California Senate Bill 1411, authored by Joe Simitian, has passed the legislature unanimously and now awaits Governor signature. He has only 140 days left in his term but it seems likely to get through.
“In the age of the Internet,” said Simitian, “pretending to be someone else is as easy as using their name to create a new e-mail account. When that is done to cause harm, folks need a law on the books they can turn to.”
The current law, said by Simitian to be from 1872, apparently could not handle the latest attacks that involve impersonation online. I have not yet found the right copy of the old text (Chapter 8, Sections 528 through 539?) but apparently the language had a loophole for “electronic means” (Pony Express mail was covered) and perhaps the fine was only 10 cents. This will be changed to a whopping maximum of $10,000 or up to a year in jail. The Simitian site says the new law makes it a misdemeanor if impersonation has two conditions: criminal intent and if it is done without consent. This must expand the current tests of harm to the victim and benefit to the attacker, but I am not a lawyer.
I wonder why 1872 is relevant. Other laws from a hundred years prior (e.g. 1776) seem to be ok. Is the age of a law really important or is there something more specific that is wrong?
It also prompts me to wonder if you have consent can you still have criminal intent? Imagine a couple who are married or have given written full power of attorney for a transaction…perhaps that would give a situation with legal consent yet criminal intent. On the other hand there seem to be cases where you do not have consent but that does not mean criminal intent. Consider the recent ruling on schools that monitor students at home, for example.
“Electronic means” is defined here.
This bill defines “electronic means” to include opening an e-mail account or an account or a profile on a social networking Internet Web site in another person’s name.
Although Simitian speaks of stopping pernicious attackers, the bill seems much more broad. Someone just opening an account, rather than active use of the account for impersonation, could already face lawsuits related to their intent. I assume they mean registering a new one and not just authentication when they say “opening…an account”.