New Jersey Law Journal
VOL. 214 - NO 7
MONDAY, NOVEMBER 18, 2013
ESTABLISHED 1878
INTERNET LAW
Some States Criminalize
Internet Identity Theft
Impersonating someone on a social-media site can be a crime
By Jonathan Bick
L
ast year CNN reported that more than
80 million fake/impostor Facebook
profiles were in use. Among them
was a New Jersey Facebook user who
was prosecuted for identity theft after
creating a fake profile that depicted
her ex-boyfriend as a criminal. Another
Facebook user in California was prosecuted for accessing and altering another’s Facebook account without consent.
These unlawful actions typify the two
most common forms of Internet identity
theft: e-impersonation by fraudulently
creating a fake account or by deceptively
using an existing account.
Both types of impersonation result
in criminal liability for perpetrators
of Internet impersonation. Some state
statutes have specifically criminalized
such Internet activity. For example,
New York Penal Law § 190.25(4)
states that a person is guilty of criminal impersonation when said person
impersonates another by communica Bick is of counsel at Brach Eichler
LLC in Roseland. He is also an adjunct
professor at Pace and Rutgers law schools,
and the author of 101 Things You Need
to Know About Internet Law (Random
House 2000).
tion by Internet website or electronic
means with intent to obtain a benefit or
injure or defraud another. The California Penal Code § 528.5 states that any
person who knowingly and without
consent credibly impersonates another
actual person through or on an Internet
website or by other electronic means
for purposes of harming, intimidating,
threatening or defrauding another person is guilty of a public offense.
Only Texas, Mississippi, Hawaii,
New York and California have enacted
statutes containing language explicitly
referring to Internet impersonation.
However, most states, including New
Jersey, have statutes that would cover
Internet impersonation transactions. In
New Jersey, for example, a defendant
is guilty of identity theft if that person
impersonates another and does an act in
such assumed identity for the purpose
of obtaining a benefit or to injure or
defraud another (see New Jersey Code
of Criminal Justice § 2C:21-17, Impersonation; theft of identity; crime).
Such impersonation also results in
one or more torts. These torts normally
include misappropriation of name or
likeness, and violation of right of publicity.
Federal courts have also used
statutes designed for Internet fraud
generally to apply Internet impersonation cases. For example, in United
States v. Drew, 259 F.R.D. 449 (C.D.
Cal. 2009), the court allowed the use
of the Computer Fraud and Abuse Act
(CFAA) in a matter involving, Lori
Drew, whose actions allegedly led to
the suicide of 13-year-old Megan Meier. However, the use of CFAA in this
case was found to be an unwarranted
expansion of what Congress intended
the CFAA to include.
E-identity theft on the Internet
can arise when a person gains access
to another’s social media account, and
subsequently impersonates that person
(see In re Rolando S., 129 Cal. Rptr. 3d
49, where a person willfully obtained
another’s social network website access code). Once unlawful access
to another’s social media account is
achieved, the perpetrator usually either
posts tormenting material or uses the
victim’s site to steal information.
When prosecuting Internet imposters for the act of stealing passwords
or personal information, both federal
and state statutes may be used. For
example, federal statute 18 U.S.C. §
1030(g) is applicable to the perpetrator of content theft, as long as there is
an economic detriment to the victim.
Thus, CFAA is often used to prosecute
impersonating hackers.
Arizona, New York and California
have identity theft statutes explicitly
prohibiting online impersonation to obtain financial records. In particular see:
Ariz. Rev. Stat. Ann. § 13-2008(A);
N.Y. Penal Law § 190.25(1); and Cal.
Penal Code § 530.5(a).
California and 45 other states have
Reprinted with permission from the NOVEMBER 18, 2013 edition of New Jersey Law Journal. © 2013 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited.
214 N.J.L.J. 703
NEW JERSEY LAW JOURNAL, NOVEEMBER 18, 2013
enacted anti-cyberstalking laws. These
laws have also been used to prosecute
Internet imposters. The repercussions of
e-impersonation can result in considerably harmful consequences to the person being impersonated.
In one of the first successfully prosecuted Internet impersonation cases,
the Los Angeles District Attorney’s office convicted a man of violating California’s cyber-stalking laws when he
falsely impersonated a woman who had
rejected his romantic advances. On at
least six occasions, third parties contacted said woman in response to said
phony solicitations. Gary S. Dellapenta,
50, a security guard, was charged with
stalking, computer fraud and solicitation of sexual assault in connection
with the case. He pleaded guilty in April
1999 to one count of stalking and three
counts of solicitation of sexual assault.
The determinative factor on whether a perpetrator will be prosecuted under an identity theft statute or a cyberstalking statute is the foreseeable harm
element. Consider the In re Rolando S.
matter, where embarrassing comments
were posted, but it is unlikely the perpetrator could foresee imminent harm.
Whereas, in the case of the ex-boyfriend
who posted solicitation related to alleged fantasies under his ex-girlfriend’s
name, imminent harm was readily foreseeable.
Additionally, cyberstalking statutes
are traditionally triggered when the victim is likely to be placed in reasonable
fear of his or her safety, as evidenced in
the In re Rolando S. matter, where the
prosecutions were under the California
identity-theft statute and not the cyberstalking statute. Prosecutors are more
likely to utilize identity-theft statutes
when the Internet impersonation caused
some sort of harm to the victim, but the
victim was not placed in reasonable fear
of his or her safety, as evidenced by the
Dellapenta matter, where the prosecutions were under the cyberstalking statute rather than the identity-theft statute.
Ariz. Rev. Stat. Ann. § 13-2008 was
among the first identity-theft statutes in
the United States. The Arizona statute
renders a perpetrator guilty of identity
theft if a person knowingly takes any
personal identifying information of
another without consent and with the
intent to use the other person’s identity for any unlawful purpose. The first
federal identity-theft act was 18 U.S.C.
§ 1028(a)(7). This act made it a federal
crime to knowingly possess, without authority, a means of identification of another person with the intent to commit
any unlawful activity that constitutes a
violation of federal, state or local law.
It was limited to economic losses suffered by consumers. It should be noted
that the Arizona statute explicitly states
that economic loss to the victim is not
required.
Arizona law is typical of state identity-theft statutes. Thus, prosecutors
prefer to proceed with state rather than
federal actions when prosecuting the
perpetrator of identity theft on a socialmedia site because of the difficulty of
demonstrating economic loss.
Prosecuting using state rather than
federal identity-theft statues for Internet-related transaction is particularly
prevalent when the state statute specifically identifies an Internet element in
the identity-theft statute. Consider New
York law, N.Y. Penal Law § 190.25(4);
California law, Cal. Penal Code § 528.5;
and Texas law, Tex. Penal Code Ann. §
33.07 (a)(1)(2), as examples.
According to N.Y. Penal Law §
190.25(4), a person is guilty of criminal
impersonation when that person impersonates another by communication via
Internet website with intent to obtain a
2
benefit or injure or defraud another. The
New York statute includes explicit language concerning identity theft on the
Internet as a separate subdivision of its
identity-theft statute.
California’s Penal Code § 528.5
is an entire statute intended to protect
its citizens from Internet identity theft.
This statute states that any person who
knowingly and without consent credibly impersonates another actual person
through or on an Internet site for purposes of harming, intimidating, threatening or defrauding another person is
guilty of identity theft.
The Texas Internet impersonation
statute, Tex. Penal Code Ann. § 33.07
(a)(1)(2), makes a person guilty of a felony when that person, without obtaining the other person’s consent and with
the intent to harm, defraud, intimidate
or threaten any person, uses the name
or persona of another person to create
an Internet site page on a commercial
social networking site or other Internet website; or to post messages on or
through a commercial social networking site. It should be noted that the Texas statute criminalizes e-impersonation
by fraudulently creating a fake account
or by deceptively using an existing account.
It should also be noted that private
law (contract law) may be used to prevent Internet impersonation. In particular, most social media sites are governed
by contracts know as terms of use agreements. Those contracts generally forbid
harmful impersonation, upon penalty of
losing access to said social media site.
Thus, Internet users who report acts of
impersonation will generally be granted
relief by the social media site because
such requests typically result in the termination of the imposter’s access to the
site and the removal of the harmful impersonation.¢