Some advice for survivors and those writing about them

wheatpasted street art. on the left, text in all caps stating "your heart is a weapon the size of your fist keep loving keep fighting". on the right a white drawing of a hand holding a heart on a black background.

It seems we’re about due for another round of Shitty Infosec Dude Gets Outed As A Predator. If you don’t know what I’m talking about, I’ll link to it when stories appear. In this case, I’m referring to Morgan Marquis-Boire. Having been through this myself last year, I want to stand in solidarity with other survivors, as well as to ask journalists to not be fucking assholes.

Some things I learned as a survivor coming forward:

  • Coming forward is a HUGE step towards protecting other people. If you’ve done so willingly, thank you for your profound courage. We talk a lot in infosec about whistleblowers, but you should know that you are a goddamn whistleblower too. If your story has been told without your consent, I know that that’s a wretched retraumatizing experience and I am so sorry – but please do know that it’s not without impact and WILL keep other people safe in the future.
  • Lock your online stuff down as best as you can. Here’s an extensive guide I wrote much of which covers security stuff as well as physical threats like SWATting, and here’s a short one that covers the computery essentials. The even shorter version: use a password manager to set up unique passwords on key accounts, and enable two-factor auth on your email/Facebook/Twitter.
  • Carefully vet the reporters you talk to. I have personally worked with and trust the security practices and sensitivity to survivors of Sarah Jeong, Selena LarsonKate CongerCyrus Farivar, and Jessica Guynn – journalists who are covering this, feel free to reach out and if I trust you and think it’s appropriate I will add you here. There is at least one male journalist sniffing around about this who I have personally seen mistreat women. Approach with caution. Another good tactic here is to ask if they’ve previously covered sexual assault and/or sexism in tech and ask for press clippings of previous coverage.
  • If you’re talking to the press, email interviews are a great hack. You get the time to consider what to say and make sure that it won’t open you up to litigation, you can just decline to answer some of the questions (because cripes, the questions people will ask you…). Working over email also lets you run your responses by a trusted and hopefully less-traumatized friend to make sure they’re unambiguous and don’t reveal more than you intend.
  • Some useful language re: the press. Know the difference between these terms, and get the reporter you’re talking to to agree to the one you prefer before you say anything:
    • On the record: can be published, can be attributed to you by name
    • Off the record: can’t be published, can’t be attributed to you by name
    • On background: can be quoted or paraphrased and used as a story detail without direct attribution but with a vague organizational affiliation, eg. “a person in the White House who was not authorized to speak to the press” – this is the usual “anonymous source” mode
    • On deep background, not for attribution: can be quoted or paraphrased and used as a story detail without any attribution
      • When you want to say something on either “background” and “deep background,” it’s useful to give a clear definition of what you mean, just so you’re both on the same page. The definitions given above are commonly used. If you want, copy/paste those exact sentences into the email with the reporter so you’re unmistakably clear about your boundaries.
    • You can ask for anonymity. You can ask for press time to be delayed. You can negotiate anything as long as you do it before you give the quote. If you have conditions, make sure your agreement is hashed out in advance. Journalists are not bound to conditions imposed after the fact.
    • If the reporter is working for a magazine, sometimes they will ask you for a phone number so that a fact-checker can call you. Don’t be freaked out: this is common practice and doesn’t mean you’re going to be de-anonymized. Incidentally: the fact-checker is not obligated to read back to you verbatim what’s going to be in the piece, but you will get a sense of what’s going to end up in the piece based the questions they do ask.
      • Again, if this freaks you out, negotiate a different process before you give the quote, such as doing the fact-checking over email.
    • You can do things like “anything below this line is on the record” or “anything in italics is off the record” – just get an agreement in writing with the journalist as to the shared format
    • The rules around on the record / off the record / not for attribution / anonymity and so on are built to give journalists flexibility in dealing with sources who have power, like the PR divisions of major corporations. If a journalist pushes the outer bound of ethics really far with a victim, that has entirely different consequences than doing that to a company. Keep in mind that corporations and government sources negotiate these kinds of terms with journalists all the time, and very aggressively: there’s no reason why they shouldn’t be in your toolkit too.
  • It is up to you whether this is a good time or not to be open to hearing from other victims. Last summer, I noted in my post that I wasn’t ready to listen to other survivors’ stories, and directed folks to appropriate counselling resources. Almost everyone respected this, for which I was grateful. It gave me time and space to process going public without being retraumatized by trying to help others process their own experiences. I have since spoken with many other survivors (of the same assailant and others) and it has been a very important part of my healing process, but it was important to me to take the time to just process the media drama with close and trusted friends, and my therapist, first.
  • Therapy is great and has been an essential part of being resilient in the face of garbage fires like you’re going through. If you’re employed, your work may have an EAP that will get you a therapist with minimal fuss. If it’s not covered by your insurance Captain Awkward has a guide to locating low-cost mental health services in the US and Canada, and a newer post on other free and low-cost mental health resources.
  • I was fortunate to have access to good pro bono legal advice and some familiarity of my own with the laws around defamation. You probably want to find a lawyer to talk to (it’s worth paying money for if you can’t find someone to talk to you for free). Local domestic violence shelters and rape crisis hotlines may be able to help here with referrals. Remember that lawyers tend to be conservative due to the nature of their work; “this could get you sued” is not the same as “this WILL get you sued”. Sometimes the risk is worth it. The other thing to look are the “anti-SLAPP” laws in your jurisdiction – some of them have language that specifically deals with the right to speak out about one’s own experiences with DV or sexual assault.

Now I’m not actually an expert on how reporters should treat survivors of sexual violence, so I’ll mainly link to some excellent exisiting guides. Please comment or ping me if you have resources I should add. But what I will note is a few things I learned from my experience last year:

  • If you’re sleeping with the perpetrator, don’t report on this story. The disgrace to the profession of journalism I’m subtweeting here knows who she is.
  • Don’t name victim’s employers unless it’s actually relevant to the reporting. William Turton did this to me last year. He never reached out to me for comment about my report of harassment, just went straight to naming my employer in his article. Gross.
  • I’m going to write more here soon including some of the more egregious Bad Questions I got asked but wanted to get this posted for survivors first.

Finally, some resources for horrified bystanders:

Vegas Ally Skills 2017

For the fourth year in a row, I’ll be teaching a free Ally Skills workshop the week of Security Summer Camp. Previous years have been a lot of fun, and I’m looking forward to once again not attending Defcon but still doing my part to make security a better place for underrepresented people.

Me giving a talk, looking all fancy
I won’t look quite this fancy while teaching the workshop. Photo by Mike Bridge https://twitter.com/michaelbridge/status/875801248888311808

The Ally Skills workshop teaches concrete skills to fight biases like sexism, racism, and transphobia through a (very) short talk followed by a series of scenarios that are discussed in small groups. There’s no awkward role-playing, and people are always surprised by how much fun it is. This isn’t a tedious legally mandated workshop, it’s a practical set of tools that you’ll use in your every day work and life.

The workshop will be on Saturday from 1-3 in a suite at Caesar’s Palace, graciously provided by the fine folks at Atredis Partners.

If you’re interested, please sign up here. I’ll be in touch a week or so before to confirm your attendance.

Again the workshop is free, but if you like the work I do, I always appreciate folks donating to the ACLU (disclosure: I work there, but this is on my own time and I’m paying my own way to Vegas) or Equal Rights Advocates.

But is it systemic?

Back in January 2015, I was fortunate to be able to attend the Ontario Ombudsman’s “Sharpening Yor Teeth” training program for administrative watchdogs. I’ve long been a fan of the Ontario Ombudsman’s Office’s work – from their meta-investigation of the Ontario Special Investigations Unit (itself a watchdog which investigates police misconduct), to the reforms they engendered in the lottery and gaming system, to their work on expanding access to vital cancer medications. I’m a bit of a nerd about this stuff — I’m pretty sure I was the only attendee who was there out of my own interest, rather than on behalf of an employer.

One of the key roles of an Ombudsman is to identify when issues are systemic rather than one-off cases. Australia’s Financial Ombudsman Service has a succinct definition of systemic issues — they are those which “will have an effect on people beyond the parties to a dispute.” The training I attended included a couple of hours on this topic, and a rubric for evaluating issues that came in through the triage process to determine whether or not they represented potentially systemic issues.

With this context, I was shocked to see the confidence with which Uber board member Arianna Huffington declared that the company’s sexual harassment issues were not systemic. If you haven’t seen it already, watch this interview with her. It’s… honestly just appalling. She claims to have talked to “hundreds” of women at Uber, and when asked at the end if there is anything that would make her consider that Travis isn’t fit for the job, her answer is a clear “no”.

It is deeply inappropriate for Huffington to be making this assessment before the investigation that she’s overseeing (but ostensibly not part of?) is completed. Based on what’s been reported in the press, and what friends have been saying behind closed doors for years, I feel confident in saying that she is wrong to be drawing that conclusion at this juncture. She is also undermining any chance of credibility that the actual investigation has, by conflating her own… research? meddling? whatever she’s doing… with the investigation itself.

But you don’t need to just listen to me. To confirm my gut feeling, I decided to apply the Ombudsman’s rubric to what is known about the situation at Uber. The parts in bold are more or less verbatim from the course notes; there isn’t a copy online, but there’s a shorter version in an essay by the former Ombudsman at this link. Or if you’ve got CAD$124 burning a hole in your pocket, you may be interested in “Conducting Administrative, Oversight & Ombudsman Investigations,” but you’re probably not as much of a weirdo as me and therefore haven’t asked for that book for your birthday. ANYWAY, on to the rubric:

What Happened?

Lots of ink has been spilled on Uber’s gender issues both before and in the wake of Susan Fowler’s post. Joey deVilla has an extensive and colourful roundup of the history of Uber’s malfeasance, gender and otherwise, here.

Does the case have systemic implications?

Some of the factors to consider in determining if an issue has systemic implications or not are:

  • Are there a number of similar complaints? We have Fowler’s account, and, well, real talk here – the Silicon Valley women’s backchannel has had stories like hers going around for years. I don’t know of a single woman engineer who was surprised by Fowler’s story – what many were surprised by was that anyone listened this time.
  • Are there obvious systemic issues? HR’s (mis)handling of Fowler’s complaints just screams “obvious systemic issues” to me.
  • Does the issue encompass a range of policies/processes? At a rough guess, I’d say – HR, recruiting, engineering management – so yes.
  • Does it affect a lot of people? It certainly sounds like it has both within Uber as an organization and also outside – there are plenty of stories going around about crappy, biased engineering recruiting experiences at Uber. And that’s without even touching on how they treat drivers, or passengers who’ve had issues with sexual harassment/assault by drivers. So yes.

Is the issue sensitive and/or high-profile?

This is an easy one. A Google News search for “uber sexual harassment” returns nearly half a million results. Definitely high-profile.

Is an investigation in [the organization’s] interest?

In the Ombudsman’s rubric, this question is asked about the public interest rather than the organization’s interest – I’ve modified the rubric a bit to apply to a private entity. Factors to consider in determining interest include:

  • Is the alleged injustice so egregious (on the face of it) that an investigation is
    clearly necessary? I’d say yes, here.
  • What other organizations are involved or investigating? I expect that entities such as the EEOC have this issue on their radar, and they definitely will if employees file formal complaints.
  • Is it a matter of public discussion? Yup we’ve definitely got that one covered, that’s for sure.
  • Will the case likely result in significant recommendations for change if the
    complaint is substantiated? The HR processes that Fowler describes are profoundly broken and indicate substantial failures in organizational leadership. I’d sure hope that it becomes clear that significant change is needed.

Will the fact-gathering process be complex or protracted?

This is the one where Huffington’s statements really fall on the floor, as her rush to judgement makes it clear that either any investigation that’s taken place so far has been utterly biased (not that this is going to surprise anyone) or that she’s quite simply talking out of her posterior. Some factors that lead to thinking this needs to be treated as a systemic issue include that there are clearly facts in dispute, many potential witnesses will need to be interviewed, and many documents need to be assessed – starting with the entire record of Fowler’s correspondence with HR. And finally, multiple parts of the Uber organization need to be involved (HR and engineering management, to start with).

Will the investigation be a judicious use of resources?

This is less of an issue for a billion-dollar “unicorn” startup than it would be for a resource-constrained public service Ombudsman’s office. Uber has millions in the bank, and can easily afford a proper independent investigation. The cost of not properly investigating could potentially include: additional sexual harassment lawsuits down the road that could have been prevented, responding to independent investigations from organizations such as the EEOC or Department of Justice, an inability to hire engineers and other key employees, and the harm to current and former Uber employees’ career prospects as Uber becomes a toxic stain on their resumes.

Is there any potential to resolve the issue(s) informally?

It is clear from Fowler’s post that she made heroic efforts to have her mistreatment addressed through appropriate, pre-existing formal channels. Since it is amply evident that that didn’t work, informal resolution isn’t appropriate in this case.

Conclusion

Based on the Ontario Ombudsman’s rubric, the gender issues at Uber clearly meet the bar for a potential systemic issue worthy of deep investigation. In cases like that, a truly independent investigation is in order — not one conducted by a board member who has spoken dismissively of the issues. Last summer in our No More Rock Stars post about fighting systemic abuse in tech organizations, Valerie, Mary and I wrote that combating abuse in organizations requires “[starting] with the assumption that harassment reports are true and investigat[ing] them thoroughly“, and Huffington’s dismissal of Fowler’s complaint as a non-systemic issue violates that principle. The principle is not about “assuming guilt” but about thoroughness. It is about diligent, methodical, rigorous follow-up. Which I wholeheartedly hope Eric Holder’s investigation will involve, although I’ll be skeptical until I see it.

Take action to stop police violence

Just over a year ago, in the wake of a white supremacist terrorist attack, I wrote about taking action to fight white supremacy in its many forms. I recommended a couple of specific charities, and called on white people to cut it out with the white guilt crap and put their money to work for racial justice instead.

Police violence is an absolute crisis in this country, and if you want to have an impact on racial justice in America, I don’t think there’s a better way to do it than to give to groups which are fighting it. In the wake of the two latest horrifying shootings, I’m giving $500 to each of the ACLU and We The Protestors, and I invite you to do the same, and tell people that you are donating. Especially if you work in tech – put your dollars where your woke tweets are. Here is more information on these two organizations, taken from last year’s post:

The American Civil Liberties Union works on the fight for voting rights, against the infuriating school-to-prison pipeline, and on many other racial justice issues [2016 edit: and on police use of force]. Follow @aclu on Twitter, and donate here. Donations to the ACLU are not tax-deductible or employer-matchable; if that matters to you, donate to the ACLU Foundation here.

We the Protesters/Campaign Zero works to “fulfill the democratic promise of our union, establish true and lasting justice, accord dignity and standing to everyone, center the humanity of oppressed people, promote the brightest future for our children, and secure the blessings of freedom for all black lives.” Follow the amazing activists behind this movement on Twitter, or donate via the PayPal button at the end of their homepage. Donations are not tax-deductible.

If you’re White and you live in the United States, you have centuries of unearned economic advantage at your back, from slavery and Jim Crow to the New Deal, from the GI Bill to redlining. Take some of that unearned cash and use it to stop cops from killing Black people. It’s the least you can do.

No more rock stars: how to stop abuse in tech communities

Content note for discussion of abuse and sexual violence.

In the last couple of weeks, three respected members of the computer security and privacy tech communities have come forward under their own names to tell their harrowing stories of sexual misconduct, harassment, and abuse committed by Jacob Appelbaum. They acted in solidarity with the first anonymous reporters of Jacob’s abuse. Several organizations have taken steps to protect their members from Appelbaum, including the Tor Project, Debian, and the Noisebridge hackerspace, with other responses in progress.

But Appelbaum isn’t the last – or the only – abuser in any of these communities. Many people are calling for long-term solutions to stop and prevent similar abuse. The authors of this post have recommendations, based on our combined 40+ years of community management experience in the fields of computer security, hackerspaces, free and open source software, and non-profits. In four words, our recommendation is:

No more rock stars.

What do we mean when we say “rock stars?” We like this tweet by Molly Sauter:

Seriously, “rock stars” are arrogant narcissists. Plumbers keep us all from getting cholera. Build functional infrastructure. Be a plumber.

You can take concrete actions to stop rock stars from abusing and destroying your community. But first, here are a few signs that help you identify when you have a rock star instead of a plumber:

A rock star likes to be the center of attention. A rock star spends more time speaking at conferences than on their nominal work. A rock star appears in dozens of magazine profiles – and never, ever tells the journalist to talk to the people actually doing the practical everyday work. A rock star provokes a powerful organization over minor issues until they crack down on the rock star, giving them underdog status. A rock star never says, “I don’t deserve the credit for that, it was all the work of…” A rock star humble-brags about the starry-eyed groupies who want to fuck them. A rock star actually fucks their groupies, and brags about that too. A rock star throws temper tantrums until they get what they want. A rock star demands perfect loyalty from everyone around them, but will throw any “friend” under the bus for the slightest personal advantage. A rock star knows when to turn on the charm and vulnerability and share their deeply personal stories of trauma… and when it’s safe to threaten and intimidate. A rock star wrecks hotel rooms, social movements, and lives.

Why are rock stars so common and successful? There’s something deep inside the human psyche that loves rock stars and narcissists. We easily fall under their spell unless we carefully train ourselves to detect them. Narcissists are skilled at making good first impressions, at masking abusive behavior as merely eccentric or entertaining, at taking credit for others’ work, at fitting our (often inaccurate) stereotypes of leaders as self-centered, self-aggrandizing, and overly confident. We tend to confuse confidence with competence, and narcissists are skilled at acting confident.

Sometimes rock stars get confused with leaders, who are necessary and good. What’s the difference between a rock star and a leader? We like the term “servant-leader” as a reminder that the ultimate purpose of a good leader is to serve the mission of their organization (though this feminist critique of the language around servant-leadership is worth reading). Having personal name recognition and the trust and support of many people is part of being an effective leader. This is different from the kind of uncritical worship that a rock star seeks out and encourages. Leaders push back when the adoration gets too strong and disconnected from achieving the mission (here is a great example from Anil Dash, pushing back after being held up as an example of positive ally for women in tech). Rock stars aren’t happy unless they are surrounded by unthinking adoration.

How do we as a community prevent rock stars?

If rock stars are the problem, and humans are susceptible to rock stars, how do we prevent rock stars from taking over and hijacking our organizations and movements? It turns out that some fairly simple and basic community hygiene is poisonous to rock stars – and makes a more enjoyable, inclusive, and welcoming environment for plumbers.

Our recommendations can be summarized as: decentralizing points of failure, increasing transparency, improving accountability, supporting private and anonymous communication, reducing power differentials, and avoiding situations that make violating boundaries more likely. This is a long blog post, so here is a table of contents for the rest of this post:

Have explicit rules for conduct and enforce them for everyone

Create a strong, specific, enforceable code of conduct for your organization – and enforce it, swiftly and without regard for the status of the accused violator. Rock stars get a kick out of breaking the rules, but leaders know they are also role models, and scrupulously adhere to rules except when there’s no alternative way to achieve the right thing. Rock stars also know that when they publicly break the little rules and no one calls them out on it, they are sending a message that they can also break the big rules and get away with it.

One of the authors of this post believed every first-person allegation of abuse and assault by Jacob Appelbaum – including the anonymous ones – immediately. Why? Among many other signs, she saw him break different, smaller rules in a way that showed his complete and total disregard for other people’s time, work, and feelings – and everyone supported him doing so. For example, she once attended a series of five minute lightning talks at the Noisebridge hackerspace, where speakers sign up in advance. Jacob arrived unannounced and jumped in after the first couple of talks with a forty-five minute long boring rambling slideshow about a recent trip he took. The person running the talks – someone with considerable power and influence in the same community – rolled his eyes but let Jacob talk for nine times the length of other speakers. The message was clear: rules don’t apply to Jacob, and even powerful people were afraid to cross him.

This kind of blatant disregard for the rules and the value of people’s time was so common that people had a name for it: “story time with Jake,” as described in Phoenix’s pseudonymous allegation of sexual harassment. Besides the direct harm, dysfunction, and disrespect this kind of rule-breaking and rudeness causes, when you allow people to get away with it, you’re sending a message that they can get away with outright harassment and assault too.

To solve this, create and adopt a specific, enforceable code of conduct for your community. Select a small expert group of people to enforce it, with provisions for what to do if one of this group is accused of harassment. Set deadlines for responding to complaints. Conduct the majority of discussion about the report in private to avoid re-traumatizing victims. Don’t make exceptions for people who are “too valuable.” If people make the argument that some people are too valuable to censure for violating the code of conduct, remove them from decision-making positions. If you ever find yourself in a situation where you are asking yourself if someone’s benefits outweigh their liabilities, recognize that they’ve already cost the community more than they can ever give to it and get to work on ejecting them quickly.

Start with the assumption that harassment reports are true and investigate them thoroughly

Over more than a decade of studying reports of harassment and assault in tech communities, we’ve noticed a trend: if things have gotten to the point where you’ve heard about an incident, it’s almost always just the tip of the iceberg. People argue a lot about whether to take one person’s word (the alleged victim) over another’s (the alleged harasser), but surprisingly often, this was not the first time the harasser did something harmful and it’s more likely a “one person said, a dozen other people said” situation. Think about it: what are the chances that someone had a perfect record of behavior, right up till the instant they stuck their hand in someone else’s underwear without consent – and that person actually complained about it – AND you heard about it? It’s far more likely that this person has been gradually ramping up their bad behavior for years and you just haven’t heard about it till now.

The vast majority of cases we know about fit one of these two patterns:

  1. A clueless person makes a few innocent, low-level mistakes and actually gets called on one of them fairly quickly. Signs that this is the likely case: the actual incident is extremely easy to explain as a mistake, the accused quickly understands what they did wrong, they appear genuinely, intensely embarrassed, they apologize profusely, and they offer a bunch of ways to make up for their mistake: asking the video of their talk to be taken down, writing a public apology explaining why what they did was harmful, or proposing that they stop attending the event for some period of time.
  2. A person who enjoys trampling on the boundaries of others has been behaving badly for a long time in a variety of ways, but everyone has been too afraid to say anything about it or do anything about other reports. Signs that this is the likely case: the reporter is afraid of retaliation and may try to stay anonymous, other people are afraid to talk about the incident for the same reason, the reported incident may be fairly extreme (e.g., physical assault with no question that consent was violated), many people are not surprised when they hear about it, you quickly gather other reports of harassment or assault of varying levels, the accused has plagiarized or stolen credit or falsified expense reports or done other ethically questionable things, the accused has consolidated a lot of power and attacks anyone who seems to be a challenge to their power, the accused tries to change the subject to their own grievances or suffering, the accused admits they did it but minimizes the incident, or the accused personally attacks the reporter using respectability politics or tone-policing.

In either case, your job is to investigate the long-term behavior of the accused, looking for signs of narcissism and cruelty, big and small. Rock stars leave behind a long trail of nasty emails, stolen credit, rude behavior, and unethical acts big and small. Go look for them.

Make it easy for victims to find and coordinate with each other

Rock stars will often make it difficult for people to talk or communicate without being surveilled or tracked by the rock star or their assistants, because private or anonymous communication allows people to compare their experiences and build effective resistance movements. To fight this, encourage and support private affinity groups for marginalized groups (especially people who identify as women in a way that is significant to them), create formal systems that allow for anonymous or pseudonymous reporting such as an ombudsperson or third-party ethics hotline, support and promote people who are trusted contact points and/or advocates for marginalized groups, and reward people for raising difficult but necessary problems.

Watch for smaller signs of boundary pushing and react strongly

Sometimes rock stars don’t outright break the rules, they just push on boundaries repeatedly, trying to figure out exactly how far they can go and get away with it, or make it so exhausting to have boundaries that people stop defending them. For example, they might take a little too much credit for shared work or other people’s work, constantly bring up the most disturbing but socially acceptable topic of conversation, resist de-escalation of verbal conflict, subtly criticize people, make passive-aggressive comments on the mailing list, leave comments that are almost but not quite against the rules, stand just a little too close to people on purpose, lightly touch people and ignore non-verbal cues to stop (but obey explicit verbal requests… usually), make comments which subtly establish themselves as superior or judges of others, interrupt in meetings, make small verbal put-downs, or physically turn away from people while they are speaking. Rock stars feel entitled to other people’s time, work, and bodies – signs of entitlement to one of these are often signs of entitlement to the others.

Call people out for monopolizing attention and credit

Is there someone in your organization who jumps on every chance to talk to a reporter? Do they attend every conference they can and speak at many of them? Do they brag about their frequent flyer miles or other forms of status? Do they jump on every project that seems likely to be high visibility? Do they “cookie-lick” – claim ownership of projects but fail to do them and prevent others from doing them either? If you see this happening, speak up: say, “Hey, we need to spread out the public recognition for this work among more people. Let’s send Leslie to that conference instead.” Insist that this person credit other folks (by name or anonymously, as possible) prominently and up front in every blog post or magazine article or talk. Establish a rotation for speaking to reporters as a named source. Take away projects from people if they aren’t doing them, no matter how sad or upset it makes them. Insist on distributing high status projects more evenly.

A negative organizational pattern that superficially resembles this kind of call-out can sometimes happen, where people who are jealous of others’ accomplishments and successes may attack effective, non-rock star leaders. Signs of this situation: people who do good, concrete, specific work are being called out for accepting appropriate levels of public recognition and credit by people who themselves don’t follow through on promises, fail at tasks through haplessness or inattention, or communicate ineffectively. Complaints about effective leaders may take the form of “I deserve this award for reasons even though I’ve done relatively little work” instead of “For the good of the organization, we should encourage spreading out the credit among the people who are doing the work – let’s talk about who they are.” People complaining may occasionally make minor verbal slips that reveal their own sense of entitlement to rewards and praise based on potential rather than accomplishments – e.g., referring to “my project” instead of “our project.”

Insist on building a “deep bench” of talent at every level of your organization

Your organization should never have a single irreplaceable person – it should have a deep bench. Sometimes this happens through a misplaced sense of excessive responsibility on the part of a non-abusive leader, but often it happens through deliberate effort from a “rock star.” To prevent this, constantly develop and build up a significant number of leaders at every level of your organization, especially near the top. You can do this by looking for new, less established speakers (keynote speakers in particular) at your events, paying for leadership training, creating official deputies for key positions, encouraging leaders to take ample vacation and not check email (or chat) while they are gone, having at least two people talk to each journalist, conducting yearly succession planning meetings, choosing board members who have strong opinions about this topic and a track record of acting on them, having some level of change or turnover every few years in key leadership positions, documenting and automating key tasks as much as possible, sharing knowledge as much as possible, and creating support structures that allow people from marginalized groups to take on public roles knowing they will have support if they are harassed. And if you need one more reason to encourage vacation, it is often an effective way to uncover financial fraud (one reason why abusive leaders often resist taking vacation – they can’t keep an eye on potential exposure of their misdeeds).

Flatten the organizational hierarchy as much as possible

Total absence of hierarchy is neither possible nor desirable, since “abolishing” a hierarchy simply drives the hierarchy underground and makes it impossible to critique (but see also the anarchist critique of this concept). Keeping the hierarchy explicit and making it as flat and transparent as possible while still reflecting true power relationships is both achievable and desirable. Ways to implement this: have as small a difference as possible in “perks” between levels (e.g., base decisions on flying business class vs. economy on amount of travel and employee needs, rather than position in the organization), give people ways to blow the whistle on people who have power over them (including channels to do this anonymously if necessary), and have transparent criteria for responsibilities and compensation (if applicable) that go with particular positions.

Build in checks for “failing up”

Sometimes, someone gets into a position of power not because they are actually good at their job, but because they turned in a mediocre performance in a field where people tend to choose people with proven mediocre talent over people who haven’t had a chance to demonstrate their talent (or lack thereof). This is called “failing up” and can turn otherwise reasonable people into rock stars as they desperately try to conceal their lack of expertise by attacking any competition and hogging attention. Or sometimes no one wants to take the hit for firing someone who isn’t capable of doing a good job, and they end up getting promoted through sheer tenacity and persistence. The solution is to have concrete criteria for performance, and a process for fairly evaluating a person’s performance and getting them to leave that position if they aren’t doing a good job.

Enforce strict policies around sexual or romantic relationships within power structures

Rock stars love “dating” people they have power over because it makes it easier to abuse or assault them and get away with it. Whenever we hear about an organization that has lots of people dating people in their reporting chain, it raises an automatic red flag for increased likelihood of abuse in that organization. Overall, the approach that has the fewest downsides is to establish a policy that no one can date within their reporting chain or across major differences in power, that romantic relationships need to be disclosed, and that if anyone forms a relationship with someone in the same reporting chain, the participants need to move around the organization until they no longer share a reporting chain. Yes, this means that if the CEO or Executive Director of an organization starts a relationship with anyone else in the organization, at least one of them needs to leave the organization, or take on some form of detached duty for the duration of the CEO/ED’s tenure. When it comes to informal power relationships, such as students dating prominent professors in their fields, they also need to be forbidden or strongly discouraged. These kinds of policies are extremely unattractive to a rock star, because part of the attraction of power for them is wielding it over romantic or sexual prospects.

Avoid organizations becoming too central to people’s lives

Having a reasonable work-life balance isn’t just an ethical imperative for any organization that values social justice, it’s also a safety mechanism so that if someone is forced to leave, needs to leave, or needs to take a step back, they can do so without destroying their entire support system. Rock stars will often insist on subordinates giving 100% of their available energy and time to the “cause” because it isolates them from other support networks and makes them more dependent on the rock star.

Don’t set up your community so that if someone has a breach with your community (e.g., is targeted for sustained harassment that drives them out), they are likely to also lose more than one of: their job, their career, their romantic relationships, their circle of friends, or their political allies. Encouraging and enabling people to have social interaction and support outside your organization or cause will also make it easier to, when necessary, exclude people behaving abusively or not contributing because you won’t need to worry that you’re cutting them off from all meaningful work or human contact.

You should discourage things like: semi-compulsory after hours socialising with colleagues, long work hours, lots of travel, people spending almost all their “intimacy points” or emotional labour on fellow community members, lots of in-group romantic relationships, everyone employs each other, or everyone is on everyone else’s boards. Duplication of effort (e.g., multiple activist orgs in the same area, multiple mailing lists, or whatever) is often seen as a waste, but it can be a powerfully positive force for allowing people some choice of colleagues.

Distribute the “keys to the kingdom”

Signs of a rock star (or occasionally a covert narcissist) may include insisting on being the single point of failure for one or more of: your technical infrastructure (e.g., domain name registration or website), your communication channels, your relationship with your meeting host or landlord, your primary source of funding, your relationship with the cops, etc. This increases the rock star’s power and control over the organization.

To prevent this, identify core resources, make sure two or more people can access/administer all of them, and make sure you have a plan for friendly but sudden, unexplained, or hostile departures of those people. Where possible, spend money (or another resource that your group can collectively offer) rather than relying on a single person’s largesse, specialized skills, or complex network of favours owed. Do things legally where reasonably possible. Try to be independent of any one critical external source of funding or resources. If there’s a particularly strong relationship between one group member and an external funder, advisor, or key organization, institutionalize it: document it, and introduce others into the relationship.

One exception is that it’s normal for contact with the press to be filtered or approved by a single point of contact within the organization (who should have a deputy). However, it should be possible to talk to the press as an individual (i.e., not representing your organization) and anonymously in cases of internal organizational abuse. At the same time, your organization should have a strong whistleblower protection policy – and board members with a strong public commitment and/or a track record of supporting whistleblowers in their own organizations.

Don’t create environments that make boundary violations more likely

Some situations are attractive to rock stars looking to abuse people: sexualized situations, normalization of drinking or taking drugs to the point of being unable to consent or enforce boundaries, or other methods of breaking down or violating physical or emotional boundaries. This can look like: acceptance of sexual jokes at work, frequent sexual liaisons between organization members, mocking people for not being “cool” for objecting to talking about sex at work, framing objection to sexualized situations as being homophobic/anti-polyamorous/anti-kink, open bars with hard alcohol or no limit on drinks, making it acceptable to pressure people to drink more alcohol than they want or violate other personal boundaries (food restrictions, etc.), normalizing taking drugs in ways that make it difficult to stay conscious or defend boundaries, requiring attendance at physically isolated or remote events, having events where it is difficult to communicate with the outside world (no phone service or Internet access), having events where people wear significantly less or no clothing (e.g. pool parties, saunas, hot tubs), or activities that require physical touching (massage, trust falls, ropes courses). It’s a bad sign if anyone objecting to these kinds of activities is criticized for being too uptight, puritanical, from a particular cultural background, etc.

Your organization should completely steer away from group activities which pressure people, implicitly or explicitly, to drink alcohol, take drugs, take off more clothing than is usual for professional settings in the relevant cultures, or touch or be touched. Drunkenness to the point of marked clumsiness, slurred speech, or blacking out should be absolutely unacceptable at the level of organizational culture. Anyone who seems to be unable to care for themselves as the result of alcohol or drug use should be immediately cared for by pre-selected people whose are explicitly charged with preventing this person from being assaulted (especially since they may have been deliberately drugged by someone planning to assault them). For tips on serving alcohol in a way that greatly reduces the chance of assault or abuse, see Kara Sowles’ excellent article on inclusive events. You can also check out the article on inclusive offsites on the Geek Feminism Wiki.

Putting this to work in your community

We waited too long to do something about it.

Odds are, your community already has a “missing stair” or three – even if you’ve just kicked one out. They are harming and damaging your community right now. If you have power or influence or privilege, it’s your ethical responsibility to take personal action to limit the harm that they are causing. This may mean firing or demoting them; it may mean sanctioning or “managing them out.” But if you care about making the world a better place, you must act.

If you don’t have power or influence or privilege, think carefully before taking any action that could harm you more and seriously consider asking other folks with more protection to take action instead. Their response is a powerful litmus test of their values. If no one is willing to take this on for you, your only option may be leaving and finding a different organization or community to join. We have been in this position – of being powerless against rock stars – and it is heartbreaking and devastating to give up on a cause, community, or organization that you care about. We have all mourned the spaces that we have left when they have become unlivable because of abuse. But leaving is still often the right choice when those with power choose not to use it to keep others safe from abuse.

Responses

While we are not asking people to “cosign” this post, we want this to be part of a larger conversation on building abuse-resistant organizations and communities. We invite others to reflect on what we have written here, and to write their own reflections. If you would like us to list your reflection in this post, please leave a comment or email us a link, your name or pseudonym, and any affiliation you wish for us to include, and we will consider listing it. We particularly invite survivors of intimate partner violence in activist communities, survivors of workplace harassment and violence, and people facing intersectional oppressions to participate in the conversation.

2016-06-21: The “new girl” effect by Lex Gill, technology law researcher & activist

2016-06-21: Patching exploitable communities by Tom Lowenthal, security technologist and privacy activist

2016-06-22: Tyranny of Structurelessness? by Gabriella Coleman, anthropologist who has studied hacker communities

We would prefer that people not contact us to disclose their own stories of mistreatment. But know this: we believe you. If you need emotional support, please reach out to people close to you, a counselor in your area, or to the trained folks at RAINN or Crisis Text Line.

Credits

This post was written by Valerie Aurora (@vaurorapub), Mary Gardiner (@me_gardiner), and Leigh Honeywell (@hypatiadotca), with grateful thanks for comments and suggestions from many anonymous reviewers.

Ally Skills Workshop – Vegas Edition 2016

A couple of years ago I wrote a call-to-arms about fighting sexism at Security Summer Camp. While there’s been some progress since then, recent conversations on really basic safety stuff at Defcon remind us of how far we have to go as a community.

Las Vegas 89
Yup, it’s happening again.
This summer, I’ll be teaching another Ally Skills Workshop on Saturday, August 6th from 2-4PM. It will be near the Defcon venue, but it is not an official Defcon event – nor will I be attending the con myself.

If you’re interested in attending, please sign up here. I’ll send additional details closer to the date of the workshop.

I’m not charging for the workshop, but if you appreciate the work I do please consider donating to Sexual Health Innovations. SHI is a great non-profit that is working to end sexual violence on US college campuses through improved reporting technology – I’m a volunteer advisor to that project, called Callisto.

Papercuts

No-context-needed IRC log time!

-!- zfe [n=Gianluca@88.252.29.47] has joined #ubuntu-women
<zfe> is this the kitchen?
<zfe> who would make me a sammich?
<redacted> zfe: No this is not the kitchen
<zfe> aren’t you women?
<redacted> zfe: you are welcome to go into your own kitchen and make yourself a sandwich.
<redacted> zfe: please read the channel guidelines in the topic
-!- mode/#ubuntu-women [+o hypa7ia] by ChanServ
<zfe> ok i will while you make me a sammich
-!- mode/#ubuntu-women [+b *!*=Gianluca@88.252.29.*] by hypa7ia
-!- zfe was kicked from #ubuntu-women by hypa7ia [http://xkcd.com/322]

Nicknames redacted to protect the innocent.