Facebook has responded to an October 5 open letter from a global coalition, including EFF, about its broken authentic name policy.” Facebook’s response is a step in the right direction. It’s also not the last change to the policy we’ll see, since Facebook notes we’re making changes now and in the future.” Facebook says it want[s] to reduce the # of people asked to verify ID.” Facebook and the Nameless Coalition share that goal, and these suggestions will help achieve it. But they still leave some users out in the cold.

The Nameless Coalition letter was signed by over 80 individuals and organizations. The signatories, which include US-based groups like the National Coalition Against Domestic Violence and the ACLU as well as digital rights and human rights groups from Africa, the Americas, Europe, and Asia such as the Internet Democracy Project, India, serve different populations and work on different issues. But we all agree on one thing: Facebook should get rid of its names policy altogether. In the meantime, the letter made five concrete suggestions to Facebook about how to lessen the harm caused by the policy, and asked for a response by October 31:

> Commit to allowing pseudonyms and non-legal names on its site in appropriate circumstances, including but not limited to situations where using an every day name would put a user in danger, or situations where local law requires the ability to use pseudonyms.

> Require users filing real name policy abuse reports to support their claims with evidence. This could come in written form, multiple-choice questions, or some alternative documentation.

> Create a compliance process through which users can confirm their identities without submitting government ID. This could include allowing users to submit written evidence, answer multiple-choice questions, or provide alternative documentation such as links to blog posts or other online platforms where they use the same identity.

> Give users technical details and documentation on the process of submitting identity information such as where and how it is stored, for how long, and who can access it. Provide users with the ability to submit this information using PGP or another common form of encrypted communication, so they may protect their identity information during the submission process.

> Provide a robust appeals process for users locked out of their accounts. This could include the ability to request a second review, to submit different types of evidence, and to speak to a real Facebook employee, especially in cases involving safety.

On October 30, Facebook responded.

More on the response below. But first, it’s important to remember that convincing a company that provides a service to nearly 20% of the world’s population isn’t easy. Facebook has made changes only because of user feedback and campaigns like the Nameless Coalition and MyNameIs. That’s why we’re counting this as a step in the right direction. Even though Facebook is only making small modifications over time, every change activists advocate for that gets implemented will help at least some users continue to access Facebook — and that’s progress.

Timeline

Facebook specifically states that they plan on rolling out tests on these process changes in December. Many of the signatories to the letter have been informing Facebook that the name policy is a problem for years, and some have even been working with Facebook for over a year now to discuss specific changes, so having a timeline is important.

We’ll keep pushing Facebook to be transparent about when people can expect any changes to roll out in their region. We’ll also keep working to ensure that Facebook hears the feedback users have on these changes, and we’ll do a specific follow-up once testing has started.

Changes to reporting

Since Facebook only enforces its name policy when one user reports another, it has been used to harass and silence some of Facebook’s most vulnerable users. In particular, the letter and appendix pointed to a recent rash of attacks on Indian feminists on Facebook. They’ve been pushed off the site by targeted reporting campaigns, and they’re not alone.

This is hardly surprising, since as the coalition’s letter points out; “[a]ny user can file as many reports as they wish, as quickly as they wish, allowing targeted reporting sprees.”

That’s why the coalition asked Facebook to require users filing real name policy abuse reports to support their claims with evidence.” Facebook directly responded to this, and will now require people to provide additional information about why they are reporting a profile.” This will require people to click through another list of options, which will be focused on behavior. They’ll also have to fill out a text field, making the entire reporting process take longer.

Facebook’s change responds to one of the biggest concerns expressed in the Nameless Coalition letter- that the name policy is a tool to silence people. How it will work in practice will remain to be seen.

Changes to enforcement and appeals

Once someone has been reported on Facebook, their experience trying to get back on the site may be so difficult that they give up. As Lil Miss Hot Mess of MyNameIs pointed out: many feel that they’re talking to robots when in fact they’re receiving canned responses from humans.” That’s why the letter demanded a robust appeals process for users locked out of their accounts,” including the ability to speak to a real Facebook employee, especially in cases involving safety.”

Facebook’s commitment to a new process that will allow people to give more information about their situation and receive more personalized help throughout the confirmation process” is a very welcome change. When the need for additional assistance is identified, Facebook will channel users to a team of its most experienced staff. Instead of rehashing pre-written responses, this team must engage closely with users, and prioritize those who are in real danger, such as outed human rights activists or trans people.

Security

The coalition letter raised concerns about how Facebook protects users as they submit information to prove their identities, especially for users in authoritarian countries. In the face of revelations from documents leaked by Edward Snowden that the the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target’s computer and exfiltrate files from a hard drive,” these aren’t imaginary concerns. Facebook is a prime target for surveillance. In response to these Snowden documents, Mark Zucerkberg wrote “ When our engineers work tirelessly to improve security, we imagine we’re protecting you against criminals, not our own government.” But there’s no question that Facebook should be concerned about government surveillance — from the United States, but also from the other countries in which it operates.

Facebook’s response to these security concerns in the letter noted that when people submit IDs to us, the information is encrypted.” However, this relies on the security of HTTPS, which may not always be enough, especially in an authoritarian country that could present a false Facebook certificate to the user. In fact, exactly this situation played out in Syria in 2011. Adding support for more secure encryption protocols such as PGP would provide an extra layer of protection for those who need it.

Facebook made one encouraging change: IDs submitted to Facebook as part of this process will be encrypted when they are temporarily stored on our servers. The ability of our team to decrypt these IDs will expire after 30 days. The encrypted IDs will then be deleted shortly after that.”

Even with these changes, the policy still needs to go away

Of course, all of these complicated changes could be avoided if Facebook would simply get rid of the names policy. The company continues to say it keeps people safer, and even says in the letter that “[a] review of our reports from earlier this year showed that bullying, harassment or other abuse on Facebook is eight times more likely to be committed by people using names other than their own than by the rest of the Facebook community.”

Unfortunately, it’s unclear what reports Facebook was referring to or how they decided a user was using a name other than their own. It’s also unclear what sorts of abuse the company is talking about. But it seems Facebook’s calculus here is off. The organizations in the Nameless Coalition have heard and shared myriad stories about how the name policy itself seriously endangers people. Being outed in a country where your human rights activism could get you tortured, for example, is clearly an incredibly dangerous situation. And Facebook still doesn’t treat maliciously accusing another user of violating the names policy as harassment. Without statistics on that, Facebook can hardly claim the policy is the right solution to harassment and abuse.

The biggest thing missing from Facebook’s response, though, is that it does not solve the problem for people who genuinely need to use a pseudonym. In fact, the response completely ignores domestic violence survivors or trans people who aren’t out to everyone. For activists, it suggests that pages may be useful to people who do not want to use their personal profiles for advocacy.”

But pages and profiles aren’t the same, either in the eyes of Facebook or other users. Pages can’t make friend requests: administrators must hope people find and like the page, which hardly makes sense for activists who are doing community organizing. Pages also can’t comment on Profiles, join groups, or comment on group posts. The fact that they can’t join groups is key. Facebook has groups that facilitate incredible amounts of community — many of which are not public. Many sexual assault or domestic violence survivors, activists, LGBTQ youth, and trans people use these groups as one of the only support systems available to them, and one of the best — and sometimes only — platforms available to share information on. For these users, Facebook would lose any real utility without the ability to fully engage in communities. Facebook should recognize this and extend its commitment to improving Facebook to all of these users.

What’s next?

> We know there is more work to be done, and we want to incorporate your ongoing feedback as we continue working on this.

Like Facebook, the Nameless Coalition doesn’t see this response as the end of the work that needs to be done to make Facebook accessible and safe for all users, regardless of their identity. In fact, it’s just beginning.1 Facebook continues to grow.1 As they do, they should take this opportunity to become more proactive about considering how their policies will affect users. And when they make that assessment, they should reach out to community organizations and activists around the world, and consider the many use cases, cultural, political, and linguistic contexts the signatories to the Nameless Coalition’s letter represent.

All that being said, these changes are encouraging. None of them would have been possible without concerned activists and pressure on Facebook. And Facebook points out in its response that its data about the problems people are facing will be enhanced by these changes. That’s why we plan on continuing this conversation as these changes roll out.


  1. This is especially important considering that Facebook is specifically focused on growth in India, and India is currently Facebook’s second-largest market after the United States. As Facebook becomes ever-more ubiquitous there, it will either facilitate rich communication between users, or it will create new avenues for the most marginalized Indians to be repressed. ↩︎

Originally published in EFF.