For years, experts have argued over which crimes can be called identity theft. Some say the term should refer mainly to the creation of a new account that the victim has no knowledge of; others say it is fine to use the term for fraud on bank accounts the victim created and controls.
One court in California is stretching the definition further. According to a recent ruling, it may be identity theft if a person
The California court's ruling in a July case stemmed in part from its categorization of a Facebook password as "personal identifying information," a term that generally refers to details such as a name, bank account number or Social Security number, Venkat Balasubramani, a lawyer, explained on Eric Goldman's Technology and Marketing Law Blog Monday. California law lists a "PIN … or password" in its definition of personal identifying information.
In this case, a juvenile was accused of misusing a peer's email password to post nasty phrases to the victim's Facebook profile. The defendant received the password in a text message.
The defendant argued that rather than be tried as an identity thief, he should have been tried under the state's e-personation law that took effect in January.
"The fact that this statute was passed demonstrates that the legislature did not view his conduct to violate the previously existing [identity theft] statute," Balasubramani wrote. "The court disagrees with this argument, noting that the newly enacted e-personation statute has different elements" in that it does not require the use of a password, as identity theft might.
The actions of the defendant, Rolando S., were "inappropriate," Goldman, a professor at Santa Clara University School of Law, said in comments on Balasubramani's post. But his behavior was not so inappropriate that it deserves to be equated to the sort of crime one typically thinks of as ID theft, Goldman said.
"Perhaps it's like the joyriding of days of old," Goldman wrote. "If people left keys in their cars, some kids will take the cars for a spin. We can enact draconian laws to discourage joyriding, but if keys are left in cars, joyrides are inevitable. Here, the defendant basically took the victim's Facebook account for a joyride. It was unquestionably wrong behavior, but given its inevitability, it probably shouldn't be felonious."
Further, Goldman wrote, "the ruling reinforces why we should be nervous about California's recent 'e-personation' law, which is even more broadly written and applies even when there's no password misuse."
