It’s been two weeks since the smoke from the fire finally cleared and San Francisco was drenched in rain. I’d never experienced air pollution like it – the 2017 fires were bad, but this year’s smoke settled over the city like an unwelcome houseguest.
What I didn’t expect was that even all this time later, I’m just starting to come out of the fog of the smoke myself. It hit me harder than I expected – the combination of being unable to go outside during the day right as the clocks changed left me feeling like “oh, it’s bedtime” right as soon as the sun set… at 5PM.
I did all the right things – I got an air purifier, minimized time outside and consistently wore a mask when I did, and ultimately left town for a couple days when the smoke was at its worst. I was fortunate to be able to afford to do all the “right” things – and I was still a mess, and it still hit me harder than I even realized when I was in the thick of it, and took much longer to recover from.
This probably could have just been a couple of tweets but I wanted to write it out to remind myself of how I felt if the fires (and smoke) hit again next year – both for myself as a reminder of how bad it was, and for others, too. Bay Area friends, know that if you’ve been feeling like shit this fall, you’re not alone and you’re not weird. It’s been rough, even as a generally pretty physically healthy person (albeit with mild asthma – a visit I had to the pulmonologist today reminded me to write this post). I’ve been thinking, too, of this smart twitter thread about disability, denial, and the smoke:
re: the fires/smoke. a lot of my friends have been reflecting on the deep denial lots of folks are in, just going around doing normal ass things like this is an acceptable way to live (eating outdoors, jogging, etc), and the level of alienation from one's body that requires
I am deeply lucky to only have had to deal with the smoke’s effects on my lungs and my brain. Nearly 100 people lost their lives, more are still missing, and thousands of people are now homeless – climate refugees in California, a state in perpetual housing crisis. My post-election worry that the federal government would bungle aid to natural disasters in California proved somewhat true – enough to make me feel justified about having checked off some of the Wirecutter’s disaster preparedness list a while back. Raking the leaves isn’t going to save us from climate change. But at least for now, for those currently still dealing with the aftermath, you can make tax-deductible donations to fire relief efforts via the North Valley Community Foundation here.
As part of launching my new company Tall Poppy, I’ve been getting to know other organizations who are doing anti-harassment and anti-abuse work – from Empower Work’s high-impact SMS-based counselling on tough workplace issues, to Anxiety Gaming’s work on mental health in the gamer community, to Citizen Lab’s interactive online security guide, Security Planner.
Over the past year, I’ve had the good fortune to get to know the founders of BetterBrave. I edited their Guide for Allies and have otherwise been supporting their work where I could. BetterBrave provides essential tools to people facing workplace harassment. They have produced up-to-date, plain-language legal guides – including detailed information about the sometimes very short timeframes targets have to report harassment. They also offer referrals to attorneys, therapists, and other experts to people facing workplace harassment.
Tammy and Grace, the cofounders of BetterBrave, conducted over a hundred hours of interviews in developing the guides on the site. Their guides have even been signal-boosted by whistleblower Susan Fowler:
This is a guide to how to handle sexual harassment. It's the best one I've seen. Please read and share widely: https://t.co/VOWOOtronb
This August, BetterBrave is hoping to raise $25,000 to support their efforts over the next year. While I’m running pretty lean these days, this work is incredibly important to me so I am making a matching challenge: I will match up to $1,000 in donations to BetterBrave made before August 31st. You can donate at this link, or tweet your donation receipts to me!
Donations are tax deductible as BetterBrave is fiscally sponsored by the Philanthropic Ventures Foundation, EIN 94-3136771. And don’t forget to get your employer to match your donation if that’s a thing they offer – just note in the match form that the donation is designated for BetterBrave.
This post no longer updated as of February 2018. I’ve put an updated and reorganized version of this post on a dedicated page accessible at hypatia.ca/safety – please link to that going forward.
It seems we’re about due for another round of Shitty Infosec Dude Gets Outed As A Predator. If you don’t know what I’m talking about, I’ll link to it when stories appear. In this case, I’m referring to Morgan Marquis-Boire. Having been through this myself last year, I want to stand in solidarity with other survivors, as well as to ask journalists to not be fucking assholes.
Some things I learned as a survivor coming forward:
Coming forward is a HUGE step towards protecting other people. If you’ve done so willingly, thank you for your profound courage. We talk a lot in infosec about whistleblowers, but you should know that you are a goddamn whistleblower too. If your story has been told without your consent, I know that that’s a wretched retraumatizing experience and I am so sorry – but please do know that it’s not without impact and WILL keep other people safe in the future.
Carefully vet the reporters you talk to. I have personally worked with and trust the security practices and sensitivity to survivors of Sarah Jeong, Selena Larson, Kate Conger, Cyrus Farivar, and Jessica Guynn – journalists who are covering this, feel free to reach out and if I trust you and think it’s appropriate I will add you here. There is at least one male journalist sniffing around about this who I have personally seen mistreat women. Approach with caution. Another good tactic here is to ask if they’ve previously covered sexual assault and/or sexism in tech and ask for press clippings of previous coverage.
If you’re talking to the press, email interviews are a great hack. You get the time to consider what to say and make sure that it won’t open you up to litigation, you can just decline to answer some of the questions (because cripes, the questions people will ask you…). Working over email also lets you run your responses by a trusted and hopefully less-traumatized friend to make sure they’re unambiguous and don’t reveal more than you intend.
Some useful language re: the press. Know the difference between these terms, and get the reporter you’re talking to to agree to the one you prefer before you say anything:
On the record: can be published, can be attributed to you by name
Off the record: can’t be published, can’t be attributed to you by name
On background: can be quoted or paraphrased and used as a story detail without direct attribution but with a vague organizational affiliation, eg. “a person in the White House who was not authorized to speak to the press” – this is the usual “anonymous source” mode
On deep background, not for attribution: can be quoted or paraphrased and used as a story detail without any attribution
When you want to say something on either “background” and “deep background,” it’s useful to give a clear definition of what you mean, just so you’re both on the same page. The definitions given above are commonly used. If you want, copy/paste those exact sentences into the email with the reporter so you’re unmistakably clear about your boundaries.
You can ask for anonymity. You can ask for press time to be delayed. You can negotiate anything as long as you do it before you give the quote. If you have conditions, make sure your agreement is hashed out in advance. Journalists are not bound to conditions imposed after the fact.
If the reporter is working for a magazine, sometimes they will ask you for a phone number so that a fact-checker can call you. Don’t be freaked out: this is common practice and doesn’t mean you’re going to be de-anonymized. Incidentally: the fact-checker is not obligated to read back to you verbatim what’s going to be in the piece, but you will get a sense of what’s going to end up in the piece based the questions they do ask.
Again, if this freaks you out, negotiate a different process before you give the quote, such as doing the fact-checking over email.
You can do things like “anything below this line is on the record” or “anything in italics is off the record” – just get an agreement in writing with the journalist as to the shared format
The rules around on the record / off the record / not for attribution / anonymity and so on are built to give journalists flexibility in dealing with sources who have power, like the PR divisions of major corporations. If a journalist pushes the outer bound of ethics really far with a victim, that has entirely different consequences than doing that to a company. Keep in mind that corporations and government sources negotiate these kinds of terms with journalists all the time, and very aggressively: there’s no reason why they shouldn’t be in your toolkit too.
It is up to you whether this is a good time or not to be open to hearing from other victims. Last summer, I noted in my post that I wasn’t ready to listen to other survivors’ stories, and directed folks to appropriate counselling resources. Almost everyone respected this, for which I was grateful. It gave me time and space to process going public without being retraumatized by trying to help others process their own experiences. I have since spoken with many other survivors (of the same assailant and others) and it has been a very important part of my healing process, but it was important to me to take the time to just process the media drama with close and trusted friends, and my therapist, first.
I was fortunate to have access to good pro bono legal advice and some familiarity of my own with the laws around defamation. You probably want to find a lawyer to talk to (it’s worth paying money for if you can’t find someone to talk to you for free). Local domestic violence shelters and rape crisis hotlines may be able to help here with referrals. Remember that lawyers tend to be conservative due to the nature of their work; “this could get you sued” is not the same as “this WILL get you sued”. Sometimes the risk is worth it. The other thing to look are the “anti-SLAPP” laws in your jurisdiction – some of them have language that specifically deals with the right to speak out about one’s own experiences with DV or sexual assault.
Now I’m not actually an expert on how reporters should treat survivors of sexual violence, so I’ll mainly link to some excellentexisitingguides. Please comment or ping me if you have resources I should add. But what I will note is a few things I learned from my experience last year:
If you’re sleeping with the perpetrator, don’t report on this story. The disgrace to the profession of journalism I’m subtweeting here knows who she is.
Don’t name victim’s employers unless it’s actually relevant to the reporting. William Turton did this to me last year. He never reached out to me for comment about my report of harassment, just went straight to naming my employer in his article. Gross.
I’m going to write more here soon including some of the more egregious Bad Questions I got asked but wanted to get this posted for survivors first.
We’re thrilled with the recenttrendtowards sexual harassment in the tech industry having actual consequences – for the perpetrator, not the target, for a change. We decided it was time to write a post explaining what we’ve been calling “the Al Capone Theory of Sexual Harassment.” (We can’t remember which of us came up with the name, Leigh or Valerie, so we’re taking joint credit for it.) We developed the Al Capone Theory over several years of researching and recording racism and sexism in computer security, open source software, venture capital, and other parts of the tech industry. To explain, we’ll need a brief historical detour – stick with us.
As you may already know, Al Capone was a famous Prohibition-era bootlegger who, among other things, ordered murders to expand his massively successful alcohol smuggling business. The U.S. government was having difficulty prosecuting him for either the murdering or the smuggling, so they instead convicted Capone for failing to pay taxes on the income from his illegal business. This technique is standard today – hence the importance of money-laundering for modern successful criminal enterprises – but at the time it was a novel approach.
The U.S. government recognized a pattern in the Al Capone case: smuggling goods was a crime often paired with failing to pay taxes on the proceeds of the smuggling. We noticed a similar pattern in reports of sexual harassment and assault: often people who engage in sexually predatory behavior also faked expense reports, plagiarized writing, or stole credit for other people’s work. Just three examples: Mark Hurd, the former CEO of HP, was accused of sexual harassment by a contractor, but resigned for falsifying expense reports to cover up the contractor’s unnecessary presence on his business trips. Jacob Appelbaum, the former Tor evangelist, left the Tor Foundation after he was accused of both sexual misconduct and plagiarism. And Randy Komisar, a general partner at venture capital firm KPCB, gave a book of erotic poetry to another partner at the firm, and accepted a board seat (and the credit for a successful IPO) at RPX that would ordinarily have gone to her.
Then we realized what the connection was: all of these behaviors are the actions of someone who feels entitled to other people’s property – regardless of whether it’s someone else’s ideas, work, money, or body. Another common factor was the desire to dominate and control other people. In venture capital, you see the same people accused of sexual harassment and assault also doing things like blacklisting founders for objecting to abuse and calling people nasty epithets on stage at conferences. This connection between dominance and sexual harassment also shows up as overt, personal racism (that’s one reason why we track both racism and sexism in venture capital).
So what is the Al Capone theory of sexual harassment? It’s simple: people who engage in sexual harassment or assault are also likely to steal, plagiarize, embezzle, engage in overt racism, or otherwise harm their business. (Of course, sexual harassment and assault harms a business – and even entire fields of endeavor – but in ways that are often discounted or ignored.) Ask around about the person who gets handsy with the receptionist, or makes sex jokes when they get drunk, and you’ll often find out that they also violated the company expense policy, or exaggerated on their résumé, or took credit for a colleague’s project. More than likely, they’ve engaged in sexual misconduct multiple times, and a little research (such as calling previous employers) will show this, as we saw in the case of former Uber and Google employee Amit Singhal.
Organizations that understand the Al Capone theory of sexual harassment have an advantage: they know that reports or rumors of sexual misconduct are a sign they need to investigate for other incidents of misconduct, sexual or otherwise. Sometimes sexual misconduct is hard to verify because a careful perpetrator will make sure there aren’t any additional witnesses or records beyond the target and the target’s memory (although with the increase in use of text messaging in the United States over the past decade, we are seeing more and more cases where victims have substantial written evidence). But one of the implications of the Al Capone theory is that even if an organization can’t prove allegations of sexual misconduct, the allegations themselves are sign to also urgently investigate a wide range of aspects of an employee’s conduct.
Some questions you might ask: Can you verify their previous employment and degrees listed on their résumé? Do their expense reports fall within normal guidelines and include original receipts? Does their previous employer refuse to comment on why they left? When they give references, are there odd patterns of omission? For example, a manager who doesn’t give a single reference from a person who reported to them can be a hint that they have mistreated people they had power over.
Another implication of the Al Capone theory is that organizations should put more energy into screening potential employees or business partners for allegations of sexual misconduct before entering into a business relationship with them, as recently advocated by LinkedIn cofounder and Greylock partner Reid Hoffman. This is where tapping into the existing whisper network of targets of sexual harassment is incredibly valuable. The more marginalized a person is, the more likely they are to be the target of this kind of behavior and to be connected with other people who have experienced this behavior. People of color, queer people, people with working class jobs, disabled people, people with less money, and women are all more likely to know who sends creepy text messages after a business meeting. Being a member of more than one of these groups makes people even more vulnerable to this kind of harassment – we don’t think it was a coincidence that many of the victims of sexual harassment who spoke out last month were women of color.
What about people whose well-intentioned actions are unfairly misinterpreted, or people who make a single mistake and immediately regret it? The Al Capone theory of sexual harassment protects these people, because when the organization investigates their overall behavior, they won’t find a pattern of sexual harassment, plagiarism, or theft. A broad-ranging investigation in this kind of case will find only minor mistakes in expense reports or an ambiguous job title in a resume, not a pervasive pattern of deliberate deception, theft, or abuse. To be perfectly clear, it is possible for someone to sexually harass someone without engaging in other types of misconduct. In the absence of clear evidence, we always recommend erring on the side of believing accusers who have less power or privilege than the people they are accusing, to counteract the common unconscious bias against believing those with less structural power and to take into account the enormous risk of retaliation against the accuser.
Some people ask whether the Al Capone theory of sexual harassment will subject men to unfair scrutiny. It’s true, the majority of sexual harassment is committed by men. However, people of all genders commit sexual harassment. We personally know of two women who have sexually touched other people without consent at tech-related events, and we personally took action to stop these women from abusing other people. At the same time, abuse more often occurs when the abuser has more power than the target – and that imbalance of power is often the result of systemic oppression such as racism, sexism, cissexism, or heterosexism. That’s at least one reason why a typical sexual harasser is more likely to be one or all of straight, white, cis, or male.
What does the Al Capone theory of sexual harassment mean if you are a venture capitalist or a limited partner in a venture fund? Your first priority should be to carefully vet potential business partners for a history of unethical behavior, whether it is sexual misconduct, lying about qualifications, plagiarism, or financial misdeeds. If you find any hint of sexual misconduct, take the allegations seriously and step up your investigation into related kinds of misconduct (plagiarism, lying on expense reports, embezzlement) as well as other incidents of sexual misconduct.
Because sexual harassers sometimes go to great lengths to hide their behavior, you almost certainly need to expand your professional network to include more people who are likely to be targets of sexual harassment by your colleagues – and gain their trust. If you aren’t already tapped into this crucial network, here are some things you can do to get more access:
Seek out opportunities to meet, socialize with, and sponsor targets of oppression
These are all aspects of ally skills – concrete actions that people with more power and privilege can take to support people who have less.
Finally, we’ve seen a bunch of VCs pledging to donate the profits of their investments in funds run by accused sexual harassers to charities supporting women in tech. We will echo many other women entrepreneurs and say: don’t donate that money, invest it in women-led ventures – especially those led by women of color.
For the fourth year in a row, I’ll be teaching a free Ally Skills workshop the week of Security Summer Camp. Previous years have been a lot of fun, and I’m looking forward to once again not attending Defcon but still doing my part to make security a better place for underrepresented people.
The Ally Skills workshop teaches concrete skills to fight biases like sexism, racism, and transphobia through a (very) short talk followed by a series of scenarios that are discussed in small groups. There’s no awkward role-playing, and people are always surprised by how much fun it is. This isn’t a tedious legally mandated workshop, it’s a practical set of tools that you’ll use in your every day work and life.
The workshop will be on Saturday from 1-3 in a suite at Caesar’s Palace, graciously provided by the fine folks at Atredis Partners.
If you’re interested, please sign up here. I’ll be in touch a week or so before to confirm your attendance.
Again the workshop is free, but if you like the work I do, I always appreciate folks donating to the ACLU (disclosure: I work there, but this is on my own time and I’m paying my own way to Vegas) or Equal Rights Advocates.
In a couple of weeks, I will be joining the ACLU’s Project on Speech, Privacy and Technology as a Technology Fellow. I will be working on activist issues near and dear to my heart – encryption, surveillance, and privacy rights that are facing renewed threat under the new administration. I am so excited to get to apply my decade of work in the security industry to helping shape conversations and policies on these topics.
More so than ever before, cyber security issues are at the forefront of public conversations about freedom and democracy. In my time on the Patch Tuesday team at Microsoft, doing incident response at Salesforce, and most recently at Slack, I have learned a lot about the nuts and bolts of how security is practiced in the real world – and how to communicate about it with the public. I further honed those skills through my work as an advisor to the Ada Initiative, the creator of the neveragain.tech pledge, and in providing behind-the-scenes security assistance to activists and public figures. Building on this foundation, I am looking forward to being an outspoken and effective advocate for our digital rights during the year of my fellowship and beyond.
My role will include collaborating with the ACLU’s lawyers and other staff to identify, understand, and potentially litigate issues related to security, technology, and civil liberties. I am also looking forward to working with journalists as a source for commentary on security and privacy issues. Please feel free to reach out to me via email (leigh at hypatia dot ca) or Twitter DM for my Signal number. My PGP key is also available here.
I am deeply grateful for and proud of my two years at Slack and will miss everyone a bunch (though I’m not going far – I’ll be working out of the San Francisco ACLU office). I was the third security employee at Slack, and helped grow and evolve the team over the past two years, eventually becoming manager of our incident response team. Early in my time at Slack, I worked to streamline and improve our highly successfulbug bounty program and update our security documentation. I got to interview my boss Geoff before we hired him as our first CSO. I worked with colleagues to build a next-generation secure development process, and most recently my work has focused on hiring and building our incident response practice. I’m happy to be able to help hire our next incident response leader in my last couple of weeks at the company – you can check out the job description and apply here, and I would be glad to talk about the role and my time at Slack with interested candidates.
One of the key roles of an Ombudsman is to identify when issues are systemic rather than one-off cases. Australia’s Financial Ombudsman Service has a succinct definition of systemic issues — they are those which “will have an effect on people beyond the parties to a dispute.” The training I attended included a couple of hours on this topic, and a rubric for evaluating issues that came in through the triage process to determine whether or not they represented potentially systemic issues.
With this context, I was shocked to see the confidence with which Uber board member Arianna Huffington declared that the company’s sexual harassment issues were not systemic. If you haven’t seen it already, watch this interview with her. It’s… honestly just appalling. She claims to have talked to “hundreds” of women at Uber, and when asked at the end if there is anything that would make her consider that Travis isn’t fit for the job, her answer is a clear “no”.
It is deeply inappropriate for Huffington to be making this assessment before the investigation that she’s overseeing (but ostensibly not part of?) is completed. Based on what’s been reported in the press, and what friends have been saying behind closed doors for years, I feel confident in saying that she is wrong to be drawing that conclusion at this juncture. She is also undermining any chance of credibility that the actual investigation has, by conflating her own… research? meddling? whatever she’s doing… with the investigation itself.
But you don’t need to just listen to me. To confirm my gut feeling, I decided to apply the Ombudsman’s rubric to what is known about the situation at Uber. The parts in bold are more or less verbatim from the course notes; there isn’t a copy online, but there’s a shorter version in an essay by the former Ombudsman at this link. Or if you’ve got CAD$124 burning a hole in your pocket, you may be interested in “Conducting Administrative, Oversight & Ombudsman Investigations,” but you’re probably not as much of a weirdo as me and therefore haven’t asked for that book for your birthday. ANYWAY, on to the rubric:
Lots of ink has been spilled on Uber’s gender issues both before and in the wake of Susan Fowler’s post. Joey deVilla has an extensive and colourful roundup of the history of Uber’s malfeasance, gender and otherwise, here.
Does the case have systemic implications?
Some of the factors to consider in determining if an issue has systemic implications or not are:
Are there a number of similar complaints? We have Fowler’s account, and, well, real talk here – the Silicon Valley women’s backchannel has had stories like hers going around for years. I don’t know of a single woman engineer who was surprised by Fowler’s story – what many were surprised by was that anyone listened this time.
Are there obvious systemic issues? HR’s (mis)handling of Fowler’s complaints just screams “obvious systemic issues” to me.
Does the issue encompass a range of policies/processes? At a rough guess, I’d say – HR, recruiting, engineering management – so yes.
Does it affect a lot of people? It certainly sounds like it has both within Uber as an organization and also outside – there are plenty of stories going around about crappy, biased engineering recruiting experiences at Uber. And that’s without even touching on how they treat drivers, or passengers who’ve had issues with sexual harassment/assault by drivers. So yes.
Is the issue sensitive and/or high-profile?
This is an easy one. A Google News search for “uber sexual harassment” returns nearly half a million results. Definitely high-profile.
Is an investigation in [the organization’s] interest?
In the Ombudsman’s rubric, this question is asked about the public interest rather than the organization’s interest – I’ve modified the rubric a bit to apply to a private entity. Factors to consider in determining interest include:
Is the alleged injustice so egregious (on the face of it) that an investigation is clearly necessary? I’d say yes, here.
What other organizations are involved or investigating? I expect that entities such as the EEOC have this issue on their radar, and they definitely will if employees file formal complaints.
Is it a matter of public discussion? Yup we’ve definitely got that one covered, that’s for sure.
Will the case likely result in significant recommendations for change if the complaint is substantiated? The HR processes that Fowler describes are profoundly broken and indicate substantial failures in organizational leadership. I’d sure hope that it becomes clear that significant change is needed.
Will the fact-gathering process be complex or protracted?
This is the one where Huffington’s statements really fall on the floor, as her rush to judgement makes it clear that either any investigation that’s taken place so far has been utterly biased (not that this is going to surprise anyone) or that she’s quite simply talking out of her posterior. Some factors that lead to thinking this needs to be treated as a systemic issue include that there are clearly facts in dispute, many potential witnesses will need to be interviewed, and many documents need to be assessed – starting with the entire record of Fowler’s correspondence with HR. And finally, multiple parts of the Uber organization need to be involved (HR and engineering management, to start with).
Will the investigation be a judicious use of resources?
This is less of an issue for a billion-dollar “unicorn” startup than it would be for a resource-constrained public service Ombudsman’s office. Uber has millions in the bank, and can easily afford a proper independent investigation. The cost of not properly investigating could potentially include: additional sexual harassment lawsuits down the road that could have been prevented, responding to independent investigations from organizations such as the EEOC or Department of Justice, an inability to hire engineers and other key employees, and the harm to current and former Uber employees’ career prospects as Uber becomes a toxic stain on their resumes.
Is there any potential to resolve the issue(s) informally?
It is clear from Fowler’s post that she made heroic efforts to have her mistreatment addressed through appropriate, pre-existing formal channels. Since it is amply evident that that didn’t work, informal resolution isn’t appropriate in this case.
Based on the Ontario Ombudsman’s rubric, the gender issues at Uber clearly meet the bar for a potential systemic issue worthy of deep investigation. In cases like that, a truly independent investigation is in order — not one conducted by a board member who has spoken dismissively of the issues. Last summer in our No More Rock Stars post about fighting systemic abuse in tech organizations, Valerie, Mary and I wrote that combating abuse in organizations requires “[starting] with the assumption that harassment reports are true and investigat[ing] them thoroughly“, and Huffington’s dismissal of Fowler’s complaint as a non-systemic issue violates that principle. The principle is not about “assuming guilt” but about thoroughness. It is about diligent, methodical, rigorous follow-up. Which I wholeheartedly hope Eric Holder’s investigation will involve, although I’ll be skeptical until I see it.