Tell HN: AngelList told my employer that I'd updated my profile

958 points by oliversisson ↗ HN
I recently updated my AngelList profile and they emailed my employer, pretending to be me, to "confirm" the project I'd added. How can they think this is a good idea?

234 comments

[ 5.1 ms ] story [ 277 ms ] thread
You're giving me cold sweats now thinking that angel list emailed my company
AFAIK, AL asks confirmation only if an entry is related to -that- company/person/etc. You might add -your- project (i assume not related to your employer) some how as if it is related to your employer.
What kind of TOS would allow that 3rd party involvement? If none - then it's grounds for law suit.
You can ask them yourself:

  team@angel.co
Let us know what you find out?
They do the same impersonation trick to confirm investors and co-founders as well. It gives them cleaner data & is great for growth.
Some call this "impersonation trick" an identity theft.
(comment deleted)
That's extraordinarily unethical. I doubt I'd need to use them, but if I ever have the opportunity, I won't.
do you see any difference between these two statements:

"John Fraser has just added you as an employer, can you confirm? -Linkedin"

"I'd like to add you as an employer on linkedin, can you confirm! -John Fraser"

Of course I do. I wasn't meaning to condone their behavior, only to share that it's something they do extensively and give some context on their potential motivation for it.

They send these emails from team@angel.co but the name and content definitely gives the impression it came from someone else.

>They do the same impersonation trick to confirm investors and co-founders as well. It gives them cleaner data & is great for growth.

I just started pointing to groups at bars when the bartender asks me if I want to start a tab. It's done wonders for my personal finances! /s

(comment deleted)
Depending on the details, it could be a minor felony for fraud.
Clarify? Who would have committed a felony, in what circumstance?
(comment deleted)
Identity theft/impersonation, the company, ceo
Let's take a more obvious case: Suppose you're running a Bitcoin exchange, and people are dumb enough to sign up for an account on it and give you their banking details. You have a copy of their id, their checking account number, their social security number, etc.

The person puts an order for $100,000 in Dogecoin on the exchange, and you'd like more information before you process it in case its fraudulent. So you call up their bank and pretend to be them, using all the information they've given you to bypass their security questions. Then you ask the representative to have a year's worth of statements sent to you via email. Bank of America will mail them to you for free.

This seems like it should be fraud, even though they didn't steal any money.

There's a couple differences:

* They used a email to trick the target rather than the telephone. Telephone has a history of regulations associated with it.

* They're tricking your employer rather than your bank. Regulations surrounding banks are tighter, so this might only be fraud if it deals with a bank.

* They may have used fewer documents when authenticating themselves. For example, they probably don't have your government id, so they likely only sent publicly available information when identifying themselves.

* They may have used an automated system to send the email rather than having someone manually craft it. I don't think this matters, except to make it a little harder to establish intent.

* They're not using this to gain new information, but rather to validate information already given. So no theft of company secrets, unless they ask for more details in the email.

* AngelList is based in California, so depending on where OP or his previous employer were, it might not cross state lines and so could be immune to federal law.

* It's unclear to me what exactly the contents of these emails are. Are they basically like LinkedIn spam, clearly identifiable as such? Or is someone crafting emails by hand and pretending to have a conversation with the manager to get details about the project? Imagine saying you worked at Valve on a secret game, so they called up your manager pretending to be you and ended up getting the release date for Half Life 3. That's fraud.

* It's unclear how they pretended to be the OP. Did they just forge the from: header on the email? Did they log into his gmail account and send an email authenticated from Google's servers? The latter would escalate the crime.

To answer your question, I was mainly thinking identity theft and that they'd fine the AngelList LLC. Exactly which of these differences matters I'm unsure about.

I don't think anyone would seriously care too much about it even if it were illegal though. The worst that would happen would be them being told to stop if enough people complained. It'd be worse if they were doing it to investors.

AngelList is likely trying to determine whether this is a real company. How is that felony or fraud?
Like if someone charges your credit card to determine if the number is valid?
Has anyone tried to determine is AngelList is a real company?

Their web site certainly claims they are, but I've never heard anything back from my repeated emails to team@angel.co, and I don't see them posting anything here. Even Sourceforge has better community outreach and reputation management. How is that not irony?

Yes, of course they are. They are registered and you can look this up using California's online business search, rather than grandstanding on an online forum.

It's dishonest of you to insinuate otherwise.

I had big problems with the "Angel List" web site, because it was extremely flakey and appeared to be a typical piece of garbage that some dime-a-dozen huckster with very little experience had just thrown together after watching the Ruby on Rails Make Your Own Trendy Dot Com Crud Web Site in 10 Minutes screencast.

Major features were totally broken. Many things about the design were devoid of thought and just haphazardly thrown together, as if I was using a mock-up that was nowhere near ready for prime time. Obviously whoever implemented it and runs it had no intention of using it themselves, and puts no time into maintaining the site or supporting the "customers" (who are actually the product). The only "design" apparent was in the most shallow surface details and of the least meaningful kind.

Their support is absolutely non-existent. I heard nothing back from them whatsoever, after sending several emails. Lights are on but nobody's home. It has the feel of yet another ghost town scam web site run by a sociopathic all-talk-no-chops frat boy "idea man" who long ago went on to something else after pissing off and driving away all their developers who worked for free on the promise of equity, and is now letting it run on autopilot. Too many self described "Serial Hacktrepeneurs", not enough programmers.

Because I encountered so many problems that I have no control over but should, it's an embarrassment to be listed with so many glitches that I am unable to work around, which cause investors to see my profile in such a haphazard state. Their carelessness makes it look like I'm the one who's careless.

I hope Silicon Valley does an episode parodying AngelList, or at least somebody writes some fanfic about it. [1]

[1] https://www.fanfiction.net/tv/Silicon-Valley/

Insulting, bordering on abusive hyperbole. You seem to have a major chip on your shoulder. Did Angel List eat your baby or something?

Also, if you hate them so much but seem to have some sort of reliance on their service, why not take yourself off the site and make a competing product?

I don't make a competing product because I don't have 10 minutes to watch a Ruby on Rails screencast.
The whole, "If it sucks, make a better one," is a terrible argument. I don't want to make something better - I want to use this. It is totally reasonable to expect the people who built this tool/software to deliver with core working functionality.
The poster I responded to literally said he could have done it better. My point is, if he has such harsh criticisms and apparently some idea's about how to fix it, why wouldn't he?
Since you asked "why wouldn't he?", here's why:

I spent quite some time trying to work around the glitches, which I was helpless to do anything about. So then I spent some more time writing up a detailed problem report including screen snapshots of Chrome debugger traces showing where some of the problems were. When I didn't hear back from them, I put even more time into trying to work around the glitches, and found even more, different glitches. So then I spent even more time writing up those problems in detail and sending them in. Then I continued to wait for a reply. And waited. And waited. And so far I have never received any acknowledgement of any of my problem reports. And none of the problems have been fixed. I have much better things to do with my time than to help AngelList debug their web site, and wait for a response before finishing my profile. Now my profile is still in a half-finished inconsistent state, because I went on to more important tasks, and have never heard back from them since then.

The first problem I reported was related to inappropriate unsolicited email that Angel List sent to my former employer on my behalf without my consent, applying for a job at a company I used to work for, presumably with forged headers and first-person pronouns making it seem like it came directly from me:

I added an entry for a company I worked for, XXX, and when looking at that page, I was surprised to see a button that said “[checkbox] Sent” in their Jobs section. I did not mean apply for a job there, and I do not remember doing anything that expressed my intention to apply there — I used to work there, but I’m working somewhere else now. There does not seem to be any way to list all of the jobs that I have applied for (or that AngelList applied for on my behalf without telling me), or DELETE any applications that I may have mistakenly made. Can you please remove my application for a job at the company I used to work at, XXX, or explain to me how I can do that myself.

How am I supposed to fix the problem myself, without access to their source code and servers and databases? Don't you think the ball is in their court to reply to my bug reports, after I've spent so much time unsuccessfully trying to work around it myself and writing up and sending in bug reports?

Or are you suggesting I start my own web site from scratch to compete with AngelList, instead of spending my time reporting problems that I have with AngelList to their team who ignores me, or even spending my time on my real job that I'm trying to describe on AngelList?

Was I wrong to spend so much time trying to work around the problem and writing up bug reports, when I should have instead spent my time watching a Ruby on Rails in 10 Minutes screencast, developing my own competing web site, deploying all the infrastructure required to publish it, hiring people to maintain it, getting the money together to run it, and renting office space? Should I use AngelList to get funding for that, in spite of all its flaws? Or are you offering to fund my AngelList competitor yourself?

>>> why not take yourself off the site and make a competing product?

A counter-argument in the form of "if you criticize something, make something better" is just really weak.

(comment deleted)
I regularly get messages from startups who are interested in me on AL. Every time I answer, I click the "I'm interested" button, and I add a message saying that there might be something up with the site. I never hear anything back even though the other side initiated the interest.

I also get an email from an AL engineer now and again asking if things are working. Not sure they are getting my responses, because they should have asked more questions given what I replied.

AL itself also interviewed me once, and they sent a socially incompetent guy who couldn't listen properly without reverting to a script. I would answer a question and the guy would literally ask the same thing again, as if he hadn't heard me.

Totally bizarre.

As a counterpoint, I've emailed/responded to emails from AL on a few occasions and received non-automated responses in a reasonable timeframe. I reported a company for posting false salary ranges and previously had some questions about a "top n% of profiles" thing I was apparently bucketed into.
You reply back to the startups that there is something wrong with the AL site?
Pretty sure he meant that he gets messages from two groups of people, startups and engineers, replies to both, receives responses from neither.
Personal insults are poor form, especially when the people you're insulting have added tons of value to this community with their advice. I know this is the internet, but you're talking about real people, man.
You and the other downvoted guy below are the bad persons in this thread!

You should admit to that :|

Please, no hatchet jobs here, even when a website is annoying.

HN is an experiment in avoiding some of the factors that have brought down internet discussion forums in the past. We depend on users for that, so please use your formidable flamewar powers for good.

I'm sorry if I came off as doing a hatchet job on AngelList. But it pales in comparison to the self inflicted hatchet job they're doing on themselves.

My intention was to make a last ditch effort to get some much needed customer support, before giving up and deleting my account. But even though Dave from AngelList has finally replied to this discussion, he still hasn't replied to any of my email or postings, or acknowledged and addressed the problems I encountered and reported to him more than a year ago.

I've already sunk a lot of time and energy into unsuccessfully trying to get my AngelList profile into an acceptable state, and I also went the extra mile to describe and illustrate many of the numerous problems I had in detail, and report them to team@angel.co.

I have been waiting for a response before sinking any more time into it, and more than a year has passed with no reply. So I took this discussion as an opportunity to try to get an acknowledgement from somebody at AngelList, but so far to no avail.

To prove my good intentions, and give them a chance to fix the problems so I can salvage my profile instead of deleting it, I've just sunk even more time into summarizing the details of the emails I sent to team@angel.co in another message below, because apparently my emails to team@angel.co never seem to get through to anyone who's paying attention.

I've told Dave the date and time of the first message I sent, 29 January 2015 at 11:09 CET, so he can check his support email archives, and see all the problem reports with screen snapshots that I sent him more than a year ago. But so far, I've seen no response from him.

If Dave continues to ignore the issues that I and other people have raised, that just further reinforces my impression that the lights are on but nobody's home, and that I'm just the product, not the customer.

Wow, I'm never going to use AngelList if this turns out to be true. What an unbelievable betrayal of trust.
Yeah Angel List does this whenever you list an incubator as well.
Want to know something funnier? I am a non-HR and non-recruiter employee at my company and I can see recruiting tab (angel.co/candidates).

On a related note, I try to avoid applying to jobs through AngelList. I'll usually go directly to the company website itself and apply.

I second this and it's arguably scarier than OP. I've seen this tab before - it shows everyone in our industry who has ever expressed interest in our company through AngelList. It lets me CRUD job listings and contact/reject any candidate. Presumably I got this incredibly far-reaching access simply because I was confirmed as one of 50 employees with an AngelList account. As far as I know, there was no intervention or approval from our recruiting lead.

From applicant perspective: as soon as you apply for a job through AngelList, everyone who ever works at that company (now and future) can trivially find you and decide your fate.

This is really uncomfortable from the company's perspective too. I could just as easily have been an employee who isn't expected to recruit / shouldn't be making first contact with candidates / shouldn't be able to touch job listings.

I don't even think you need to be confirmed at the company. I think once you put yourself as an employee of any given company, you can see their applicants, but they may have fixed this issue.

Though overall AngelList seem like a site that's focused on helping startups (and investors), and unlike most sites, they don't even charge for their job listings.

this doesn't even scratch the surface of what shady people in the funding industry do to put entrepreneurs or wannabe entrepreneurs in terrible positions.
I quit using AngelList when a recruiter confirmed that he'd seen that my profile was actively browsing the site. The old adage about who is the customer and who is the product rang so true with AngelList. I hadn't realized that it was even possible to build a scammier version of LinkedIn until that point.
This might be "false personation" under California law. See California penal code 529.[1] This is slightly different from identity theft. It's a criminal offense. The key elements of this offense are that someone else impersonated you in some way, and they derived some benefit from doing so. Because this is a criminal offense, AngelList's TOS's arbitration clause does not apply. You can file a police report with the SFPD. If several people do that, something might be done about it.

[1] http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&gr...

Unless you have authorized them to do this under the Terms and Conditions of course.....
Correct me if I'm wrong, but as I understand it, you cannot contract your way out of criminal law.
In this case, every giving would be stealing. If I gave you something, you didn't steal it from me. Likewise, if I gave you the right to impersonate me in particular circumstances, it's not a criminal offense if you do.
Except he obviously didn't give them permission to do this.
The comparison to stealing is frankly ridiculous, as the law doesn't say you can't transfer money. It will explicitly talk about consent. If contracts allowed you to agree to anything then minimum wage laws couldn't work. Which side the impersonation laws fall on will depend on how they're written.
What about boxing, martial arts sparring, fencing, assisted suicide, and voting by proxy?

The point here is that you either _can_ contract your way out, or (what I suspect is the case) there re exclusions in the law were relevant.

Either way, it suggests this might not be illegal if covered by something blindly tick-boxed.

You seem to be opertating under the delusion that the law is logically consistent. It isn't. There are some things you can allow by contract/permission and some things you cannot, and circumstance matters.
No, I'm not. I'm responding to the blanket statement to the contrary. I fully expect that it's a case of cased exclusions as I've said in another comment.
You cannot, uniformly, give people the ability to do anything to you. That's the point I'm making.

> What about boxing, martial arts sparring, fencing

Consent only works up to a point. I cannot consent to you stabbing me or beating me into a bloody pulp.

https://en.wikipedia.org/wiki/Consent_(criminal_law)

https://en.wikipedia.org/wiki/R_v_Brown

It's worth noting that bare knuckle boxing is illegal in the UK, and you can't just sign a document to do it.

> assisted suicide

Assisted suicide is illegal in the UK. It does not matter if the patient signs a contract to say it's OK, it's still illegal.

Again, my point about AS was that it has it's own legislation, implying to me at least that that of murder, manslaughter, suicide do not necessarily cover it by default.
If your Windows EULA said "Microsoft can take any of your property" they still can't steal from you just because you agreed to it.
It would no longer be stealing because you agreed to it. This is why repossession is legal.
Such a contract would likely be ruled unconscionable (invalid) if anyone challenged it. I don't think there's a judge in the country that could be convinced that any piece of code is good enough consideration for random tangible property.
Yes, you can agree to transfer all of your property to Microsoft in exchange for a Windows license. But including this in EULA will not work though, as there are limits on what you can agree to without signature or notary.
It depends on where you are in the world, but in most places in the civilized world, criminal law does not work that way. If something is illegal, we cannot sign a contract that says it's ok between you and me, and magically make it legal. E.g. if I kill someone, the state will prosecute me for murder, regardless of whether or not that guy and I signed a contract that said it was fine.

If impersonating someone is a criminal offense in a particular jurisdiction, then -- assuming that jurisdiction has a sane criminal code -- there is no way to make it legal through a contract.

Edit: there are good reasons why this is in place, the most relevant of which is that it provides protection against abuses. Otherwise, we'd have things like employers that would still be at liberty to use lashing and beating as disciplinary action against employees who don't really have a choice about signing a contract or not.

The point is that the specific criteria defining what is criminal can include whether or not there is consent.

A contract can establish consent.

E.g. if I go into your house without permission and take stuff, then it is theft. If I have a contract saying that I have permission to go into your house and take stuff, then it is not.

I have not contracted my away from something illegal. The contract has established consent, which meant the criteria that otherwise would have made my actions criminal are not fulfilled.

> If impersonating someone is a criminal offense in a particular jurisdiction, then -- assuming that jurisdiction has a sane criminal code -- there is no way to make it legal through a contract.

That depends whether or not the criteria that needs to be met for it to be a crime requires lack of consent. If it requires lack of consent, then a contract can document that the consent has been given.

All jurisdictions I'm aware of (not a lawyer) have the concept of agents that may act on your behalf with consent. To what extent such agents can act using your name (with consent) vs. using their own name but on your behalf, varies greatly.

E.g. some places your agents (say a PA) will sign letters "[agents name] for and on behalf of [your name]" or similar, while other places they will use a signature stamp with your signature, or do "p.p. [their signature] [your printed name]" (the p.p. stands for "per procurationem"). Many other variations are in use, and how obvious signs there are that a document was not personally signed by the person the letter is from varies greatly.

Yes, but consent is not something that can be universally declared in a credible manner. There are things that remain illegal even after you have consented to them. For instance, having sex with someone below the age of consent is illegal even if they have consented to it (the idea being, of course, that they may be coerced into expressing that consent).

> All jurisdictions I'm aware of (not a lawyer) have the concept of agents that may act on your behalf with consent. To what extent such agents can act using your name (with consent) vs. using their own name but on your behalf, varies greatly.

They do, but things are not as simple as "can act on your behalf with consent". Around here, for instance (but I'm in Europe), they can only act on your behalf if:

a) You have explicitly given them consent to act on your behalf in that specific situation (i.e. you told them "you can go to the bank on this date and cash in this much in my name"), or if you have explicitly given them consent to act on your behalf with that particular party and for a specified period of time (i.e. you can go to this bank and do anything in my name for this period of time), and

b) The contract that states this has been validated by a notary and recorded by authorities, and

c) The party that they are acting on your behalf with knows about this, has been explicitly informed that they are acting on your behalf, and agrees to work with them under these conditions.

If they fail to do any of these, it's flat-out illegal. I think this is covered under civil law here, though, so it can be voided by a contract -- but the idea is that consent is not as trivial as signing a sheet of paper that says yeah, do whatever you want. It's bound by specific terms, too, the breach of which makes the whole thing illegal, even if on the whole the operation was consensual (i.e. if an agent, with my consent, goes to the bank to cash in a deposit, but does not explicitly inform the cashier that they are acting on my behalf so that they record the transaction accordingly (i.e. done by X on behalf of NotALaser), he's breaking the law).

(Edit: or, to make it clearer: he can represent me, but he cannot claim he's me. He has to explicitly inform the other party that he's acting on my behalf, declare his identity and present the proper authorization etc.)

> There are things that remain illegal even after you have consented to them.

Yes, I pointed that out.

> They do, but things are not as simple as "can act on your behalf with consent"

I believe that was exactly the point I was making.

> Around here, for instance (but I'm in Europe), they can only act on your behalf if:

While I'm sure you're right for your location, "Europe" encompasses not only ~50 distinct legal systems, but also half a dozen or so distinct legal traditions (with e.g. Common law, Germanic law, Napoleonic law and Roman law as the biggest traditions), which is one of the reasons I specifically pointed out that it varies greatly how clear one has to be about whether or not something is signed by an agent.

Worldwide it gets even more complicated.

To be very clear: I agree that some places the agent will need to specifically sign and state their own name and specify they are acting as an agent. Exactly in line with the examples I gave, a couple of which are from Europe.

In others they can stamp or use a machine to "fake" the name of the person they are acting on behalf of -- as long as they have that persons consent to do so.

In the US we have perhaps one of the most famous examples of the latter: The office of the US President frequently uses an Autopen [1] to sign documents on behalf of the president, such as autographs or letters to constituents. The purpose of it is to duplicate the signature precisely, making actual pen strokes in order to make the signature seem more authentic than e.g. the use of a stamp or seal.

But US presidents have used it for much more important things than letters and autographs, including several times that Obama has had staffers use an Autopen to sign laws on his behalf.

[1] https://en.wikipedia.org/wiki/Autopen

> While I'm sure you're right for your location, "Europe" encompasses not only ~50 distinct legal systems, but also half a dozen or so distinct legal traditions (with e.g. Common law, Germanic law, Napoleonic law and Roman law as the biggest traditions), which is one of the reasons I specifically pointed out that it varies greatly how clear one has to be about whether or not something is signed by an agent.

Of course. I mentioned I'm in Europe just to ensure that it's clear I'm not referring to any law that apply in the US, as this is what HN is most familiar with. Europe is, indeed, very diverse when it comes to law.

If Alice and Bob enter into a contract that says Alice will kill Carol for $1m, can Bob sue her for breach of contract if she does not? Or does the legality of the contract supercede the body of the contract such that the contract is void?
The court will not enforce the contract against Bob because it is illegal to do the act specified by the contract. Furthermore, Alice and Bob could both be prosecuted for conspiracy to commit murder.
The parent's point was that obviously some rights (even on criminal matters) are obviously waivable in this manner.

Normally, I can't take your stuff or enter your property, but if you make a contract granting me the right to take (specific things among) your stuff or enter your property in specific cases, that's enforceable.

Can you similarly sign away your right not to be murdered similarly? To be impersonated? Maybe not, but it depends on the circumstances, and isn't simply a matter of "that's illegal so you can't sign it away".

> It depends on where you are in the world, but in most places in the civilized world, criminal law does not work that way.

I'm sorry, but: no. "In most places in the civilised world" there are these guys called hairdressers and they could routinely - technically - be charged with committing assault causing bodily harm. It's a pretty clear cut (sorry) case that gets trotted out in most any first year criminal law class. The reason they aren't charged is simple: you consent to that bodily harm being inflicted upon you. There are variously defined limits to your ability to consent, especially with regard to duress or excessive harm, but your reasoning is otherwise completely incorrect.

No! If an offence is criminal it can't be magically made OK by a contract.

I am not a lawyer. This is not legal advice.

Wouldn't it make it impossible under California law to have an agent that impersonate me? Have them tweet from my account, reply to emails in my name etc.
It is, of course, perfectly legal to do that with permission.

The problem here is that it was done without permission.

The OP is claiming that the impersonation without permission is a crime, and that it is impossible to waive the crime-ness of it through a contract.

Parent is replying to a comment stating:

    > If an offence is criminal it can't be magically made OK
    > by a contract.
I think this must be mistaken (IANAL either). Boxing, assisted suicide, and voting by proxy come to mind.
(comment deleted)
The quote sounds right to me. If the act of impersonating someone is indeed a criminal offense, you can not smooth that over with a contract.

Voting by proxy is not impersonation, you give someone the right to act (vote in this case) in your name. Thus, no criminal offense.

The other cases: Assisted suicide is a criminal offense in many countries. For example (similar, but not the same), there has been some legal struggle over "Sterbehilfe" here in Germany which garnered quite some media attention.

Boxing – I might be mistaken, but perhaps "beating someone" is not a criminal offense as long as it is not against the other persons will?

All these things hinge on very subtle differences in wording. For example the terms might say: "AngelList reserves the right to send mails on your behalf" which grants them the right to send mails to third parties in your name, but I'd be surprised if law would allow them to state "AngelList reserves the right to claim your identity".

Yes, I think the difference would be are they representing you or impersonating you. I.e. did the other party know.

I can give my voting proxy or power of attorney to someone else, but it's pretty clear to anyone paying attention that's what's going on. If the email said "This is AngelList on behalf of J. Random Employee" that would be different than sending an email that had every appearance of being from the employee.

Even if this is allowed in their TOS, it's pretty underhanded if they buried something like that in boilerplate that they know nobody reads.

    > you give someone the right to act (vote in this case) in
    > your name. Thus, no criminal offense.
Right, it would be an offence, except that you've given express permission; so it isn't.

Assisted suicide is, yes. But my point is that we have separate legislation for it, implying that is required.

Boxing, again, that's my point.

Regarding identity specifically, what I imagine we're talking about here is an automated message much like LinkedIn's:

    > Hi, I'd like to add you to my network! *
Do we have a problem with this too?

* Or whatever it is. Point being, it says "I"; not "Mr Ford".

I definitely have a problem with that. It's an abuse of e-mail to automatically impersonate someone, especially for a purpose as banal as expanding a social network.

The Gmail warning that "this message may not be from who it claims to be" never worked well, but I wish they'd make it work for cases like this.

It's too bad e-mail is so unverified and insecure. A smartphone app can be prevented from making calls or sending text messages from your number: all you have to do is deny it that permission. But there's no way to prevent a website that has your name and e-mail address from sending e-mails as you.

> If the act of impersonating someone is indeed a criminal offense, you can not smooth that over with a contract.

IANAL, but it's like having sex: it's perfectly okay if all participants are consenting adults, but without this important condition it's a felony.

From what I understand, the important part here is consent, and only lack of one makes it a criminal offense. I.e. the act of impersonating isn't a crime (on its own) - the act of doing so without consent is. Well, to be certain, I guess one should take penal code of the jurisdiction in question, find the article and check the exact wording used.

Are you saying assisted suicide is illegal, but _can_ be made OK by a contract? That's not the case in England. By contrast, proxy voting is fine if you register your proxy with the local electoral office in advance.
No, I'm wondering why would there be a separate law if it was automatically covered by not being able to consent your way out of being murdered.
Probably because it's not murder, it's suicide. Assisted suicide is generally not asking another person to kill you, it's asking another person to set up some situation so you can more easily kill yourself. And though suicide is illegal, such laws further define that assisting another person to commit suicide is also illegal.
Contracts must have 'legality of object' - the 'thing' that is contracted cannot be criminal, tortious, or against the prevailing public policy.

You will find that in each of your examples that there is a particular statute legalizing that activity in a particular state.

Boxing is not illegal. Boxing is regulated under certain conditions.
Agreeing to the terms could be giving permission though...
That would be for a court to decide and I doubt that any of us are qualified to advise the GP (I certainly am not!).
There are lots of competent tech lawyers on HN.
I have no idea. My post was more general and about principles rather than specifics. I have no knowledge of the specifics of the relevant terms of service for this company, I also don't know whether they form a binding contract in the relevant jurisdiction or what things are specifically legal to do in contracts in the relevant jurisdiction.

I repeat that I am not a lawyer so if this is important to you then hire a lawyer in your local jurisdiction to advise you, don't listen to random people on the internet.

(comment deleted)
These are two different things:

1. Hi, my name is John, I am contacting you on behalf of wojt_eu to confirm that he has been added to the "Cool New Project" as lead DEV.

2. Hi, it's me wojt_eu, I just wanted you to confirm that I've been added to the "Cool New Project" as lead DEV.

You can legally authorize someone to act on your behalf, in basically any Western Nation - although rules as to how this work will vary, but authorizing someone to impersonate you I don't believe would be made legal anywhere because impersonation is not just something one does on your behalf but also something one does to someone else. Both the person that acts on the impersonation as being real and the person being impersonated can be harmed by an impersonation, and therefore it is not adequate that the person being impersonated gives the impersonator the right to do so.

You are not describing the facts on the ground.

http://semanticcompositions.typepad.com/index/2004/03/flexib...

no, I was very much describing the facts on the ground, I was not describing highly abstract semantic analysis that doesn't relate to legal usages.

I was also not describing linguistic usage in telephone conversation, I was describing linguistic usage in email correspondence. I don't think a correspondence would exist with a structure similar to the conversation the blog post discusses.

It can certainly be that when a conversation or correspondence moves into the realm of impersonation should be determined by the court. I think in the case under discussion here it would determined to be impersonation, the question then becomes what the harm was.

Looking through the statute referenced http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&gr... I don't think I can see a harm defined that matches what was done very well. I think the most relevant section is 530 and it does seem a stretch.

> authorizing someone to impersonate you I don't believe would be made legal anywhere

I think you're confused. Celebrities hire third parties to tweet for them all the time. That's essentially impersonation.

well, no, I guess in a non-legal context it might be considered impersonation but if you gave me that example and asked me would you consider that impersonating someone I would say uh, no, not if you were hired by that person.

Then it's more like acting/broadcasting.

If you had an account on twitter and said you were The Real Steve Jobs and everyone believed you were the real steve jobs and not a joke then I would say yes that would be considered impersonation - at which point the context I left out of my answer, considering it a given because I thought it was quite apparent from the top of the thread was that laws against impersonation also have to identify in some way the harm the parties affected by the impersonation suffer.

In the original post a statute was linked to http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&gr... ,this describes a number of ways harm can be incurred in the act of impersonation.

I bet you can hire a tax preparer in California. That is someone hired to represent you and do things on your behalf for tax purposes. That is a highly regulated financial specialist though.

In principle it sounds similar. The details do matter though. Did they provide reasonable explanation of what they were doing? Did they attempt to do this in secret? Did they misrepresent anything? Are they any laws saying a person cannot sign away liability for things like this?

They also don't sign the tax form as you. They sign it as a "preparered by" and you sign it as the taxpayer.

Most tax preparers are liable for their own mistakes, but not for omitting anything you didn't tell them.

There are many things that would be illegal without a contract that are legal with one. That's kind of the point.
Illegal is not the same thing as criminal, the latter being a very special subset of the former.
(comment deleted)
What is it about not being a lawyer (psychiatrist, economist, whatever) that makes people feel their contributions, though unqualified and generally incorrect, are still valuable? Is there a magical state of not-being that I've never picked up?
Generally, it's because we feel that layman opinions on how the law work should affect how it actually works in a democratic society.

For instance, civil forfeiture, wherein property can be taken from a person who has not been proven guilty of a crime in a fair trial, is widely rejected by the public, even when the opinion poll uses the most biased questions possible. (i.e. Should drug dealers be allowed to keep the profits from their crimes if they escape conviction and punishment on a technicality?)

Also, a jury verdict is little more than an aggregated bunch of layman opinions.

The opinion of the general public is that software should not have bugs in it. Also, it should be gratis and always keep up with the latest GUI and HID fashion trends. As a software professional, I often do additional work to meet those public expectations, even if it has no technical merit. That's because the opinion of the customer matters, when they are employing the experts to work on their behalf.

I include that I am not a lawyer partly to provide a warning that I am probably wrong and that what I am saying is not particularly valuable. I welcome someone that is an expert jumping in and correcting me...
Of course it can. Lack of consent is a key element in many crimes. Rape, for example.
But in your example, the act in question would be sex - which is not itself a criminal act.
Impersonating someone isn't a criminal act either. It is impersonating someone without consent that is the criminal act. Read the statute:

"...any person who knowingly AND WITHOUT CONSENT credibly impersonates another actual person..."

(Emphasis added.)

Elvis impersonators.....
Another element of the criminal statute is that the impersonation has to be "credible".
This is not an appropriate analogy. You are reversing the situation.

Terms and conditions and even contracts are often inadmissible. Just because you signed something, doesn't mean it's valid. Being handcuffed to a contract happens only in the movies,

I am not a lawyer.

One can argue over whether Angellist's ToS constituted valid consent. But the original blanket claim that an action "can't be magically made OK by a contract" is just flat-out false. It can.
It can in some circumstances. If the action is illegal in the first place, no contract can make it OK.
But being "illegal in the first place" almost always hinges on consent, at least in the case of crimes that have victims. (Victimless crimes obviously cannot hinge on consent because there's no one to consent.) I think you'll find it very challenging to come up with an example of an action that is a crime with a victim that doesn't involve lack of consent as an essential element. The only example I can think of offhand is statutory rape, and in that case it's only independent of consent because the victim is explicitly barred by law from giving consent.
Here in the UK I can add: assisted suicide, many sexual activities particularly on camera (even between very enthusiastic participants), driving in a vehicle on the public highway without a seatbelt, working for under the minimum wage, corporal punishment and polygamy.
The claim I made was that a specifically criminal action can't be made non-criminal by a contract if the action is inherently criminal.
Question isn't consent here. Consent is part of what constitutes a contract, but you've clearly consented to their TOS. More importantly, their TOS cannot allow or compel a party to perform a criminal or tortious act. If impersonating you is criminal, then the contract is invalid.
Pro-tip: don't make exclamations when you don't know if what you are saying is true.

The entire point of a contract is to get permission to do something that otherwise is not allowed.

No, the point of a contract is to agree on mutual conduct. The conduct itself is still subject to laws, unless the law itself explicitly allows to be overridden with contracts.

We can agree in a contract to sell you my daughter's virginity, but that does not mean you can actually buy it.

Not sure why you're being downvoted so much. The statute clearly imposes penalties for impersonation "without consent," so consent is a defense here.
If I authorize you to kill someone, you're still on hook for committing the murder.
A contract that requires a party to do something illegal is inherently unenforceable.

https://en.wikipedia.org/wiki/Illegal_agreement

To illustrate why this is the case, we can look at an extreme example: a contract to have someone murdered. Would a court enforce that? Of course not.

> he key elements of this offense are that someone else impersonated you in some way, and they derived some benefit from doing so.

Is Facebook usage of their user's profile pic for advertisement purpose a false impersonation too ? (I don't know if it's still in practice or if it was ever implemented)

If Facebook used their photos to claim to be them, then maybe it would be impersonation. Using their photos in advertising is not claiming to be them.
If Facebook uses your picture for advertisement purposes it generally falls under "using your likeness" and is covered under their terms of service about advertising. They are not impersonating you because they are not claiming to be you, they are instead using your likeness to promote either themselves or their clients.

This is similar to agreements you might sign with an employer, photographer or other third party so they can use your photo in an ad or as part of marketing material. And from what I understand (IANAL) the requirements vary from state to state in the US and obviously outside the US. Although there are blanket terms that cover it from what I have seen.

BTW -- Anytime you have professional photos done, this is something you should always look for and make sure you are comfortable with the terms they lay out in their "Agreement". Many have boiler plate in their agreements that states they can use your likeness without paying you for it and without prior written consent. I just went through this when looking for a professional photographer when we had some family photos done as I don't want anyone using images of my family or kids.

Are you seriously advocating reporting someone to the police based on a one sentence secondhand account from a single dumb Hacker News front page post?

You have zero context for what happened here (could well be user error!) and yet you are encouraging an angry mob to go and SWAT someone.

If you want to play that game, I'm sure that filing false police reports -- or encouraging others to do so -- is a flagrant violation of California's penal code. It is you, John Nagle, who should be thrown in jail if this turns out to be a nothingburger (as is likely the case!).

Or we could all just calm down and report it as a bug. Jesus Christ.

(comment deleted)
Why is this getting down voted?
Because Animats is suggesting that the OP file a police report, not randoms from the internet. He then says if enough people (i.e. customers of AngelList) complain, they may be heard. There's nothing untoward about referring someone who believes they've been victimized to the police.
Probably because it escalated by getting personal. Wrong direction to go.
Thank you for the heads up, I just deleted my account there. How do these companies think for a second that being sleazy like this is OK?
Just deleted the account. Thanks for the tip, OP!
When you say "pretending to be me" do you mean that they spoofed your email address in the from and/or reply-to fields?

[edit: typo]

Downvotes? Just looking for some clarification on what actually happened here. It's not exactly clear.
People probably read too much into your comment, hence the down votes. Reason would dictate from the very small amount of info provided that AngelList merely made the email out to look like it was from OP. To say they spoofed them email headers would've gotten 3x the number of up-votes.
Yes, the FROM spoofs your name so that the person will believe it's being sent directly from you in most email clients, and the Reply-to goes directly to your email. These are the email headers:

    From: YOUR_NAME <team@angel.co>
    
    Reply-To: YOUR_NAME <YOUR_EMAIL@gmail.com>
They used my name in the email from and reply-to fields, and to sign my name. I've replied to my original post with the actual email.
Thanks, that spells it out. Damn, that is fairly messed up.

I had a similar experience with F6S sending emails in my name so I know how uncomfortable it feels.

This is a shame and hopefully just a one-off error.

Hah. Good to know how this happens. I thought it was an personal insider convo...
HN users confuse me quite a bit.

How would they confirm if you are lying or Telling the truth? I believe the only wah would be to confirm from the organization owner. Or else, ANYONE can claim to have done any project.

I believe they do the same verification (it's simple verification) for roles in an organization.e.g Adviser, Co founder, Investor etc. And the verification is the other way too. If an employer adds you as an employee, you are to verify it too.

I struggle to find what the issue is. Perhaps they should have told you they were going to verify your project?

Animats / John, when you invite your friend on a social network and they send a message on your behalf, is that criminal too? Remember, OP(Oliver) took an action by claiming he did a project in an organization. It could have been true or false.

Don Hopkins, take a deep breath man. You can pass a message without being mean. Except that's the intention for a reason not stated here. In that case, it's all good.

Think, when people usually update their profile on angellist, linkedin, etc? Usually, when looking for a new job. And normally, you'd rather not share the fact that you're looking for something with your current company as they might start looking for your replacement before you're ready.

>>> Perhaps they should have told you they were going to verify your project?

That would a huge difference and that's why the frustration - it's not something expected.

It's a semi prison if you are not allowed to update your profile at a job you work.

Remember, the person in question had to chose they were in the said organization and did a certain project.

Anyway, asking Angelist to show any claim will be confirmed is not asking for too much. However, it is not such a scandal as OP makes it out to be.

> It's a semi prison if you are not allowed to update your profile at a job you work.

It's not disallowed, it's just not good. You might not pay attention when your employees are looking for other jobs, but most business owners do, and react rather negatively to it.

> it is not such a scandal as OP makes it out to be

OP posted a one-line "Tell HN" comment, you're actually the one calling it a scandal.

Well, to each organization his to his or her own.

You are right re: the second part. I projected the "WHAT A SCANDAL??!!" comment thread to the OP.

As an aside though. Is there something wring for an employer to know ahead of time if their employee is planning to leave? Of course if an employee updating their profile gets you panicked, then you are not doing something right.

So I am speaking of non paranoid situations.

In the ideal world, you probably should have enough redundancy in terms of human resources so that one person leaving is just slightly inconvenient. Also, as an employer, you should be realistic that it's just a job to most of the people and they will leave whenever a better offer comes, just a matter of time.

So in the ideal world, there's nothing wrong.

However, we don't live in such a world, unfortunately, and should adjust accordingly.

There are many small companies that would struggle horribly if one of the key employees would leave, and eventually they will. Also, some employers expect loyalty and treat it very personally if they know that someone's is definitely looking to jump the ship.

It's right, I agree, but that's how it is usually.

Employers are necessarily oppressive and may fire employees over this sort of notification if the listed project or the AngelList profile in general is against business interests.

If it wasn't clear already, this sort of move shows exactly who AngelList is serving. After all, as you said, how will the employer, in their contractual fantasies, ever be able to confirm that a potential interviewee is telling the truth?

I don't work for AngelList however I think this is overblown.

If you add yourself to an open site, your employer will see it. It is indexed on Google. It shows up when you search the site for the organization.

Are you saying as an owner of an organization, you are happy for anyone to claim to be an employee and to have done any project at your company without you knowing?

Should I be able to claim I did the Dropbox AWS migration without the folks at Dropbox getting notified I am making the claim?

It would be bizarre for an employer to fire an employee for stating (s)he works at the company and did a project.

But what do I know.

The creepy part to me is that the email pretended to be from the employee, not AL. I am actually curious to know exactly what that email looked like.
account deleted, thanks!
They do something similar (though less creepy) when you add a team member to your own org. I've got replies from people to emails sent out with my name, and my address in the reply-to field. They're deliberately crafted to seem personal, with I/you/me/us peppered throughout the body and "Thanks, [your name]" in the sig.

Ultimately it's a social network with accounts for orgs and people - it's no surprise that people are getting _some_ notification, but the impersonation is a little discomforting. It would be totally find if they just showed it as a template and said "hey, we're about to send this, okay?"

AngelList lists startups, so why are you registering there if you are employed? That's likely a violation of your contract in the first place, and their ToS, and it's public info anyway. AngelList is for companies, not projects. You do realise this info is meant to be public? AngelList is a public register of startups showing the people behind them. If you don't want that info public, don't register there.
There is also a "JOBS" section. If they are not protecting the confidentiality of the potential candidates, well, they are not making any favour to the startups or their business.
If this is true, I'm deleting my account immediately.
Thank you for sharing the news. I have just deleted my account. In case someone has problems as well finding out how:

1. Click your profile picture on the top right corner

2. Click settings in the dropdown.

3. Click Delete account

4. ?

5. Profit

Before deleting your account you should edit out and overwrite as much information as possible. Things like your name, e-mail, and any other fields should be falsified before deleting. You have no way of knowing if their "delete" mechanism just flips a deleted bit or if it actually erases your data.

The problem, in this case, is that the company might notify your employer that you're making those changes. Not sure what I'd do in this case. It might be worth creating some dummy accounts to see what actions actually trigger notifications.

It flips a delete bit. But here's the bigger problem: your pages return a 404 error page with status code 200, so Google takes a long time to clear them from their cache (real 404s clear semi-instantly).
What are the odds that works?
I deleted my account but it's still visible
Thanks, just deleted it.