Combating Online Impersonation
By Owen J. Sloane and Rachel Stilwell
Multi-platinum recording artist and songwriter Chris Daughtry was surprised to discover an impostor Facebook profile created in his name last year, and asked Owen Sloane to take action to have it removed. The impostor created the profile from scratch, using unlicensed photographs of Mr. Daughtry and attributing posted statements to the rocker without permission.
Actor/musician Jonathan Jackson (currently co-starring in ABC’s new drama “Nashville") enlisted the help of Leon Gladstone when Jonathan discovered an impostor Facebook profile in his name. That profile included statements attributed to Jonathan, asking fans to donate to a particular “charity." The charity did not exist; the whole Facebook site was a scam targeting the actor’s fans.
On behalf of private individuals as well as public figures, our firm has enjoyed success convincing Facebook and Twitter to quickly remove impostor profiles. However, many individuals working by themselves have struggled to receive swift action from social media sites, even after following the protocols required by those entities for reporting such abuses.
In its most recent SEC filing, Facebook disclosed that approximately 83 million of its user accounts were fakes or duplicates, and that nearly 14 million of those accounts were “undesirable," i.e., created specifically to violate Facebook’s terms of service. “Undesirable" accounts include spammers and impostors.
Impostor Facebook profiles are distinct from merely “fake" profiles. “Fake" profiles describe someone who doesn’t actually exist, but whose appeal dupes users into “friending" the phony persona. Then the creep behind the fake profile can spy on the victim’s Facebook postings that would otherwise be shielded from public view.
On the other hand, impostor profiles actually impersonate a particular victim, utilizing without permission the name and likeness of that victim, and purporting to speak on behalf of him or her. Such impersonation can occur regardless of whether the victim uses social networking sites at all.
Another trend involves prospective employers and colleges coercing applicants to provide passwords to social networking sites so that screeners can review otherwise private information about the applicant. Accordingly, California recently passed three new statutes aimed at protecting employees and students’ online privacy. Last month, California Governor Jerry Brown signed Assembly Bill 1844, which prohibits employers from demanding access to social media accounts belonging to job applicants and employees. Two more new California statutes aim to protect students: Senate Bill 1349 prohibits public and private universities from requiring a student, prospective student or employee to disclose his/her social media account information. Assembly Bill 1732 allows schools to suspend or expel any students who creates an online profile impersonating a classmate. These new California statutes are effective January 1, 2013.
Users of social media sites have long faced challenges trying to retain a modicum of privacy while enjoying the benefits of social media. Online impersonation is a particularly insidious type of invasion of privacy that can cause victims extraordinary anguish and distress.
Impostors come in many forms. We know of one instance in which a perpetrator created an impostor Facebook profile stating false information about an elderly New York resident—a distant member of the perpetrator’s family. The victim had recently announced that he had cut the impostor out of his will. The perpetrator allegedly retaliated by creating an impostor Facebook profile that asserted false information about the victim and purported to speak for the victim in an unflattering way.
Author Susan Arnout Smith learned the hard way that using Facebook’s online forms to report an impostor profile can lead to…. nothing at all. In her Salon.com article “ The Fake Facebook Profile I Could Not Get Removed," she chronicled her months-long effort to get Facebook to remove a defamatory impostor profile in her name and likeness. After Ms. Smith clicked the “remove this fake profile" box on the applicable Facebook form, the impostor profile remained active for over a month. The impostor attributed to Ms. Smith false solicitations to pay strangers for sexual favors, and posted a photograph in which Smith’s face had been spliced onto a body wearing only underwear. After unsuccessfully using Facebook’s online forms, she diligently tried – and failed-- to reach a human being at Facebook by phone or email. Ms. Smith’s research indicated that the impostor profiles had been created by two adolescent students attending schools abroad. Having run out of patience with Facebook, Smith contacted the principals of the schools attended by the bullies who had posted the profile. The principals of those schools were finally able to get Facebook to remove the offending page.
The elderly man who discovered an impostor Facebook profile after changing his estate plan enlisted his tech-savvy son to help him contact Facebook. Facebook refused to accept a takedown request from the son on behalf of his father, alleging that they could only accept a takedown request from the victim himself, who was required to upload government-issued identification. After the victim used Facebook’s forms to report the impostor profile, the profile remained online for several weeks. Frustrated by the delay, the victim hired a law firm to send a cease and desist letter to Facebook. The same day that the attorney’s letter was received by Facebook, the impostor profile was finally removed.
Laws vary by state with respect to online impersonations. Many courts have considered online impersonation to be a form of identity theft or defamation, but since impersonation on social media often does not involve money, many victims have found it daunting to show that they suffered money damages.
A California law that came into effect in 2011 provides civil and criminal liability for “any person who knowingly and without consent credibly impersonates another actual person through or on an Internet Web site or by other electronic means for purposes of harming, intimidating, threatening, or defrauding another person." In addition to making such action punishable by up to a year in jail and/or criminal penalties of up to $1000, Cal. Penal Code § 528.5 provides for victims’ private right of action for compensatory damages, attorneys fees and injunctive relief for civil enforcement. In cases where it is proved by clear and convincing evidence that a defendant has been guilty of oppression, fraud or malice, the court may also award punitive or exemplary damages.
In In re Rolando S., 197 Cal. App. 4th 196 (Cal. App. 5th Dist. 2011), a California Court of Appeal addressed an identity theft claim against a juvenile who had received an unsolicited text message that included the password to an email account belonging to an adolescent acquaintance. The juvenile used the password to gain access to the victim’s Facebook account, where he posted prurient messages in her name and “altered her profile description in a vulgar manner."
Interestingly, Rolando S. argued that his conduct would have violated the newly-enacted online impersonation statute, Cal. Penal Code §528.5, had that statute been effective at the time he had hacked into the victim’s Facebook account and posted the offensive messages. But he argued that since his hacking and defamatory conduct predated the effective date of Section 528.5, that new law was inapplicable. He further argued that he could not be held liable under Cal. Penal Code § 530.55 (a), which makes it a crime to willfully obtain personal identifying information of another person and use that information “for any unlawful purpose." He argued that he did not “willfully obtain" the victim’s password; rather he received it inadvertently by text message. The Court of Appeal disagreed, and accepted the prosecutor’s argument that the defendant had acted willfully by using the password to gain control of the victim’s Facebook account, even though he had passively received the password by text message and took no action to obtain it.
Rolando S. was found criminally liable for identity theft under § 530.55 and was also held to have committed libel by virtue of having written “sexually explicit and vulgar comments on the victim’s friends' walls, accessible by the victim’s friends and acquaintances, and purportedly as her," and by publishing material that “clearly exposed the victim to hatred, contempt, ridicule and obloquy with his actions."
Had the defendant’s actions occurred after the effective date of §528.5, the victim could have filed a civil action under that statute and sought punitive damages and attorneys’ fees under Cal. Penal Code §502. Since §528.5 is such a new law, In re Rolando S. is the only decision thus far that has discussed that statute. We look forward to reading future court decisions interpreting this new law, which was designed in part to make it easier for victims of online impersonation to prove that they are entitled to substantial money damages from the perpetrators of such acts.
Other states including New York, Texas, Mississippi, Washington, and Hawaii have enacted laws punishing online impersonation, while lawmakers in Louisiana, Illinois and Rhode Island recently introduced similar legislation.
In the event you find yourself the victim of online impersonation via hacking or an impostor profile, save a PDF of the offending communications including a date/time stamp, and complain immediately to the social media site, demanding to have the impersonating data removed. If the site does not respond by removing the material in what you believe is a timely manner, consider hiring an attorney to speak on your behalf and further advise you of your options.