By: Evisa Kambellari*
In the virtual world, one person can present himself in different identities and several persons can present themselves under the same virtual identity. Online impersonation can occur in two ways: either by stealing one’s personal information to gain access to his online profile or by creating a completely fake profile. The fake profile might reveal information that belongs to someone else or be totally fictitious. Such flexibility in assuming one’s identity online is due to the anonymity that people enjoy in the online world. Inability to elaborate proper identification tools of Internet users is one of the biggest challenges in preventing and prosecuting social media related crimes. Online social networking has reshaped human interaction in a way that reduces the barriers that would traditionally keep strangers apart. Identification requirements are minimal and there is no proper mechanism of verifying the truthfulness of the information one presents in creating an online profile or e-mail account. However, creating a fake online profile is not a criminal act per se. The component that turns the lawful act into an unlawful act of online impersonation is the imposter’s malicious intent to “defraud,” obtain a “benefit,” or “injure”.
So far, only a small number of states have statutes that explicitly criminalize online impersonation. The effectiveness of enacted statutes is limited for reasons related to the anonymity of Internet users, the First Amendment protection of freedom of speech, etc.
Prosecuting illegal acts of online impersonation by law enforcement may interfere with an individual’s right to communicate freely. In this respect, courts have tried to set the boundaries of such actions as to not undermine the substance of the free speech right. Moreover, proactive conduct by police officers in creating fake profiles of minors that target potential online sexual predators or other criminals might sometimes interfere with a person’s right to privacy. Under such circumstances, reference to the facts of a specific case helps in determining whether the defendant had a reasonable expectation of privacy in the information he shared with the person he thought he was talking to.
Relevant case law shows that not every kind of injury intended by the perpetrator can form the required element of the offense. U.S. courts tend to limit the operation of the offense in cases where there is a tangible injury or a negative effect to one’s reputation.
U.S v. Drew is a landmark decision in California addressing the case of online impersonation, which proved once again, the inability of legislatures to catch up with technological developments. The case received widespread public attention and media coverage at the time.
Lori Drew from Missouri, conspired with other members in agreeing to intentionally access a computer to obtain information for the purpose of intentional infliction of emotional distress against the victim M.M. The victim was a 13-year-old girl who had been a classmate of Drew’s daughter. On September 20, 2006, Drew, assisted by her friends, created a profile for a fictitious 16-year-old male juvenile named “Josh Evans” on www.MySpace.com (“MySpace”). Then, she contacted Megan through the MySpace network using the Josh Evans pseudonym and began to flirt with her over a couple of days. In October 2006, the conspirators had “Josh” inform Megan that he no longer liked her and that “the world would be a better place without her in it.” Shortly after learning that, Megan killed herself. Missouri prosecutors were having problems in identifying what offense to charge Drew with because there was no federal criminal statute against cyberbullying. They decided to charge her for violating a felony portion of the Computer Fraud and Abuse Act, which prohibits accessing a computer without authorization or in excess of authorization. By allegedly violating My Space’s click-to-agree contract, Drew committed the same crime as any hacker, prosecutors claimed. However, the U.S District Court of California, found that “creating a MySpace account under a false name, even with tortious intent, cannot be criminalized.” The court noted that “violating the terms of service for MySpace by using a false identity is, at worst, a contract violation. Congress revealed no intent to criminalize contract violations and the application of the law to such conduct renders it void for vagueness.”
The court found that the statute failed to provide a fair warning to individuals of common intelligence that breach of website’s terms of service could be a crime. The court also reasoned that “[i]f every intentional breach of an ISP’s TOS were to become criminal, the result would be a standardless sweep where federal law enforcement agents could improperly pursue their personal predilections.” The court seemed to adopt the views expressed in the Brief of Amici Curiae that if a violation of a website’s terms could be a basis for criminal prosecution, there would be no limiting principle to prevent arbitrary or discriminatory application of the law.
In Matot v. C.H., et al., the defendant, a middle school assistant principal brought action against students asserting claims for violation of Computer Fraud and Abuse Act (CFAA) and defamation after a student allegedly created social media accounts under the assistant principal’s name and likeness, and invited other students to communicate with them. There, the U.S. District Court of Oregon ruled that the “Computer Fraud and Abuse Act’s (CFAA) prohibition on use of computers in excess of authorized access is limited to violations of restrictions on access to information, and not restrictions on its use.” The court made reference to the rule of lenity which requires penal laws to be construed strictly, and therefore dismissed the action for lack of legal grounds.
Fake online identities present the U.S. Courts with legal questions they are unequipped to handle. The mere act of creating a fake online profile for the purpose of harming or harassing someone did not fall under the construction of any existing criminal statute, thus presenting a strong call for legislative action to properly address the situation.
III. Legislative response
So far, only a small number of states have statutes that explicitly criminalize online impersonation. New York, California and Texas are among the states that have addressed the issue. Under the New York statute, a person is guilty of criminal impersonation when he “impersonates another by communication by internet website or electronic means with intent to obtain a benefit or injure or defraud another.” Similarly, the California statute holds a person guilty of impersonation when he “impersonates another actual person through or on an Internet Web site or by other electronic means for purposes of harming, intimidating, threatening, or defrauding another person”. Under the Texas Penal Code, a person commits online impersonation if the person:
“without obtaining the other person’s consent and with the intent to harm, defraud, intimidate, or threaten any person, uses the name or persona of another person to . . . create a web page on a commercial social networking site or other Internet website; or . . . post . . . messages on or through a commercial social networking site.”
Moreover, the respective provision criminalizes any act of “sending an e-mail, instant message, . . . that references a name, . . . or other item of identifying information belonging to any person . . . with the intent to cause a recipient . . . to reasonably believe that the other person authorized or transmitted the communication; and with the intent to harm or defraud [that] person.”
The level of protection provided by Texas statutory provision is higher as compared to the New York’s and California’s statutes. It addresses situations in which the perpetrator is not proactively engaging in harmful conduct by faking someone else’s identity, but instead causes someone else to mistakenly start communication with a nonconsenting party. In such cases, the perpetrator tries to use the acts of innocent third parties to harass the victim. In this respect, the Texas Penal Code seems to cover a broad range of the wrongful conduct of misusing personal information that seriously interferes with a person’s right to privacy.
The above-mentioned statutes show the legislature’s intent was to criminalize acts of impersonating someone else’s identity for the purpose of defrauding or harassing another person. Such construction seems to cover a substantial part of criminal acts that are committed by assumption of someone else’s identity on Internet. However, the statutes fail to address cases where the perpetrator is creating a fake profile by entering fake information that does not assume the identity of any real person. The perpetrator in such cases is still able to use that fake profile for criminal purposes such as harassing or intimidating someone.
IV. Online impersonation and protected interests
In states that have explicitly criminalized acts of online impersonation, courts have been facing constitutionality challenges of the respective statutes on grounds that their alleged wide formulation affects a substantial amount of protected speech.
A different concern is raised in cases where the fake profile is created by undercover police officers to detect potential pedophiles or other dangerous criminals. In such circumstances, defendants might claim that they have been subject to an unlawful search and seizure, in violation of their Fourth Amendment rights. The following cases present how courts have handled such problems.
In State v. Stubbs, the Texas Court of Appeals considered whether the statutory provision criminalizing online impersonation violated the First Amendment of the U.S. Constitution. The defendant, Stubbs, was alleged to have the intent to harm, defraud, intimidate, or threaten any person, by using the persona of complainant to post one or more messages on and through an Internet website, namely, Craigslist.com, without obtaining the complainant’s consent.
The Court of Appeals held that “Texas’s online impersonation statute . . . [did not] proscribe conduct involving only unprotected speech, and thus statute fell within ambit of First Amendment’s free speech guarantee; but [nevertheless] statute was content neutral.” Thus, “content-neutral regulation of speech, as well as regulation of speech that can be justified without reference to its content, receives intermediate scrutiny . . . [and] is permissible if it promotes a significant governmental interest and does not burden substantially more speech than necessary to further that interest.”
The court also noted that “speech integral to criminal conduct has long been recognized as a category of speech that may be prevented and punished without raising a First Amendment problem.” It concluded that “a statute will not be invalidated for overbreadth under the First Amendment merely because it is possible to imagine some unconstitutional applications. The overbreadth of the statute must not only be real but substantial, as well, judged in relation to the statute’s plainly legitimate sweep.”
In Collier v. Harris, the defendant registered plaintiff’s name and the name of an advocacy group she formed as domain names, and then redirected all Internet users who visited those websites to the websites for the candidates supported by the defendant himself. Plaintiff alleged that the defendant registered the domain names and illegally used them to mislead the public into thinking she supported his candidates. Defendant moved to strike the complaint pursuant to the anti-strategic lawsuit against public participation (SLAPP) statute.
The Californian Appellate Court upheld the motion because the defendant’s act did not constitute an exclusion from the SLAPP statute’s protections. The court reasoned that such exclusion “may be applied only when the defendant concedes, or the evidence conclusively establishes, that the assertedly protected speech or petition activity is illegal as a matter of law.” It further argued that “‘illegal’ means the conduct is criminal . . . merely violating a statute that makes it unlawful . . . to use a domain name, that is identical or confusingly similar to the personal name of another living person or deceased personality, . . . does not trigger the ‘illegal as a matter of law’ exclusion.”
In People v. Golb, the Court of Appeals of New York addressed the question on whether reputational harm alone can be sufficient to find a person liable for online impersonation. The defendant, the son of a scholar of the Dead Sea Scrolls started an Internet campaign to attack the integrity and harm the reputation of other Dead Sea Scrolls academics and scholars, while promoting the views of his father. To accomplish his goal, defendant, using pseudonyms and impersonating real academics and scholars, sent emails to museum administrators, academics and reporters.
The court held that “a person may be found guilty of criminal impersonation in the second degree if he or she impersonates another with the intent to cause a tangible, pecuniary injury to another, with the intent to interfere with governmental operations, or with the intent to harm the reputation of another.” The court found that injury to reputation was within the “injury” contemplated by the online impersonation statute, and noted that any people, particularly with a career in academia, as relevant to this case, value their reputations at least as much as their property.
In State v. Moller, the Ohio Appellate Court overruled the defendant’s motion on suppression of evidence obtained through electronic communication with a police officer, who the defendant thought was a 14-year-old girl, as obtained in violation of his Fourth Amendment rights. The court reasoned that “Moller assumed the risk of speaking to an undercover agent when he engaged in inappropriate chat room conversations and e-mail with a person he believed to be a minor looking for sex with an older man.” The statements were not protected by the Fourth Amendment because this was “a risk that anyone visiting a chat room necessarily takes when communicating with strangers. It is easy for anyone using the Internet to adopt a false persona, whether for purposes of law enforcement, or for other and nefarious purposes.”
Relevant case law shows that state legislatures need to be cautious in their efforts to criminalize online impersonation so that the statutes will violate the First Amendment because they are overbroad or non-content neutral.
Another issue that needs further consolidation in practice is the definition of harm as a necessary element of the offense. Courts seem to be reluctant to recognize mere psychological injury resulting from online impersonation as a qualifying circumstance for applying criminal liability, and tend to treat this cases as raising questions of civil liability only. Reputational harm has received a certain level of protection by the respective criminal statutes, which can be explained by the more obvious character of this type of harm.
For claims of Fourth Amendment violations, current cases show that the risk of the disclosure of incriminating information to an undercover police officer via a chat room is a natural risk that one takes when making virtual communications, and therefore does not raise any Fourth Amendment problems.
The online impersonation phenomenon has not yet attracted the necessary legislative attention. Only a small number of states have statutes that explicitly criminalize the assumption of one’s identity on Internet.
A possible explanation to this might be that acts of online impersonation are overshadowed by statutory provisions on the offense of identity theft, which is an offense primarily committed for financial gain. This is a wrong approach since statutory provisions on identity theft are incapable to cover cases of online impersonation because: first, the assumption of someone else’s online identity is carried out for purposes different from financial gain, such as intimidation, harassment or reputational harm and second, the perpetrator of online impersonation does not need to “steal” a real person’s identity in order to further his goals. Impersonation can happen even without the reproducing of the online profile of a real person.
In jurisdictions that do not criminalize online impersonation, attempts to encompass the problem would fall under the provisions against unauthorized use of a computer system. However, as the court noted in Drew,  such attempts will produce a standardless approach and therefore fail under the void for vagueness test.
Another limitation of the current legislative framework on online impersonation is that the respective statutes concern cases where the imposter steals the identity of another actual person, but not on the cases where the created profile is totally fictitious. In either case, an imposter can use the fake profile for criminal purposes such as harassing or intimidating someone. Therefore, a similar regulation is needed to address those cases.
Also, current online impersonation statutes leave the description of the conduct element of “harming or injuring another person” unclear. Such element has not received sufficient elaboration even in the relevant court decisions, leaving the question arguably open. What kind of harm is to be intended/predicted by the defendant so that criminal liability can attach upon him? What kind of actual harm is to be suffered by the victim so that to consider the offense committed? Such determinations are necessary to be made so that to draw a line between civil and criminal liability on matters of online impersonation.
In addition to prevention of the phenomenon by passing new criminal statutes, another suggestion is placing more responsibility on ISPs.  Most of social media providers state in their TOS that users are prohibited from creating fictitious accounts, but they make minimalist efforts to verify an user’s identity. In both technical and practical terms, the approach of applying higher standards on ISPs seems more difficult to be sustained due to lack of a central regulatory authority that could pose such obligations on ISPs and monitor their uniform compliance.
[*] Evisa Kambellari is an Associate Professor of Criminal Law at University of Tirana, Faculty of Law, Albania. She holds a PhD in “Offences against confidentiality and integrity of computer data and systems” from Univ. of Tirana. She is an LLM graduate of the University of Illinois College of Law, Class of 2017.
 Bernhard Anrig & Emmanuel Benoist, Virtual Persons Applied to Authorization, Individual Authentication and Identification in Identity in a Networked World. FIDIS, 6 (2006). http://www.fidis.net/fileadmin/fidis/deliverables/booklet/fidis.booklet.Identity_in_a_Networked_World.d26.pdf.
 Maksim Reznik, Identity Theft on Social Networking Sites: Developing Issues of Internet Impersonation, 29 Touro L. Rev. 455, 455 (2013), http://digitalcommons.tourolaw.edu/cgi/viewcontent.cgi?article=1472&context=lawreview.
 Thaddeus Hoffmeister, The Challenges of Preventing and Prosecuting Social Media Crimes, 35 Pace L. Rev 115, 129 (2014), http://digitalcommons.pace.edu/cgi/viewcontent.cgi?article=1877&context=plr.
 People v. Golb, 23 N.Y.3d 455, 467 (2014)
 Reznik, supra note 2.
 For more on this issue, see Kori Clanton, We Are Not Who We Pretend to Be: Odr Alternatives to Online Impersonation Statutes, 16 Cardozo J. Conflict Resol. 323 (2014).
 See, Sarah Castle, Cyberbullying on Trial: the Computer Fraud and Abuse Act and United States v. Drew, 17 J. L. & Pol’y 579, 585 (2009),
 United States v. Drew, 259 F.R.D. 449, 452 (C.D. Cal. 2009).
 18 U.S.C. § 1030(a)(2)(C) (2012).
 MySpace’s user agreement requires registrants, among other things, to provide factual information about themselves, and to refrain from soliciting personal information from minors and using information obtained from MySpace services to harass or harm other people. See Drew, 259 F.R.D. at 455.
 The case against Lori Drew was filed in Los Angeles, California, where MySpace’s servers were based.
 See generally, Drew, 259 F.R.D. 449.
 According to the court, “individuals of common intelligence were not on notice that breach of website’s terms of service could be a crime, since normally breaches of contract were not subject to criminal prosecution, and the CFAA did not explicitly provide that breaches of contract were criminalized …and treating a violation of the website’s terms of service, without more, as a misdemeanor violation of the CFAA would transform the provision into an overwhelmingly overbroad statute and convert a multitude of innocent internet users into criminals”. Drew, 259 F.R.D. 449 at 464.
 See Brief for Lori Drew as Amici Curiae Supporting Defendant, United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009) (No. CR-08-0582-GW), https://www.eff.org/files/filenode/US_v_Drew/drew_amicus.pdf.
 Matot v. CH, 975 F. Supp. 2d 1191, 1197 (D. Or. 2013).
 Reznik, supra note 2.
 Other states that have criminal statutes on the issue are Arizona, California, Hawaii, Louisiana, Mississippi, New York, Pennsylvania, Texas, and Washington. See Amy Coleman, Catfish season, Juris Magazine (Apr. 19, 2013), http://jurismagazine.com/catfish-season/.
 N.Y. Penal Law § 190.25(4).
 Cal. Penal Code § 528.5.
 Tex. Penal Code § 33.07 (a)(1)(2).
See Tex. Penal Code § 33.07.
 See Geelan Fahimy, Liable for your lies: misrepresentation law as a mechanism for regulating behavior on social networking sites, 39 Pepp. L. Rev. 367 (2012).
 State v. Stubbs, 502 S.W.3d 218, 224 (Tex. Crim. App. 2016).
 Id. at 223.
 Content-based regulations are those that distinguish favored from disfavored speech based on the idea or message expressed. See Ex parte Flores, 483 S.W.3d 632, 639 (Tex. App. 2015); Ex parte Lo, 424 S.W.3d 10, 15 (Tex. Crim. App. 2013). Such a statute is subject to strict scrutiny.
 Collier v. Harris, 192 Cal. Rptr. 3d 31, 42 (2015).
 Golb, 23 N.Y.3d at 470.
 State v. Moller, No. 2001–CA–99, 2002 WL 628634, at *5 (Ohio. App. Apr. 19, 2002)
 Reznik, supra note 2.
 Paul Bernal, P. Internet Privacy Rights: Rights to Protect Autonomy 255–56 (2014).
 Thaddeus A. Hoffmeister, Social Media in the Courtroom: A New Era for Criminal Justice? 22 (2014).