Logging Into Someone Else’s Facebook Account and Posting Messages on Their Friends’ Walls Could Be Identity Theft — In re Rolando S.
[Post by Venkat Balasubramani, with comments from Eric]
In re Rolando S., 2011 WL 3212879 (Ca. Ct. App.; July 21, 2011)
Background: Rolando was a juvenile who received an unsolicited text message with the victim’s email password. According to the court, he used the password to gain access to the victim’s Facebook account and posted several sexually inappropriate messages from the victim’s account. The Facebook posts included posts on the walls of the victim’s friends and the following change to the victim’s profile:
Hey, Face Bookers, [sic] I’m [S.], a junior in high school . . . I want to be a pediatrician but I’m not sure where I want to go to college. I have high standards for myself and plan to meet them all. I love to suck dick.
The victim testified that she suffered stigma as a result of these and other posts. She said:
I used to love going to school. Now, I dread dealing with this every day.
The juvenile was prosecuted under a California statute (section 530.55) which applies to anyone who:
wilfully obtains personal identifying information [of the victim and] uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, real property, or medication information.
Did the defendant willfully obtain the victim’s “personal identifying information”? The court holds that despite his argument that he “passively receiv[ed] the text message” which contained the victim’s password information, he “willfully” obtained it because he remembered it or otherwise recorded it so he could use it later. Moreover, the court concludes that defendant willfully obtained the victim’s Facebook account password. The record was devoid of evidence as to how exactly the defenant accessed the victim’s Facebook account, and in the absence of any such evidence, the court says it’s “reasonable to infer” that the defendant reset the victim’s Facebook password using her email password, and then gained access to the victim’s Facebook account.
Did the defendant use the victim’s information for an unlawful purpose? In addition to obtaining the information willfully, the perpetrator has to use the information for an “unlawful purpose.” The first possibility was that the defendant violated section 647.6, which applies when someone “annoys or molests any child under 18.” However, under California Supreme Court precedent, this statute requires a motivation by “an unnatural or abnormal sexual interest in the victim.” [emphasis added] The court concluded that the facts did not fit into this statute because the defendant had no real contact with the victim other than the Facebook posts and he also testified that he “intended his comments to be taken as a joke.”
The second possibility was that the defendant used the victim’s personal information to commit a tortious act. The defendant argued that “unlawful purpose” as used in the statute should be restricted to criminal conduct, but the court disagreed, noting legislative intent to expand the scope of the statute in amending it. The court also pointed to the fact that the definitions section of the statute included the term “crime,” and the legislature chose instead to use “any unlawful purpose.” The defendant practically conceded that his conduct satisfied the requirements of a civil defamation claim. The court therefore finds that defendant’s act constituted libel and constituted an “unlawful purpose” under the statute. Alternatively, the court held that defendant’s conduct satisfied the statute because it also constituted a criminal offense. Defendant’s actions violated section 653m, which makes any contact with another person using “obscene language . . . by means of an electronic communication device . . . with [the] intent to annoy.”
It’s tough to muster much sympathy for the defendant, who was previously in trouble for reckless driving when he drove his car “at three girls in the school parking lot, but stopped abruptly several feet away from them in an attempt to scare them.”
The definition of “personal identifying information” in the statute is broad. (We ran into an analogous problem in the Pineda case). It looks like the court focused on the Facebook password as being the PII in question that supported the violation of the statute, but the opinion is not totally clear on this. A broad definition of personal identifying information coupled with the court’s decision to allow tortious conduct to satisfy the “unlawful purpose” could lead to a statute that is expansive in scope and which should raise everyone’s First Amendment hackles. Given that the defendant used the email password to access Facebook, this does not feel to me like a case that pushed the statute to the limit.
Interestingly, the defendant argued that his conduct would violate California’s newly enacted e-personation statute (section 528.5) which was effective January 1, 2011, and the fact that this statute was passed demonstrates that the legislature did not view his conduct to violate the previously existing statute. The court disagrees with this argument, noting that the newly enacted e-personation statute has different elements from section 530.5:
Section 528.5 does not include a requirement that a perpetrator obtain personal identifying information. As a result, a person could violate section 528.5 by merely posting comments on a blog impersonating another person. There is no requirement, under these circumstances, that the person obtain a password — a key distinction.
Yikes. This is precisely what is wrong with California’s e-personation statute.
This case plays out as a Greek-style tragedy in three parts.
Part #1: Someone sent the victim’s email password to the defendant. The court is vague about who did this or how that person got the victim’s password.
This prompts one of my modern rules for clean living: never tell anyone else your passwords. EVER. (Another rule for clean living is to constantly change your passwords, but this is harder to obey). I am such a stickler about my passwords that I don’t tell them to ANYONE. Certainly not to campus IT when they want to muck with my computer, but I don’t even tell my passwords to my wife. (FWIW, my wife has told me many of her passwords, but I would never use them without her express instructions). I know there’s a debate about the spouse-and-passwords dilemma. It’s not that I don’t trust my wife. I do, completely. But my rule is clean and simple. If someone other than me types in my password, then they ripped it off. (We’ll revisit the problem of accessing a logged-in computer in a bit).
In this case, we don’t know why the password-obtainer had the victim’s password. Perhaps it was hacked. More likely, the victim made an error in judgment. Either way, the defendant apparently used the email password to help reset the Facebook password and access the Facebook account.
Part #2: The defendant misused the victim’s password. It goes without saying that the defendant had no business logging into the victim’s email or Facebook account. Doing so was inappropriate even if the defendant merely just looks around, given the amount of private information stored in email and Facebook accounts. It was even worse to publish content under that person’s name, and worse still to post fake come-ons for sex.
Having said this, once a juvenile finds out he/she can access to a peer’s Facebook account, it seems like it would be almost irresistible not to muck around with it. I don’t want to dismiss this entirely as “kids will be kids,” but I’m sure a non-trivial percentage of kids would take advantage of a peer’s password if the circumstance presented itself. Perhaps it’s like the joyriding of days of old. If people left keys in their cars, some kids will take the cars for a spin. We can enact draconian laws to discourage joyriding, but if keys are left in cars, joyrides are inevitable. Here, the defendant basically took the victim’s Facebook account for a joyride. It was unquestionably wrong behavior, but given its inevitability, it probably shouldn’t be felonious.
The defendant’s behavior here is analogous to the fake online profiles that teens set up for school officials. I blogged in more detail about that phenomenon last year. In connection with the DC v. RR case, I also blogged on the problems of kids saying hyperbolicly outrageous things online that aren’t amenable to punishment under traditional defamation or bullying laws. All of these examples remind us that kids are going to push limits with electronic tools just like they do offline. We need to find safer ways to let kids be kids online without ruining their lives.
Part #3: The court stretched the identity theft statute too far. As Venkat recaps, the court confronted several statutory ambiguities without any good common law precedent. The court also didn’t acknowledge or consider any constitutional concerns with its ruling. Instead, the court reaches the counterintuitive and potentially troubling result that publishing fake content through someone else’s account steals their identity. Obviously that takes us a pretty far distance from a paradigmatic case of pretending to be someone for commercial benefit (i.e., what I typically think of as “theft”).
As Venkat indicates, the ruling reinforces why we should be nervous about California’s recent “e-personation” law, which is even more broadly written and applies even when there’s no password misuse. It also shows why expansive identity theft laws should be feared, not encouraged. For more on that point, see my post about Illinois’ identity theft law.
This ruling leaves open two obvious questions:
1) will it always be identity theft to use a third party password to publish fake content via someone else’s account?
2) will it be identity theft to access a third party or shared computer and publish fake content via someone else’s account? In that case, the password isn’t obtained at all. Given how many people always leave their computers logged-in to various services, I imagine this happens with some frequency.