Content note: discussion of harassment, sexual assault, and community responses to them.
It’s Vegas Security Dog-and-Pony Show Week[1], and I’ve come to dread the stories I will inevitably hear about harassment and assault at Defcon and the assorted computer security events that happen around it. It’s an occupational hazard of being one of the few people speaking out about harassment in infosec – I end up being the person people vent to, a safe outlet for the terrible things people don’t feel safe airing in public. Every year, it’s the same awful litany – assault, groping, drink-spiking, and all varieties of harassment – 5-10 incidents every year for the past five years. I hear these stories from people of all genders, from respected experts and neophytes. I didn’t even attend last year, and I still heard stories. Every year, I learn that another person I once respected as a professional peer is accused of being a predator. Every year. [edit: This wasn’t my story to tell, but the latest instance of someone I had immense professional respect for being accused of rape was made public yesterday. I had no knowledge of this when I wrote this post.]
If you’re thinking “Why don’t I hear these stories?” you should know that most people who experience harassment and worse in our field are afraid to speak out publicly about the specifics of what’s happened to them. They are afraid of backlash, further harassment, and professional ostracism – and with good reason. Here’s the target of a violent attempted rape at an infosec conference, writing about her fears on a blog post she later deleted: “I don’t want to write this. I don’t want to get caught up in anything to do with this women in infosec bit. […] People I thought were my friends and colleagues have said things to me about this that have cut deeper than the actual assault ever could.” How fucked up are we as a community[2] that someone is afraid to talk publicly about a violent assault and attempted rape by her fellow conference speaker?
And yet, my friend Jack once told me that I “see things as they are and yet manage to hang on to some optimism.” Dan Farmer’s recent post criticizing sexism at Defcon has renewed my optimism that now is the time to start making change. So I am asking you to take two leaps of faith: 1) trust me when I say that things are really bad (even worse than what you read), and 2) believe me when I say that it doesn’t need to be that way. Believe me that small interactions change behavior and change expectations around what we as a community are willing to tolerate.
If you care about making the security community a better place for women (and everyone!), here are some things you can do:
Stop tolerating casual bigotry
So someone “makes a joke” about faggots, scenewhores, or uses a racial slur. What are you going to do? Casual bigotry dehumanizes people, and tells predatory people that you will not be likely to speak out if they choose to harass someone around you – or you yourself. But you can change that by speaking up. Never underestimate the power of a simple “pardon me?” or a more direct “wow, that was a messed up thing to say.”
People will object, “Oh but it was just a joke!” Read this about how rape jokes give comfort to rapists and speak up the next time you hear a rape joke. Or people will say, “They didn’t mean it, they are just socially awkward!” This is the biggest myth of all. Socially awkward people are more likely to be the targets of predatory people, especially when predators have power over them.
Stepping up in cases like this feels awkward, but you weren’t the one making it awkward – the bigot already did. Make them own their own awkward. Push through it. That’s what change feels like. And it gets easier with practice. I also highly recommend spending some time on Captain Awkward for more on learning to handle awkward moments with grace, and Yo! Is This Racist? for snappy comebacks to racism.
Stand up to harassment
Making it clear that harassment is unacceptable helps stop it before it turns into something worse. Here are some great tactics from Hollaback, a group that works to fight street harassment:
Direct Action – As a bystander, you can directly intervene when you see a situation of street [or other] harassment by confronting the situation head on. For example, you can ask the harasser to stop bothering the person she/he is targeting.
Distraction – A bystander can take an indirect approach to intervening. For example, if you notice someone being harassed, you can approach her/him to ask for directions or say ‘hello’ as if you know them, thus de-escalating that situation.
Delegation – This is when you seek outside assistance to intervene in the situation. For example, a bystander can seek help or assistance from the police, a public transport worker or another outside party on behalf of the victim/target.[3]
Delay – This is when you wait for the situation to pass and you check in with the person who was targeted to make sure that they are okay. Even if you were unable to intervene at the time, checking in later makes a difference to the person who was harassed.
Believe and support people who speak up
Most of the time, the disincentives are so high for people speaking up that there’s zero incentive for them to lie about being assaulted or harassed. Operating from a default mode of believing people who speak up is a powerful change of frame. Choose to identify with survivors, rather than sympathizing with harassers and abusers.
Choose to believe that the person who is suffering in order to seek justice is telling the truth, as otherwise you’re choosing to accuse them of lying.
Advocate for codes of conduct
Incident response 101 says: have a playbook that covers the scenarios you already know about. We know that harassment and assault happens at conferences. Having a plan to handle the set of known issues helps you deal them should they arise, and to at least have a starting point should new kinds of issues appear. Communicating your plan publicly acts as a powerful social signal as to what behavior is not acceptable in your community. Anil Dash wrote a great post a while back titled “If your website’s full of assholes, it’s your fault” – in the same way, those who run conferences have the power to set social norms and expectations. Choosing to not set those norms means preferring abusers and predators over other attendees.
While there has been controversy in the security community over codes of conduct, I have seen their use make a real change in the open source community and continue to advocate for them. Four years ago, I was hearing about multiple sexual assaults at open source conferences each year. Now, I hear about one or two a year, and usually they get handled quickly. Rather than reinvent this wheel, read Ashe Dryden’s Code of Conduct 101 and FAQ, and check out the resources for conferences and communities on the Geek Feminism wiki.
Probably at this point someone is going to pop up and say, “But what about Violet Blue’s talk at BSides SF? You are against rape prevention education!!1!11”[4] I want to finally call bullshit on this whole argument. I did my first training as a sex educator 12 years ago, and helped run the Sex Ed and Peer Counselling Centre at the largest university in Canada. I have given awkward demonstrations involving bananas. I have counselled survivors of sexual assault, and been there for friends who were escaping intimate partner violence. I know this stuff. I watched the recording of the talk Violet eventually gave at BSides LV, and it was Sex Ed 101, with a smattering of advice about safety (and a long rant about the Ada Initiative, an organization which I’ve supported since its inception with both volunteer labour as an advisor, and thousands of dollars of my own money).
Flared bases are not the most important part of our threat model here, people. I do not have 5-10 sad people per year tell me about their failure to use their toys correctly. I do have that many people telling me about their experiences getting roofied or stalked or worse – people from our community. People you care about. As a community, we need good education about rape culture, consent, and not being a bystander – but that hour-long “where is the clitoris” festival of the bad kind of awkwardness wasn’t it. And a good code of conduct that indicates clearly that sex-positive content is on-topic certainly won’t stand in the way of the talks our community does need.
Educate yourself – resources
- Update your threat model on how predatory people operate. Start with Meet the Predators and Mythcommunication: It’s Not That They Don’t Understand, They Just Don’t Like The Answer. Two further reads – books this time – which focus on men’s violence towards women but contain much generalizable insight, are ”Why Does He Do That?: Inside the Minds of Angry and Controlling Men” and Helping Her Get Free: A Guide for Families and Friends of Abused Women”
- The Geek Feminism Timeline of Incidents
- The Geek Feminism Resources for Allies
- Why teaching women self-defense isn’t the answer to harassment and assault
- Get an Ally Skills Workshop at your workplace or conference, or sign up for the free one I’m teaching this week in Vegas (which is mostly full, but I’ll see what I can do. I’ll be around but not attending any of the conferences.).
A call to action
We aren’t doomed to being the harassment and sexual assault capital of the tech world. We can make a difference. And it starts with each one of us standing up for what we think is right, in the moment when it happens.
[1] I’ve lost track of the sheer number of events, but there’s BlackHat, Defcon, BSides LV, and all of the associated off-conference parties that vendors throw, for starters.
[2] Some folks like to play semantics on “scene” vs. “community” vs. “professional field.” I think those semantics are a cop-out. You get to choose the kind of environment you want to be part of, whatever the word you choose to use for it is.
[3] Note: I have heard enough reports at this point of harassment from Defcon Goons themselves, or mishandling of issues reported to them, that I wouldn’t personally be inclined to reach out to them for help. Goons are volunteers and I have no idea what training they go through; I’ve only seen its effects. Use your judgement as to whether or not that would be a good idea. I myself would call hotel security or the cops rather than ask a Goon for help unless it happened to be one of the handful I trust.
[4] For those who are wondering what I am talking about regarding BSides, here’s a news article, her side of the story, our side of the story part 1, our side of the story part 2. It’s worth noting that the incident people are holding up as evidence of how codes of conduct are bad… happened at an event which didn’t have one.
Comment moderation note: Please keep the focus in the comments on moving forward: things that you want to do to make things better, questions about strategies in specific types of interactions, resources that you have found helpful in fighting sexism. I’m just going to delete any whining about BSidesSF, so don’t even bother. Trust me, I’ve heard enough about it in the last 18 months to last a lifetime, and you’re not going to make a new argument.
hypatia dot ca 
Thank you for writing this. I appreciated your clear context and especially liked the suggestions on ways everyone can be part of the solution.
A nice write up, one that should be shared multiple times over across the world so that people have the awareness needed.
Just one observation though – Often times, harassers happen to be people who have the “skill” to intimidate the “by stander who steps in” and additionally, they happen to have magical ways of getting away from the law. This is what frustrates me a lot more than the actual incident of harassment. Hope things start changing for good soon. Thanks again for the post
It doesn’t matter! Just the fact that someone stood up to them makes them tons less likely to do it again.
I saw something about a ‘ally workshop’ at Defcon. Someone know something about that?
Hey Sydney! You heard correctly – I taught one yesterday and will be teaching another on Sunday, which is sadly very over-full. You can read more about the content of the workshop here: http://adainitiative.org/what-we-do/workshops-and-training/ – there’s even a video and facilitator’s handbook 🙂
I would actually be very curious to hear your thoughts on what some of the side effects have been in the open source community other than a drop in harassment incidents since the feminist activism of late has begun to take effect.
you mentioned that the number of incidents is going down, (which is fantastic), but has the social climate changed in other ways as well? (i.e. do people still feel free to engage with one another as they did before? has there been a significant attendance shift? etc?)
There has been a significant uptick in women’s attendance in recent years at all open source conferences I’ve attended. There were more women at the past couple of Pycons than there were people total at the first Pycon 🙂
As for “feeling free to engage” – I’d say that no, people don’t feel as “free” and I’m totally ok with that. I think people should be thoughtful about how they engage. I’ve definitely heard men complain that they have to be more thoughtful about their behavior and I just start playing the world’s tiniest open source 3D printed violin in their direction. I actually have a baggie of them somewhere.