Wednesday, September 08, 2010

Nastiness in Legal Academia . . .

This post is a bit of a digression. It’s my way of sorting through the potential criminal liability a law school faculty candidate might incur for the dirty trick she seems to have played on another law school faculty candidate.

This is all I know of what happened, or allegedly happened, based on this blog post:

P and V were both on the academic job market. They had somewhat overlapping areas of research interest, and so might have been thought of as competitors, as it were. Both P and V were under some degree of consideration at Major Law School (hereafter MLS). But V, unlike P, got a fly-back to give a job talk at MLS. On the morning of the day of V's job talk, P sent the following e-mail under a pseudonym (`Jade West’) from an e-mail account created for that purpose.

The e-mail began with a quotation discrediting V's scholarship and disparaging V's publications. P alleged that this quotation came from an email that was sent to P's `colleagues’ at MLS. The e-mail concluded with these lines: `In other words, WE DON'T WANT YOU. . . HERE AT [MLS]. You belong at a crap school like [name omitted]. Hope you blow your job talk today.’

Fortunately, V did not see P's e-mail until after the job talk. V was obviously very distressed, however, and the intent of the malicious missive was clear. Its contents were also false, i.e., no e-mail had circulated among faculty at MLS like the one P purported to be quoting, and P was never a faculty member at MLS.

An acquaintance of V, a computer expert, set up a technological trap known as a `honeypot’ to decisively link P's fake email account to P's school account. P's identity is thus now known.

P, in fact, secured a tenure-track job at another law school. That law school does not know about P's appalling misconduct.

For what it’s worth, I have NEVER heard of anything comparable, or even similar, happening in legal academic (which, of course, doesn’t mean it hasn’t happened, but I’m quite confident that things like this are, at most, very rare).

Being a cybercrime person, when I read this post my thoughts turned to the possibility that P (for whom I, and perhaps you, have no sympathy but a fair amount of anonymous rancor) had committed a crime or crimes. So I decided to use this post to sort through the possibilities.

Let’s start with identity theft. As I’ve noted in other posts, it’s is usually a financial crime, i.e., it generally involves a perpetrator who uses someone’s personally identifying information to obtain credit or otherwise enrich herself. As I’ve noted in a couple of posts, at least one state – Wisconsin – has an identity theft statute that encompasses the use of another’s identifying information to inflict financial “harm” on them but also makes it a crime to use such information to harm the person’s reputation. Wisconsin Statutes section 943.201(2)(c). I think that’s probably the broadest identity theft statute I’ve seen.

So, has P committed a crime under that statute? Except for one glitch, we might have at least an attempt charge under the Wisconsin statute because in criminalizing the use of another’s personal information for financial gain, it includes using the information to obtain employment. That, in a roundabout kind of way, is what P was trying to do here, though it doesn’t seem to have worked; that’s why I say we might, at most, have an attempted identity theft charge under a statute like the Wisconsin statute.

Except for that same glitch, we would seem to have a good case for charging P under the residual provision of the Wisconsin identity theft statute, the section that makes it a crime to use someone else’s personal identifying information to harm their reputation. If we decided that the pseudonymous email P sent “harmed” V’s reputation (which it might have done, if it was widely distributed), then we might have a viable charge under the Wisconsin identity theft statute or a similar provision, if one exists.

But there’s the glitch. P didn’t use V’s personal identifying information. She used an alias (which I’m assuming is fake) that at least implicitly represented herself as a member of the MLS law faculty. Since she used an alias, she didn’t “steal” V’s identity, which probably mean identity theft isn’t a viable charge. As I explained in an earlier post, the U.S. Supreme Court held last year that, at least under the federal identity theft statute, you have to steal the identity of a real person in order to have a viable case of identity theft. So identity theft probably doesn’t work.

What about criminal impersonation? As I’ve noted in other posts, some states have a statute that makes it a crime to pretend to be another person. Arkansas, for example, has a statute that makes it a crime to (i) obtain another person’s personal identifying information without their permission and (ii) use it for any unlawful purpose, including to “harass another person.” Arkansas Code § 5-37-227. As I noted in another post, a few other states have criminal impersonation statutes that make it a crime to pretend to be someone in order to commit a crime or otherwise “benefit” themselves.

The Arkansas statute seems a possible option for dealing with what P did, except for two things. One is that P didn’t use another (real) person’s personal identifying information; she used a pseudonym that, as far as we know, doesn’t belong to a real person. The other problem is the requirement that P have used the identifying information to “harass” another person. She used a name other than her own (Jade West) V, and for the purposes of analysis we’ll assume that qualifies as using personal identifying information. So we might have the “other person” (since V is distinct from P and from the presumably fictive “Jade West”), if fake people count (or if there is a real Jade West and if P was using her name).

The problem I see with this alternative is one I’ve noted in earlier posts on harassment: Statutes consistently define harassment in terms of repeated conduct (probably because something that might be irritating can become annoying and harassing if it’s repeated). We apparently only have one email here, which almost certainly wouldn’t qualify as harassment.

We have the same problem with stalking. As I’ve noted in earlier posts, cyber-stalking statutes often criminalize the use of electronic media to inflict “emotional distress” on the victim but they, like harassment statutes, require repeated conduct. The usual term of art in cyber-stalking statutes is a “course of conduct,” i.e., three or more repeated acts that inflict, or are intended to inflict, emotional distress on the victim. What P did no doubt caused V to suffer emotional distress, but it wasn’t repeated, within the meaning of a cyber-stalking statute.

What about criminal defamation? I’ve done a few posts on criminal defamation and I wrote a lengthy law review article on it (“Online Defamation”), which you can access via a link on the right-hand side of the blog. Here is an example of a criminal defamation statute:

A person who shall knowingly publish or disseminate, either by written instrument, sign, pictures, or the like, any statement or object tending to . . . impeach the honesty, integrity, virtue, or reputation or expose the natural defects of one who is alive, and thereby to expose him to public hatred, contempt, or ridicule, commits criminal libel.

Colorado Revised Statutes § 18-13-105(1). It looks like we might have a winner here: P published statements that were clearly intended to “impeach the . . . reputation” of V, so prosecution for criminal libel might be a possibility, depending on what state(s) all this happened in.

Since truth is usually an absolute defense in a criminal libel case, P might have a defense if she could – as I doubt – show that what she said was true. (She certainly wasn’t on the MLS faculty, but that probably isn’t an integral part of what seems to constitute criminal libel here.) I also don’t see that, given what P said about V’s scholarship, would have the kind of hyperbole defense argument that applied in a case I recently blogged about.

Do I think P will ever be prosecuted, for criminal defamation or anything else? No. I’m not even sure if she’s ever be sanctioned in any way for what she did (though some of the comments on the blog post quoted above are suggesting that she be reported to the bar authorities, for potential discipline). I just thought (think) it was a really crummy thing to do and therefore decided to ruminate on whether or not it could give rise to criminal charges.


Anonymous said...

It doesn't sound like anything more than P trying to psych V out and make her mess up on the interview. The email wasn't sent to anybody else by V, so I don't see anything criminal here or defamitory.

If anything, V could perhaps be in trouble for this 'honey pot' thing, depending upon how she was able to access the underlying email account info from P's computer system.

Susan Brenner said...

Yes, there's been a lot of discussion of the honey pot issue . . . don't know if anything will come of it.

Susan Brenner said...

And if anyone is interested in the outcome:

Anonymous said...

The "honeypot" thing is odd.

They could have had to sent an imagebug in an email to all the email addresses of the people they knew were interviewing and one to the fake email address. This is not a honeypot. Its also not illegal.

Why P ever logged into that email account ever again confuses me greatly. I really don't think she would ever have any reason to and if you think they were duplicitous enough to this scam they would never do it again.

If that is the case then there are a few other ways to figure it out. They all involved sending an email to everyone who might have possibly sent the email as above and then tricking them into going to website under F's control. F being V's friend.

Once you are there you can do several things, one of them is to use a tricky CSS hack that allows you to embed invisible links into the webpage and then check to see if they have a specific color which corresponds to if the link has been visited. You could do this to see if they have visited the web interface of the domain the aliased email message was from.

The above isn't technically a "honeypot", but I can see how it could be construed as one.

I dont think this would be illegal though as they don't damage anything or access anything.

Mercutio said...

Regarding Wisconsin law in specific, there are other areas where this might lead to criminal prosecution.

943.70 Computer crimes
947.0125 Unlawful use of a computerized communications system

Impersonation is typically prohibited by the terms of service agreement for an email account. If P violated the TOS, any access is unlawful in nature.

Detective W said...

If this occurred in NC P could be charged with cyberstalking. The statute is very liberal as demonstrated:

"Electronically mail or electronically communicate to another repeatedly, whether or not conversation ensues, for the purpose of abusing, annoying, threatening, terrifying, harassing, or embarrassing any person." NCGS 14-196.3

Just sending the email is enough, repeat conduct is not required.

I had a similar case where two people on a HOA board were feuding. One of the parties set up a fake email account in the others name and started to send threatening and harassing emails to himself and others.

Susan Brenner said...

Thanks for the suggestion, Detective W, and for the statute. You're right . . . it's expansive enough to cover this kind of case.

And thanks for mentioning the similar case . . . nice to know this kind of thing isn't confined to aspiring law professors . . . .