The nerdy joke is that there are only 2 hard problems in computer science:
- Naming things
- Cache invalidation
- Off by one errors
I've recently had the interesting experience of changing my name. I have my name: the one I use on a daily basis, the one I identify with, the one to which I actually respond. I also have the name I was born under, or my "deadname" in the colloquial trans parlance. I don’t really identify with this name any more, but it follows me around like a spectre haunting Europe. There's now a noticeable gap between me hearing my deadname and realising someone's referring to me. It's fun to see how quickly those things change.
So, this brings me to my primary conceit for this post. We, as an industry, are horrible at accepting name changes for folks. In this post I'll give some examples of things I've seen done wrong. I'll show you how you can make your application better for folks who are changing their name. Let’s dive in!
Google accounts, and single sign-on
Disclaimer, I work for Google. This section is my opinion and my best understanding, and does not represent the opinions, or views of Google LLC, or Alphabet Inc. In my opinion Google has done a lot to make changing one’s name easy, which I really appreciate, but some folks using Google APIs don't do the best integration here
There are two types of Google accounts, individual, and GSuite Google's business offering. Each Google account has one primary email address, and zero or more aliases associated with it. The most important thing to know is that the primary email address can change on the same account.
So if you're alice@somegsuitedomain.com, you can become bob@somegsuitedomain.com. When you do that you keep your account, inbox, and all your Google apps access under the same account. Under the hood there's a stable identifier that's associated with the account that does not change when the email address changes. In other words, an email address is not the primary key of a Google account. When you change your Google email address, Google sets up a permanent, undeletable, alias for the old email address. This means if you send an email to the old address, the person will receive it. However, I suspect if you ask most folks, they'd tell you they don't want to see it.
If your application implements single sign-on with Google, you should key off the stable ID, and not the email adress or name. if you store the email and name in your database, you should change them if Google tells you they has changed.
Let's look at the mechanics of how you can implement this with Google's OAuth APIs. I set up the basic OAuth workflow in Rails, and the first details that came back from my account were (partially redacted):
{"provider"=>"google",
"uid"=>"113017XXXXXXXX8346486",
"info"=>
{"name"=>"Penelope Phippen",
"email"=>"penelope@rubycentral.org",
"unverified_email"=>"penelope@rubycentral.org",
"email_verified"=>true,
"first_name"=>"Penelope",
"last_name"=>"Phippen",
"image"=>"https://lh3.googleusercontent.com/-Tj-GuDdntsY/AAAAAAAAAAI/AAAAAAAAAAA/ACHi3rfGmAsSR_4ZenyOeMkId6EERxmFIg/s50-c/photo.jpg"},
Now, it's worth noting, the email address associated with this account used to be different. Every time you do an OAuth exchange with this account, it'll give you the new email address and name. So, the right thing to do here is update your user record with the new email address and name every time you get a new OAuth payload back. If a user's name has changed, you can assume it's intentional, and update from that. The thing that will always be stable is the uid field, which actually comes from the sub field in the raw OAuth response.
Let me change my username, you cowards.
The next is the family of applications which have their own auth. Before email became the standard way to identify users, we had the username. Many applications have long since migrated off letting users specify usernames. Those apps are now authenticating only with email address.
I've found that certain applications don't let you change your username. I used my deadname as my primary internet identifier up until I changed my name. If I can't change my username, and I've accumulated significant data on your application, I don't want to have to destroy my account and start a new one. This puts me in a place where your application is repeatedly deadnaming me, and I can't do anything about it. Build in fungibility of your usernames, let folks change them. Please for the love of all that is holy don't use a user provided string as a primary database key.
Don't allow for username re-use
This one is a security/harassment vehicle. On websites like GitHub and Twitter, you can change the username associated with your account, which is great. However, this introduces a new problem, what to do with the old username?
Both GitHub and Twitter allow for a username to be registered the moment that you change your old username. On Twitter, this means that when a person changes their username, you could immediately impersonate their old identity. On GitHub, this means that if people are pulling software from your old name, someone could immediately replace your repos with malware.
On both sites, I now have "squatter" accounts, that hold my old name. This is largely a security protection for myself and those who follow my work. I've written more than one pretty popular software package. People could plausibly be git cloning those packages as their dependency management strategy (please don't do this). It's worth noting GitHub does set up redirects until someone with the same username creates a repo with the same name, but a targeted attack would be almost trivial to pull off. On Twitter, I didn't want a troll occupying my old name and pretending to be me.
Here's the thing, almost certainly, re-using a username is something that you never want to have happen. Unless there's literally 0 security or harassment opportunity with your application, letting someone else occupy someone's old name is going to result in problems. The right thing to do is, most likely, just redirect everything under the old name to the new name, and not let anybody else interact with data on the old name.
Caching name off other identifiers
I first encountered this one in real life in a virtual queueing system for a restaurant. They asked me for my name, I said "Penelope'", then they asked me for my phone number. Dutifully, I gave them my phone number (which hasn't changed since I moved to the US). Then when they texted me to tell me my table was ready the text contained my deadname. Annoying, but NBD I thought. Then when I got back to the restaurant, my friends and I were treated to being told our table for [my deadname] was ready.
What's upsetting about this interaction is that I had given them my name. Whatever virtual queuing system had grabbed my name from some previous interaction with it, and then not properly invalidated it when I gave them my new name. As far as I can tell, having backtracked through their website there's no way for me to manually change my name in their system. So I expect I will just continue to get deadnamed by this system for the rest of my life. My other choice is to change my phone number, which is obviously annoying.
The lesson here is that names are fungible in relation to other identifiers. In the case of phone numbers, well, they can get recycled. A phone number belonging to only one person for an extended period of time is the exception and not the rule. In my case, this naïve exception has resulted in my life now containing additional annoying and upsetting interactions.
You don't even have to use my legal name for most things
Now we come to the section of interactions where using my legal name is an admitted requirement. If you're a government organisation, financial institution, or other similar body, I understand the need for your company to know my legal name. That's fine, I'll be changing it soon, but in the meantime, I'd like to point out that you don't need to use it all the time.
To use an example, let's think about one of the investing applications I use. When I set up my account, they took my full legal name, to verify my identity. Ever since, they've emailed me using that name. Even before I changed my name, I didn't use my full legal name for most things. I used a short version. It feels weird and overly formal that all their product emails are addressed to my legal name. I can't set a different name with them. Now that I've changed my name, things reveal my legal name that absolutely 100% don't need to. A simple statement doesn't need to use my legal name. From their perspective, there's no difference between Hey <legal deadname>, here's your balance and Hey Penelope, here's your balance. Unlike a bank statement, those emails can't be used for proof of address or similar so they don't need to be so formal.
I’d also like to point out that legal names can change. Changing my non-legal name has been enough of a battle with tech companies as it is, I’ll be sure to detail all the things that are needed to get that legal name change everywhere in a future post. In the meantime, see if you can do some work to make it easier for folks to change how you address them in your apps.
A more extreme example of my legal name being used unnecessarily is when I'm talking with my credit card companies on the phone. They only know me by my legal identity, but it'd be vastly more comfortable for me if I could use a different name and honorific on the phone (miss instead of sir). Again, in that context there's no impact to them for doing so, but there is a huge impact on me. It's also not the sort of thing where I feel ok just being like
“Hey, this seems kind of weird, but could you refer to me as Miss Phippen instead”. If your application does require a legal name, please consider having fields for preferred name, pronouns, and honorific that your staff/communications can use to address folks most of the time.
Conclusions
This post hasn't even covered all the ways that you, dear reader, likely have no power to make name changes. OS X and Windows both burn your username into the OS install in such a way that you need to reinstall to ever get properly rid of it. There's a constellation of things that will probably always bare the wrong name for me. This post gives a few practical tips for fixing that, however. And I hope you can do a little to make it easier for all of us, in the locus of control you do have.
Consider this my ask to you, that if you’re working on a product that involves using someone’s name, pronouns, or honorifics, that you make it easy to change in a self service manner. This is a basic dignity for many folks, and it’d mean a lot to me.
I'm coming to this from the perspective of someone who's trans, who has changed their first name to signal a significant change in who I am. This isn't the only reason someone changes their name (see also: marriage, parents getting divorced, and myriad other reasons), but my use case has thus far worked as something of a stress test for various computer systems.
For all people, there is an essential dignity to living our lives being identified as we want to be. As you develop your computer systems, please keep the following things in mind:
- A person's name can change (and with a pretty high probability, will) once or more in their life
- A person will want to change multiple identifiers when that happens including email addresses and usernames
- if your application doesn't allow for that, the person might experience significant pain or distress because of that inflexibility
- A legal name is something that someone may wish to be not associated with frequently, and you should allow folks to give you another name against which to refer to them and then use that most of the time
- If you want to make your application more friendly to a wider set of humans you should support making those changes
Thank you so much for reading. If you liked this, please consider following me on twitter @penelope_zone.
Latest comments (82)
What a lovely read for today.
Thanks!
Enjoyed the post, thank you! These primary key ID details are so bedrock. On the Twitter platform, we are all just unique numbers ;)
First off, this is a fantastic post, Penelope! Thank you for sharing.
My wife is Katelyn Carroll and I am Michael Tharrington. No name changes for either of us, yet! But we are seriously considering combining our last names to be Carrington. 😀 Emphasis on the caring ❤️ as that's a good name to try and live up to.
Might be worth noting that this should all be covered by GDPR, at least as far as the legal names are concerned.
Part of the GDPR says they have to make sure their data is up-to-date, and only the minimum required. If a name changes, it's no longer up-to-date and they're at fault if they don't change it in their database, including scrubbing any reference to previous names.
Another part is the right to have all your info from any other party scrubbed.
I know the GDPR doesn't apply to parts of the world like the US, but there are repercussions for breaking it over here.
Great read! Thank you for sharing.
"Please for the love of all that is holy don't use a user provided string as a primary database key" 😂 😂 😂
excellent post. I want to narrate a real case that I had right here in dev.to.
last year i deleted my old profile on Github and created another one using the same username.
the case is that before that, i had registered here on dev.to and my new profile was blocked due to having a different uuid from the previous profile.
talking to @ben by email I managed to reactivate my account, but there is another bug involving the change of usernames that often goes unnoticed.
Unfortunately the ability to change a name in the application is dependent upon convincing product owners that there is value in that data model.
Consider this a rather silly question from someone who does not know much, but is it so much of an issue to change your legal name and then go to all the companies using it and changing it there? If you'd first change your legal name you would then have an official document proving that change. It should be possible for these companies to change the name in that case.
Again, I don't want this to sound ignorant, but I think it may solve some of the problems you described.
And of course, the changes in those systems you described are important and need to happen - but I'm not sure this is something which will happen fast, and in the meantime...
@penelope_zone Interesting topic which clearly helps devs like me who like to get their users at home. The OAuth part is quite interesting as well because I have to admit, I did make the mistake :(, but I now try to get the unique ID (when returned by the authenticator).
Just a question. In Belgium, the national security number is made on the date of birth reversed: YYMMDD-XXX.YY. With the year using 2 digits, you can easily understand the issues we are beginning to face. More and more people begin to have numbers conflicts (currently avoided by running the random generator a bit longer and checking each time, but that another topic to discuss).
The random number being generated at the end is ending with an odd digit for people identified as men. Do you have a similar (stupid?) logic in US as well? Does changing the official gender change the national security number as well? This cause a lot of harm as well for services used to authenticate against the national number. I know US isn't great wrt social security, so pardon my ignorance here.
Google allows name-changes? Really? I've had to create a new gmail account (a year ago or so) because the old user-name was a reference to a hobby I no longer identified with. Sure, mail from the old email address gets forwarded (because I set it up like that), but I do have to manage 3 google accounts these days. Because you know: business email too... In my case not a big deal - I no longer identify with the old account, but it wasn't as big a deal as changing gender is, I'm sure.
Still - if it's possible as you say - the process is certainly not easily discoverable or found in google (the search engine).
I'm in a similar situation. Everywhere I read it says to create a new account and forward the email. But in this day and age email isn't the only thing tied to your google account...
First of all, Congrats for changing your name.
I think github usernames problem has a simple solution, when a user changes the username we take all its code and move it under de new account. But that's another problem, anyone pointing to this repo will immediately start failing. Didn't that happend with npm and react?
Wow, great article. I am happy to have changed my name when I was so young I didn't have time to have a big footprint on the Internet, only using IRC and one Hotmail account that I don't use anymore. I have that habit to use an email address as the login primary key, and I don't give the possibility to change it. I will now take a deep dive into this situation and change it in future projects since I don't have much power on the ones I did before.
The problem with that is that then one user would be using two (or 10) usernames. And usernames are valuable. People don't want to have MyN4m31zJohn as paypal handle
Good topic and very well written. Thanks Penelope for sharing.
Those kinds of arbitrary limitations to what changes you can do to your personal information on sites can be completely ridiculous, and they seem to be based on some theoretical static idea of what a user is (probably closer to a CS textbook example than a real human being).
Many sites that easily let you change your name doesn't let you change user names, if you happened to use your full name as your username then there's not much to do besides creating a new account. If you have a lot of data you want to keep and you can't migrate any of your data it's even worse.
Even if you're not changing your real-life name there are many valid reasons for why you might want to change your user name, I don't think I'm the only one who wouldn't want to use the user names I chose when I was 15.
There are many other examples of personal information you should be able to change, but so many sites restrict it. People change, people make mistakes. There are many times where I've realized I've made a typo when finally submitting some information regardless of how careful I was. There's no reason for this, other than laziness and lack of understanding of the user.
Some comments may only be visible to logged-in visitors. Sign in to view all comments.