Some States Criminalize Internet Identity Theft

New Jersey Law Journal

NOVEMBER 18, 2013         

 Some States Criminalize Internet Identity Theft

By Jonathan Bick Bick is of counsel at Brach Eichler LLC in Roseland. He is also an adjunct professor at Pace and Rutgers law schools, and the author of 101 Things You Need to Know About Internet Law (Random House 2000).

Last year CNN reported that more than 80 million fake/impostor Facebook profiles were in use. Among them was a New Jersey Facebook user who was prosecuted for identity theft after creating a fake profile that depicted her ex-boyfriend as a criminal. Another Facebook user in California was prosecuted for accessing and altering another’s Facebook account without consent. These unlawful actions typify the two most common forms of Internet identity theft: e-impersonation by fraudulently creating a fake account or by deceptively using an existing account.

Both types of impersonation result in criminal liability for perpetrators of Internet impersonation. Some state statutes have specifically criminalized such Internet activity. For example, New York Penal Law § 190.25(4) states that a person is guilty of criminal impersonation when said person impersonates another by communication by Internet website or electronic means with intent to obtain a benefit or injure or defraud another. The California Penal Code § 528.5 states that any person who knowingly and without consent credibly impersonates another actual person through or on an Internet website or by other electronic means for purposes of harming, intimidating, threatening or defrauding another per-son is guilty of a public offense.

Only Texas, Mississippi, Hawaii, New York and California have enacted statutes containing language explicitly referring to Internet impersonation. However, most states, including New Jersey, have statutes that would cover Internet impersonation transactions. In New Jersey, for example, a defendant is guilty of identity theft if that person impersonates another and does an act in such assumed identity for the purpose of obtaining a benefit or to injure or defraud another (see New Jersey Code of Criminal Justice § 2C:21-17, Impersonation; theft of identity; crime).

Such impersonation also results in one or more torts. These torts normally include misappropriation of name or likeness, and violation of right of publicity.

Federal courts have also used statutes designed for Internet fraud generally to apply Internet impersonation cases. For example, in United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009), the court allowed the use of the Computer Fraud and Abuse Act

(CFAA) in a matter involving, Lori Drew, whose actions allegedly led to the suicide of 13-year-old Megan Meier. However, the use of CFAA in this case was found to be an unwarranted expansion of what Congress intended the CFAA to include.

E-identity theft on the Internet can arise when a person gains access to another’s social media account, and subsequently impersonates that person (see In re Rolando S., 129 Cal. Rptr. 3d 49, where a person willfully obtained another’s social network website access code). Once unlawful access to another’s social media account is achieved, the perpetrator usually either posts tormenting material or uses the victim’s site to steal information.

When prosecuting Internet imposters for the act of stealing passwords or personal information, both federal and state statutes may be used. For example, federal statute 18 U.S.C. § 1030(g) is applicable to the perpetrator of content theft, as long as there is an economic detriment to the victim. Thus, CFAA is often used to prosecute impersonating hackers.

Arizona, New York and California have identity theft statutes explicitly prohibiting online impersonation to obtain financial records. In particular see: Ariz. Rev. Stat. Ann. § 13-2008(A); N.Y. Penal Law § 190.25(1); and Cal. Penal Code § 530.5(a).

California and 45 other states have enacted anti-cyberstalking laws. These laws have also been used to prosecute Internet imposters. The repercussions of e-impersonation can result in consider-ably harmful consequences to the person being impersonated.

In one of the first successfully prosecuted Internet impersonation cases, the Los Angeles District Attorney’s office convicted a man of violating California’s cyber-stalking laws when he falsely impersonated a woman who had rejected his romantic advances. On at least six occasions, third parties contacted said woman in response to said phony solicitations. Gary S. Dellapenta, 50, a security guard, was charged with stalking, computer fraud and solicitation of sexual assault in connection with the case. He pleaded guilty in April 1999 to one count of stalking and three counts of solicitation of sexual assault.

The determinative factor on whether a perpetrator will be prosecuted under an identity theft statute or a cyber-stalking statute is the foreseeable harm element. Consider the In re Rolando S. matter, where embarrassing comments were posted, but it is unlikely the perpetrator could foresee imminent harm. Whereas, in the case of the ex-boyfriend who posted solicitation related to alleged fantasies under his ex-girlfriend’s name, imminent harm was readily foreseeable.

Additionally, cyberstalking statutes are traditionally triggered when the victim is likely to be placed in reasonable fear of his or her safety, as evidenced in the In re Rolando S. matter, where the prosecutions were under the California identity-theft statute and not the cyber-stalking statute. Prosecutors are more likely to utilize identity-theft statutes when the Internet impersonation caused some sort of harm to the victim, but the victim was not placed in reasonable fear of his or her safety, as evidenced by the Dellapenta matter, where the prosecutions were under the cyberstalking statute rather than the identity-theft statute.

Ariz. Rev. Stat. Ann. § 13-2008 was among the first identity-theft statutes in the United States. The Arizona statute renders a perpetrator guilty of identity theft if a person knowingly takes any personal identifying information of another without consent and with the intent to use the other person’s identity for any unlawful purpose. The first federal identity-theft act was 18 U.S.C. § 1028(a)(7). This act made it a federal crime to knowingly possess, without authority, a means of identification of an-other person with the intent to commit any unlawful activity that constitutes a violation of federal, state or local law. It was limited to economic losses suffered by consumers. It should be noted that the Arizona statute explicitly states that economic loss to the victim is not required.

Arizona law is typical of state identity-theft statutes. Thus, prosecutors prefer to proceed with state rather than federal actions when prosecuting the perpetrator of identity theft on a social-media site because of the difficulty of demonstrating economic loss.

Prosecuting using state rather than federal identity-theft statues for Inter-net-related transaction is particularly prevalent when the state statute specifically identifies an Internet element in the identity-theft statute. Consider New York law, N.Y. Penal Law § 190.25(4); California law, Cal. Penal Code § 528.5; and Texas law, Tex. Penal Code Ann. § 33.07 (a)(1)(2), as examples.

According to N.Y. Penal Law § 190.25(4), a person is guilty of criminal impersonation when that person impersonates another by communication via Internet website with intent to obtain a benefit or injure or defraud another. The New York statute includes explicit language concerning identity theft on the Internet as a separate subdivision of its identity-theft statute.

California’s Penal Code § 528.5 is an entire statute intended to protect its citizens from Internet identity theft. This statute states that any person who knowingly and without consent credibly impersonates another actual person through or on an Internet site for purposes of harming, intimidating, threatening or defrauding another person is guilty of identity theft.

The Texas Internet impersonation statute, Tex. Penal Code Ann. § 33.07 (a)(1)(2), makes a person guilty of a felony when that person, without obtaining the other person’s consent and with the intent to harm, defraud, intimidate or threaten any person, uses the name or persona of another person to create an Internet site page on a commercial social networking site or other Internet website; or to post messages on or through a commercial social networking site. It should be noted that the Texas statute criminalizes e-impersonation by fraudulently creating a fake account or by deceptively using an existing account.

It should also be noted that private law (contract law) may be used to pre-vent Internet impersonation. In particular, most social media sites are governed by contracts know as terms of use agreements. Those contracts generally forbid harmful impersonation, upon penalty of losing access to said social media site. Thus, Internet users who report acts of impersonation will generally be granted relief by the social media site because such requests typically result in the termination of the imposter’s access to the site and the removal of the harmful impersonation.