Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:30 AM
Dave Kearns
Dave Kearns
Connect Directly
E-Mail vvv

Good Job, Facebook: The Intersection Of Privacy, Identity & Security

Birth names and legal names aren't always the names people are best known by, concedes Facebook in the wake of a real-name policy usage flap.

When Google+ was first released to the public there was a great deal of brouhaha about its so-called “real-names” policy by which users could only be identified by their legal names. Recently, this issue raised its ugly head once again when Facebook suspended a number of accounts.

According to the explanation (and apology) posted by VP of Product Chris Cox:

An individual on Facebook decided to report several hundred of these accounts as fake. These reports were among the several hundred thousand fake name reports we process every single week, 99 percent of which are bad actors doing bad things: impersonation, bullying, trolling, domestic violence, scams, hate speech, and more — so we didn't notice the pattern.

That “pattern” was that all of the accounts reported by this individual were of drag queens, drag kings, and transgender individuals who used pseudonyms to protect their privacy in the real world. What was even more surprising to Facebook, evidently, was that its particular name usage policy had somehow become conflated with the heavily discredited (and now abandoned) Google+ real-names policy.

A policy that requires that people use only their legal names, the names they were born with, would have caused a great deal of problems to the heroes of my youth should there have been a Google+ around at the time. Saturday mornings in the long-ago were spent watching Marion Morrison, Leonard Slye, William Boyd, and Orvon Autry clean up the Old West. Never heard of them? Perhaps if I’d said John Wayne, Roy Rogers, Hopalong Cassidy, and Gene Autry you might have understood.

The point is that birth names and legal names aren’t always the names that people are best known by. Jorge Mario Bergoglio may not immediately trigger an image in your mind (unless you’re an Argentine), but if I referred to him as Pope Francis you might immediately know to whom I’m referring.

This is the point that was finally hammered home to Google, most notably by my friend Kaliya Hamlin. Now, I didn’t know who “Kaliya Hamlin” was the first time I met her (at the initial Internet Identity Workshop in Oakland, Calif., back in 2005), but I did know who “Identity Woman” was. Turns out they’re one and the same.

Pseudonyms have a long history, especially among writers (where they may be known as “pen names” or “noms de plume”). The English author we call George Elliott (The Mill on the Floss, Silas Marner, Middlemarch) was actually a woman named Mary Ann Evans. She used the pen name because, at that time, it was nearly impossible for a woman to be published. The mystery author Ellery Queen was actually a collaboration between two men, Frederic Dannay and Manfred Lee. Even stranger, both of those names are pseudonyms: Dannay was actually Daniel Nathan and Lee was legally Manford Lepofsky!

It’s not often I say good things about Facebook in terms of identity, privacy or security, but Chris Cox, in the note referenced above, put the policy very succinctly:

Our policy has never been to require everyone on Facebook to use their legal name. The spirit of our policy is that everyone on Facebook uses the authentic name they use in real life. For Sister Roma, that's Sister Roma. For Lil Miss Hot Mess, that's Lil Miss Hot Mess. Part of what's been so difficult about this conversation is that we support both of these individuals, and so many others affected by this, completely and utterly in how they use Facebook.

It’s not about birth names, rather it’s all about attribution, authority, and “identification” in a broader sense. It’s about knowing that the person who says “x” is the same one who says “y” and is -- at least in the eyes of those people who care about it -- the “real” Roy Rogers/Pope Francis/Identity Woman.

Good job, Facebook.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ...
View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/9/2014 | 7:47:32 PM
FB is a harbinger
(along w/majority of social networking) of this contemporary modern "culture" devouring itself.  and in its wake the narcissitic morbidly self-obsessed mentally-deranged majority.  i'll continue to watch them drown in their own vile spew.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
10/9/2014 | 8:07:44 AM
Re: What about Fake Steve Jobs?
Interestingly, the New York Times reported this week that Facebook is also working on a stand-alone mobile application that allows users to interact inside of it without having to use their real names. Mike Isaac wrote in the Bits Blog: 

The point, according to these people, is to allow Facebook users to use multiple pseudonyms to openly discuss the different things they talk about on the Internet; topics of discussion which they may not be comfortable connecting to their real names.

Isaac speculated that the new app would be useful for discussions around health, for example, where people have legitimate concerns about revealing personal information in a public forum, but would speak candidly if their identity was protected. 

User Rank: Moderator
10/8/2014 | 10:39:10 PM
Re: What about Fake Steve Jobs?
It's akin to any actor better known for his/her role then their actual selfs, I'd guess. Think Father Guido Sarducci, for example. I'm sure Don Novello would prefer to be known as Don  Novello, but then he probably wouldn't be as famous.
Charlie Babcock
Charlie Babcock,
User Rank: Ninja
10/8/2014 | 7:45:15 PM
What about Fake Steve Jobs?
I wonder how you handle the Fake Steve Jobs issue, where someone is better known by his nom de plume than a real name because he's propagating an anonymous impersonation. Then he drops his adopted target's name and becomes, on Facebook, who he was all along? He's still probably bettern known as Fake Steve Jobs.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-30
Re:Desk 2.3 allows insecure file upload.
PUBLISHED: 2020-09-30
Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover sensitive data from the application's database, allowing for a...
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. Virtio ring descriptors, and the data they describe are in a region of memory accessible by from both the virtual machine and the host. An attacker in a VM can change the contents of the memory after vhost_crypto has validated ...
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A lack of bounds checking when copying iv_data from the VM guest memory into host memory can lead to a large buffer overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system...
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A complete lack of validation of attacker-controlled parameters can lead to a buffer over read. The results of the over read are then written back to the guest virtual machine memory. This vulnerability can be used by an attack...