a parent asking neighbors
to purchase Girl Scout cookies in violation of a Term against solicitation; or a “lonely heart”
misrepresenting her appearance in violation of a term against posting misleading information; or
a student posting photos of classmates without permission; or a child under the age of 13 creating
an account; or even a cruel prank gone horribly wrong. See Drew, 259 F.R.D. at 452-53, 466.
And it is not just a violation of Facebook’s Terms and nothing more. See id. at 451, 467
(expressing concern that criminalizing all terms of service violations under the CFAA “without
more” would lead to statutory overbreadth). Rather, this Court is knowingly ordering a minor –
in the face of further detention – to violate Facebook’s Terms so that the State may access
Facebook and a network of hundreds of minors in a manner that Facebook expressly prohibits in
lieu of following the appropriate legal channels.
It is our firm belief that this Court and the DJO not only violate Facebook’s Terms, but
also quite literally meet every one of the elements required by the federal CFAA and the more
elaborate Missouri statutes exactly as the statutory language specifies. See Nosal, 642 F.3d at
782 (“[T]he specific intent requirements of [18 U.S.C.] § 1030(a)(4) sufficiently protect against
criminal prosecution those employees whose only violation of employer policy is the use of a 15 The issue at hand can be further distinguished from the Drew case – subsequently placed on tenuous ground by Nosal – where a MySpace user created a profile for a fictitious person, see Drew, 259 F.R.D. at 452-53. While creating a Facebook account for a fictitious member would violate Facebook’s terms of service, it would not automatically grant the fictitious member unauthorized access to other Facebook members’ profiles, especially minors’ profiles. The fictitious member would then have to ask other members for permission to become friends to gain access to their selectively private information. However, this Court’s Rule 14 would automatically allow the DJO to access a trove of Facebook user information without any such requests and consent from other users.
28
company computer for personal – but innocuous – reasons.”). To hold that a DJO’s
unauthorized access to Facebook is somehow not prohibited by law because this Court is unable
to understand that its actions – which align perfectly with the statutory language of each statute –
are prohibited would be to render each of the statutes meaningless.
V. EVEN WITHOUT FACEBOOK’S TERMS OF SERVICE OR ANY FINDING OF COMPUTER FRAUD VIOLATIONS, THIS COURT MUST FOLLOW PROPER JUDICIAL PROCEDURE FOR GAINING ACCESS TO FACEBOOK’S NETWORK AND HUNDREDS OF THIRD-PARTY PROFILES, WHICH CANNOT BE ACHIEVED BY IMPOSING RULE 14 ON A SINGLE JUVENILE USER.
As a final matter, as we have noted earlier, by signing into a juvenile’s account as the
juvenile, the DJO is potentially gaining unfettered access to hundreds, if not thousands, of other
minors whose information Facebook has expressly attempted to keep from openly-public access.
Independent of how Facebook’s Terms apply to the juvenile or the DJO, or whether the federal
or Missouri computer fraud statues apply, Facebook has been very clear about the channels
through which it provides law enforcement limited access to its information (namely, by
following the provisions of the Stored Communications Act, 18 U.S.C. § 2701 et seq.). There is
no reason to assume this Court and the State can gain access to Facebook’s network without
seeking Facebook’s permission or serving Facebook with subpoenas or warrants or following
other appropriate legal channels as required by the United States and Missouri Constitutions and
other applicable law for any other search or seizure from a third party – particularly third parties
not suspected of any wrongdoing. See, e.g., 18 U.S.C. § 1030(f) ([The CFAA] does not prohibit
any lawfully authorized investigative, protective, or intelligence activity of a law enforcement
agency of . . . a State, or a political subdivision of a State. . . .” (emphasis added)); 18 U.S.C. §
2703 (specifying the requirements for government entities to demand disclosure of “the contents
of any wire or electronic communication” by a provider of an “electronic communications
29
service” or “remote computing service”). Surely Facebook’s rights to prevent otherwise
unauthorized State access to its network cannot be merely waived by the consent of a single
juvenile user – a juvenile this Court has intimated may not even be capable of consenting to
Facebook’s Terms. We respectfully request that this Court cease and desist from circumventing
its duty to deal with Facebook – and access Facebook in a manner contrary to Facebook’s own
written policies – merely because it will be more expedient to do so.
CONCLUSION
For the reasons stated above, we respectfully request that this Court (1) remove Rule 14
from its Rules of Supervision/Probation entirely; (2) destroy any records of the usernames and
passwords of any and all juveniles already collected under Rule 14; and (3) notify any and all
such juveniles that they may wish to change all such usernames and passwords to ensure their
privacy. Furthermore, if this Court feels it has reason to request access to Facebook and the
information of hundreds, if not thousands, of innocent third parties, it should do so through
proper legal channels.
Respectfully submitted this 21st day of November, 2011.
___________________________________ ___________________________________Jeffrey Benjamin Rosebrough William WallerRule 13 Certified Student Attorney Rule 13 Certified Student Attorney
30
___________________________________Mae C. Quinn, Mo. Bar No. 61584Professor of LawCo-Director, Civil Justice Clinic –Juvenile Rights and Re-Entry ProjectWashington University School of LawOne Brookings Drive, Box 1120St. Louis, MO 63130-4899(314) 935-7238 Phone(314) 935-5171 [email protected]
31