Impersonation, privacy settings and social networking sites

Settled case summary #31

Lessons Learned

  • Impersonation on the web happens and users need to be aware of the risks
  • Users should take time to learn about the privacy controls of their social networking site.  Privacy controls will not prevent impersonation, but using them may help prevent ill-intentioned people from finding out too much about the users’ lives

Complaints

It is not only the rich and famous who have been impersonated on social networking sites.  One regular Canadian family found out the hard way that they too could be targeted by an unscrupulous person looking to cause trouble. 

An individual created a false account on a social networking site using the name, personal information and image of a particular person, who is a parent with two daughters.  The impersonator used the account to “friend” the daughters.  Thinking it was their father, they accepted the friend request and the impersonator was able to view their accounts.  Several other individuals with the same last name as the father and daughters also accepted this person’s friend request.  Once a friend, the impersonator had access to all information not restricted by the account holders.

The same day, the impersonator began to harass the daughters.  He first posted a threatening message about the father on one daughter’s wall.  Messages to both daughters’ personal e-mail addresses soon followed – each message harassing and obscene.  The messages were sent through various services offered by the site.

The daughters quickly realized that this person was not their father.  They notified their real father and the site, and in response the site deleted the account in question.  However, both father and daughters believed that the site lacked control mechanisms at account creation to prevent identity theft.

Outcome

Certain information is collected from individuals when they register an account on the social networking site: the individual’s name, date of birth, and e-mail address.  The site does not, however, have formal mechanisms in place to verify the information given, other than ensuring that the e-mail address provided during account creation is valid.  It is not uncommon for individuals to use false information to create accounts, although this is a violation of the site’s terms of use.  The site relies on its users to report inappropriate content or suspicious activity.

In this case, there was no question that the impersonator set out to deceive.  The profile that the daughters saw when they were friended showed their father’s picture.  To populate the profile, the imposter used a photograph of the father that was available on the web site of the father’s employer.  The imposter searched the site for anyone with the same last name as the father and then sent friend requests to them.  It would appear that he had no intention of maintaining the pretence.  He impersonated the father and then immediately began to harass the father’s family with highly objectionable comments about the person he was pretending to be.

The Office explored the issue of verification procedures on social networking sites but concluded that such procedures would be more privacy-invasive, expensive, and time-consuming to administer.

At the time they set up the accounts, the daughters were unaware of the fact that they could change their privacy settings (they had not restricted access to their profiles).  They have since changed their settings, and the social networking site has deleted the false account. 

The complainants were satisfied with the investigation and considered the matter settled.

The Office is reviewing broader privacy issues in connection with social networking sites (including the issue of privacy controls).  Information on our extensive investigation and related research and public education efforts will soon be available on our web site.
