In response to a case of a teen who was a victim of online impersonation, Facebook agrees to help non-users, on a case-by-case basis, reinstate their on-line reputation
PIPEDA Report of Findings #2013-010
July 11, 2013
A mother complained that someone had created a Facebook account in her teenaged daughter's name. While this teenaged girl didn't even have a Facebook account, the imposter made contact with schoolmates who did and made inappropriate comments about them.
Upon learning about her daughter's situation, the complainant approached Facebook about the impersonation. Upon confirming that the alleged imposter account was indeed a fake, Facebook deleted it and all associated content (including the comments).
The complainant wanted Facebook to go further and to contact all her daughter’s schoolmates, who were befriended by the imposter, and inform them of the deception.
Facebook would not go that far. It did not believe it would be appropriate, practical or beneficial for it to intervene in personal relations between individuals.
Principle 4.9.5 requires organisations to notify parties who had access to the inaccurate or incomplete information, where appropriate.
We were persuaded that in these circumstances, it would be inappropriate for Facebook to notify individuals “friended” by the imposter of the deception as it could potentially re-stigmatize the victim.
However, we remained deeply concerned for the reputational and emotional consequences of impersonation for non-users of social networking sites, like the individual in this case.
After further discussions with our Office, Facebook agreed to, in the case of non-users, examine and investigate on a case-by-case basis matters of alleged impersonation that are brought to the site administrator’s attention where the victim of an alleged impersonation requests a particular kind of assistance. Such assistance could include Facebook facilitating a process whereby non-users could themselves notify others who had been friended by an imposter account.
- When an individual successfully demonstrates the inaccuracy or incompleteness of personal information held by an organization, the organization shall amend the information as required. Depending on the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question. However, notification to third parties may not be appropriate in all cases, as this finding demonstrates.
- The accessibility and temporal persistence of personal information online can affect one's privacy and reputation in troubling ways.
- This case reiterates the importance of educating youth and parents about the potential misuses of Internet technology and what they can do about it.
Report of Findings
Complaint under the Personal Information Protection and Electronic Documents Act (the Act or PIPEDA)
- The complainant alleged, on behalf of her 13-year-old daughter, that Facebook Inc. (Facebook) violated its own Statement of Rights and Responsibilities when it allowed an imposter to set up a Facebook account in her daughter's name. The imposter account included a picture of her daughter along with inappropriate postings to the account's newly made Facebook "friends".
Summary of Investigation
- The complainant's daughter had never had a Facebook account. When the daughter was told by some of her friends that they had "friended" her on Facebook, it was discovered that the daughter was being impersonated on the social network website by an individual who had created an imposter profile. The imposter had used a photograph of the daughter to set up an account in her name and made inappropriate comments on her daughter's friends Facebook accounts who had "friended" the imposter profile.
- The complainant immediately contacted Facebook by email and demanded that the organization take the following actions:
- Delete the imposter account – immediately and permanently;
- Delete all comments attributable to the imposter account;
- Contact the individuals from the "friends" list and inform them of the deception.
- For its investigation, Facebook required certain personal information from the complainant (e.g., name, contact information) as well as a digital copy of government-issued photo ID of the person being impersonated.
- The complainant provided Facebook with the requested information, including a copy of her daughter's passport for the purpose of ID verification.
- After Facebook reviewed the account and passport information, it deleted the imposter profile of the daughter and all content associated with it. It also advised the complainant of these actions.
- The complainant continued to be concerned about several issues, primarily that:
- Facebook had allowed the impersonation in the first place;
- such matters could cause irreversible harm to a minor's reputation;
- Facebook had not contacted the "friends" list to advise them of the deception;
- the complainant was not able to speak to anyone over the phone or at the Facebook Canada office in Toronto; and
- her daughter's personal information provided for verification purposes had been retained.
- As a result of these issues, the complainant filed this complaint with our Office.
- During our investigation, Facebook confirmed to our Office that it had permanently deleted the imposter profile and associated content, including any content posted from the account (e.g., comments). Facebook also confirmed that it had deleted from its systems the passport information provided by the complainant in accordance with its policy to immediately delete or destroy personal information no longer required for the purpose of its collection.
- We reviewed Facebook's imposter account reporting procedures, which are accessible from the Help CenterFootnote 1, and noted that both users and non-users could report imposter accounts.
- With regard to notifying Facebook "friends" about the imposter account, Facebook informed us that as a matter of general policy, it does not send such notices on behalf of a user to a friend list in these (or any other) circumstances. In addition, it advised that once an account is disabled, all posts and messages sent from the account are removed from Facebook immediately. If a fake, imposter, or otherwise abusive account holder has sent messages to other Facebook users, those messages are no longer available in the system as soon as the account in question has been disabled.
- Facebook also stated that it set up a contact form for individuals who wish to pursue a private investigation into the impersonation activity. The form is also accessible via its Help Centre.
- Facebook advised that in the context of account impersonations, it would be wholly inappropriate, impractical, and would often cause more harm than good for Facebook to notify the "friends" linked to an impersonated account. Unlike the circumstance where an organization itself transmitted inaccurate personal information to a third party, it would not be appropriate for Facebook (or any other platform/service provider in similar circumstances) to take such action and insert itself into personal relations between individuals.
- Moreover, Facebook went on to advise that it cannot always ascertain which user issues are legitimate and which ones are not. Other than verifying the identity of a requestor, and acting on an uncontested request to disable an account, the company is not in a position to confidently state that an account is being disabled for reasons of impersonation.
- For these reasons, Facebook takes the position that it is best to leave it to individuals themselves to take action against imposters in the manner they deem appropriate. While our Office was persuaded by many of these arguments with respect to Facebook users who have tools at their disposal to rectify the situation in their own words and on their own terms, we remained concerned about cases, such as this one, where the victim of impersonation is a non-Facebook user with no means available to her at all to contact ─ let alone identify ─ the affected "friends" to set the record straight. We emphasized the need for Facebook, particularly in these non-user cases, to take some measure of responsibility for its business model, which allows imposter accounts to occur in the first place and to take appropriate means to help address or mitigate the emotional and reputational damage resulting from such privacy-infringing events.
- In making our determinations, we applied Principles 4.9 and 4.9.5 of Schedule 1 of the Act.
- Principle 4.9 states, in part, that an individual shall be able to challenge the accuracy and completeness of the information (held by an organization) and have it amended as appropriate.
- Principle 4.9.5 further provides that, when an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending on the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
- In this case, it was clear that the imposter who opened a Facebook account in the name of the complainant's daughter and used her photo and personal information intended to misrepresent the user profile.
- The complainant alerted Facebook that the account had been set up by an imposter. She challenged the accuracy of the personal information related to her name, sought to have it corrected and requested that "friends" of the imposter account be so notified.
- Facebook has a process in place to report "fake accounts". Information about it can be found in its Help Center. When an account is flagged for suspicious activity, Facebook requires individuals to provide identifying information to confirm that a real person is behind the account. Facebook's objective is that it remains a community of people using their real identities to connect and share, as per its Statement of Rights and Responsibilities.
- Facebook clearly informs its users of the purpose for which it needs to collect personal information by individuals ─ namely as a security measure to ensure that the user is a real person. Further, this Office has previously found that this purpose serves to protect users' privacy and the integrity of their account.
- In the case at hand, once the complainant reported the imposter account and had provided Facebook with the necessary information to identify herself (i.e., her passport information), Facebook deleted the account, posts and messages associated with it, and the passport information within five days.
- Further to Principle 4.9.5, the complainant requested that Facebook send a notice to the Facebook "friends" with whom the imposter account had interacted. Facebook advised our Office that, in the context of account impersonations, it would be wholly inappropriate, impractical, and may often cause more harm than good, for Facebook to notify the "friends" linked to an impersonated account. Facebook argued that it could further exacerbate the situation, thereby allowing the victim of the impersonation to be re-victimized.
- Accordingly, it is Facebook's position that it would not be legally required under Principle 4.9.5 to notify any of the "friends" linked to an impersonated account as it would not be "appropriate" to do so in these types of situations. Unlike the circumstance where an organization itself has transmitted inaccurate personal information to a third party, and should appropriately inform them of the corrected version, Facebook claims that it would not be "appropriate" for it (or any other platform/service provider in similar circumstances) to take such action.
- We find these arguments persuasive. It would indeed be inappropriate to expect Facebook to intervene in interpersonal relations and arbitrate on what is true versus what is untrue. Requiring Facebook to pro-actively notify friends of an imposter account that the account has been "disabled" risks drawing more attention to the impersonated information, raising more suspicions than answers and potentially re-stigmatizing the individual and exacerbating potential hurt and embarrassment associated with the account.
- Facebook met its requirements under 4.9.5 by promptly deactivating and deleting the imposter account. We agree that under these circumstances, the Act does not oblige Facebook, as an organization, to notify the individuals "friended" by the imposter account to advise them of the deception.
Other Issues Raised by Complainant
- The complainant also expressed frustration in not being able to contact anyone at Facebook directly or by phone ─ that the only method available was via email and that Facebook's office in Toronto was not able to provide any assistance. We note that the Act does not favour or prescribe any one particular method of client contact over another. Thus, Facebook was not in violation of the Act when it responded only by email.
- The complainant also questioned why the creation of Facebook imposter accounts is possible in the first place. This raises the question of whether this Office should recommend that the creation of every new Facebook account be prefaced by prior identification and authentication of its creator.
- In previous cases, our Office has found that such a proposal would impact on all free social networking, email, gaming or other sites that provide free account services. It would also be extraordinarily difficult to implement and virtually impossible to enforce. Finally, it would have to be a global initiative as it would not be feasible to implement it in only one country.
- In those previous cases, we also examined the option of tying the verification procedures for any Internet account to a network provider. We found that doing this would require the network provider to perform verification for each user, which could well require payment for each verification instance. Although this might be feasible for fixed-account holders, it would not protect against potential imposters using Internet cafes, library computers or other public Internet-access sites.
- Accordingly, with respect to the issue of the deletion of the imposter account and notification of the "friends" list, we conclude the matter is not well-founded.
- While the Act may not oblige Facebook to notify the friends impacted by the imposter account, we remain deeply concerned for the reputational and emotional fallout to victims of impersonation on social network sites. In this particular case, as a non-user concerned with the reputational harm to her young daughter who was the victim of impersonation on Facebook from which inappropriate comments were made to her friends, the complainant sought help from Facebook to help stem the consequences of that incident for her daughter's reputation.
- We accept that Facebook users would be able to use the platform to correct misinformation about themselves from their own accounts and reinstate their online reputation in their own words and on their own terms. However, we remained concerned for non-Facebook users who do not have this same available option.
- After numerous consultations between Facebook and our Office, we were pleased that Facebook addressed our concern and agreed to implement a process whereby it would examine and investigate on a case by case basis of non-users, matters of alleged impersonation that are brought to its attention where the victim of an alleged impersonation requests a particular kind of assistance.
- Although Facebook would not itself send notifications to the "friends" list of the imposter account to advise them of the deception, Facebook offered as a remedy to facilitate a process whereby non-users themselves could notify those "friended" by the imposter account. This solution ultimately helps put non-users on the same footing as users, by empowering them to notify "friends" of the imposter account and reinstate their online reputation in their own words and on their own terms.
- In the case at hand however, the complainant's daughter's imposter account and related information were deleted promptly and therefore Facebook is unfortunately unable to offer the complainant any special assistance. However we are encouraged that for future requests by non-users, Facebook will ensure it provides special assistance to non-users empowering them to mitigate the potential reputational fallout of imposter accounts.
- We wish to commend the complainant for raising this important issue with our Office, in that the complainant was able to highlight the concern that the accessibility and temporal persistence of personal information online can affect one's privacy and reputation in troubling ways. Since the threats to privacy and reputation are so significant and forward reaching, the protection of personal information and reputation online has to be the responsibility of everyone: data protection authorities, organizations and individuals alike.
- We would also like to stress that individuals must be aware of their online presence. This case reiterates the importance of educating youth and parents about the misuses of Internet technology, and how these misuses can potentially damage a person's current and future reputation. It also reminds us to be vigilant of the information that exists online about each of us. The longer false information about us remains online, the more damaging it can be to our reputation.
- Date modified: