Monday, May 19, 2008

Imposture (Revisited)

At the end of 2006, I did a post on online imposture. In that post, I was talking about pretending to be someone else by posting information or messages in their name. I was primarily concerned with whether that would qualify as defamation and, if so, if that would provide the victim with adequate redress.

Here, I want to talk about something different.

In my last post – on the juvenile charged with harassment – the facts indicated that another juvenile had pretended to be the principal of her school in creating a MySpace profile. Given that the students were in middle school, I’m willing to guess that the profile created in the principal’s name was probably too amateurish and juvenile to convince anyone he created it.

But that raises an interesting possibility: creating a MySpace or Facebook page in someone’s else’s name and using it to embarrass them and maybe even cause major damage to their reputation and career. It could be a really insidious, nasty thing to do, because it might well take the victim a long time to find out what had been done . . . by which time the damage would have been done. Then the victim would be in the position of having to convince anyone who’s seen the fake MySpace or Facebook page that it was, in fact, created by someone else for malicious purposes.

I’ve found some indication that this has already been done. According to this site, it was done to Yaron London, an Israeli “media star.” The site doesn’t tell me much about what was done, but does indicate that he was embarrassed by comments on the page that was created without his knowledge. And I find posts on various sites in which people report that this has happened to them though, again, they don’t provide much detail about the “harm” the imposture caused. And I found a story from last year that talks about MySpace and Facebook imposters and about what the victim can do, in terms of getting the fake site taken down.

My interest in this phenomenon goes to the possibility of criminal liability. One of the stories I found about Facebook and MySpace imposture refers to it as “identity theft.” It could be identity theft, I suppose, but not in the scenario I set out above.

The crime of identity theft is not about imposture; instead, it’s usually about fraud. Here, for example, is how Connecticut defines identity theft:
A person commits identity theft when such person intentionally obtains personal identifying information of another . . . without the authorization of such other person and uses that information to obtain or attempt to obtain, money, credit, goods, services, property or medical information in the name of such other person without the consent of such other person.
Connecticut General Statutes Annotated § 531-129a(a). Except for “medical information,” the statute is criminalizing the use of somebody else’s identity for financial gain, which is a kind of fraud.

A few states break identity theft into two categories, as in this Arkansas statute:
(a) A person commits financial identity fraud if, with the intent to:

(1) Create, obtain, or open a credit account, debit account, or other financial resource for his or her benefit or for the benefit of a third party, he or she accesses, obtains, records, or submits to a financial institution another person's identifying information for the purpose of opening or creating a credit account, debit account, or financial resource without the authorization of the person identified by the information; or
(2) Appropriate a financial resource of another person to his or her own use or to the use of a third party without the authorization of that other person, the actor:
(A) Uses a scanning device; or
(B) Uses a re-encoder.

(b) A person commits nonfinancial identity fraud if he or she knowingly obtains another person's identifying information without the other person's authorization and uses the identifying information for any unlawful purpose, including without limitation:

(1) To avoid apprehension or criminal prosecution;
(2) To harass another person; or
(3) To obtain or to attempt to obtain a good, service, real property, or medical information of another person.
Arkansas Code § 5-37-227. The statute defines “identifying information” as including the following: Social security number; driver's license number; checking or savings account number; credit or debit card number; personal or electronic identification number; digital signature; or “[a]ny other number or information that can be used to access a person's financial resources”. Arkansas Code § 5-37-227.

It seems this statute could encompass the scenario I outlined above, since it, unlike most identity theft statutes, reaches harassment as well as using someone’s identity for financial gain. Massachusetts is the only state I can find that has a similar statute. Massachusetts General Laws 266 § 37E.

I’m not sure it really could encompass the scenario, though, because of the way the statute defines “identifying information.” Identifying information seems to be limited to financial information. The Massachusetts statute looks like it might, since it defines identifying information as “any name or number that may be used, alone or in conjunction with any other information, to assume the identity of an individual, including any name, address, telephone number, driver's license number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, credit card number or computer password identification.” Massachusetts General Laws 266 § 37E.

I’m also not sure if when the statutes refer to harassing “another person” (which both do) they mean harassing the victim of the identity theft or a third person; I tend to think they mean harassing a third person (but I could be wrong). If I’m right, then neither statute could be used to prosecute the kind of imposture I hypothesized above.

The more important question is “should we use criminal law to reach this kind of conduct?” On the one hand you can, as I noted above, cause a lot of “harm” to someone by essentially using MySpace or Facebook to frame them. My law school, like other law schools and, I assume, other professional schools and undergraduate programs, makes a great effort to warn our students that they put on MySpace or Facebook pages can come back to haunt them. Both bar associations and potential employers troll the sites to find information that discredits a bar applicant or potential employee. If you framed someone, you could, in the law school context, prevent them from being able to sit for the bar examination and/or to find a job. That’s pretty nasty.

I tend, though, to believe we can’t use criminal law to handle every nasty maneuver that crops up. In the United States, we already have, IMHO, way too many crimes and lock up way too many people. We can’t keep going along that path. Aside from anything else, it takes a lot of resources – a lot of money and personnel – to enforce criminal law and to punish offenders.

I also wonder if this is to some extent a transitional problem. I wonder if, as time passes, we will become less credulous, more jaded consumers of the information posted online.

No comments: