It was one of my first few days on the cybersecurity beat, and I was on the phone with a potential source in one of the military’s online warfare units. He asked me to tell him about my background because he didn’t Google me before our conversation. I laughed, absentmindedly typing my own name into the search engine.
In that moment, I was glad he hadn't tried to find me online.
The second search result was my Twitter account — except it wasn’t mine. At least, not anymore. Bruce Willis was my avatar and I had, apparently, been tweeting exclusively in Russian.
I did a double-take, and realized what happened. Weeks prior, I changed my handle from @SaraSorcherNJ to the simpler @SaraSorcher when I left my job at National Journal covering national security to join The Christian Science Monitor to help lead a new section on, somewhat ironically considering the situation, security and privacy. Apparently within days of that change, someone — or a bot — had taken over my former work identity.
My real account, @SaraSorcher, still existed. In my picture, I was still smiling and wearing a gray suit. The @SaraSorcherNJ account — Fake Me — sported a smirking, balding Willis in a track suit and v-neck white tee. I tweet about news and wonky security policy issues. Fake Russian-speaking Me enjoys “watching Hannibal, eating apples and pondering the nature of existence." (Thanks, Google Translate.)
As someone who relies on Twitter as a professional outlet, it was shocking.
I felt acutely uncomfortable that another person seized that specific user name within minutes or a day of me changing it. And it was uncomfortable that handle would be available at all for that person to seize. Perhaps the most annoying part? This handle for my old account had more followers than I ever did.
I wanted it taken down.
The Twitter police
What were the rules?
According to Twitter’s policies, users are allowed to create parody or fan accounts. This clearly was not either one. Impersonation, however, is a violation of the social network’s rules. Yet Twitter warns users will not be removed simply because they share my name, but not other information. (In other words, even though to the best of my knowledge, I am the only Sara Sorcher in the world, that’s not grounds on its own for a similarly-named account to be removed.)
Twitter does not, however, allow accounts “portraying another person in a confusing or deceptive manner.”
Because I am a reporter, and the Internet archives forever, people and sites across the Internet remain linked to my old @SaraSorcherNJ user name. All references to that handle thus made my impersonator appear to be the author of articles that I actually wrote, about topics like military sexual assault or Pakistan’s drones. It looked as if I suddenly gained a new personality and some quick Russian language fluency – or was hacked.
I decided the account was indeed deceptive, and filled out a detailed impersonation report to send to Twitter.
After getting an auto-response from Twitter, I took to Twitter to ask about Twitter. Meta, yes, but effective. Turns out, I wasn’t alone. Other reporters had the same thing happen — including Jeremy Hill and Carlo Munoz — after they left The Hill newspaper for other media jobs.
Even in a spiraling online discussion with security and tech reporters, no one knew. Luckily, help was on the way. It wasn‘t long before someone from Twitter jumped in on Twitter to answer our questions about Twitter.
Human vs. Bot
As a human fighting online with what was indeed probably a robot, I wanted to know: Can a user prevent their old handle from being seized?
The options weren’t great: If I left my old @SaraSorcherNJ account standing, I would have had to start from scratch with my followers — and I would have had two accounts when people tried to find me. But clearly, once I changed my name, my old account (and a part of my professional identity) were left vulnerable.
Nu Wexler, a spokesman for the social network, said my case appeared to fall under Twitter’s impersonation policy, but had no comment on specific policies on how it handles lurkers taking over peoples’ abandoned handles after they change them.
Twitter likely makes these determinations on a case by case basis. Unlike Facebook, Twitter does not require people to use their real names, and users can claim handles as they become available. If a user goes inactive, as I had with my old work account, their name would be up for grabs. Theoretically, that would be kosher, unless a user successfully petitioned to remove them under grounds of impersonation, as I had.
In my case, all’s well that ends well. Twitter suspended that @SaraSorcherNJ account and Twitter #verified me that night.
My ordeal was over within 24 hours. It’s a testament to Twitter’s response — at least for media-related accounts — and I appreciate the technical support. But one can only assume, if one tweet reveals several users who did not go to the trouble of fixing this, that this happens frequently. But there hasn’t been much discussion about this, online or even from Twitter itself.
So let’s discuss it here. Has this, or something similar, happened to you on a social networking platform? How would you feel if your identity were taken online? Would you report it? What should Twitter’s policy be about people who take over recently abandoned accounts?
(Also, if you are Bruce Willis, I’d still love a reply to my request for comment — and an answer for why, despite so many fake accounts pretending to be you on Twitter, you do not appear to have a real and verified account to reclaim your own identity online?)