Tag Archives: Identity Theft

Cyber Defense Strategies and Responsibilities for Industry Call for Papers Now Open

Posted on by

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the third annual Law + Informatics Symposium on February 27-28, 2014.

2014 Law + Informatics Symposium on

Cyber Defense Strategies and Responsibilities for Industry

 The focus of the conference is to provide an interdisciplinary review of issues involving business and industry responses to cyber threats from foreign governments, terrorists, and corporate espionage. The symposium will emphasize the role of the NIST Cybersecurity Framework and industries providing critical infrastructure.

The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues cybersecurity and informatics law as it applies to corporate strategies and the obligations of business leaders. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics relating to the theme, such as the following:

Cyber Warfare

  • Rules of Engagement
  • Offensive and defensive approaches
  • Responses to state actors
  • Engagement of non-state actors
  • Distinguishing corporate espionage from national defense
  • Proportionality and critical infrastructure
  • Cyber diplomacy
  • Cold War footing and concerns of human rights implications

Front Lines for Industry

  • Role of regulators such as FERC
  • Legacy systems and modern threats
  • NIST guidelines
  • NIST Cybersecurity Framework
  • Engaging Dept. of Homeland Security
  • Implications on various industries (electric power,  telecommunications and transportation systems, chemical facilities)
  • Health and safety issues
 Global Perspectives

  • Concepts of cyber engagement in Europe
  • Perception of Internet and social media as threat to national soverignty
  • Rules of engagement outside U.S. and NATO
  • Implications for privacy and human rights
  • Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon
  • Cyber engagement in lieu of kinetic attacks or as a component of kinetic engagement

 

Corporate Governance

  • Confidentiality and disclosure obligations
  • Responsibilities of the board of directors
  • Staffing, structures and responses
  • Data protection & obligations regarding data breaches
  • Corporate duty to stop phishing and other attacks for non-critical industries
  • Investment and threat assessment
  • Litigation and third party liability

 

Other Issues

  • Executive orders and legislative process
  • Lawyer responsibility in the face of potential threats
  • Practical implications of government notices
  • Perspective on the true nature of the threat

Submissions & Important Dates: 

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: September 1, 2013
  • Submission Deadline for First Draft of Manuscripts: January 1, 2014
  • Submission Deadline for Completed Articles: February 1, 2014
  • Symposium Date: February 27-28, 2014

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish papers from the symposium in the 2014 spring symposium issue.  Papers are invited from scholars and practitioners across all disciplines related to the program. Please submit a title and abstract (of 500-100 words) or draft paper for works in progress. Abstracts or drafts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Presentations (without publication) based on Abstracts:  For speakers interested in presenting without submitting a publishable article, please submit an abstract of the proposed presentation. Abstracts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Publication of Corporate Handbook on Cyber Defense: The Law + Informatics Institute may edit and publish a handbook for corporate counsel related to the topics addressed at the symposium. Scholars and practitioners interested in authoring book chapters are invited to submit their interest by September 1, 2013 which may be in addition to (or as an adaptation of) a submitted abstract for The Northern Kentucky Law Review. Submissions may be accepted on a rolling basis after that time until all chapter topics are filled.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon M. Garon, symposium faculty sponsor and book editor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, executive director: JaegerL1@nku.edu or 859.572.7853
  • Aaren Meehan, symposium editor, meehana2@mymail.nku.edu or 859-912-1551

Lack of Network Diligence Will Cost Dearly

Posted on by

Northwest Florida State College acknowledged on Oct. 10, 2012 that it has been the subject of a data breach. The announcement explained the attack included “Northwest Florida State College student data on 76,500 current and past students as well as student data on approximately 200,000 Bright Futures scholars across the State of Florida” as well as 3200 employees.

The breach seems to have been identified and corrected approximately two weeks prior to this announcement, around Sept. 24th. But the report acknowledges that the break-in began May 21st and continued unabated for three months.

The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number. The Bright Futures scholars’ data file includes all State of Florida Bright Futures eligible students during the 2005-06 and 2006-07 academic years. This data file contains student names, Social Security numbers, dates of birth, ethnicity and gender. No student academic files have been compromised.

The Chronicle of Higher Education reports that “cases of identity theft have already been reported, with information used to take out loans or open store accounts and make purchases.”

An update by the university regarding the intrusion added details regarding the attack:

At this point in time, the personal information of employees includes name, birthdate, employee Direct Deposit bank routing and account number information, and Social Security number. Approximately 50 employees to date have reported issues with identity theft, including the college president, faculty and staff.

For universities struggling in a weak economy, high tuition, and questions on the return in investment, failures to protect the information of prospective or current students could prove disastrous. Senior university leadership should learn from the obligations under HIPAA and Sarbanes-Oxley to stay very informed and engaged in the security of their students – both offline and online. That the president of the university was personally targeted by the attackers makes the need for diligence even more important.

It is also a good reminder that all of us receiving funds via direct deposit need to become more diligent checking our accounts.

The university has set up a website at http://www.nwfsc.edu/security/.

Fourth Circuit Joins Ninth in Limiting CFAA – Setting Stage for More Action

Posted on by

In 1986, Congress amended its earlier attempt to combat computer crime with the Computer Fraud and Abuse Act of 1986. It was further expanded in 2001 under the USA Patriot Act. The CFAA serves as both a criminal and civil statute.  It has both strong criminal penalties for unauthorized entry into computer systems and provides an express private cause of action – enabling injured parties to sue intruders using the federal law as the basis for their claims.

The most controversial aspect of the CFAA has been the meaning of unauthorized access. Among the violations, Congress has made it a crime to “intentionally accesses a computer without authorization or exceeds authorized access….” The statute provides some additional guidance. The addition of exceed has its own definition. It means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(e)(6). So it seems fairly clear that using one’s password to acquire documents for which one has no right to read is a violation of the statute.

But data theft is more nuanced than just this. What about downloading documents when the person downloading has authority to use the material, but then uses that material in an unauthorized manner. Put another way – if an employee is fired and then takes the files she has had at home and brings them to her next employer, it is unlikely an CFAA claim can be made. Conversely, if she returns to work the day after being fired and downloads all the company documents, she has certainly violated the CFAA since her termination ending her authorized access to the computer. But what about the situation when one downloads the documents intending trade secret theft prior to being fired or quitting the company?

In a recent Fourth Circuit opinion, WEC Carolina Energy Solutions LLC v. Miller, 2012 U.S. App. LEXIS 15441 (4th Cir. July 26, 2012) faced this situation.

The court explained the split of authority interpreting the statute:

In short, two schools of thought exist. The first, promulgated by the Seventh Circuit … holds that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it. Thus, for example, the Seventh Circuit held [in Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006)] that an employee who erased crucial data on his company laptop prior to turning it in at the end of his employment violated the CFAA. It reasoned that his “breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”

The second, articulated by the Ninth Circuit … interprets “without authorization” and “exceeds authorized access” literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission. Thus, in [United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc)] the Ninth Circuit, sitting en banc, held that the defendant’s coconspirators, a group of employees at an executive search firm, did not violate the CFAA when they retrieved confidential information via their company user accounts and transferred it to the defendant, a competitor and former employee. It reasoned that the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded.

The Fourth Circuit opinion attempts to make sense of the language with a simple, plain language approach. “Congress has not clearly criminalized obtaining or altering information ‘in a manner’ that is not authorized,” the court explained. “Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter.”

This separates the Fourth Circuit from the Seventh Circuit and even distinguishes it somewhat from other courts. Employees who hack into their employers’ computer systems to steal data or who use the username and password of other employees to gain greater access to computer systems will remain liable under the CFAA. But those who take electronic files home to work on them at night without express permission were beyond the scope of the CFAA. Similarly, those disgruntled employees who steal electronic files while on the job may be violating their terms of employment, company policies, and state laws but they are not violating the CFAA in the Fourth Circuit.

Since it is better that the interpretation of a statute does not turn on the language in the employee handbook, this is a better result. Companies can still protect themselves by limiting access to sensitive information. Other laws protect theft of trade secrets and other torts provide remedy for breach of fiduciary duties. On the other hand, the distinction between the circuits need not be as stark. An employee who erases all company data before returning equipment has likely exceeded the authority to alter the data. This result is consistent with the outcome in the WEC and a court can still reach such misconduct under the cleaner interpretation of the Fourth Circuit.

While it remains to be seen whether the Fourth Circuit opinion invites Supreme Court review, it may be sufficiently well reasoned to invite other circuits to reconsider interpretations of the statute that go beyond the language Congress enacted.

New CRS Reports Highlight Legislation for Cybersecurity

Posted on by

As noted in Eric Ficher, Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, (June 29, 2012) (CRS Report R42114) (full-text), cybersecurity is a “somewhat fuzzy subject.” Yet it has become the focus of considerable regulatory and legislative attention.

Dr. Fischer, Senior Specialist in Science and Technology, has provided a comprehensive roadmap for CRS which provides some context for the competing legislative approaches to this important but under-reported topic.

As the report notes, “There is as yet no overarching framework legislation in place, but many enacted statutes address various aspects of cybersecurity.” The report reviews proposed changes to 28 separate laws from the Posse Comitatus Act of 1879 to the Intelligence Reform and Terrorism Prevention Act of 2004. He reports that “more than 50 statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place.” So the report provides an important outline of the disparate efforts to address cybersecurity in congress.

The report identifies ten broad areas for the legislative proposals:

  • national strategy and the role of government,
  • reform of the Federal Information Security Management Act (FISMA),
  • protection of critical infrastructure (including the electricity grid and the
  • chemical industry),
  • information sharing and cross-sector coordination,
  • breaches resulting in theft or exposure of personal data such as financial
  • information,
  • cybercrime,
  • privacy in the context of electronic commerce,
  • international efforts,
  • research and development, and
  • the cybersecurity workforce.

Not to be outdone, the companion report provides even more specific information regarding recent legislative efforts. Rita Tehan, Cybersecurity: Authoritative Reports and Resources (July 3, 2012) (CRS Report R42507) (full-text) provides a comprehensive overview. Together, the two reports provide a critical roadmap to the present legislative efforts. Tehan’s introduction provides a glimpse at the scale of the activity:

“Cybersecurity is a sprawling topic that includes national, international, government, and private industry dimensions. More than 40 bills and resolutions with provisions related to cybersecurity have been introduced in the first session of the 112th Congress, including several proposing revisions to current laws. In the 111th Congress, the total was more than 60. Several of those bills received committee or floor action, but none have become law. In fact, no comprehensive cybersecurity legislation has been enacted since 2002.”

Fischer notes the importance of these changes. As he notes, “for more than a decade, various experts have expressed increasing concerns about cybersecurity, in light of the growing frequency, impact, and sophistication of attacks on information systems in the United States and abroad. Consensus has also been building that the current legislative framework for cybersecurity might need to be revised.”

Additional coverage can be found by ITWiki, PrivacyLives, and Justice Information Sharing.

CFAA only for hacking – at least in the West

Posted on by

In U.S. v. Nosal __ F.3d __ (2012), the Ninth Circuit made clear that it considers the scope of the Computer Fraud and Abuse Act to be focused specifically on computer hacking rather than more broadly related to violations of corporate policies and terms of service agreements.

The case arose out of a minor bit of corporate espionage – and the hubris and stupidity that often accompanies such activities. David Nosal, former employee at the executive search firm of Korn/Ferry, “convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business.”  The Korn/Ferry employees used their access to the system to download confidential information, including source lists, names and contact, which they emailed to Nosal. They were all caught. The government indicted Nosal was on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA.

Although Nosal did not violate the CFAA, he was charged with aiding and abetting those former colleagues who did. The aiding and abetting count rests on whether the conduct of Nosal’s former colleagues violated the CFAA when they used their authorized access to the confidential database to violate the terms of confidentiality and theft of trade secrets.

Writing a clear, rather stinging rebuke of the government’s position, Judge Kozinski explained that the section of the CFAA is limited to computer hacking, not every violation of use.

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).

This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed[] authorized access” if he looks at the customer lists.

Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

… The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. … The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.

… Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. … Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.

There are a number of subsections of the CFAA and the government takes the position that the broad interpretation this provision is limited by the need to prove an intent to defraud. In those other sections of the CFAA where intent to defraud is not required, the statute’s scope can still be more limited. But the Ninth Circuit points out that the language of the offense is the same such that a different scope in the same statute for the same phrase is unworkable.

The Ninth Circuit remains at odds with decisions in other circuits. Eventually either Congress or the Supreme Court will need to reconcile this increasingly important tension in the CFAA. For now, one’s exposure to federal criminal prosecution depends, at least in part, on where one accesses the computer.

FTC Report on Protecting Consumer Privacy released

Posted on by
The FTC has issued its final report setting forth best practices for businesses to protect consumer’s personal data. The report emphasizes “privacy by design” which, among other things, requires more opt-in approaches to information sharing, setting defaults as private, and recognizing that there is a range between confidential and public, such as limited to family, to friends and family, to colleagues, or others. While called the final report, it undoubtedly will not be. Legislation is likely in this area as technology and public demands continue to shift. The FTC recognizes as much.

#

In the report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” the FTC also recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.

Some proposals, such as do not track will have much stronger support among all interests in the privacy debate and should see broad legislative support.

“If companies adopt our final recommendations for best practices – and many of them already have – they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy,” said Jon Leibowitz, Chairman of the FTC. “We are confident that consumers will have an easy to use and effective Do Not Track option by the end of the year because companies are moving forward expeditiously to make it happen and because lawmakers will want to enact legislation if they don’t.”

Concerns for tracking of mobile devices are adding to public interest in privacy legislation. Moreover, concern about the power of police and security forces may further the discussion for appropriate U.S. legislation.

At the same time, policy changes in Europe mean that it is likely the U.S. and Europe will move farther apart even as the U.S. tries to improve its protections of individual privacy.

Two days until NKU Law Review Symposium on Law & Informatics

Posted on by

The Northern Kentucky Law Review will host the inaugural Law & Informatics Symposium on March 1-2, 2012, presented in association with the NKU Chase Law & Informatics. Offering cutting edge presentations and 10.5 hours of CLE the symposium is sure to provide an important addition to the growing understanding of the intersection between law and information systems around the globe.

Limited seating is still available. See  https://supportnku.nku.edu/ChaseLII for details.

Your registration fee includes the general and special sessions, breakfast and lunch, as well as all published materials.

This two-day conference will gather academics, lawyers, and industry leaders from throughout the United States, Europe, and Asia to focus on cutting-edge issues involving data privacy, cyber-security, international trade, and internet regulation.

The first day’s topics will include criminal justice and the media, antitrust, HIPAA/HITECH Act compliance, GLBA reporting, social media marketing, and international internet regulations. The second day will include international cyber-crime cross-border transactions, international publicity, cyber currency, privacy legislation, and many related topics.

The Symposium is an opportunity for academics, practitioners, and students to exchange ideas and explore emerging issues in informatics law, disruptive innovation, and the increasingly interconnected information environment. The agenda is available online at http://chaseinformatics.org/symposium/.

Speakers:

  • P.J. Blount, National Center for Remote Sensing, Air, and Space Law, University of Mississippi School of Law
  • Galina Borisevich, Perm State University, Russian Federation
  • Eric Chaffee, University of Dayton School of Law
  • Natalya Chernyadyeva, Perm State University, Russian Federation
  • Jorge Contreras, American University Washington College of Law
  • Evelina Frolovich, Perm State University, Russian Federation
  • Vaibhav Garg, Indiana University School of Informatics and Computing
  • Anne Gilliland, The Ohio State University College of Medicine SBS-Biomedical Informatics
  • David Harris, Harvard Law School Charles Hamilton Houston Institute for Race and Justice
  • Henry Judy, K&L Gates
  • Kalyan C. Kankanala, Brain League IP Services Ltd. (India)
  • Deborah Keeling, University of Louisville College of Justice Administration
  • Michael Losavio, University of Louisville College of Justice Administration
  • Rachel Lyon, Northern Kentucky University College of Informatics
  • Jasmine McNealy, Syracuse University S.I. Newhouse School of Public Communication
  • Mark McPhail, University of Wisconsin-Whitewater College of Arts and Communication
  • Svetlana Polyaskya, Perm State University, Russian Federation
  • David Satola, The World Bank
  • Susan Stephan, Kretsch & Gust PLLC
  • Lauren Solberg, Meharry Medical College
  • Judith Wiener, The Ohio State University College of Medicine SBS-Biomedical Informatics
  • Peter Yu, Drake University School of Law

For details, registration, and additional restrictions please see http://chaseinformatics.org/symposium/ or call 859.572.7577.

General Pricing: $395  – Same Day Rush: $200

Alumni Pricing: $295   – Same Day Rush: $200

Academics & Students not affiliated with NKU: $50 – Same Day Rush: $10

New fair use code helps libraries expand research with confidence

Posted on by

Patricia Aufderheide and Peter Jaszi of American University have provided critical guidance on fair use for documentary filmmaker, artists and other creative industries.  They have done it again with a new tool for academic libraries. Today, the Association of Research Libraries (ALR) announced the release of the next project to be developed in partnership with the Center for Social Media and the Washington College of Law at American University.

The Code of Best Practices in Fair Use for Academic and Research Libraries provides a guideline of fair and reasonable approaches to fair use developed by and for librarians. The Code is not a legal brief so much as a statement of reasonable use practices developed by scholars and researchers to help clarify the legal issues.

As with other areas of copyright fair use, the seemingly byzantine rules can be rationalized when viewed in the context of a particular industry. Moreover, many of the fair use rules are highly normative, meaning that the very reasonableness of the use is dependent on how others in the same market view such unauthorized copyright exploitation. Against this practical reality, the Code will provide a powerful statement of accepted practices that will provide guidance for libraries and a significant barrier to any rights holder that seeks to be overly aggressive in the protection of its rights.

The ALR announcement describes the scope of the project:

The Code deals with such common questions in higher education as:

  • When and how much copyrighted material can be digitized for student use? And should video be treated the same way as print?
  • How can libraries’ special collections be made available online?
  • Can libraries archive websites for the use of future students and scholars?

The Code identifies the relevance of fair use in eight recurrent situations for librarians:

  • Supporting teaching and learning with access to library materials via digital technologies
  • Using selections from collection materials to publicize a library’s activities, or to create physical and virtual exhibitions
  • Digitizing to preserve at-risk items
  • Creating digital collections of archival and special collections materials
  • Reproducing material for use by disabled students, faculty, staff, and other appropriate users
  • Maintaining the integrity of works deposited in institutional repositories
  • Creating databases to facilitate non-consumptive research uses (including search)
  • Collecting material posted on the web and making it available

In the Code, librarians affirm that fair use is available in each of these contexts, providing helpful guidance about the scope of best practice in each.

Business Law Today Features Rich Array of Cyberspace Issues

Posted on by

In the December 2011 of Business Law Today, The Cyberspace Law Section has weighed in with a series of articles discussing critical issues for online legislation, policy and security. The first is my introduction to the Protect IP Act and SOPA, the second focuses on international regulation, the third on the SEC move into disclosure of data threats, and the last on the internal regulations for updated policies.

All four articles are helpful and interesting. Please take a look.

As a postscript, let me point out that my article was intended to provide a neutral overview of the proposals currently before Congress. This was difficult for me to do. SOPA has a number of well-known problems and undermines data security. Moreover, the involvement of credit card companies and advertising companies will create a host of unintended consequences that will add to the cost of doing business while having only marginal impact on piracy. Nonetheless, the article was written to provide context to the current debate and help the public understand just how much additional regulation has been added in recent years.

New Legislation Renews Conflict Between Content Creators and Content Distributors
By Jon M. Garon

Business Interests Under Attack in Cyberspace: Is International Regulation the Right Response?
By Henry L. Judy and David Satola

The SEC Staff’s ‘Cybersecurity Disclosure’ Guidance: Will It Help Investors or Cyber-thieves More?
By Roland L. Trope and Sarah Jane Hughes

Going Mobile: Are Your Company’s Electronic Communications Policies Ready to Travel?
By Kathleen M. Porter

Rushdie Beats Facebook using Twitter – Regains use of Salman

Posted on by

Three decades ago novelist Salman Rushdie became an internationally famous author after his novel, The Satanic Verses, led to a decade in hiding, fearful of the Haraam (death penalty fatwa) pronounced on him by Iran’s spiritual leader because Iran’s leadership believed the book to insult Mohammed and the Qur’an.

After such a battle, Facebook was a minor opponent, though perhaps equally insulting, given our interconnected lives.

Facebook requires a poster to use one’s real identity unless Facebook agrees to the contrary. (It has done so, for example, to allow for animated characters to have pages as part of marketing campaigns.) So Facebook insisted that Rushdie use the name in his passport – Ahmed – rather than his middle name Salman, which he has used throughout his professional career. Worse, the page automatically made the switch.

Facebook values accountability, but that value is at odds with anonymity and pseudonymnity, both important for political and social speech. Who better than Rushdie for someone to stand for the cost of writing controversial content.

“Facebook has always been based on a real-name culture,’ Elliot Schrage, vice president of public policy at Facebook, told the New York Times. ‘We fundamentally believe this leads to greater accountability and a safer and more trusted environment for people who use the service.’

Rushdie used Twitter to light up the public and get a response to the unwanted disclosure. He tweeted that the change was “like forcing J. Edgar to become John Hoover” and noted other middle name users “Francis ‘Scot’ Fitzgerald and Edward ‘Morgan’ Forster.”

“Where are you hiding, Mark?” Rushdie demanded of Mark Zuckerberg. “Come out here and give me back my name!”

Rushdie and his thousands of followers have forced Facebook to relent, but the issue of what constitutes “real identity” is probably going to only grow as the public realizes that often a person’s real identity is not the one on the birth certificate.