Dark Reading is part of the Informa Tech Division of Informa PLC



10/8/2014
11:30 AM
Dave Kearns
Commentary

Good Job, Facebook: The Intersection Of Privacy, Identity & Security

Birth names and legal names aren't always the names people are best known by, concedes Facebook in the wake of a real-name policy usage flap.

When Google+ was first released to the public, there was a great deal of brouhaha about its so-called “real-names” policy, by which users could only be identified by their legal names. Recently, this issue reared its ugly head once again when Facebook suspended a number of accounts.

According to the explanation (and apology) posted by VP of Product Chris Cox:

“An individual on Facebook decided to report several hundred of these accounts as fake. These reports were among the several hundred thousand fake name reports we process every single week, 99 percent of which are bad actors doing bad things: impersonation, bullying, trolling, domestic violence, scams, hate speech, and more — so we didn't notice the pattern.”

That “pattern” was that all of the accounts reported by this individual were of drag queens, drag kings, and transgender individuals who used pseudonyms to protect their privacy in the real world. What was even more surprising to Facebook, evidently, was that its particular name usage policy had somehow become conflated with the heavily discredited (and now abandoned) Google+ real-names policy.

A policy that requires that people use only their legal names, the names they were born with, would have caused a great many problems for the heroes of my youth had there been a Google+ around at the time. Saturday mornings in the long-ago were spent watching Marion Morrison, Leonard Slye, William Boyd, and Orvon Autry clean up the Old West. Never heard of them? Perhaps if I’d said John Wayne, Roy Rogers, Hopalong Cassidy, and Gene Autry you might have understood.

The point is that birth names and legal names aren’t always the names that people are best known by. Jorge Mario Bergoglio may not immediately trigger an image in your mind (unless you’re an Argentine), but if I referred to him as Pope Francis you might immediately know to whom I’m referring.

This is the point that was finally hammered home to Google, most notably by my friend Kaliya Hamlin. Now, I didn’t know who “Kaliya Hamlin” was the first time I met her (at the initial Internet Identity Workshop in Oakland, Calif., back in 2005), but I did know who “Identity Woman” was. Turns out they’re one and the same.

Pseudonyms have a long history, especially among writers (where they may be known as “pen names” or “noms de plume”). The English author we call George Eliot (The Mill on the Floss, Silas Marner, Middlemarch) was actually a woman named Mary Ann Evans. She used the pen name because, at that time, it was nearly impossible for a woman to be published. The mystery author Ellery Queen was actually a collaboration between two men, Frederic Dannay and Manfred Lee. Even stranger, both of those names are pseudonyms: Dannay was actually Daniel Nathan and Lee was legally Manford Lepofsky!

It’s not often I say good things about Facebook in terms of identity, privacy or security, but Chris Cox, in the note referenced above, put the policy very succinctly:

“Our policy has never been to require everyone on Facebook to use their legal name. The spirit of our policy is that everyone on Facebook uses the authentic name they use in real life. For Sister Roma, that's Sister Roma. For Lil Miss Hot Mess, that's Lil Miss Hot Mess. Part of what's been so difficult about this conversation is that we support both of these individuals, and so many others affected by this, completely and utterly in how they use Facebook.”

It’s not about birth names; rather, it’s all about attribution, authority, and “identification” in a broader sense. It’s about knowing that the person who says “x” is the same one who says “y” and is -- at least in the eyes of those people who care about it -- the “real” Roy Rogers/Pope Francis/Identity Woman.

Good job, Facebook.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ...
Comments
uruberdeluded
User Rank: Apprentice
10/9/2014 | 7:47:32 PM
FB is a harbinger
(along w/majority of social networking) of this contemporary modern "culture" devouring itself. and in its wake the narcissistic morbidly self-obsessed mentally-deranged majority. i'll continue to watch them drown in their own vile spew.
Marilyn Cohodas
User Rank: Strategist
10/9/2014 | 8:07:44 AM
Re: What about Fake Steve Jobs?
Interestingly, the New York Times reported this week that Facebook is also working on a stand-alone mobile application that allows users to interact inside of it without having to use their real names. Mike Isaac wrote in the Bits Blog: 

“The point, according to these people, is to allow Facebook users to use multiple pseudonyms to openly discuss the different things they talk about on the Internet; topics of discussion which they may not be comfortable connecting to their real names.”

Isaac speculated that the new app would be useful for discussions around health, for example, where people have legitimate concerns about revealing personal information in a public forum, but would speak candidly if their identity was protected. 

dak3
User Rank: Moderator
10/8/2014 | 10:39:10 PM
Re: What about Fake Steve Jobs?
It's akin to any actor better known for his/her role than their actual selves, I'd guess. Think Father Guido Sarducci, for example. I'm sure Don Novello would prefer to be known as Don Novello, but then he probably wouldn't be as famous.
Charlie Babcock
User Rank: Ninja
10/8/2014 | 7:45:15 PM
What about Fake Steve Jobs?
I wonder how you handle the Fake Steve Jobs issue, where someone is better known by his nom de plume than a real name because he's propagating an anonymous impersonation. Then he drops his adopted target's name and becomes, on Facebook, who he was all along? He's still probably better known as Fake Steve Jobs.