Definition: Deceptively assuming the identity of a real person.
Legal Status:
Can be illegal
Platform ToS:
Violates Policy
Victim Visibility:
Contextually Sensitive
TSPA Abuse Type:
Deceptive & Fraudulent Behavior: Impersonation

Impersonation on online platforms refers to the act of pretending to be another user or entity, often with the intent to deceive, defraud, or harm. This practice undermines the foundational goal of trust and digital identity that are required for online communities to function effectively. Common examples include creating a fake social media profile to mimic a celebrity or public figure, or even assuming the identity of another regular user to spread false information or harass others.

Trust and safety teams face significant challenges in addressing impersonation. Distinguishing between genuine and fraudulent activity is nearly impossible based on content alone, especially when impersonators go to great lengths to make their profiles or actions seem authentic. Automated systems designed to flag suspicious activity often generate  ample false positives while still failing to catch sophisticated impersonation attempts. Manual reviews for impersonation require extensive resources, and aren't guaranteed to arrive at the right result. 

Efforts to curb impersonation through design also have significant privacy tradeoffs. Verification processes that require formal identification information deter users from engaging with the platform and raise questions about data storage and misuse. Moreover, overzealous monitoring of user behavior to detect impersonation can infringe on individual sensibilities around privacy.

Not only is impersonation around to stay, we can expect advancements in generative AI to make the problem of sorting out who-is-who even harder into the future.

What features facilitate Impersonation?

Unverified representation of identity is the core feature on which impersonation is possible.
Individuals' ability to represent themselves in a digital space.

How can platform design prevent Impersonation?

Though it has significant privacy harms, the clearest way to solve this problem is:
Identity Verification
Require users to register for an application with a state issued identity document.
Performing impersonation in bulk requires the automated creation of many different accounts.
Limit account volume
Reducing the volume of accounts a person can create restricts their capacity to cause harm at scale.
Cross platform username verification
To create an account with a popular username, require proof of ownership on another platform.
Is something missing, or could it be better?