Online Impersonation Continues, With Varying Consequences

Online impersonation is defined in the New York Code provisions that prohibit the practice, as the act of impersonating another “under an assumed character with intent to obtain a benefit or to injure or defraud another.” See, Penal Law '190.25. The foremost case brought under this law, People v. Golb, 15 N.E.3d 805 (N.Y. 2014), in many ways epitomizes the bizarre and highly esoteric reasons why someone chooses to impersonate another in the first place. In essence, Golb is about a son creating myriad fake online personalities to defend his father against other scholars who differed with his father's interpretation of the origin of the Dead Sea Scrolls. Some of the profiles were fictitious, but others were in fact impersonations of the very targets of the campaign, that is, those scholars that disagreed with the defendant's father.

This is hardly common Internet debate fodder, and it illustrates how the ease of access to anonymous, seemingly consequence-free communication provided by the Internet can create conflicts that in the past may not have materialized. If nothing else, Golb also sheds insight into how even the most particularized and arcane subjects ripe for argument can metastasize into legal proceedings that lead to a criminal conviction of the impersonator. Over a vigorous dissent arguing that criminalizing this speech constituted a First Amendment violation, the Court of Appeals concluded that most of such acts of impersonation could sustain a criminal conviction.

Golb is hardly an outlier. As discussed further below, litigation that seeks to hold online impersonators liable for any havoc they may cause, whether it be of a financial, reputational or emotional nature, has proliferated in numerous jurisdictions. Thus far, plaintiffs have found moderate success, although convictions under federal criminal anti-hacking statutes appear to be the exception to the rule. Another common element of these actions is that most focus on messages understood to be coming from the ostensible sender, and not the impersonator, as such message are naturally those less likely to be understood as false. Finally, these cases illustrate that to be actionable, the messages must be reasonably considered to not involve obvious parodies or jokes.

This article describes and analyzes some of the most recent online impersonation cases, including those which concern: a police chief's impersonation of a local political dissident; a dispute over a municipal library Internet use policy that led to the creation of an imitation Facebook page; and the use of numerous pseudonyms to circumvent the Terms of Use and advertising policies of that same social networking colossus.

Differences In Political Views Precipitate Civil Rights Claims

As heated political discourse now occurs in innumerable forums online (see if you can try to avoid it any time you read a news article) that often involves anonymous commentators whose true identities are difficult, if not impossible, to ascertain, it is hardly surprising that online impersonation stemming from political grievances has created legally actionable consequences. See, Luce v. Town of Campbell, — F. Supp. 3d —-, 2015 WL 3767616 (W.D. Wisc. 2015).

In the case, plaintiff Gregory Luce, a member of the local Tea Party group, had been participating in protests against abortion and other policies of the Obama Administration on a pedestrian overpass spanning Interstate 90 in western Wisconsin. In response to the distractions (which could theoretically lead to increased accidents) and traffic jams supposedly caused by Luce's protests, the board of supervisors of the town of Campbell enacted an ordinance that prohibited numerous forms of protest on overpasses, including the placement of signs and the American flag. Luce challenged the ordinance as a violation of his First Amendment rights; such claim will not be discussed here.

Rather, concomitant to the dispute between Luce and the town, he received approximately 15 calls from individuals regarding profiles and accounts created in his name on gay dating and pornography websites, as well as healthcare.gov, among others. Around the same time, a poster going by the nom de plume “Bill O'Reilly” began commenting on the local newspaper's website that Luce had been “Tea Partying” too much and that “Greggie disrespected the wrong” person. “Bill” also posted Luce's home address.

It was later determined that defendant and then-Campbell Chief of Police Tim Kelemen was both the creator of the “Bill O'Reilly” account and had impersonated Luce in order to sign up for accounts at the aforementioned websites. Luce then filed a First Amendment retaliation claim against Kelemen pursuant to the Civil Rights Act, 42 U.S.C. '1983.

To state a valid cause of action under this section, a plaintiff must establish that, inter alia, the defendant acted under “color of state law.” See, Monroe v. Pape, 365 U.S. 167 (1961). Such misuse of state power can occur only when such wrongdoer is cloaked with sufficient authority so as to create the impression that he wields the power of the state.

The court held that Kelemen had not acted under color of state law, and therefore Luce could not maintain a viable claim against him under 42 U.S.C. '1983. Specifically, Kelemen had not used the power intrinsic to the enforcement of state law at all, much less misused such clout. As for the relevant legal standard, most courts have concluded that a defendant cannot act under color of state law unless either: 1) the defendant expressly or impliedly invoked state authority; or 2) the defendant could not have transgressed the plaintiff's constitutional rights without the exercise of state authority.

With respect to the first prong, Kelemen's remarks while masquerading as “Bill O'Reilly” were obviously offered anonymously, and thus Kelemen had not used or displayed, even indirectly, his police power. Rather, Kelemen had attempted to hide his identity, which is a fortiori that he was not utilizing his police power. As for the second prong, Kelemen did not use the instrumentalities of the police force to infringe on Luce's constitutional rights. He gleaned all the information necessary to sign Luce for these sites via publicly available websites, and the use of a police department computer in accessing this information was not the use of state power, as any functioning computer could have been used to gather this information, and not merely one peculiar to the police department. An example of a computer containing information peculiar to the police department would be access to a departmental database containing information that is not otherwise available to the general public.

Though Kelemen was entitled to summary judgment on the 42 U.S.C. '1983 claim, his actions were hardly bereft of consequences. Another aspect of the opinion concluded that the police department insurer did not have to defend the claims against Kelemen, thereby shifting all costs to him. He pled no contest to a state law proscription against unlawful use of a “computerized communication system” and resigned from his position as the police chief.

Creating a Fake Facebook Page Insufficient To Trigger Liability

Plaintiff Bridget Bittman provides marketing and public relations services to the Orland Park (Illinois) Public Library. Megan Fox and Kevin DuJan (defendants), who appear to be affiliated with a nonprofit that advocates for increased government transparency that was also a named defendant, objected to the Library offering unfiltered access to the Internet, and commenced efforts to change this policy. Around the time of a series of bizarre events, including Bittman's allegation that the defendants assaulted her at a public meeting held at the library, the defendants created a Facebook page entitled “Sassy Plants Illinois” that claimed to represent Bittman's floral arrangements business. The page included the use of the word “fruits,” a derogatory term for gay people. It additionally posted personal photos of Bittman without her authorization.

Among a litany of other causes of action, Bittman sued for violations of: 1) the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. '1030; and 2) defamation per se under the common law based on the unauthorized creation. Regarding the CFAA claim, the court rejected Bittman's argument that the creation of the Sassy Plants page exceeded authorized access to Facebook's computers . The CFAA, as the court noted, is a statute designed foremost to “punish trespassers and attackers,” that is, those who access digital information without any access whatsoever. Although the defendants did create the fake Facebook page, which violated the Facebook Terms of Use, they did not obtain unauthorized access to Bittman's computer or social media accounts, which is a requirement for a viable CFAA cause of action. A lack of such vestiges, much less overt evidence, of hacking necessarily doomed Bittman's CFAA claim. See also, Doe v. Hofstetter, 2012 WL 2319052 (D. Colo. June 13, 2012) (using a fake Twitter account to distribute illicit photographs of plaintiff was not a violation under the anti-hacking statutes, even if the account was created in contravention of Twitter's account-creation policy). But see, Chavan v. Cohen, 2015 WL 4077323 (W.D. Wash. July 6, 2015) (creating fake accounts on three separate social networking sites violates Washington statute barring online impersonation).

To support her defamation per se claim, Bittman argued that the page repeatedly used a pejorative epithet, “fruits,” to refer to gay people, which falsely imputed prejudice and ill repute to her and her business. This claim also did not pass muster with a court that focused on the specificity of the allegation, as well as its context. First, the court observed that Bittman could not provide one specific example of the use of the term “fruit” on the Sassy Plants Facebook page. Second, the court engaged in some linguistic analysis insofar as it rejected this claim in part because the word fruit “lends itself to various interpretations depending on the context.” Since Bittman had not proven that the unidentified “fruit” statements referred to a slur, and not to an apple, the defamation per se claim must be rejected.

After winning the case, Megan Fox continues her quest, the gravamen of which is to ensure heightened government transparency. For instance, in late July 2015, she posted to her Facebook page that she had received documents pursuant to a FOIA request which indicated that a local Orland Park official chose to use the “non-emergency” number when library patrons were accessing illicit material on the Internet.

Creating Advertising Accounts On Facebook Under False Names Is Banned By CFAA

Despite the issues for the plaintiff in Bittman, on at least one occasion, fraud and CFAA claims against an online impersonator have been successful. In Facebook v. Grunin, — F. Supp. 3d —-, 2015 WL 124781 (N.D. Cal. 2015), Facebook accused Martin Grunin of creating fictitious accounts and other unauthorized means to: 1) place an ad that contained sexually provocative material; and 2) repeatedly obtain and sell access to advertising accounts with which he possessed no affiliation, even after Facebook had sent cease-and-desist letters and employed technical measures to prevent Grunin's access.

As background, in 2011 Grunin utilized Facebook to post to his personal account a salacious picture of a woman that included a “sexually explicit and profane caption.” Facebook then disabled Grunin's account. Undeterred, Grunin continued to access the site by impersonating an individual named “Kayla Stewart,” who claimed to work for an entity owned by Thinkmodo, a “viral video marketing agency” located in New York City. As “Kayla Stewart,” Grunin petitioned Facebook for permission to run advertisements without paying for them. By the time the scheme was discovered, Grunin had run roughly $40,000 worth of ads. In 2013, Grunin impersonated a number of individuals, each of whom claimed to work for another marketing agency. To establish a line of advertising credit with Facebook, Grunin, as these individuals, submitted false bank statements. Ultimately, Facebook averred that under various pseudonyms, Grunin racked up $340,000 in advertising gratis.

In a subsequent action, Facebook plead violations of the CFAA and fraud, among others. Each succeeded. The court concluded that Facebook's complaint had sufficiently stated a fraud claim, as Grunin's decision to masquerade as “Kayla Stewart,” “Colan Neilson,” “Felix Ward,” and “Joy Hawkins” in order to obtain free advertising constituted a knowing misrepresentation designed to induce reliance. As for damages, the court validated Facebook's assertion that the use of deceptive advertising and fraudulent accounts engendered $340,000 in pecuniary losses and attendant reputational harm.

Unlike the CFAA claim in Bittman, since Grunin had gained unauthorized access after his account had been blocked, and multiple cease and desist letters had been sent by Facebook, his use was considered tantamount to the hacking the statute is designed to prevent. See also, LVRC Holdings v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (CFAA violations only apply to exceeding authorized access, and not exceeding authorized use).

Conclusion

As access to the Internet increases worldwide, and laws remain behind the pace of technological innovation, online impersonation will continue to proliferate, for a number of reasons. Logistically, it is far easier for a prospective impersonator to create a fake Twitter or e-mail account than it is to disguise one's self on the phone or in person. The costs of creating such accounts, as well as other elements typically employed in such a scheme, is de minimis. Information designed to further an impersonation scheme can be easily disseminated to a large audience. Finally, the seemingly impenetrable anonymity that cloaks many online interactions, which some argue is one of the best aspects of the online world, probably provides motivation to those who would otherwise think twice.

As such, online impersonation, and the closely related concept of identity theft, has arguably become such a significant issue so as to join the pantheon of other problems plaguing the Internet, including phishing, shaming, hacking and cyberbullying. The best proof of such a reality may be that a cottage industry of “experts” has formed who purport to offer services designed to mitigate any reputational damage to those victimized by such impersonation.

Unsurprisingly then, state lawmakers have begun to recognize the threat. New York, Washington and California, among other states, have enacted statutes designed to thwart online impersonation. The statute used to convict in Golb is a prime example. While such efforts are undoubtedly commendable, if the relevant history of Internet-based crime shows anything, it is likely that efforts to prevent the pernicious effects of online impersonation will likely lag behind the occurrence of such effects, at least for the foreseeable future.

Richard Raysman is a Partner at Holland & Knight. Peter Brown is the principal at Peter Brown & Associates and a member of this newsletter's Board of Editors. They are co-authors of Computer Law: Drafting and Negotiating Forms and Agreements (Law Journal Press).

Online impersonation is defined in the New York Code provisions that prohibit the practice, as the act of impersonating another “under an assumed character with intent to obtain a benefit or to injure or defraud another.” See, Penal Law '190.25. The foremost case brought under this law, People v. Golb, 15 N.E.3d 805 (N.Y. 2014), in many ways epitomizes the bizarre and highly esoteric reasons why someone chooses to impersonate another in the first place. In essence, Golb is about a son creating myriad fake online personalities to defend his father against other scholars who differed with his father's interpretation of the origin of the Dead Sea Scrolls. Some of the profiles were fictitious, but others were in fact impersonations of the very targets of the campaign, that is, those scholars that disagreed with the defendant's father.

This is hardly common Internet debate fodder, and it illustrates how the ease of access to anonymous, seemingly consequence-free communication provided by the Internet can create conflicts that in the past may not have materialized. If nothing else, Golb also sheds insight into how even the most particularized and arcane subjects ripe for argument can metastasize into legal proceedings that lead to a criminal conviction of the impersonator. Over a vigorous dissent arguing that criminalizing this speech constituted a First Amendment violation, the Court of Appeals concluded that most of such acts of impersonation could sustain a criminal conviction.

Golb is hardly an outlier. As discussed further below, litigation that seeks to hold online impersonators liable for any havoc they may cause, whether it be of a financial, reputational or emotional nature, has proliferated in numerous jurisdictions. Thus far, plaintiffs have found moderate success, although convictions under federal criminal anti-hacking statutes appear to be the exception to the rule. Another common element of these actions is that most focus on messages understood to be coming from the ostensible sender, and not the impersonator, as such message are naturally those less likely to be understood as false. Finally, these cases illustrate that to be actionable, the messages must be reasonably considered to not involve obvious parodies or jokes.

This article describes and analyzes some of the most recent online impersonation cases, including those which concern: a police chief's impersonation of a local political dissident; a dispute over a municipal library Internet use policy that led to the creation of an imitation Facebook page; and the use of numerous pseudonyms to circumvent the Terms of Use and advertising policies of that same social networking colossus.

Differences In Political Views Precipitate Civil Rights Claims

As heated political discourse now occurs in innumerable forums online (see if you can try to avoid it any time you read a news article) that often involves anonymous commentators whose true identities are difficult, if not impossible, to ascertain, it is hardly surprising that online impersonation stemming from political grievances has created legally actionable consequences. See, Luce v. Town of Campbell, — F. Supp. 3d —-, 2015 WL 3767616 (W.D. Wisc. 2015).

In the case, plaintiff Gregory Luce, a member of the local Tea Party group, had been participating in protests against abortion and other policies of the Obama Administration on a pedestrian overpass spanning Interstate 90 in western Wisconsin. In response to the distractions (which could theoretically lead to increased accidents) and traffic jams supposedly caused by Luce's protests, the board of supervisors of the town of Campbell enacted an ordinance that prohibited numerous forms of protest on overpasses, including the placement of signs and the American flag. Luce challenged the ordinance as a violation of his First Amendment rights; such claim will not be discussed here.

Rather, concomitant to the dispute between Luce and the town, he received approximately 15 calls from individuals regarding profiles and accounts created in his name on gay dating and pornography websites, as well as healthcare.gov, among others. Around the same time, a poster going by the nom de plume “Bill O'Reilly” began commenting on the local newspaper's website that Luce had been “Tea Partying” too much and that “Greggie disrespected the wrong” person. “Bill” also posted Luce's home address.

It was later determined that defendant and then-Campbell Chief of Police Tim Kelemen was both the creator of the “Bill O'Reilly” account and had impersonated Luce in order to sign up for accounts at the aforementioned websites. Luce then filed a First Amendment retaliation claim against Kelemen pursuant to the Civil Rights Act, 42 U.S.C. '1983.

To state a valid cause of action under this section, a plaintiff must establish that, inter alia, the defendant acted under “color of state law.” See, Monroe v. Pape, 365 U.S. 167 (1961). Such misuse of state power can occur only when such wrongdoer is cloaked with sufficient authority so as to create the impression that he wields the power of the state.

The court held that Kelemen had not acted under color of state law, and therefore Luce could not maintain a viable claim against him under 42 U.S.C. '1983. Specifically, Kelemen had not used the power intrinsic to the enforcement of state law at all, much less misused such clout. As for the relevant legal standard, most courts have concluded that a defendant cannot act under color of state law unless either: 1) the defendant expressly or impliedly invoked state authority; or 2) the defendant could not have transgressed the plaintiff's constitutional rights without the exercise of state authority.

With respect to the first prong, Kelemen's remarks while masquerading as “Bill O'Reilly” were obviously offered anonymously, and thus Kelemen had not used or displayed, even indirectly, his police power. Rather, Kelemen had attempted to hide his identity, which is a fortiori that he was not utilizing his police power. As for the second prong, Kelemen did not use the instrumentalities of the police force to infringe on Luce's constitutional rights. He gleaned all the information necessary to sign Luce for these sites via publicly available websites, and the use of a police department computer in accessing this information was not the use of state power, as any functioning computer could have been used to gather this information, and not merely one peculiar to the police department. An example of a computer containing information peculiar to the police department would be access to a departmental database containing information that is not otherwise available to the general public.

Though Kelemen was entitled to summary judgment on the 42 U.S.C. '1983 claim, his actions were hardly bereft of consequences. Another aspect of the opinion concluded that the police department insurer did not have to defend the claims against Kelemen, thereby shifting all costs to him. He pled no contest to a state law proscription against unlawful use of a “computerized communication system” and resigned from his position as the police chief.

Creating a Fake Facebook Page Insufficient To Trigger Liability

Plaintiff Bridget Bittman provides marketing and public relations services to the Orland Park (Illinois) Public Library. Megan Fox and Kevin DuJan (defendants), who appear to be affiliated with a nonprofit that advocates for increased government transparency that was also a named defendant, objected to the Library offering unfiltered access to the Internet, and commenced efforts to change this policy. Around the time of a series of bizarre events, including Bittman's allegation that the defendants assaulted her at a public meeting held at the library, the defendants created a Facebook page entitled “Sassy Plants Illinois” that claimed to represent Bittman's floral arrangements business. The page included the use of the word “fruits,” a derogatory term for gay people. It additionally posted personal photos of Bittman without her authorization.

Among a litany of other causes of action, Bittman sued for violations of: 1) the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. '1030; and 2) defamation per se under the common law based on the unauthorized creation. Regarding the CFAA claim, the court rejected Bittman's argument that the creation of the Sassy Plants page exceeded authorized access to Facebook's computers . The CFAA, as the court noted, is a statute designed foremost to “punish trespassers and attackers,” that is, those who access digital information without any access whatsoever. Although the defendants did create the fake Facebook page, which violated the Facebook Terms of Use, they did not obtain unauthorized access to Bittman's computer or social media accounts, which is a requirement for a viable CFAA cause of action. A lack of such vestiges, much less overt evidence, of hacking necessarily doomed Bittman's CFAA claim. See also, Doe v. Hofstetter, 2012 WL 2319052 (D. Colo. June 13, 2012) (using a fake Twitter account to distribute illicit photographs of plaintiff was not a violation under the anti-hacking statutes, even if the account was created in contravention of Twitter's account-creation policy). But see, Chavan v. Cohen, 2015 WL 4077323 (W.D. Wash. July 6, 2015) (creating fake accounts on three separate social networking sites violates Washington statute barring online impersonation).

To support her defamation per se claim, Bittman argued that the page repeatedly used a pejorative epithet, “fruits,” to refer to gay people, which falsely imputed prejudice and ill repute to her and her business. This claim also did not pass muster with a court that focused on the specificity of the allegation, as well as its context. First, the court observed that Bittman could not provide one specific example of the use of the term “fruit” on the Sassy Plants Facebook page. Second, the court engaged in some linguistic analysis insofar as it rejected this claim in part because the word fruit “lends itself to various interpretations depending on the context.” Since Bittman had not proven that the unidentified “fruit” statements referred to a slur, and not to an apple, the defamation per se claim must be rejected.

After winning the case, Megan Fox continues her quest, the gravamen of which is to ensure heightened government transparency. For instance, in late July 2015, she posted to her Facebook page that she had received documents pursuant to a FOIA request which indicated that a local Orland Park official chose to use the “non-emergency” number when library patrons were accessing illicit material on the Internet.

Creating Advertising Accounts On Facebook Under False Names Is Banned By CFAA

Despite the issues for the plaintiff in Bittman, on at least one occasion, fraud and CFAA claims against an online impersonator have been successful. In Facebook v. Grunin, — F. Supp. 3d —-, 2015 WL 124781 (N.D. Cal. 2015), Facebook accused Martin Grunin of creating fictitious accounts and other unauthorized means to: 1) place an ad that contained sexually provocative material; and 2) repeatedly obtain and sell access to advertising accounts with which he possessed no affiliation, even after Facebook had sent cease-and-desist letters and employed technical measures to prevent Grunin's access.

As background, in 2011 Grunin utilized Facebook to post to his personal account a salacious picture of a woman that included a “sexually explicit and profane caption.” Facebook then disabled Grunin's account. Undeterred, Grunin continued to access the site by impersonating an individual named “Kayla Stewart,” who claimed to work for an entity owned by Thinkmodo, a “viral video marketing agency” located in New York City. As “Kayla Stewart,” Grunin petitioned Facebook for permission to run advertisements without paying for them. By the time the scheme was discovered, Grunin had run roughly $40,000 worth of ads. In 2013, Grunin impersonated a number of individuals, each of whom claimed to work for another marketing agency. To establish a line of advertising credit with Facebook, Grunin, as these individuals, submitted false bank statements. Ultimately, Facebook averred that under various pseudonyms, Grunin racked up $340,000 in advertising gratis.

In a subsequent action, Facebook plead violations of the CFAA and fraud, among others. Each succeeded. The court concluded that Facebook's complaint had sufficiently stated a fraud claim, as Grunin's decision to masquerade as “Kayla Stewart,” “Colan Neilson,” “Felix Ward,” and “Joy Hawkins” in order to obtain free advertising constituted a knowing misrepresentation designed to induce reliance. As for damages, the court validated Facebook's assertion that the use of deceptive advertising and fraudulent accounts engendered $340,000 in pecuniary losses and attendant reputational harm.

Unlike the CFAA claim in Bittman, since Grunin had gained unauthorized access after his account had been blocked, and multiple cease and desist letters had been sent by Facebook, his use was considered tantamount to the hacking the statute is designed to prevent. See also, LVRC Holdings v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (CFAA violations only apply to exceeding authorized access, and not exceeding authorized use).

Conclusion

As access to the Internet increases worldwide, and laws remain behind the pace of technological innovation, online impersonation will continue to proliferate, for a number of reasons. Logistically, it is far easier for a prospective impersonator to create a fake Twitter or e-mail account than it is to disguise one's self on the phone or in person. The costs of creating such accounts, as well as other elements typically employed in such a scheme, is de minimis. Information designed to further an impersonation scheme can be easily disseminated to a large audience. Finally, the seemingly impenetrable anonymity that cloaks many online interactions, which some argue is one of the best aspects of the online world, probably provides motivation to those who would otherwise think twice.

As such, online impersonation, and the closely related concept of identity theft, has arguably become such a significant issue so as to join the pantheon of other problems plaguing the Internet, including phishing, shaming, hacking and cyberbullying. The best proof of such a reality may be that a cottage industry of “experts” has formed who purport to offer services designed to mitigate any reputational damage to those victimized by such impersonation.

Unsurprisingly then, state lawmakers have begun to recognize the threat. New York, Washington and California, among other states, have enacted statutes designed to thwart online impersonation. The statute used to convict in Golb is a prime example. While such efforts are undoubtedly commendable, if the relevant history of Internet-based crime shows anything, it is likely that efforts to prevent the pernicious effects of online impersonation will likely lag behind the occurrence of such effects, at least for the foreseeable future.

Richard Raysman is a Partner at Holland & Knight. Peter Brown is the principal at Peter Brown & Associates and a member of this newsletter's Board of Editors. They are co-authors of Computer Law: Drafting and Negotiating Forms and Agreements (Law Journal Press).