We’re all familiar with the sort of identity theft where bad guys steal your personal data in order to get access to your money — or more often your good credit history — for financial gain. But what about those who impersonate others in online communications by deceptively adopting a real person’s name as a pseudonym?
That appears to have happened, bizarrely, to law prof and prolific blogger Frank Pasquale, as he explains at Concurring Opinions. A Blogger page called “The Paris Site” (cute pun) is a detailed gripe site about the local hospital in Paris, Texas and its parent company, Essent Healthcare. According to this news story in the local Paris paper, Essent has sued the anonymous bloggers behind the site for defamation, alleging that the site suggests the hospital is culpable for Medicare fraud and other wrongdoing. The blogger(s) use various pseudonyms, including, at one point, “Frank Pasquale.” The state court judge in the case has ordered a local ISP to provide the real name and address of the site’s proprietor.
This sort of thing occurs fairly frequently online. On political blogs you often see commenters signing the name of elected officials, usually to parody them by making sarcastic or ridiculous remarks in their name. You also see it all the time on sites like AutoAdmit/XOXOHTH, where part of the style of so-called joke is to use other people’s names (or screen names) and turn them into sock puppets. If obvious enough as humor, those may or may not be misleading, but I have little doubt that this sort of impersonation also happens in many contexts that are outright deceptive.
Speaking completely hypothetically, does Frank have a cause of action against the bloggers too?
I think he does. It could be defamatory to attribute comments to Frank that he did not make, at least if they harm his reputation as a trustworthy scholar and blogger. And in states that recognize the tort of appropriation, the unauthorized use of someone else’s name for your own benefit is unlawful. Of course, such litigation would be an expensive and complicated undertaking, and usually not worthwhile. Short of suing, though, the best remedy is, as Frank suggests, regular self-googling. I have been advising people to do this for some time. Even if you don’t actually spot someone stealing your identity, it gives you a sense of how others perceive you when they search for you online — a more important component of your persona all the time.
Finally, two asides about this particular case:
First, we are going to see more and more of these motions to disclose the identity of John Doe defendants in cases involving pseudonymous or anonymous online speech. It seems clear to me that there needs to be a mechanism for plaintiffs who are truly harmed by such speakers to hold them accountable in court (including in legitimate IP infringement cases). On the other hand, it should not be a routine procedural formality to unmask anonymous speakers just because you filed a complaint with some allegations. Our system is extremely lenient toward complaints at the initial or “pleading” stage. There is tension here with underlying fundamentals of civil procedure, because we would need a judge to make some assessments of the lawsuit’s merit at the very outset. This happens to some degree when plaintiffs seek preliminary injunctions, but in those situations at least the defendant is already at the table. There is more work to be done in developing appropriate standards for these ISP subpoenas.
Second, I have not seen the complaint, but based on the newspaper story alone I wonder whether the hospital’s case is very strong to begin with. It seems to allege defamation and violation of patients’ privacy.
On defamation, many of the newspaper’s quotations from the Paris Site seem to be statements of opinion that are not actionable, for example: “This isn’t Nashville or Boston or Dallas or Austin. It is a community that you wounded and are sucking out the life’s blood. We don’t like your style of vampires.” Clearly this is not an accusation that Nosferatu actually works at the hospital in Paris, Texas. The most likely candidate for defamation — again, just going on the news report — is this insinuation: “Apparently Medicare fraud is in the air, and PRMC is looking for a scapegoat. Billing practices from the rehabilitation unit are suspect, as well as vascular ultrasound studies billed by the hospital, but done by unregistered technologists.” I’m not sure, and I’d need to see it in context, but this may also skirt the boundary of defamation if it can be found to raise questions based on reliable information rather than to state flatly that the hospital is engaged in wrongdoing.
As to the patient privacy angle, what gives the hospital standing to sue on behalf of its patients? Not the privacy torts. Not HIPAA, which provides no right to sue (and anyway, a loophole in HIPAA means that individuals who are not “covered entities” cannot be held liable for breaches under the statute, as explained in this DOJ memorandum — the topic of an excellent seminar paper by one of my students last year). Again, I have not seen the complaint, but this does not sound like a slam-dunk case. If it is harassment against a gripe site — if that’s what’s really happening — then I hope these bloggers can find themselves a good pro bono lawyer.