• Criminalizing cyberspace: from Myanmar to California, going digital can mean going to jail

    Nov 24, 2008 11:15 pm by debaron@illinois.edu

    Myanmar, the country formerly known as Burma, has sentenced prominent comedian U Maung Thura to 45 years in jail for violating the country's "Electronic Act," which strictly controls digital communication. 

    An internet class in Myanmar

    An internet class in Myanmar; with a population of 48 million, there are only 40,000 internet users, making it, per capita, one of the least connected countries in the world.

    Maung Thura, better known by his stage name Zarganar, "the tweezers," had criticized the government's response to the May cyclone which killed 130 million Burmese, and organized a private effort to help the storm's victims. Police seized the comedian's computer and CDs with images of the disaster that the government did not want made public.

    Burmese bloggers are subject to criminal prosecution in secret police courts for distributing news and information about events in Myanmar, as are democracy advocates and others labeled dissident or counterrevolutionary. It's likely that the court will add more time to Maung Thura's sentence once it rules on the other charges laid against him.

    In addition to punishing individual computer users, Myanmar regularly pulls the plug on its internet as part of the country's self-imposed isolation from the rest of the world.

    Myanmar's home page 

    The government unplugged Myanmar's internet during the 2007 cyclone so that news of the destruction wouldn't get out, but even on a good day, the Burmese net barely moves: as this screen shot shows, after more than 20 minutes, only a small portion of myanmar.gov.mm managed to load. Links on the site to current Myanmar news stories haven't been updated since 2007.

    Governments around the world from China to Syria to Cuba strictly control computer use and routinely jail their citizens for violating digital communication laws. Even the United States, which takes a much more liberal approach to computer use, has its own version of Myanmar's "Electronic Act," and it too can land "users" violating its provisions in the clink.

    The U.S. Computer Fraud and Abuse Act (CFAA), a kind of Digital Patriot Act, gives the federal government broad powers to protect computer data "against unauthorized disclosure for reasons of national defense or foreign relations . . . . [when] information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation." CFAA also criminalizes hacking bank computers or stealing online credit information; and breaching private computers to perpetrate fraud.

    The Massachusetts Bay Transportation Authority invoked the CFAA to get a temporary restraining order against three MIT students who wanted to present their computer science term paper on how to hack the transit company's fare ticket at the DEFCON computer security conference in Las Vegas. In their defense, the students insisted that their presentation did not actually show people how to ride for free, plus they offered to tell the MBTA exactly where its system was vulnerable.

     

    In refusing to extend the ten-day TRO, U.S. District Judge George A. O'Toole Jr. said "the damaging 'transmission' of information that is regulated by the Computer Fraud and Abuse Act applies to computers, not to speech." In other words, the students could talk about their hack at a conference as long as they didn't email about it.

    The MIT 3 who hacked the MBTA fare ticket 

    Did they ever return? The MIT 3, who hacked the MBTA's CharlieTicket

    Across the continent, another CFAA trial continues in California. In this case, a Missouri woman is charged with "three counts of accessing a computer without authorization via interstate commerce to obtain information to inflict emotional distress," a violation of the CFAA which carries a maximum sentence of 20 years.

    The woman, Lori Drew, allegedly posed as a teenage boy on MySpace, a ruse that led ultimately to the suicide of a 13-year old Missouri girl. Megan Meier had been Drew's neighbor and a friend of her daughter. Drew, together with her daughter and an employee, created a fictional boy named Josh who flirted with Meier online in order to find out if she was spreading gossip about Drew's daughter. When Drew and her accomplices felt it was time to end the deception, "Josh" told Megan "the world would be a better place without you," and Megan went to her room and hanged herself.

    MySpace logo

     

    The social networking site myspace.com bills itself as "a place for friends"

    Authorities in Missouri found that although the cruel deception had tragic results, no laws had been violated. But federal prosecutors in California, where MySpace has its servers, took jurisdiction, indicted Drew under the interstate computer communications provisions of the CFAA, and went to trial.

    In his closing argument, Drew's attorney reminded the jury that they weren't trying a homicide case: "This . . . is a computer case, and that's what you need to decide.'' The attorney insisted that the issue was whether Drew violated the MySpace terms-of-service agreement, but he argued that she never read that seven-page agreement: ''Nobody reads these things, nobody,'' he said. ''How can you violate something when you haven't even read it?"

    Prosecutors disagree, claiming that even if she didn't read the agreement, clicking the "agree" button subjects the user to the agreement's provisions. In addition, they reminded the jury that several people who were in on the hoax warned Drew that what she was doing was wrong.

    While Lori Drew may or may not be criminally culpable for the death of her neighbor's daughter, civil libertarians consider it a stretch to try her under the CFAA since the crime, if there was one, took place between two parties in Missouri who never physically crossed state lines.

    Protesting the use of the CFAA in this case, the Electronic Frontier Foundation has all but claimed, "Computers don't kill people. People kill people," an argument that might sound hollow until we remember that the Supreme Court ruled in the Heller Case last year that guns don't kill people, people kill people.

    What Drew and her accomplices seem guilty of is an act of bullying that went terribly wrong. On Law and Order Jack McCoy would charge her with involuntary manslaughter or depraved indifference. 

    But whether or not Drew violated a fine-print terms-of-service agreement that nobody does ever read, the Computer Fraud and Abuse Act is not designed to punish cyberbullies, and while the act does prohibit sending computer communications across state lines to cause "physical injury to any person," Drew hasn't been charged with causing physical injury, but with failure to comply with a contract.

    UPDATE: Drew was found guilty of three lesser, misdemeanor charges of unauthorized access to a computer, carrying pentalties ranging from probation to three years in prison.