The painful issue of cyberbullying has recently taken center stage in the ongoing debate about online child safety. Last week I wrote about Lori Drew’s acquittal on charges related to Megan Meier’s tragic suicide, suggesting that the judge in the case was right to overturn her conviction on a very expansive reading of the federal anti-hacking statute. While I think that decision was necessary on legal grounds, it’s sure to add “fuel to the fire” of calls for “action” in Congress.  Thus, I emphasized that observers of the case need to separate their understandable outrage from the from the questions of (1) whether that statute was properly applied and (2) how the law should treat such cases in the future.

On the second question, Adam and I recently released a major entitled, “Cyberbullying Legislation: Why Education is Preferable to Regulation.”  We distinguish among:

1. Cyberbullying: kid-on-kid abuse online
2. Cyberharassment generally: people of all ages using the Internet to harass each other
3. Adult-on-kid cyberharassment: For example, Lori Drew’s alleged (but still unclear) role in the Megan Meier case

In a nutshell, we argue that education is the better approach to cyberbullying (Problem #1)—an approach taken by a bill introduced in the Senate by Sen. Robert Menendez (D-NJ) and in the House by Rep. Debbie Wasserman Schultz (D-FL) .  We go on to argue that, while it would be difficult to create criminal sanctions for cyberharassment generally (Problem #2) without infringing free speech and due process rights, it might be possible to craft laws narrowly tailored to cyberharassment of kids by adults (Problem #3).

By contrast, Rep. Linda Sánchez has proposed the “Megan Meier Cyberbullying Prevention Act, which by its title purports to deal with that problem (#3) but would actually create a sweeping Federal felony for all cyberharassment (#2). We noted the potential Commerce Clause problems with states trying to regulate Internet speech, and emphasized education as a superior approach at both the federal and state level that avoids constitutional problems, but suggested that, if Congress does ultimately conclude a criminal law is needed for Problem #3, it would well to do look to how the states craft cyberharassment laws before creating any federal penalty.

Just about the time we finished our paper, Tennessee enacted a new law (PDF) that makes it a misdemeanor (up to 1 year in prison and a $2,500 fine) for making threats made online (cyberstalking) as well as certain instances of cyberharassment, defined as communications:

1. Made with “the malicious intent to frighten, intimidate or cause emotional distress”;
2. Made in a “manner the defendant knows, or reasonably should know, would frighten, intimidate or cause emotional distress to a similarly situated person of reasonable sensibilities; and
3. That actually result in making that person “frightened, intimidated or emotionally distressed.”

Prong #1 is essentially the same as the Sánchez bill (with the addition of the word “malicious”), while Prongs #2 and 3 somewhat increase the evidentiary burden faced by any prosecution under the law. So the bill suffers from many of the same problems that the Sánchez bill suffers from, which we discuss in our paper—most importantly, the bill would chill protected online speech because it is unclear when it would apply, and some online speakers would fear prosecution under the bill.

But what’s really disappointing here is that the original Tennessee bill at least recognized the critical importance of drawing distinctions by age.  It would have applied to specifically to harassing communications “with another person who is, or purports to be, less than 18 years of age” or to communications that cause “another person to be frightened, intimidated, or emotionally distressed, provided that the person’s response is one of a person of average sensibilities considering the age of the person.” While neither approach is quite what we recommend in our paper—if we’re going to criminalize anything, it should be adult-on-kid harassment—the original legislation was certainly better to what finally passed, which would likely fail to pass constitutional muster.

In a related context, Adam and I recently released another major paper detailing the serious consequences for online free speech of well-intentioned efforts to expand COPPA’s privacy protections for kids under 13 to cover all adolescents. There as here, while children under a certain age might be uniquely vulnerable and therefore require special protection (such as special penalties for cyberharassment by adults), we can’t treat everyone like small children without severely compromising freedom of expression online and the future vitality of the Internet itself. Again, this is why education is generally a better approach than criminalization.

Important article in the New York Times yesterday in which Brian Stelter wondered if, in the wake of the Lori Drew verdict this week, “Is lying about one’s identity on the Internet now a crime?” It’s still unclear if the case will have such profound ramifications, but it has many quite worried. Stelter quotes occasional TLF contributor Andrew Grossman, who is Senior Legal Policy Analyst at the Heritage Foundation. Andrew penned an outstanding paper on the case for Heritage in mid-September: “The MySpace Suicide: A Case Study in Overcriminalization.” He summarized the paper and the important issues at stake in the case in this post for the TLF: “Go to Jail for Online Anonymity: The End of Internet Freedom?”  Make sure you read them. I wholeheartedly agree with the concerns Andrew outlines in those essays.

You’ll also want to check out Orin Kerr’s analysis of the case over at the Volohk Consipiracy as well as his tounge-and-cheek piece today about changing the blog’s Terms of Service in light of the decision. I’ve been more focused recently on the threat posed to online anonymity by mandatory online age verification, but this case could have equally important ramifications.

Forget net neutrality and the growing Googleplex. The real threat to Internet freedom comes from plain old criminal law.

In three weeks time, Missouri housewife Lori Drew will face trial for entering false personal details when she signed up for a MySpace account. Her indictment alone, whether or not she is convicted, should frighten anyone who’s ever filled out a form online.

The case, which captured the tabloid media when it broke last year, turns on unusual facts. Drew, posting as a teenage boy, created the MySpace account to probe why a neighbor’s daughter, Megan Meier, had broken off a friendship with her own daughter. She gave a few others access to the account, and things quickly spiraled out of control. Before long, “Josh Evans” (the fictional teen) and Meier were an online couple, and soon after that, they were hurling insults at one another on public message boards.

Meier, already suffering from depression, was devastated by Josh’s turnabout. A final private message from the Evans account–“The world would be a better place without you”–pushed her over the edge. Twenty minutes after receiving it, Meier hung herself in her closet.

Even though she was not responsible for the worst of the messages (according to a prosecutor who investigated the case but declined to file charged), Lori Drew mislead an emotionally troubled youth, and that was surely wrong.

But it’s more problematic to say that it’s a crime.

The theory of the prosecutor behind this case would make all Internet users criminals. It goes like this: Drew lied when she created the “Josh Evans” account. That was a violation of MySpace’s terms of service (those slabs of legalese that nobody reads before checking the box on a sign-up form). And by violating those terms, she accessed MySpace without authorization. “Unauthorized access” is a felony under a federal statute, the Computer Fraud and Abuse Act of 1986. The statute was meant to target hacking, but its loose language leaves the door open for a much broader reading.

(And as I discuss in a National Review Online column today, that’s the same law that could be used to prosecute the person who hacked into Gov. Sarah Palin’s email account.)

To put it succinctly: Violate any website’s terms of service, and you could face five years’ jailtime. Include a conspiracy charge (Drew faces several), and the maximum sentence doubles.

As the Electronic Frontier Foundation spells out in a brief in the case, that formula spells an end to online anonymity. Using a fake name or making up any detail when creating an email account or anything else could be grounds for prosecution.

Even innocent exaggeration could be targeted. Adding an inch or two to your height is a violation of the terms of service on Match.com and most dating sites.

But that’s not the scariest part. This threat isn’t just about one law, twisted into absurd form by an aggressive prosecutor, but thousands of them. After decades of fast growth, there are at least 4,450 separate criminal offenses in federal laws, and perhaps tens of thousands more in regulations. And then there’s state law: Each state, to begin with, has its own copy of the federal anti-hacking statute Lori Drew is accussed of violating.

I discuss this issue, in the context of the Drew case, at some length in a recent paper. The problem, in brief, is this: Public pressure has led legislators to criminalize so much behavior in vague and broad statutes that probably all Americans are criminals under some dumb law. When there’s a tragedy–like the death of Megan Meier–prosecutions will follow, whether or not anyone had reason to believe that what went on was actually against the law.

Fixing this one statute won’t solve the problem.

Right now, the only thing that safeguards our online freedoms–anonymity, free speech, the right to access speech, and so on–is prosecutorial discretion that could be revoked for any one of us at any time for any reason. This isn’t a hypothetical–it’s happening today.