CEO of craiglist Jim Buckmaster said misuse of the site is extremely rare, and is not tolerated. In the past, Buckmaster has defended this section of the web site as striking a balance between allowing free speech and preventing exploitation. The craiglist blog lists 18 separate measures that the site takes to prevent illegal activity on the site.

This is not the first time the “Exotic Services” section of the site has been criticized. A year ago, the Attorney General of Connecticut Richard Blumenthal threatened a suit against the site for allowing nude pictures to be posted. In November 2008, Craiglist was able to come to an agreement with 40 states, which terms including a posting fee for advertisers to the “exotic services” section that required a valid credit card and working phone number (the idea being that law enforcement could access this information by subpoena). The website also agreed to sue 14 companies and individuals who allegedly used the site to facilitate human trafficking, child exploitation, and prostitution.

While craiglist claims that all revenue earned from the fee will be donated to charity, Dart has chided these efforts at goodwill as “dirty money”, and that the efforts have had “little practical effect”. Craiglist has countered this by showing the enormous reduction in postings to this section of the website since this November agreement, and continues to emphasize its continuing cooperation with law enforcement all around the country.

While it is perhaps too soon to see how the case will turn out, the Sheriff will face a tough battle. §230 of the Communications Decency Act provides immunity for ISPs and other service providers against actions perpetrated by 3rd party users, and craiglist will surely advance this as their defense. However, §230 is not so broad as to exclude federal criminal liability, and Dart is claiming that craiglist is more than a passive website operator, but actually an accomplice to the multiple federal crimes.

The Cook County Sheriff, Tom Dart, speaks about the suit at a press conference on March 5:

Image Lincoln by Katy/teapics. Used under a Creative Commons BY-NC-SA 2.0 license.

As new technologies become part of our lives, teenagers figure out a way to use these technologies to do what it is they do best: get themselves into trouble. Cell phones and picture messaging are no exception. This fall, a fifteen-year-old girl in Ohio was arrested for taking nude photographs of herself and sending them to other minors. The teenager was charged with illegal use of a minor in nudity oriented materials and possession of criminal tools under Ohio law 2907.323(A)(3). The charges could also qualify the girl to be classified as a sex offender, requiring her to register annually. An Ohio prosecutor, Ken Oswalt, said that the other minors who received the photographs might also be charged for possession of child pornography.

The Ohio case was recently settled out of court, and the young woman in that case will not have to register as a sex offender. But the law at issue was Ohio’s version of Megan’s law, which has been enacted, with slight variations, in all fifty states and the District of Columbia. This means that a similar case could potentially come up anywhere in the United States. In fact, the case in Ohio is by no means the first instance of a minor being faced with criminal charges for taking and sending, or posting online, nude photographs of themselves. According to Fox News, “Similar cases have been reported in New Jersey, New York, Alabama, Utah, Pennsylvania, Texas and Connecticut.” Michigan and Florida have also seen similar cases. Because this is a growing trend, it is important to ask ourselves if criminal charges are the appropriate way to deal with these teenagers’ misconduct.

The aim of laws of this type (preventing sexual offenses against minors) is to prevent harm to the child. Proponents of the law in issue argue that this means protecting children from harm they could cause to themselves in addition to protecting them against harm caused by others. While the current law does this to a certain extent, it is also overly broad in that it imposes a different, and arguably worse, harm on the minor. It is true that once the photographs become public, they will likely haunt the teenager forever or could possibly end up in the hands of adults who are looking for child pornography, both of which are harms that we should be concerned about. However, imposing criminal charges will not undo the fact that the photograph(s) are now out in public. Additionally, imposing criminal charges, especially requiring the minor to register as a sex offender, is also likely to haunt them forever. It is hard to see how preventing harm to minors justifies imposing other harms on them: the stigma of a criminal record and being labeled as a sex offender.

You (or your IT staff) may have been thankful to find that spam traffic has been a bit lighter in the last few weeks, after the recent shutdown of a major spam hub that, by some estimates, was responsible for as much as 75 percent of the world’s junk mail. You might have expected the company facilitating all of that spam – not to mention illegally gathered credit card information and child pornography – would have chosen to operate from the relative obscurity of an offshore hosting service. Instead, McColo Corporation set up shop in San Jose, California in a “top-level modern [...] IT center.” To be clear, McColo is merely the “virtual host” for those that are actually sending the spam; something akin to a landlord of an apartment building in which most, if not all, of the apartments are being used for illegal activity.

In an interesting twist, it wasn’t U.S. authorities that shut down the hub – instead the companies that provided internet connection for McColo decided to cut ties. This leaves open the possibility of McColo finding another internet provider – or the individual sites being hosted by McColo to disperse, making them harder to track and shut down. In fact, only two weeks after the shutdown, spam levels are reported to already be back to two-thirds of their previous levels.

Brian Krebs of the Washington Post, who is credited with the initial investigation and breaking the story, writes that “Multiple security researchers have recently published data naming McColo as the host for all of the top robot networks or "botnets," which are vast collections of hacked computers that are networked together to blast out spam or attack others online. These include SecureWorks, FireEye and ThreatExpert.” According to Mr. Krebs, “[what is] unclear is the extent to which McColo could be held legally responsible for the activities of the clients for whom it provides hosting services. There is no evidence that McColo has been charged with any crime, and these activities may not violate the law.”

So what is the law (and what should it be?) in this murky, seedy area of the internet? Below is a roundup of various links that may help to address that question:

FBI wants widespread monitoring of ‘illegal’ Internet activity
Illegal Internet Activity a Growing Concern for Enterprise Organizations
Using the Law to Address Illegal Activity on the Internet
Employer responsibility to report illegal activities established by Court
FBI Internet Crime Complaint Center

Image Security by David Goehring. Used under a Creative Commons BY 2.0 license.

It has been over two decades since David Lightman, a scrawny Seattle high school boy, stole our hearts when he almost started World War III by hacking into the North American Aerospace Defense computer system in the 1983 movie Wargames. David Kernell, a modern day hacker, who allegedly broke into Sarah Palin’s personal Yahoo e-mail account certainly generated the same amount of attention, but he may not have elicited the same emotions.

The hacker impersonated Palin and used three pieces of readily available personal information in order to change the account’s password and get access to her e-mails. Palin’s e-mail contents, including some personal family pictures, went online overnight and in the process raised not only questions about internet security and personal privacy on the web, but also about whether Palin was deliberately attempting to hide public records by using a personal e-mail account to conduct state business.

This high-profile incident suggests it may be time to revisit the available legal tools to prosecute cyber crimes. The primary statute used to incriminate hackers is the Computer Fraud and Abuse Act (CFAA)—originally enacted in 1984. The statute makes it illegal for a person to “intentionally access[] a computer without authorization or exceed[] authorized access and thereby obtain[] … information from any protected computer ….” However, the statute does not make it easy for a prosecutor to charge Palin’s hacker with a felony, unless other conditions are met. Former Justice Department computer crime Prosecutor Mark Rasch anticipates that the hacker could be charged with as little as a misdemeanor and face “little, if any, jail time.” The statute calls for a felony charge if, inter alia, the value of the information the hacker obtains exceeds $5000, or if the hacking was “committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” It is not clear that Palin’s hacker falls under any of these categories.

According to computer experts, Palin’s hacker used a domestic proxy server in order to transmit the images to websites, which led to his arrest. One of the bigger problems stemming from advances in internet technology is the difficulty in tracking down hackers who leave little or no trace behind. One such dilemma results when a hacker cleverly uses a proxy server located in a foreign country, where potentially the United States has no jurisdiction (or means via a treaty) to subpoena the log entry. The need for more domestic and international protection remains a salient need of our society.

Even though Palin’s e-mail hacking incident is no inauguration of World War III, it is a wake up call to officials—who hopefully have checked their e-mail security by now—and legislators in charge of amending the laws. Today’s fast-paced technological society and the borderless world of the internet make us aware of the need for more protection against cyber criminals through broader statutes with provisions that cover not just hackers, but facilitators as well. The possibility of cyber crimes pushing countries into ratifying treaties like the Convention on Cybercrime, is, to say the least, a rational expectation.

Image Instant Messaging by Eric Bartholomew. Used under a Creative Commons BY 2.0 license.

Bullies. They’re an unattractive staple of childhood. Most of us have either been one, encountered one, or observed one in action. But, alas, gone are the good old days of schoolyard bullies, where our homes were still places of refuge from schoolyard threats and teases. A new era of bullying has arrived – cyberbullying.

If you’re reading this blog, then you might have already heard of the MySpace suicide case often used in awareness campaigns against cyberbullying. For those that haven’t, here’s a quick recap:

In November of 2007, Lori Drew was accused of helping her minor daughter create a fake MySpace account to lure, ridicule, and taunt her daughter’s ex-friend and neighbor, Megan Meier. Megan, at age 13, committed suicide as a result of the online bullying. While Missouri prosecutors were unable to find anything in the books to charge Lori Drew for criminal wrongdoing relating to Megan’s death, federal prosecutors in Los Angeles did not. This May, Drew was indicted by a grand jury in Los Angeles for conspiracy to commit a federal crime under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. While the trial was scheduled to begin on October 7th, it has not proceeded, and Drew’s defense attorney believes that the trial might be pushed further into December.

For a more thorough account of the story, see this New Yorker article, or follow the case on the Wall Street Journal Law Blog.

The question now is whether District Court Judge Wu should dismiss Drew’s indictments under the CFAA. And if so, what then for the morally reprehensible behavior of Lori Drew, an adult who instigated and heightened a game of child’s play that lead to a young girl’s suicide?

Let’s begin by examining the textual problems with charging Drew under § 1030(a)(2)(c). This subsection of the statute makes it a federal crime for anyone to intentionally access a computer without, or in excess of, authorization to obtain information from a protected computer, if the conduct involved an interstate or foreign communication. The Congressional intent of this statute was not to give federal jurisdiction over all circumstances in which someone unlawfully obtains information via a computer or the internet. Rather, subsection 1030(a)(2)(C) was amended in 1996 with the intent to use the CFAA to “protect against the interstate or foreign theft of information by computer.” The purpose of this subsection is clear: CFAA is meant to punish those who ‘steal’ information (whether tangible or intangible) through computers. What interstate theft was involved in the MySpace suicide? Even if we’re wildly assuming that juicy teen gossip can be considered an intangible good that the Drews ‘stole’ from Megan, where is the interstate connection? All the parties involved in this case resided in Missouri during the entire episode. The only interstate medium remotely applicable is MySpace. MySpace and its servers are in Beverly Hills, California, a subsidiary of Fox Interactive Media. But the communications exchanged were still between people within Missouri.

Furthermore, the statute has been historically applied to mostly internet hacking cases; if the prosecution is allowed to continue under CFAA, it’s a daunting expansion of the federal government’s jurisdiction into unchartered and unintended territories. When Drew and her daughter registered the MySpace account under a fake identity, Drew agreed to the website’s terms of service (TOS). (MySpace updated their TOS in February 2008; this linked version may be different from the one Drew and her daughter agreed to in 2007). The TOS required Drew to register the account based on truthful and accurate information, to refrain from promoting false or misleading information, and to refrain from using MySpace to harass, abuse, or harm other people. The prosecution claimed that Drew and her daughter conspired to violate MySpace’s TOS when they set up their hoax account based on a fraudulent identify to use it for tortious actions against Megan Meier. Thus, according to the indictment, they violated provisions of the CFAA by intentionally accessing a computer without and in excess of authorization to obtain information from Megan over the internet.

Lawmakers and lawyers alike may feel their hair rise to hear the CFAA applied so broadly. What would it mean for users for the federal government to be able to broadly apply the CFAA to all users who register accounts under false information? For security purposes, I purposely register all my accounts under different date of births so that my personal information is not readily available on the web. Of course, the government won’t prosecute everyone that commits fraudulent registrations, right? But if not, how does the government decide who should be prosecuted, and will they be allowed to exercise such discriminatory selection? Allowing the prosecution to continue under the CFAA statute clearly raises issues related to social networking generally. It might not hurt to start reviewing some of the TOS you may have agreed to already, such as for Facebook, Twitter, Habbo, Friendster, or Orkut.

Justice Oliver Wendell Holmes said it best in his dissent in Northern Securities Co. v. United States: hard cases make bad law. What happened to Megan was a hard case – a life prematurely thrown away due to an immature prank by an adult. This awful tragedy draws on our innate social emotions to want to connect a law that can severely punish Lori Drew for her actions. But, as loud as society is screaming for justice, expanding the CFAA to such an extent is clearly bad law.

For those unsatisfied with the conclusions drawn above, here’s a tidbit to console if Drew avoids legal prosecution. While the court battles the legal dilemma of how to prosecute Lori Drew, if at all, the blogging community has been alive with their own sort of virtual vigilante justice. In mid November of 2007, when the story exploded over national television, video clips from CNN and Fox News, and even the original Suburban Journals article that first ran the story, all refrained from revealing the identify of Lori Drew to the public out of concern for her minor daughter. Repulsed by Drew’s action, the internet community was not so kind. By November 17, 2007, bloggers broadcast and posted Lori Drew’s name, police report, personal address, business information, phone number, and her husband’s employment information. Drew, who owned an advertising business, was rumored to have closed down her business and relocated due to her notoriety. Drew is sure to be haunted by her actions for a very long time. But is this form of virtual vigilante justice satisfying? Is it commendable or condemnable? The lines between the vigilante response and the original abuses grow increasingly unclear.

Though virtual vigilantism is a debatable sort of justice, the community at large has been taking a more definite form of justice – legislation. Numbers of states have either proposed or already enacted legislation that prohibits cyberbullying. See examples from New York, California, Illinois, and Missouri. Congress has also gotten involved, drafting a bill to make cyberbullying a federal crime, also known as the Megan Meier Cyberbullying Prevention Act.

Last week, a court in the Netherlands criminalized the theft of”virtual goods.” (Dutch news report.) According to a ruling handed down by a Dutch court, two teenagers, aged 14 and 15, were found guilty of theft after physically coercing a 13-year-old boy into transferring virtual money, a virtual amulet, and a virtual mask to their accounts in the online fantasy adventure game, RuneScape. Though the court only dealt with the theft issue and not the more obvious assault, it plainly and forcefully held that “[t]hese virtual goods are considered goods under Dutch law, so this is theft.”

Despite both the clarity of this ruling and the apparent intellectual property and monetary value that can be derived from games with their own currency and property, game-based virtual theft claims have had a rather uncertain history. For instance, Second Life, one of the Internet’s largest virtual realities, has seen both the wrongful “taking” of in-game land and a lawsuit between users for copying the design of objects sold in Second Life’s marketplace in the past year alone.

In the US, Minnesota police refused to recognize $4,000 of virtual currency stolen in Final Fantasy as a crime, explaining that because virtual items “are devoid of monetary value,” no crime had actually been committed. Perhaps even more significantly, the MMORPG, EVE Online, saw a large-scale banking scheme that defrauded a number of users. The stolen money was estimated to be worth as much as $170,000 in the real-world marketplace, and the scam even got the attention of some in the legal community who likened it to “actionable real-world fraud”.

Virtual goods like these, including game-based currencies, may not only have real economic value, but online communities like Facebook, Live Journal, and even Dogster have begun to create sentimental, communicative, and self-expressive value in virtual gifts that members can send to each other. These businesses, as well as games like Second Life and Gaia, are in some cases making tens of millions of dollars in revenue by selling virtual goods to personalize virtual avatars, land, and the like, and at least South Korea has even begun taxing these virtual property transactions.

Ultimately, as long as virtual goods inside of video games can be converted into real economic value, online thefts like the one seen in the Netherlands will continue or even increase “as ‘criminals’ may think the court systems and the police are not educated in online gaming, or the law as it pertains to in-game items and cash.” As one Dutch columnist argued even before this recent virtual theft, “[a]s long as the original owner loses something of value (such as virtual items) due to the act of another individual who gains possession over the item, it should . . . be qualified as theft, no matter whether the locus delicti is in the physical or the virtual world.”

¹  The Sexual Predator Punishment and Control Act: Jessica’s Law, http://www.83yes.com/language (last visited October 20, 2007).
²  Andy Furillo, Moving In on Sex Offenders, SACRAMENTO BEE, October 12, 2007, at A4, available at http://www.sacbee.com/111/story/428345.html (last visited October 20, 2007).
³  Sentencing Law and Policy, http://sentencing.typepad.com/sentencing_law_and_policy/(April 14, 2007, 13:30 EST).
⁴  Randy Dotinga, Attack of the Perv Trackers, WIRED, http://www.wired.com/science/discoveries/news/2006/11/72094 (last visited October 20, 2007).
⁵  Doe v Schwarzenegger, No. 06-6968 (D.N.D.Ca. Feb 22, 2007), http://prop83.org/Order%20of%20Dismissal.pdf.
⁶  Michael Rothfield, Some Sex Offenders Go Untracked, L.A. TIMES, October 19, 2007, available at http://www.latimes.com/news/local/la-me-offenders19oct19,0,6116786.story, (last visited October 20, 2007).