There’s a lot to this question.
Let’s work it in reverse order.
A Facebook account is no different than any other online account. Your “unique identifier”, as you call it, is your email address, and indeed, you are required to set a password on the account. You log in to your Facebook account with your email address and password.
When you associate an email address with a Facebook account, you must verify that you actually own that email address. Facebook sends an email to that email address, containing a link you must click to confirm that ownership. While you can associate multiple email addresses with a single Facebook account (a good idea for account recovery), you cannot use the same email address on different Facebook accounts.
Most importantly, you can’t use an email address with a Facebook account without the owner of that email account clicking the link to confirm it’s what they want. Put another way, no one can open a Facebook account using your email address unless you click the confirmation link to confirm it. (Unless, of course, your email account has been hacked, in which case you’ll likely have other problems.)
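The ownership check described above can be modelled in a few lines. This is an added sketch, not Facebook's code or anything from the original article; the `Registry` class, the account ids, and the example.com addresses are all constructed for illustration. It shows that display names are not unique, while an email address binds to exactly one account and only after the emailed link is clicked.

```python
import secrets


class Registry:
    """Hypothetical account store: an address counts only once confirmed."""

    def __init__(self):
        self.names = {}      # account_id -> display name (NOT unique)
        self.confirmed = {}  # email -> account_id (one account per address)
        self.pending = {}    # token -> (account_id, email)

    def create_account(self, account_id, display_name):
        self.names[account_id] = display_name

    def request_email(self, account_id, email):
        """Start a claim; the returned token is sent only to `email`."""
        email = email.strip().lower()
        if email in self.confirmed:
            raise ValueError("address already confirmed on an account")
        token = secrets.token_urlsafe(32)  # unguessable link parameter
        self.pending[token] = (account_id, email)
        return token

    def confirm(self, token):
        """Clicking the emailed link; fails for unknown or stale tokens."""
        claim = self.pending.pop(token, None)
        if claim is None:
            return False
        account_id, email = claim
        if email in self.confirmed:  # another claim was confirmed first
            return False
        self.confirmed[email] = account_id
        return True

    def emails_of(self, account_id):
        return sorted(e for e, a in self.confirmed.items() if a == account_id)


def demo():
    """Constructed scenario: real user 'u1', look-alike account 'u2'."""
    r = Registry()
    r.create_account("u1", "Pat Example")
    r.create_account("u2", "Pat Example")      # same name is allowed
    r.request_email("u2", "pat@example.com")   # link goes to Pat's inbox
    guessed = r.confirm("guessed-token")       # u2 never sees the real link
    real = r.confirm(r.request_email("u1", "pat@example.com"))
    extra = r.confirm(r.request_email("u1", "pat.backup@example.com"))
    return guessed, real, extra, r.emails_of("u1"), r.emails_of("u2")
```

The look-alike account ends up with no confirmed address at all, which is why it is a separate account rather than a takeover of yours.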
What people can do is create Facebook accounts in your name using some other email address. It’s not your email address that was used; it’s someone else setting up their own Facebook account and making it look like you.
It’s very easy to set up imposter accounts. Somebody can set up an email address using a free email service like Outlook.com or Gmail, and then create the Facebook account using your name and other information.
If you have a Facebook account, they can also use anything that’s publicly visible to make their account look more legitimate. If they can see your birthday, your location, your associations, likes, and follows, they can use all that. They can even make copies of and use any photos — including your profile photo — if those are publicly visible.
Even if you don’t have a Facebook account, they can use any information they know or are able to find to make their fake account look more like the real you.
And, to be extra clear, since it’s not using your email address, it’s not your account, and you do not have control over it — even if everything in that account looks to be like you. The best you can do is hope Facebook will help and warn your friends there’s a fake ‘you’ on Facebook.
This kind of impersonation is, unfortunately, relatively common, and sadly, there’s little you can do about it.
You should definitely contact Facebook; they have a Report an Impostor Account page.
If it starts to cross the line into illegal activity, defamation, or worse, you can try to contact law enforcement. (Just be forewarned that law enforcement has little time for this type of thing, and often very little expertise.)
Invitations — from Facebook or any other service — are nothing to worry about.
All an invitation means is that someone has your email address and can send you email. That’s it.
Given the number of people with whom we share our email address so they can send us email, it’s no surprise that those email addresses make their way into online services like Facebook, who would love for us to have an account.
There’s never been a bounty that I’m aware of, but there is an … interesting … technique that is also not unique to Facebook.
When people set up an account with Facebook (and many other services), they’re asked to share their contacts with the service. This contact list can be used in either of two ways:
- It can be used to identify your friends who already use the service. Since email addresses uniquely identify users, and your contact list is full of email addresses, all the service needs to do is see who already has an account and connect the two of you, or at least suggest the connection. This is what most people expect when sharing their contacts with a service, and is the way that most “please share your contacts” requests are worded: as a service to you.
- It can be used to identify the email addresses of all your friends who don’t use the service. The service can then send them all invitations to sign up for accounts. Many people consider this spam, and it’s the biggest reason not to share your contact lists with online services.
So, other than a little spam, there’s nothing really underhanded about invitations you receive. It’s just the service being a little over-aggressive trying to recruit new members.
As long as somebody isn’t actually trying to impersonate you, the best thing you can do is delete the invitations you get.