This week’s question is from Haley via the form. Haley asks:

After listening to the Sinisterhood episodes on Kristin Smart, I couldn't stop thinking about this. What if you submit your DNA to a private company, and it happens to solve a case, are they required to notify you? Are there even laws or regulations for these types of situations? How is law enforcement getting the DNA from the private company (if that's a thing)? Thanks!

Great question, Haley! It’s also a timely question as Maryland and Montana just passed laws restricting how police can use DNA from online databases.

At the time the DNA website GEDMatch was used to capture the Golden State Killer in 2018, the site wasn’t meant for hunting murderers. Two guys created GEDMatch and had no idea police were searching the site’s database for suspects. They thought it was a cool way to find long-lost relatives.

Indeed, at the time, there was no legitimate way for police to search GEDMatch or the other site they used called FamilyTreeDNA. Instead they created a fake profile and uploaded the Golden State Killer’s DNA. Police got a match to a distant cousin and then built a family tree for the suspect in order to identify Joseph James DeAngelo, Jr., who ultimately pleaded guilty to the crimes.

According to The Atlantic, the news of the killer’s arrest was the first time GEDMatch’s creators ever got wind that cops were using their genealogy site to solve crimes. In the wake of the publicity, GEDMatch updated its terms of service to inform users that “DNA obtained and authorized by law enforcement” may be uploaded and used on the site to identify perpetrators of “violent crime.” Though that is defined as rape and murder, the site concedes that it has no way to monitor what crimes law enforcement is using the site for. FamilyTreeDNA followed suit and made similar changes it its privacy policy as well.

With that background, I’ll answer each of your questions in turn.

What if you submit your DNA to a private company, and it happens to solve a case, are they required to notify you?

On FamilyTreeDNA, users who elect to participate in law enforcement efforts are subject to the terms of FamilyTreeDNA’s Law Enforcement Guide. If law enforcement obtains a hit on a user’s DNA and requests more information on the user from FamilyTreeDNA, the website’s policy states that the site will “notify users of the request and supply a copy of the request prior to disclosure” of the user’s information, “unless we are legally barred from doing so.”

In the U.S., law enforcement agencies can get a court order that prevents the DNA website from notifying users. In that case, the user would have no idea they were the subject of an investigation or whether their DNA was being used in connection with an investigation. Usually the court would grant this request if informing the user would somehow impede the investigation, including: endangering the life or physical safety of an individual; causing flight from prosecution; causing the destruction of or tampering with evidence; leading to the intimidation of potential witnesses; or otherwise seriously jeopardizing an investigation or unduly delaying a trial.

If a court finds any of those factors (or any factors otherwise defined under state law), it would sign an order preventing the DNA website from telling you that law enforcement is asking for more information about you.

Are there even laws or regulations for these types of situations?

The overall schema of using a consumer-facing DNA database for purposes of criminal apprehension is governed by the Fourth Amendment and our constitutional right to be secure in our persons, houses, papers, and effects, against unreasonable searches and seizures.

Until recently, if a person turned over data to a third-party, like for instance information you give to a bank, that person would no longer have any Fourth Amendment protection for the information given to the third party. This was based on longstanding Supreme Court precedent that said, in essence: if you give your data to someone else, you should not expect it to remain private.

In a 2001 decision, Ferguson v. Charleston, the Supreme Court curtailed that slightly, holding that “material which a person voluntarily entrusts to someone else cannot be given by that person to the police, and used for whatever evidence it may contain.” That case involved a hospital testing medical urine samples for drugs and then turning that information over to the police.

Then in 2018, the Court decided Carpenter v. United States, holding that “a defendant has a legitimate expectation of privacy in the record of his physical movements as captured through cell-site location information.” This meant that just because you allow cell phone companies to know your location, does not mean that the companies can wholesale turn that information over to the cops.

Neither of these decisions discussed DNA websites directly, but reading them together, it’s reasonable to assume that personal, private genetic information may now be considered sufficiently sensitive and private to be protected against general searches by the government, even where you have turned that information over to a third party like GEDMatch.

Going further, starting October 1, in Montana and Maryland, the laws will change to protect information uploaded to a DNA website. In Maryland, the practice of uploading a suspect’s DNA to a site will require approval from a judge and will only be allowed in cases of sexual assault and murder. In Montana, law enforcement will have to obtain a search warrant, unless users have opted to allow police access to their DNA. Other states may soon follow suit and pass laws of their own.

How is law enforcement getting the DNA from the private company (if that's a thing)?

With the Golden State Killer, they just made a fake profile and uploaded it as if they were a regular user. After the news broke of how they got their information, the websites then created specific channels for law enforcement to upload suspects’ data going forward. For FamilyTreeDNA, law enforcement users are directed to follow certain procedures and email their requests to a special department. On GEDMatch, law enforcement users are directed to use the GEDMatch Pro site, rather than the regular consumer site, and must confirm that they are looking for perpetrators of a violent crime.

For general users with a profile on either FamilyTreeDNA or GEDMatch, the decision whether to make their DNA data available to law enforcement is an option to toggle on or off in the privacy settings area of the website.

Since data like DNA uploaded to a website implicates privacy concerns that extend well into Fourth Amendment territory, law enforcement officials are no longer able to misuse the consumer-facing website for investigative purposes, at least not in Montana or Maryland. If they do it in other states, they may face challenges to use of the data on Fourth Amendment grounds, especially in the wake of the 2018 Supreme Court decision in Carpenter.

I hope that answers your questions, Haley! Thanks for submitting.

Got a question? Submit it here. They can be legal what-if questions, questions on current events, or questions about the legality of actions in TV shows or movies you’ve seen. I never ever want to answer your personal legal questions, so don't send those. Love you, but I don’t do that.

***

This piece first appeared in Sunday Morning Hot Tea. Subscribe so you don’t miss another piece.

This week’s question is from Julissa on Instagram. Julissa asks:

So I’m seeing with all the apps you can use to swap your face with a celebrity’s face there are now TikToks of people just using the app and doing funny videos while pretending to be a celebrity like @deeptomcruise for example. My question is what kind legal protections exist to protect your likeness and how it can and can’t be used? Thank you!!!

Thanks for asking, Julissa!

As a lawyer fighting scams, I think Deep Fakes are the next biggest threat to scam victims, especially seniors. One way I tell seniors to try and avoid romance scams or celebrity scams is to ask to video chat with the person reaching out to them. Now, if scammers can put a celebrity’s face onto their own and pretend to be someone they’re not, how can we keep ourselves safe?

As a person who has seen Face/Off, I am equally as concerned about facial transplant surgery. But this question is about deepfakes, so let’s go with that.

What are Deep Fakes?

In case you are not familiar, the term “deepfake” can refer to manipulated media, either photo, video, or audio, that creates a false piece of new media. Scientists (or scammers) can use a special type of computing system to analyze photos, videos, or audio of a person to determine how to recreate them in the new media. For instance, when creating a deepfake video, the program may track what mouth shapes are linked to various sounds in order to mimic them.

These algorithms work best where there is tons of footage of a person – Tom Cruise, Tom Hanks, Tom Holland. Also other famous people not named Tom like Barack Obama, George W. Bush, and Hilary Clinton.

It’s funny to watch a person who appears to be Tom Cruise fall down in an upscale store. Believe me, I’ve laughed at it. But it is scary how much cheaper and easier it is becoming to create more and more credible deepfakes. There are even apps now that allow you to perform a deepfake live during a video chat, making my advice to always ask for a video chat pretty useless.

Just compare the 2018 Barack Obama deepfake linked above with the 2020-2021 Tom Cruise deepfakes from TikTok. The Obama video is fun to watch, especially knowing it’s Jordan Peele behind the fake, but you can tell there’s something just beneath the surface that’s not quite real. On the other hand, the Tom Cruise videos are so spot on that the creator made a breakdown video just to show how it was done and calm people’s fears.

There is also this incredibly realistic and funny, but wildly inappropriate, video created by the South Park guys featuring our most recent former president and a handful of other celebs including Julie Andrews and Michael Caine. The voices are clearly silly exaggerations, but to my untrained eye, the videos seem flawless.

What kind legal protections exist to protect your likeness and how it can and can’t be used?

The good news is we don’t need to rush to make a bunch of new laws to keep up with this new technology. Good old fashioned common law can serve to protect you from being victimized by deepfakes in most cases. There are a couple of torts (tort = a reason for suing someone) you could use to recover after being the victim of one of these videos.

One such tort is called “false light.” False light is recognized in some states, though not Texas. According to the Restatement (Second) of Torts, when you sue someone for false light, you have to prove:

1. The defendant/deepfaker published the information widely (i.e., not to just a single person, as in defamation);

2. the publication identifies the plaintiff/you;

3. it places the plaintiff/you in a "false light" that would be highly offensive to a reasonable person; and

4. the defendant/deepfaker was at fault in publishing the information.

False light claims can be similar to defamation claims, which is actually why Texas doesn’t recognize false light as a cause of action. Texas courts have said that behaviors that other states would recognize as “false light” are covered under Texas defamation laws. Any expansion, the courts said, would have an impermissible chilling effect on free speech and run afoul of the First Amendment. So in Texas, someone may try to sue a deepfaker for defamation.

When bringing a claim for something like defamation, the law distinguishes a private figure from a public one. Private figures are ordinary, non-famous citizens. If a citizen who has no public persona sues for defamation, they would only need to claim that the bad actor was negligent regarding the truth or falsity of the defamatory statement at issue. On the other hand, public figures would have to prove that the bad actor knew the statement was false, or recklessly disregarded whether it was false.

This makes it particularly hard for politicians, who are generally considered to be public figures, to recover under defamation suits. However, if a deepfake is “fake” by its very nature, would it be so difficult to prove that the bad actor knew it was false? They created the falsity themselves.

New laws may also help politician-victims of deepfakes. In Texas, we now have our very own anti-deepfake law. In 2019, Texas became the first state to outlaw political deepfakes by statute, making it a crime to create videos “with intent to injure a candidate or influence the result of an election” that are “published and distributed within 30 days of an election.” California passed its own version of the bill in 2019 as well.

Some have warned that these laws are unconstitutional, but because the laws are new they have not yet been challenged.

It’s not just political videos to worry about. A 2018 study cited by the MIT Technology Review found that 90% and 95% of deepfake videos are not whimsical Tom Cruise gaffs or political videos but are, instead, nonconsensual pornography. Then, about 90% of those videos are nonconsensual porn featuring women, both famous and non-famous. Current revenge porn laws don’t cover deepfake pornography made without the subject’s consent.

Even so, other laws may be effective in stopping nonconsensual deepfake porn. Creators of these harmful videos could find themselves subject to criminal penalties like harassment, cyberbullying, or even extortion for making and distributing these videos without the subjects’ consent.

Can celebrities sue for deepfakes?

Not easily. Jay-Z found himself the subject of vocal deepfakes. The iconic rapper has such a unique way of rapping/speaking that a YouTube channel called Vocal Synthesis was able to upload videos of him supposedly rapping the “To be or not to be” soliloquy from Hamlet and the lyrics to Billy Joel’s “We Didn’t Start the Fire” (shout out Billy Joel!) Both videos were vocal deepfakes.

Hova’s legal team issued Digital Millennium Copyright Act (DMCA) take down notices to YouTube to remove the videos for violating copyright, but their requests failed. Why? You can’t copyright someone’s manner of speaking.

Both Jay-Z’s Shakespearean monologue and the Billy Joel bit would fall under Fair Use parody anyway, as would things like the Tom Cruise deepfakes showing a mad cap Cruise tripping and falling. Things change when someone tries to make money off the sound-alikes, though.

It doesn’t have to be a fake video posted online, either. In the late 1980s, McDonald’s introduced the Mac Tonight, moon-headed crooner who played piano and invited customers to enjoy late night meals. His singing style was a little too close to the then-deceased singer Bobby Darin whose estate sued McDonald’s for trademark infringement, causing McD’s to nix the commercials.

In a completely unrelated turn, Mac Tonight has since become an alt-right white supremacist meme because we apparently can’t have nice things. You’re welcome for that bizarre rabbit hole.

Along those lines, Texas and other states recognize the Right of Publicity – that is, the right of a person to make money off their name and likeness. It is actually considered a property right under statute. This law would protect someone from having a deepfake of them used for commercial purposes.

Under Texas common law, an individual could also make a similar claim for “misappropriation” which courts have broken down into three elements:

1.  that the defendant/deepfaker appropriated the plaintiff's name or likeness for the value associated with it, and not in an incidental manner or for a newsworthy purpose;

2. that the plaintiff can be identified from the publication; and

3. that there was some advantage or benefit to the defendant.

So if (1) a deepfaker appropriated your name/likeness for the value – that is, to make money, (2) the fake media is identifiably you, and (3) the deepfaker is advantaged or benefitted by the deepfake, you could possibly prevail on a claim of misappropriation.

What can we do to stop deepfakes?

To sum it up, civil causes of action like defamation, false light, right of publicity, and misappropriation should work to protect most deepfake victims from having their faces used for inappropriate or commercial purposes. However, things like Fair Use/parody and high bars of recovery for defamation of public figures may make that difficult in some cases.

Criminal laws prohibiting harassment, cyberbullying, and extortion may also be used to help victims of deepfakes. However, the most common use for deepfakes – nonconsensual porn – isn’t explicitly covered by current revenge porn laws, not yet at least. States like Texas and California have passed deepfake laws to try and prevent meddling in elections by criminalizing deepfakes, but those laws may be on the constitutional chopping block by courts if ever challenged.

Of course, we don’t want to criminalize parody videos or restrict speech. Watching Tom Cruise slip and fall in a fancy store is hilarious. WE MUST PROTECT IT AT ALL COSTS!

But should there be some protection for the public from these tricky videos, photos, and audio? Probably, considering a company lost $243,000 when scammers used a deepfake voice to mimic a CEO’s voice and demand the hefty funds transfer. With the increasing accessibility of the technology and the unceasing motivation of scammers to steal money by any means possible, this is only the beginning.

Next time you watch a video, ask yourself, like Shakespeare would: “doth mine eyes deceive me?” Is that Shakespeare or was it the bard Shawn Carter? 🤔 Either way, we can’t trust photos/video/audio we see on the internet. We can ONLY trust what we see in person. If we see someone in person, we know it’s them and not an imposter, right? RIGHT!?!?

Oh no.

Thanks for the question, Julissa!

Got a question? Submit it here. They can be legal what-if questions, questions on current events, or questions about the legality of actions in TV shows or movies you’ve seen. I never ever want to answer your personal legal questions, so don't send those. Love you, but I don’t do that.

***

This piece first appeared in Sunday Morning Hot Tea. Subscribe so you don’t miss another piece.

This week’s question comes from Abby via the form. Abby asks:

“So I'm not sure if you have heard or are following anything happening with the wedding dress designer Hayley Paige. From her account, the company JLM Couture has taken all rights to her name, including her presence on social media. I've tried reading the court doc that JLM posted in their Instagram bio but it's all gibberish to me. Is what they're doing justified? What is their claim to her name anyway?”

Excellent question, Abby!

Here’s a short-ish run-down of the situation going on in the wild world of wedding gowns. For a longer play-by-play, check out this piece from Business Insider.

On July 13, 2011, budding wedding dress designer Hayley Paige Gutman signed an employment agreement with JLM Couture, a bridalwear manufacturer. At just 25 years old, Gutman was offered the opportunity of a lifetime – design bridal gowns for a heavy hitter dress manufacturer and receive their support and compensation in exchange.

In an email at the time of signing, JLM wrote to Gutman, saying, “Attached is a signed contract. Hayley please confirm you have reviewed this with your attorney.”

Gutman responded, “Thank you for sending! I have reviewed with my attorney accordingly.” She’s now saying that email was a lie, and she never hired an attorney to review the agreement. Honestly, that may be the case.

If I had reviewed her employment contract, I would have had a couple notes. First of all, the language in her contract is pretty broad. It gives JLM the exclusive rights to use and trademark the name “Hayley Paige” and variations thereof as well as “the exclusive world-wide right and license to use her name ‘Hayley’, ‘Paige’, ‘Hayley Paige Gutman’, ‘Hayley Gutman’, ‘Hayley Paige’ or any derivative thereof” during the stated term of the employment contract and for two years thereafter.

Even if you’re not a lawyer, you can imagine that “exclusive right” and “exclusive world-wide right and license” are pretty broad and sweeping. That means only JLM can use those names or decide who else can use them.

The rights also last for the entire term of the contract PLUS two years. So, she should have been real sure about what she was giving up – in this case, her name – even though she was being compensated for it.

That compensation came in exchange “for the assignment of the Designer’s Name and the Trademarks” to the Company. She literally traded her name for compensation. This is a big decision. Huge! Not one to undertake without representation.

To really finalize the deal, JLM had Gutman sign a trademark registration acknowledgment, confirming that she had transferred all trademark rights in the name “Hayley Paige” and any derivatives thereof to JLM and that she consented to the registration of the trademark “Hayley Paige.” After that, JLM actually owned her name for use in business.

Over the next few years, Gutman created a brand around herself and her designs, posting them across social media including on Instagram under the handle @misshayleypaige. The Instagram gained over a million followers as fans followed her posts about her dog, her personal life, and especially her bridal gown designs. She became more and more well known and even appeared on the wedding show Say Yes to the Dress on TLC.

In late 2019, after extending her contract through August 2022, Gutman created a TikTok using @misshayleypaige on which she posted mostly personal content. JLM’s CEO Joe Murphy then allegedly asked her to post brand-approved content only.

Instead, she changed the password to the 1.1 million-follower @misshayleypaige Instagram account, locking out JLM’s social media manager who had been assisting with the account. Over the next few months, she removed some posts regarding JLM and her bridal line and took two influencer deals to make money posting about unrelated third-party products on the account. One was a salad dressing company and the other was whey protein. She also removed references to JLM in the account’s bio.

JLM and its CEO Joe Murphy didn’t seem to care for this too much. They requested login credentials to the @misshayleypaige accounts. According to JLM, Gutman allegedly ignored or refused these requests. In response, JLM sued Gutman on December 15, 2020 for a long list of stuff, including trademark infringement and dilution, false designation of origin, unfair competition, conversion, trespass to chattel, breach of fidelity, breach of contract, breach of fiduciary duty, and unjust enrichment.

Since then, a federal court has granted a temporary injunction giving JLM control over all of the @misshayleypaige accounts. JLM also sought the court to order the-designer-formerly-known-as-Hayley-Paige from “publicly disparaging JLM” and from “continuing [her] social media bullying campaign” against JLM. The court denied this part of the request as it would constitute “prior restraint” in violation of Gutman’s First Amendment rights.

On April 9, 2021, JLM announced that a new designer would be creating the gowns under the Hayley Paige line. That person? Not named Hayley Paige. She is Francesca Pitera, a former designer for Monique Lhuillier who had prior experience with JLM on another line.

With that injunction, Gutman has been restrained from using her own name in business and is enjoined from using the @misshayleypaige social media accounts. Now to answer the questions…

Is What They're Doing Justified?

It would appear so. It super sucks that she gave away the rights to her name in that contract. I have no clue in what universe you would negotiate a deal to assign the “exclusive right” and “exclusive world-wide right and license” to your name without a lawyer. I do not live there. I get that she was 25 at the time, but in the eyes of the law she was still grown and able to make that agreement.

When I was 25, I was just starting law school. I don’t think I would have even trusted myself to sign something like that without a lawyer. Bless her heart, as we say in Texas, but the language of that contract is mega-broad and she agreed to it.

In another provision of the contract, she agreed that any other “works” conceived of or developed by her in connection with her employment with the Company are “the sole and exclusive property of the Company.” In the court’s opinion, the term “works” includes the Instagram and TikTok accounts she created after her employment term began.

Because her contract required her to assist with advertising, the creation and use of the accounts to promote the brand fell under “employment” and were “works for hire” belonging to JLM. It appears from the language in the court order that she operated the account as an extension of her duties at JLM. She got input from JLM and its employees on what captions to use and on responding to DMs. Therefore, the court said, the social media pages were created by Hayley Paige the employee for work purposes and therefore belonged to JLM.

Gutman argued that the accounts were created for her personal use rather than business use. However, there was internal communication that indicated she mixed in the personal stuff as a marketing tactic, rather than as a form of personal expression. She stated in an email that she needed a social media director to help with the account to “maintain the balance specifically on the @misshayleypaige account . . . [because] I think it’s important that we do not dilute this Instagram with too much promotion/advertisement so that we can maintain the aesthetic and personality of the brand.”

Were the cute dog and fiancé photos really to express her joy? Or were they posted to avoid “diluting” the page with promotion/advertisements to preserve the aesthetic of the brand? The court decided it was the latter.

In its order on the temporary injunction, the court concluded that she assigned “Hayley”, “Paige”, “Hayley Paige Gutman”, “Hayley Gutman”, “Hayley Paige” and any derivative thereof to JLM. The court also concluded that the language of the contract “unambiguously encompasses” both “misshayleypaige” and “@misshayleypaige,” which are derivatives of “Hayley Paige” because they only add the word “miss” to the beginning.

So yeah, at least according to the federal court and based on the language of the contract, they are justified in claiming use of those accounts.

What is Their Claim to Her Name Anyway?

They paid for it. Not only did she receive a base pay and additional sales volume-related compensation, she is also entitled to receive a further percentage of “net revenues derived from the sale of goods” sold under her name and the other Hayley Paige trademarks for ten years following the termination of her employment with the company.

This means even after her contract ends in August 2022, she is entitled to receive payments based on future sales that use her name for another full decade.

Is that compensation worth it to give up your name? I don’t know. I wouldn’t shake on that deal, but everybody is free to make whatever deals they want to make. Maybe JLM will sell an ass load of Hayley Paige wedding dresses and Gutman will never have to work again so it will all have been worth it. On the other hand, maybe they’ll sell a bajillion dresses, but even then she may not feel like it is enough compensation to warrant losing her name.

The real rub is that, as it stands, she is pretty much bound. Absent the court undoing the contract (which I doubt will happen given the court’s language in the preliminary injunction docs) that’s the deal she made and that’s the deal she’s gotta live with. This is especially true since the contract does not include a provision permitting Gutman to terminate it on her own (“unilaterally”). She’d have to get JLM to agree to releasing her. Otherwise, her actions may be considered repeated breaches of the terms of her agreement, subjecting her to having to pay damages or to further injunctions.

The answer to all this is probably negotiating a settlement. From JLM’s perspective, it looks pretty bad to be doing this, even if they are within their rights under the law. The @misshayleypaige account currently under the control of JLM has turned its comments off, attempting to avoid online backlash. JLM also claimed in its complaint that some bridal boutiques have quit carrying the line due to the legal drama.

For what it’s worth, Gutman has counter-sued JLM, claiming (1) JLM “willfully failed to pay and/or unlawfully deducted Additional Compensation due to” her, (2) she was defamed by JLM in private and in public, and (3) JLM CEO Joe Murphy sexually harassed Gutman and others and created a hostile work environment.

If they don’t settle, then at least Gutman will get her day in court. Until then, she’s known on Instagram as @allthatglittersonthegram where she recently put out a request for suggestions on an all-new name she plans to choose for herself.

I hope that answers your question, Abby! Thanks for sending.

Got a question? Submit it here. They can be legal what-if questions, questions on current events, or questions about the legality of actions in TV shows or movies you’ve seen. I never ever want to answer your personal legal questions, so don't send those. Love you, but I don’t do that.

***

This piece first appeared in Sunday Morning Hot Tea. Subscribe so you don’t miss another piece.

This week’s question comes from me scrolling through TikTok. I got to wondering:

“A woman on TikTok tracks down people who she thinks are trying to illegally obtain COVID vaccine cards or others who threaten violence against women. She then contacts their employers, licensing authorities, and family members using publicly available data. Is this legal?”

Excellent question, me! I love answering questions from you, but just like you, I also have a curious mind and couldn’t stop thinking about this situation.

I was inspired by a new TikToker I found named Savannah. She’s a pharmacist, lactation consultant, and web sleuth who was tracking down wrongdoers and reporting them to their employers, their family members, or the authorities. She worked with other TikTok detectives who used open source investigation to find people possibly violating the law or just generally acting like gross assholes.

** EDIT - She has since deleted the videos at issue and posted an update video. In the update, she states, “I am not sorry for the videos that I made. I am not sorry for the people being held accountable, and I will continue to hold people accountable as it pertains to public health and patient safety.” She cites the credible threats made against her and her family’s safety as her reason for removing the videos. **

KIDNAPPING JOKE

One male TikTok user (TikToker? TikTaker??) “dueted” one of Savannah’s videos. If you’re not familiar with TikTok, when one user makes a video, another can choose to “duet” the original video. The second creator will react to the original video side-by-side. Savannah’s video showed all the ways she and other female runners must prepare themselves to go on a run safely – for example, by taking ID, carrying pepper spray, and only wearing one AirPod.

The male user who dueted her video included captions indicating the ways he would “disarm” her tactics, with the underlying “joke” being that he was learning how to effectively abduct a woman, I think?? I’m not a professional comedian or anything… oh wait, yes, I am. That’s a bad joke, if it can be considered a joke at all.

Savannah found this user’s Facebook, and from there tracked down family members. She messaged them privately and let them know their family member made these unsettling remarks in his publicly available TikTok video. One sibling responded saying she would take care of it and asked that Savannah not reach out to other family members. Savannah obliged. Not sure what “take care of it” entailed, as another sister and a cousin later reached out to Savannah, threatening legal action. Unedited excerpts from their messages appear below:

“Defamation is real and court is too!”

“Not only did you harass my ENTIRE family you defamed his name. We would like the video to be taking down ASAP or we will have no other choice but to bring this to court.”

Savannah did not take the video down.

FAKING VACCINE CARDS

In another set of videos, a user found a comment on a COVID vaccine post that read, “I work at a pharmacy and grabbed blank [COVID vaccine cards] for me and my hubby 😜 😜.” Beneath that comment, another user asked, “Can I pay you to ship a couple to me 🤣”

Based on what seemed to be a fairly cursory internet search, Savannah was able to locate the initial poster and identify her as a pharmacy technician in Illinois. This pharmacy tech had actually posted her entire pharmacy license renewal form on TikTok. Yikes.

The second commenter asking to pay for the cards was a nurse. Again, a pretty easy search (beginning with the Instagram profile linked in her TikTok profile) turned up the where the nurse worked and that she was indeed licensed in Texas. Savannah then made a report to the Texas Nursing Board of the incident.

A several other videos on TikTok shared by Savannah involved people – some of whom are licensed medical professionals – asking for blank or fake vaccine cards.

One now-deleted video by Savannah viewed over 9 million times showed the Instagram, Facebook, and place of employment for a woman I’ll call Kari. A self-described “pediatric trauma RN,” Kari initially posted a TikTok video of herself selfie-style lip-synching to the song “Big Gangsta” by Kevin Gates. Cringey though that may be in and of itself, the worst part is the caption that reads, “Screw a fake ID. I need a fake vaccination card now.”

After Savannah’s post, concerned TikTok users contacted the hospital listed as Kari’s employer in her Facebook profile. Faced with comments and phone calls, the hospital released a statement that they were aware of the video, but that the nurse in question, Kari, had not worked for the hospital since August 2020.

Savannah left up the video naming the hospital as the woman’s employer, drawing ire from other users. She later posted a follow up video with the correction, but still kept the original video with the incorrect information up. She finally deleted it after being threatened by what she called “far right TikTok.”

There’s a lot swirling in my mind here. Let’s take the issues one by one. First, we’ll talk about the people on the receiving end of Savannah’s videos then move on to what Savannah is doing in response.

CAN YOU JOKE ABOUT FAKING COVID VACCINE CARDS?

Generally, yeah, jokes are protected speech. The government can’t lock you up for joking about something. But free speech is only between you and the government. Your employer can make whatever choices they want about how to respond to your joke.

Fake vaccination cards are a real thing. According to Fortune, advertisements for fake vaccination documentation are up 300% since January on the dark web, a hidden part of the internet that isn't visible to Google. I suppose not having access to the dark web, these folks had to post their requests for obtaining vaccine cards openly on TikTok.

But aren’t the comments just a joke? The addition of a 🤣 or a 😜 may mean the comments were insincere. Or was the wink indicating that the pharmacy tech did something illegal already? Or was it just a joke all along?

Emojis are being used by courts to interpret people’s intent in both civil and criminal cases. For instance, does a kissy-face emoji in response to a sexual advance indicate that you welcome the advance? Does adding an “LOL” emoji after asking someone to do crime with you make it a joke?

In a sentence that sounds very 2020, the intrinsic meaning of an emoji and its intent in relation to a sentence would be up to the interpretation of a judge or a jury. Generally they’ll look at things like the accepted use of the emoji (e.g., 🍆) and the context of the words around it.

For instance, these two emoji uses have very different interpretations:

Let’s cook dinner at home tonight. Trying to be healthy 🍆

versus

i’ve got something for you to eat 🍆

LET’S JUST SAY IT WASN’T A JOKE. IS IT UNETHICAL TO FAKE VACCINE CARDS?

For sure.

The pharmacist tech who said she stole COVID vaccine cards from her employer is possibly in violation of the pharmacist rules of her home state of Illinois. One of the requirements for a pharmacy tech is that they must be “of good moral character.”

Savannah mentioned that as a pharmacist, she had an obligation to report the actions. This same rule applies to lawyers. We have an ethical duty to report conduct that violates our rules. Yeah, we’re mandated snitches. It’s part of the deal when you sign up to be a professional.

The Texas nurse who asked to buy the blank cards is regulated by the Texas Board of Nursing. Is asking to buy a stolen, blank vaccine card a violation of the Board of Nursing rules? Looks like the nurse would have to actually be arrested for a “crime involving moral turpitude” for it to be actionable. I’m not sure simply asking for the fake document, when accompanied by a “laugh till you cry” emoji would qualify.

Then again, this is an evolving situation impacting public health, and lying about one’s vaccinated status may put patients in jeopardy. In that case, it could be a violation. Even so, it would likely require more action that a comment on TikTok.

IS IT ILLEGAL TO FAKE VACCINE CARDS?

Yeahhhh, most likely. There’s a pretty broad federal law at 18 U.S.C. § 1001 that makes it a federal felony to:

• falsify, conceal, or cover up by any trick, scheme, or device a material fact;

• make any materially false, fictitious, or fraudulent statement or representation; or

• make or use any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry

to the government.

In short, this law makes it a crime to lie to the federal government. If you steal the blank cards and write fake information on them, that seems to be a pretty clear case of using a false document knowing that it contains a fraudulent entry.

Since the COVID vaccine is so new, there aren’t yet laws that address the vaccine cards specifically. A state legislator in New York has proposed a bill that would prohibit the falsification of COVID-19 vaccination records. If the bill passes, a non-medical professional who falsified COVID vaccine records could be charged with a Class A misdemeanor punishable by up to 364 days in jail and/or a $1,000 fine. For medical providers, it would be a Class E felony punishable by up to four years in jail.

But even without these specific laws, there is possibly a law on the books in these folks’ jurisdictions that make falsifying the records a crime. I’m more familiar with Texas law and § 37.10 of the Penal Code, which makes it a crime to falsify, sell, or alter a “government record.” Given that the vaccine card is issued by the CDC, a government entity, sounds like a “government record” to me.

This law could easily apply to stealing, selling, or using blank vaccine cards. The law includes a whole list of prohibited actions including: altering a government record, presenting/using a false record with the intent that it be taken as genuine, or possessing, selling or offering to sell a blank document with the intent that it be used unlawfully.

Pretty much covers the stealing-blank-cards scam and would cover selling them, too. If you mailed them across state lines or used the internet to sell them, you would be eligible for a federal charges as well (it’s all about that interstate commerce!)

Now that we’ve established that what these folks have done is at best icky and unethical, and at worst, illegal, what about the actions Savannah has been taking? Is it doxxing? Defamation? Illegal? Let’s walk through it.

FIRST: WHAT IS DOXXING?

A shortened version of “dropping docs” or personal documents, the dictionary definition of dox is “to publicly identify or publish private information about (someone) especially as a form of punishment or revenge.” Examples of “private information” that can be used to dox someone include “addresses, phone numbers, and even Social Security numbers.”

Doxxing is the act of revealing private information about someone in a public way. This happened when Lou Dobbs, the now-cancelled Fox News host, shared the home address and phone number of a woman who accused former president Donald Trump of sexual assault. Her phone number and address were not publicly available, but he shared them from a random Twitter account.

Doxxing is different from open source investigations, which is where a web sleuth uses public data available on the internet to help identify perpetrators of crime. A recent example of a successful open source investigation is the capitol insurrection that happened in January 2021 (why did I feel the need to give you the date? How many capitol insurrections have we lived through? One too many, that’s how many.)

John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, took to Twitter after seeing the photo of an insurrectionist toting a shit load of zip ties in the Senate chamber. People on Twitter began referring to the man as Zip Tie Guy because human beings love a good nickname.

Fearing a public safety concern, Scott-Railton and other Twitter users attempted to identify Zip Tie Guy. In an interview with GQ, Scott-Railton described the process wherein he and other Twitter users “surface[d] details and use[d] them to identify a person.”

Using patches on Zip Tie Guy’s gear, the gear itself, and other photos and videos published publicly on social media, the online detectives managed identify the Zip Tie Guy. Another insurrectionist was also identified by the military insignia he wore on his helmet which linked him to a specific service unit in Texas. Once he was sure they got the right people, Scott-Railton took his identifications to the FBI.

He also warned his followers not to announce perpetrators publicly until the authorities had confirmed their identities. In his interview with GQ, Scott-Railton said, “It was not far from my mind that there have been efforts like these that have gotten wrong, and that can have lasting consequences.”

He may have been referring to the Reddit vigilantes who, in the wake of the Boston Marathon bombing, mistakenly named an unrelated missing student as the bomber. The student was totally uninvolved. The general manager of Reddit later apologized for the “online witch hunts and dangerous speculation” that happened in the case.

Remember, doxxing is the public sharing of private information. Open source investigations use publicly available information to identify someone and then report it privately to authorities.

Publishing it publicly? That’s a dangerous line to toe, and can lead to situations like the hospital in this case being bombarded with calls about a nurse that no longer works there.

IS DOXXING A CRIME?

Federal Law

There are a few laws that relate to doxxing. The first and most relevant may be the federal law that makes it a crime to reveal the personal information of a small group of “covered persons” under 18 U.S.C. § 119. It only applies to a really narrow group of people including:

• government employees/officers, including military personnel;

• any juror, witness, or other officer of any court of the United States;

• an informant or witness in a Federal criminal investigation or prosecution; or

• a State or local officer or employee whose restricted personal information is made publicly available because of the participation in, or assistance provided to, a Federal criminal investigation by that officer or employee.

If the victim of doxxing is not one of those narrow categories listed above, then there isn’t exactly a law against doxxing. However, federal or local stalking laws may apply depending on the doxxer’s behavior.

A doxxer could face charges under federal law at 18 U.S.C. § 2261A, which makes it a crime to stalk. Proving that someone is stalking you under this law requires proving the “elements” listed below.

• Intent – the stalker must have the “intent to kill, injure, harass, intimidate, or place under surveillance with intent to kill, injure, harass, or intimidate another person.”

• Use the Mail or Internet – For the federal government to regulate criminal conduct, the criminal conduct must be connected to “interstate commerce.” Otherwise, the states are tasked with regulating criminal conduct.

• Engage in a course of conduct that — (1) Places the victim in reasonable fear of the death of or serious bodily injury; or (2) causes, attempts to cause, or would be reasonably expected to cause substantial emotional distress to a person.

This law covers a victim, their immediate family members, their spouse or intimate partner, or their pet, service animal, emotional support animal, or horse. Yes, you can sleep easy. Your horse is safe from stalking.

A key element here is “intent” – would you be able to prove that an open source investigation that involves reporting someone to the authorities and posting publicly is done with the intent to “kill, injure, harass, or intimidate” someone? It may be intended to harass or intimidate. Would publicly posting reporting someone’s bad behavior “cause substantial emotional distress” to a person? What if they person had already publicly posted it themselves?

I’m not a federal judge (YET!) or a member of a jury (YET!) so I can’t say for sure. It would depend on the facts of each case. I know – “it depends” is such an annoying lawyery answer.

State Law

There are also state laws against cyberbullying and stalking. Since Savannah is in Mississippi (by her own public admission – not trying to dox anyone here!), we’ll look at Mississippi law.

The Mississippi law on cyberbullying only covers actions by kids at school, so it’s not relevant to this situation

The most relevant statute is probably Mississippi’s law against cyberstalking. The law makes it a crime to “use in electronic mail or electronic communication any words or language threatening to inflict bodily harm to any person or to that person's child, sibling, spouse or dependent, or physical injury to the property of any person, or for the purpose of extorting money or other things of value from any person.”

Of the now-deleted videos I watched, at no point did Savannah threaten bodily injury to anyone, threaten their property, or attempt to extort them. Indeed, quite the opposite. She has apparently received multiple threats of physical violence not only against herself but also very graphic threats of violence against her young daughter which caused her to delete the original posts.

Mississippi also has a law against stalking. Under that law, stalking is defined as purposefully “engaging in a course of conduct directed at a specific person” or “making a credible threat” by a person “who knows or should know that the conduct would cause a reasonable person to fear for his or her own safety, to fear for the safety of another person, or to fear damage or destruction of his or her property.” Course of conduct is defined as two or more acts.

When Savannah reposted publicly available information – such as someone’s name, employer, or general city location – would that have been sufficient to cause a “reasonable person” to fear for their safety?

Again, I’m not a Mississippi judge (PROBABLY WON’T EVER BE!) or a person on a Mississippi jury (WHO KNOWS? MAYBE SOME DAY!) so I couldn’t tell you. I will say if I were on a jury, I would like to see a little more action than simply sharing open source information, like possibly sharing the exact military base where someone lives and the person’s phone number …

I say that last part because users who seem to take umbrage at what Savannah was doing have shared the base on which Savannah lives, her exact address, and her phone number. Couple that with the direct threats of physical violence she has also received, and it’s shaping up to be possible violations of these Mississippi criminal statutes.

It may also run afoul of the federal law at 18 U.S.C. § 119 if Savannah’s husband, who is apparently in the military, is also the subject of doxxing.

WHAT ABOUT DEFAMATION?

If what Savannah is doing is not a crime, could it be actionable in a civil court? By that I mean, could someone sue her for what she’s doing?

What do we say, y’all? You can sue anybody for any reason, it’s just whether or not you’ll win. Here, they probably wouldn’t.

To win a case of defamation generally, a person would have to prove:

• The defendant (person being sued) published the statement – this includes publishing something online. Check.

• The statement is about the plaintiff (the person suing/the target) – this element can be met even without directly naming the plaintiff. If you publish something with sufficient information to identify the plaintiff, this element can be satisfied. Check.

• The statement harmed the reputation of the plaintiff – the plaintiff would have to prove that the statement is more than just offensive. It would have to “expose a person to hatred, ridicule or contempt, lower him in the esteem of his peers, cause him to be shunned, or injure him in his business or trade.” This “harm” could include a target being fired from their job. Maybe check.

• The statement was published with some level of fault – the level of fault depends on whether someone is a public figure/government official or a private citizen. It’s enough to be negligent if the target is a private citizen. For public officials, the standard is much higher. It is possibly negligent not to confirm where someone worked currently. Or is it reasonable to rely on someone’s social media? Another maybe.

• The statement was false – this is a big one. Truth is a defense to defamation. The famous case of New York Times v. Sullivan is the classic case taught in law schools with this lesson: a plaintiff has to prove that a defamatory statement is false in order to prove defamation. Definitely NOT check.

Savannah herself said, “I’m not even good at research. I’m good at clicking links on people’s profiles. It’s more difficult to put in a DoorDash order.” She showed exactly how she finds information, usually with screen recordings and narrations. As far as I have seen, she was not publishing anything that was non-public, and she was not publishing anything false.

Re-posting a TikTok video that someone posted publicly and made available for duet, as she did with the man who made plans how to disarm her in order to kidnap her, would not be a false statement. He is the one who made the video. Not sure what his family was planning on suing her for. Maybe they thought she created a deep fake video showing their brother/cousin as the word “DISARM” appeared on screen beside a video about women’s safety? Somehow I doubt it.

The same goes for the nurses and pharmacists and other folks asking for government documents to falsify. They were the ones lip-syncing that they’re gangsters and putting a call to action in the caption on the video indicating their desire for fake vaccine cards.

Again, Savannah didn’t make the initial videos for them. They made them on their own. Neither did she publish any false statements – she simply shared screenshots of publicly available information.

The one issue she may face, aside from their indignance at being called out, is for using their photos/videos – technically, their intellectual property – on her page. But this thing is already a million words long, so I’m not even going to go there. It’s also an especially weak argument if the videos were duet-able. That is an implicit invitation for people to repost and interact with your content. Plus she’s already deleted the offending content.

Based on the information available, it looks like it is not doxxing, and it is not defamation either.

You can dislike that Savannah or these other online vigilantes were naming folks in public, but the answer definitely is not to publish their address/phone number or physically threaten them or their families in return. See above re: crimes.

For a comprehensive guide on how to use your web sleuthing skills to help law enforcement solve crimes, check out Billy Jensen’s Chase Darkness With Me. An important note, his first rule of crime solving is “Never Name Names in Public” sooo yeah. I’d second that. That’s partially because agree with Billy Jensen on just about everything. It’s also just damn good advice.

I am also going to issue a general warning against faking or stealing COVID vaccine cards or any other government documents or doing other crime. Wow, who ever thought I’d need to say that sentence?

I hope that was interesting for all you to learn as it was for me! Thanks for reading.

Got a question? Submit it here. They can be legal what-if questions, questions on current events, or questions about the legality of actions in TV shows or movies you’ve seen. I never ever want to answer your personal legal questions, so don't send those. Love you, but I don’t do that.

***

This piece first appeared in Sunday Morning Hot Tea. Subscribe so you don’t miss another piece.