Tuesday, June 20, 2006

MySpace Complaint

The complaint: Download MySpace.pdf [PDF].

Some interesting excerpts:

Myspace1_1

The complaint includes a fairly lengthy list of criminal conduct that was allegedly tied to the failings of MySpace, and then notes:

Myspace2

Myspace3

The case-specific discussion starts on page 12:

Myspace4
Myspace5

http://lawprofessors.typepad.com/tortsprof/2006/06/myspace_complai.html

Current Affairs, Documents | Permalink

TrackBack URL for this entry:

http://www.typepad.com/services/trackback/6a00d8341bfae553ef00d83427292753ef

Listed below are links to weblogs that reference MySpace Complaint:

» By reader acclaim: MySpace sued over alleged assault by date from Overlawyered
On MySpace, a 19-year-old Texas youth approached a 14-year-old girl; his profile claimed that he was a high school senior on the football team. She says that following a series of emails and phone calls,... [Read More]

Tracked on Jun 20, 2006 9:13:07 PM

Comments

I'm struck by the presumption that if the man had been an 18-year-old high school football player, as we were led to believe, then nothing would have happened. Letting 14 year-olds meet 18-year-olds they don't know is safe and good parenting. Just because interactions happen on the Internet doesn't mean that they are any more out of the control of the parents than interactions at a mall, school, or Starbucks. If someone had approached her at Starbucks, falsely told her he was 18 and then assaulted her, could her family sue Starbucks?

Posted by: Christine Hurt | Jun 20, 2006 1:40:13 PM

I think there's a serious disconnect between technological capabilities and the legal requirements that AGs and this case are hoping to establish. (I'm coming from the technical side of things -- I'm an IT auditor -- not the legal side. When it comes to law, I'm really just an interested observer with a decent head on his shoulders. All disclaimers involving grains of salt apply.)

There's a saying in the programming world: GIGO, or "Garbage In, Garbage Out." Any age verification system is only as good as the information it receives, and right now there is no way to guarantee that a user is being completely honest. Credit cards can be stolen, or borrowed from parents; and in any case, MySpace is aiming to provide a Space for users from 14-17 who won't have a credit card. Users in the 14-15 age group won't have driver's licenses. There's no guarantee even of-age users will have either of those. Social Security Numbers could theoretically be used, but that creates a host of privacy issues, especially important in the wake of the recent data thefts. Of course, if they use SSNs, what are users in other countries supposed to do?

(Warning, pure opinion ahead.) I believe there needs to be some sort of responsibility on the part of families when it comes to internet usage. (Then again, I'm of the opinion that there needs to be more personal responsibility taken in general.) Parents need to be aware of what their children are doing and to whom they're talking. This isn't a technological problem. Children need to be taught "don't reveal personal information online" right alongside "don't take candy from strangers" and "don't let dirty old men touch you in the bathing suit area." (Back to regularly-scheduled programming.)

The person who can come up with a bulletproof authentication method is going to make himself very rich in this age of identity theft and (in my opinion misplaced) liability for users...but if he exists and has made his breakthrough, he hasn't told anyone else yet.

Posted by: Matt Wester | Jun 20, 2006 2:23:07 PM

I think you both strike a note with which I fundamentally agree. (Of note, I've discussed a similar issue over on my amusement safety blog in connection with a six-year-old riding a ferris wheel solo. Maybe I'll post that here sometime too.)

My first question is, indeed, where are the parents? Why is the fourteen-year-old on MySpace unsupervised? And, as Christine aptly notes, would it really have been okay if he'd been a high-school senior? I can't imagine putting either of my kids (4 and 7) on a 50-foot ferris wheel with minimal restraints solo, even if they meet the height restrictions. And I hope neither of them are trolling whatever the MySpace equivalent will be in 10 or 7 years, respectively, without my being around. (That said, if the Starbucks had facililtated the contact and had prior knowledge of similar activities, is it so self-evident that they couldn't be liable?)

But the evident fact that the parents should have done more -- or the fact that no authentication system is bulletproof -- doesn't, of course, mean MySpace can do nothing and just point fingers. (Of course, I don't think MySpace has done nothing, and what they've done may well be all they can do.)

One other note -- while I agree that many of the proposals conflict with existing technology, many of the AGs appear to be urging MySpace to make the minimum age 18. That is an age that is much closer to verifiable with current technology than 14. Certainly those systems can be circumvented, but it's harder, I think you'll agree, than something that's purely self-policed. (Put another way, I bet a lot more fifteen-year-olds got adult content on sites that used the "click here to confirm your age" systems than on sites that used the commercial age verification systems.)

So it leaves us with an interesting situation: When there is evidently no cost-effective (or even extant) system for confirming ages below 18 with any level of certainty, and, judging from the reports in the complaint, this sort of system is a magnet for predators, is it enough to say that we should have better parenting? Does the net utility of MySpace outweigh the net risks? Dunno. Lapsing into old fogey mode, I still just look at it as a design disaster filled with bad writing. But clearly it connects with many people.

Posted by: Bill Childs | Jun 20, 2006 3:43:05 PM

Measuring utility is difficult even in the most simple of circumstances, so I won't even get into that discussion. It's funny you should mention risks, though. In IT auditing, as in any kind of auditing, we look for risks and controls - validations, reconciliations, automated processes, and so on - to mitigate those risks. I think we're in agreement on the following:

Risk: Underage users can be taken advantage of by predators.

So what sort of automated controls could MySpace put into place to mitigate the risk?

  • They could build a check of some sort into the system to prevent underage users from joining in the first place. As I've said above, though, this is impossible. GIGO, and no universal verification factors exist.
  • They could prevent the predators from signing up, or contacting underage users. But how do you tell who is a "predator"? Do you place a blanket ban on messages between anyone over 18 and anyone under 18? If you do, the real predators will just lie about their age, or groups of friends will lie about their age to be able to message each other. See GIGO and verification, above.

Seems to me that systematic controls are right out. When that happens in auditing, we check for a reconciliation. In this case, monitoring every message passed on MySpace is infeasible -- there are simply too many. It'd be less like looking for a needle in a haystack and more like looking for one specific needle in a haystack-sized pile of needles. How does MySpace tell what messages are predatory, what information-sharing is duplicitous? How do they differentiate between me sending my cell-phone number to an old high-school friend and Julie sending her cell-phone number to Predatory Pete? No, the control has to be performed by the user and the parents. The first part of this control is at the user level. Julie -- or, let's shift away from this specific case, and just call her Jane (as in Doe) -- Jane needs to be careful what information she's releasing, and to whom she releases it. The "reconciliation" then needs to be performed at the parental level, keeping tabs on internet usage and understanding where Jane is going and whom she is meeting.

Now, let's assume that the AGs get their way. This case and a bunch of negative publicity push Fox into making MySpace open to verifiable 18+ only. (The following may seem like a strange digression, but I promise I have a point.) The internet's very interesting, from a structural standpoint. Very robust - if one route for information to flow is cut, it can take another. Information follows the same model. Other social networking sites would spring up to fill the "needs" of the underage people, the people who don't feel like giving Fox their credit card number, the people who are following their friends off of the suddenly-"lame" MySpace...and the predators.

Enforcement efforts on the internet end up looking much like attempting to catch water in a seive. Prime example: piracy, specifically filesharing. Napster in the late '90s was centralized, huge...and an easy target. Just like MySpace. From there, other programs sprung up which were less dependent on central administration and operation. Now, files are sent directly from one person to another, with a central server holding just an index. That's enough, under (for example) current Swedish copyright law, to keep a large and popular sharing site operational, although recent events say they might be testing that in their courts soon enough under pressure from US Big Media.

I realize I'm going on a bit long now, and perhaps digressing too far. I guess what I'm trying to get at is that there isn't much MySpace can do to alleviate the situation -- and ultimately, if they implement strict age-limiting controls, they will fail and another site will become "the next big thing" that can't do much to alleviate the situation. If the risk of young ones becoming prey to predators is going to be controlled, it has to be controlled by those young ones and by their parents. The only way to do that is education.

I just wonder if that can be explained satisfactorily to a judge or jury. Or, I suppose, if it holds up at all.

Posted by: Matt Wester | Jun 20, 2006 4:49:52 PM

You are, I'm fairly certain, correct that if MySpace does "too much" in response to this sort of concern, someone else will pop up to do something similar. Way back in around 1987, I set up what I suppose was a very early (and obviously tiny) social networking site on an Apple //e with a 1200 baud modem, and even then, hints of controls, etc., could cause claims of lameness.

That someone else who sets up the alternative will, in terms of identity and age verification, likely do something more than MySpace's initial controls (pre-Fox) but something less than whatever gets MySpace into the "too much" stage.

If the legal pressure mounts on that entity, the level of controls will slowly increase as the technology improves -- and if there is a demand, the technologies will develop. There's too much money in it for them not to.

But the post-Napster developments indicate that, as sievelike as it all is, the legal actions can change even internet behavior. As you note, the pressure from the US legal system *is* -- at least maybe -- going to knock out the nth "Napster replacement." And that's why I think that the presence of the legal pressure may end up having value.

I further agree that there is relatively little that MySpace can do with today's technology, though I may be more optimistic than you about what they can do that would at least knock out some of the low-hanging fruit of Bad Things. And so I don't agree that systematic controls are right out, at least long-term.

One could hope, too, that the press relating to lawsuits and the incidents cited in the complaint will get some parents to pay attention to what their kids are doing. These are faint hopes, I'll grant you.

And of course your final point is key. A jury may well conclude that better controls are necessary, and that if they're not feasible, it's negligent to have that sort of site at all.

Posted by: Bill Childs | Jun 20, 2006 5:51:29 PM

The big question here is, if more extensive age verification is required, who has to implement it? Every forum on the Internet? Every Blog? Every comment to those blogs? The Interent is communication and interaction, wouldn't the same arguments used against MySpace apply to anywhere on the Internet? And why is age the only thing that should be verified, how about felons, sex offenders, con-men, etc. This is really an attack on the concept of Interent anonymity.

There are a lot of foreseeable bad guys that might use the Interent and their existence is foreseeable to every website on the Internet. Does this mean every website should be burdened with the duty to stop them? Does this blog have to verify my age and identity to keep the rest of you safe?

Posted by: Ed | Jun 21, 2006 11:15:54 AM

Recall that the standard for negligence is exercising ordinary care under the circumstances. Part of my circumstances is the knowledge that the vast majority of readers are over 14 and that I make no effort to attract 14 year olds or, in fact, people under 18. So my circumstances dictate a very different extent of care than a company that markets to youth.

So, no, I don't need to implement age verification. And, of course, since tort law is case by case, even if I did operate something exactly like MySpace, I wouldn't be *required* to do something more than they do -- just might be smart from a litigation-avoidance standpoint.) We're not talking regulations, we're talking litigation.

Posted by: Bill Childs | Jun 21, 2006 11:50:43 AM


My question was retorical, I was trying to point out how a simple blog would at least have to begin to worry about such an issue and how their risk of litigation would drastically increase.

I understand the standard for negligence, but I am also sure you are well aware of the impact if this lawsuit is successful. What constitutes ordinary care will alter, in part, based on this decision.

Why do you suppose that appealing to 14-year-olds is a distinguishing factor? If its prudent for MySpace to verify age, why do you assume that another website that appeals to all ages would not have to? Even if you are correct and appeal to a certain age group is a determining factor, a huge number of sites would still be affected. Would a blog, forum, or chat server run by a 14-year-old be held to a legal standard that would require him to screen out adult users?

Do you really think common law imposes any less of a burden than regulation. If so, I think you vastly underestimate the effect litigation has on behavior. In many areas the risk of litigation has a stronger effect than a regulation. So, I don't think the term "required" is too strong. Regulation would actually be preferable because a blogger would be less likely to need an attorney to explain legal risks and recommend courses of action.

One of the great benefits of the Internet and its power to encourage innovation is that anyone can jump in with an idea with nearly no barriers. Lawsuits like these, if successful, would change that dynamic and introduce legal risks that would discourage participation and create new barriers. I am amazed how few attorneys realize these effects. Perhaps it is because the only clients they see are those that can afford to consult an attorney.

How many 14-year-old internet entrepreneurs won't even try because you need an attorney to advise them on their legal risks (based on the ordinary care in the industry) if they start that website they were planning.

Posted by: Ed | Jun 22, 2006 7:32:02 AM

Oh, I don't discount the regulatory effects of litigation. I was a pharmaceutical defense attorney and still consult with that industry. I do think that the effect of this case would be relatively localized but of course recognize the potential broad impact.

And it certainly would affect many sites, possibly for the worse, possibly not. Tort liability is something that smart entrepeneurs are thinking about already; that's not something that hurts the internet, just something that brings it into the rest of the world. When the tort liability is unjustified (as ultimately I think it would be here, by the way), that's bad. When it's justified, that's good. Same as products law, same as auto accident law.

Posted by: Bill Childs | Jun 22, 2006 3:57:32 PM

How do you feel about insurance contracts as a way to at least attempt to guarentee identity? Just say it is possible to buy a surety bond for oneself and also one's dependent under 18.....which would put the insurance carrier on the hook for validity and so there would be a financial risk or cost which could in essence motivate self police parents to take responsibility money out of their pocket for their own and their children's identity on the web? Just in theory?

Posted by: robin | Sep 10, 2006 8:33:47 AM

An interesting idea - if there's enough money in it to have carriers want to do it (and enough parents who would pay for it).

Posted by: Bill Childs | Sep 10, 2006 4:10:37 PM

I need help!!! I need to have a copy of my son's communications on myspace website. He is only 15 and is communicating with a mother of his friend (girl). This mother picked up my son at one of the gas station at the corner without my knowledge. I found out yesterday after he disappeared for 3 hours. Please let me know how, where, and who to get this communication copies from. I need to save my son from this old mother/woman.

Thank you
Faye

Posted by: Faye | Jul 30, 2007 2:11:55 PM

do you think us parents should have access to myspace

Posted by: jennifer | Jan 29, 2008 8:54:02 AM

Post a comment