Name of case: PIPEDA Report of Findings #2013-010
Area of Law: Criminal Code – Cyber Security Laws – Social Media Account Impersonation
Also known as identity theft or fraud, the Criminal Code covers cases where an individual’s identity is used by someone else in order to commit offenses. Fraud on the other hand defines an impersonator that uses someone else’s identity to gain an advantage, obtain property, or bring disadvantage to others. This includes the use of another person’s identity, personal information, legal name, signature, user name, password, and other elements.
Facts
There was a complaint made by a mother of a teenage girl regarding a Facebook account in the name of her daughter. The daughter herself did not have a Facebook account at the time of the complaint, though the imposter was able to use the account to interact with her schoolmates and make inappropriate comments regarding them via the website. Once the mother learned of the situation, she contacted representatives from Facebook concerning the impersonation. She had contacted them and urged them to delete the account, all the comments and content tied to the account permanently and immediately. She also asked to notify the contacts that the imposter account had befriended the deception. The investigation conducted by Facebook began with a request that the mother should provide personal information, such as her name and contact details. Additionally, they asked for a government-issued ID. The mother was able to provide all the necessary documents as well as her daughter’s passport. The support team at Facebook was able to discern that the account was unquestionably a fake, and proceeded to delete the account and all related content which included the comments.
The mother requested that Facebook take a few more steps by contacting the schoolmates via the website to inform them about the imposter. However, Facebook claimed that they believed that it would be impractical, inappropriate, and unfavorable to intrude upon the personal relationships of their users. The mother was also concerned with a multitude of issues after Facebook deleted the account. Her main concerns included the fact that Facebook had allowed the impersonation in the first place, the negative influence this could have on the reputation of a minor, Facebook’s unwillingness to contact the accounts the imposter had interacted with, being unable to contact personnel at the Toronto-based Facebook Canada office, and concern over the retainment of her daughter’s personal information. After the follow-up complaints, Facebook confirmed that the personal information of the daughter was deleted. They also stated that their policy barred them from sending notifications to users about such impersonations on behalf of the complainant. Additionally, they provided the option to conduct a private investigation via a form that is found on their Help Centre page.
Issue
The case focused on determining whether Facebook had any obligation to notify users that interacted with the impersonator about the deception. Facebook specified that they will not be contacting users concerning disabled accounts and would leave the affected individuals to handle the impersonation in a way that is fitting. There is still a substantial concern over this particular case, due to the fact that the daughter is a non-user and has no means of contacting the users who interacted with the impersonator. Therefore, in these particular situations, it is expected that Facebook should carry some of the responsibility for a business model that is vulnerable to such impersonations. The events of the case raised multiple concerns issues regarding the use of personal information of individuals who are not users of certain social networking websites. In the case of an individual demonstrating inaccuracies of personal information obtained by an organization in a successful manner, the organization is responsible for amending the information. Amendment can include correction, deletion, or addition of information.
Additionally, the organization can supply the new information to third parties by giving them access to it. However, there are limitations to notifying third parties. Some organizations may find it inappropriate to get involved in the personal relations of users. This is the only issue of the complainant that was not addressed. Moreover, the case also raises concern over the accessibility of personal information via the internet. There is also a need to educate both the youth and parents about the possibility of misuse of personal data on social networking websites.
Decision
It was evident that the imposter who had created the account in the name of the teenage girl had intentions of misrepresenting her online presence. In accordance with Principle 4.9.5, the mother requested for Facebook to notify the affected users of the impersonation which Facebook advised would be impractical and inappropriate. There was no legal requirement for Facebook to contact the users that were contacted by the impersonator. They support this claim due to the fact that in this case, it was a user that transmitted incorrect information but not the organization itself, and therefore Facebook was not obliged to contact the users. It was concluded that the intervention of Facebook within the personal relations to determine what is and is not true could potentially do more damage than recovery. Facebook was able to meet all the requirements under Principle 4.9.5 by deactivating the account and deleting all its content in a punctual manner. There were no further actions taken to prompt Facebook to contact the affected users about the fake account.
Reason for Selecting This Case
I have selected this case for three reasons. First, like many internet-related cases, this case provided an insight into many potential legal problems that had not appeared prior. For instance, in this case, the teenage girl was not a Facebook user and would not know about the impersonation at all if not for information relayed from friends. This could have allowed the impersonator to continue to misuse the account and spread false data unchecked for an uncertain period of time. It is clear that Facebook does not monitor these impersonations without contact from individuals who are targeted, and if not for the mother’s complaint, the problem may not have been resolved as promptly.
Secondly, Facebook is a business that the mother and daughter had no relation to but were obliged to provide them with personal information such as names, contact information, and passport details. This exposes a growing concern about the access corporations, or users have to people’s personal and sensitive documents or information. Lastly, the mother had many circumstances, which were discarded, in my opinion, due to Facebook’s policy. These included the inability to contact the Toronto office via phone. The ruling claimed that Facebook was not in violation because there was no prescribed method of contact. There was no conclusion concerning Facebook requiring identification confirmation prior to creating an account to avoid impersonator accounts.
Own Opinion
I am afraid I have to disagree with the ruling of the court for the following reasons. First, because Facebook is a corporation that the daughter is not a part of and not a user of, Facebook should have had more insight into the possible misuses of their own platform. I think Facebook was obligated to notify the affected users about the deception. Essentially, the deletion of the account does not allow the daughter a complete understanding of how her identity had been misused. There is no guarantee that every affected user knows of the deception via face-to-face conversation or another contact with the daughter. As such, there could be lasting damage caused to the daughter’s relations and reputation that she will have no way of identifying or repairing.
Secondly, Facebook should have provided more support to the mother in contacting them and resolving the issue. Though there is no prescribed method of contact with the Facebook office, it is possible that the mother was not as familiar with contacting support teams via chat or email. If the mother or the daughter were Facebook users, it would be their responsibility to become more familiar with the website and the ways in which they would be able to acquire technical support. However, as this was not the case, Facebook had more responsibility to provide an accessible mode of contact for the mother.
Lastly, the major issues all stem from Facebook’s policy which does not address the issue of impersonation in a satisfactory manner. The policy states that individuals should handle cases of impersonation in a way that is fitting to them, which is practical in most cases. However, in this case, the affected individuals had no way of knowing about the impersonation, considering they are not users of the website. As such, it is my opinion that the ruling should have focused more on laws concerning impersonation on the internet more than on Facebook’s policy.