Vegas Ally Skills 2017

For the fourth year in a row, I’ll be teaching a free Ally Skills workshop the week of Security Summer Camp. Previous years have been a lot of fun, and I’m looking forward to once again not attending Defcon but still doing my part to make security a better place for underrepresented people.

Me giving a talk, looking all fancy
I won’t look quite this fancy while teaching the workshop. Photo by Mike Bridge https://twitter.com/michaelbridge/status/875801248888311808

The Ally Skills workshop teaches concrete skills to fight biases like sexism, racism, and transphobia through a (very) short talk followed by a series of scenarios that are discussed in small groups. There’s no awkward role-playing, and people are always surprised by how much fun it is. This isn’t a tedious legally mandated workshop, it’s a practical set of tools that you’ll use in your every day work and life.

The workshop will be on Saturday from 1-3 in a suite at Caesar’s Palace, graciously provided by the fine folks at Atredis Partners.

If you’re interested, please sign up here. I’ll be in touch a week or so before to confirm your attendance.

Again the workshop is free, but if you like the work I do, I always appreciate folks donating to the ACLU (disclosure: I work there, but this is on my own time and I’m paying my own way to Vegas) or Equal Rights Advocates.

Joining the ACLU

In a couple of weeks, I will be joining the ACLU’s Project on Speech, Privacy and Technology as a Technology Fellow. I will be working on activist issues near and dear to my heart – encryption, surveillance, and privacy rights that are facing renewed threat under the new administration. I am so excited to get to apply my decade of work in the security industry to helping shape conversations and policies on these topics.

More so than ever before, cyber security issues are at the forefront of public conversations about freedom and democracy. In my time on the Patch Tuesday team at Microsoft, doing incident response at Salesforce, and most recently at Slack, I have learned a lot about the nuts and bolts of how security is practiced in the real world – and how to communicate about it with the public. I further honed those skills through my work as an advisor to the Ada Initiative, the creator of the neveragain.tech pledge, and in providing behind-the-scenes security assistance to activists and public figures. Building on this foundation, I am looking forward to being an outspoken and effective advocate for our digital rights during the year of my fellowship and beyond.

My role will include collaborating with the ACLU’s lawyers and other staff to identify, understand, and potentially litigate issues related to security, technology, and civil liberties. I am also looking forward to working with journalists as a source for commentary on security and privacy issues. Please feel free to reach out to me via email (leigh at hypatia dot ca) or Twitter DM for my Signal number. My PGP key is also available here.

I am deeply grateful for and proud of my two years at Slack and will miss everyone a bunch (though I’m not going far – I’ll be working out of the San Francisco ACLU office). I was the third security employee at Slack, and helped grow and evolve the team over the past two years, eventually becoming manager of our incident response team. Early in my time at Slack, I worked to streamline and improve our highly successful bug bounty program and update our security documentation. I got to interview my boss Geoff before we hired him as our first CSO. I worked with colleagues to build a next-generation secure development process, and most recently my work has focused on hiring and building our incident response practice. I’m happy to be able to help hire our next incident response leader in my last couple of weeks at the company – you can check out the job description and apply here, and I would be glad to talk about the role and my time at Slack with interested candidates.

But is it systemic?

Back in January 2015, I was fortunate to be able to attend the Ontario Ombudsman’s “Sharpening Yor Teeth” training program for administrative watchdogs. I’ve long been a fan of the Ontario Ombudsman’s Office’s work – from their meta-investigation of the Ontario Special Investigations Unit (itself a watchdog which investigates police misconduct), to the reforms they engendered in the lottery and gaming system, to their work on expanding access to vital cancer medications. I’m a bit of a nerd about this stuff — I’m pretty sure I was the only attendee who was there out of my own interest, rather than on behalf of an employer.

One of the key roles of an Ombudsman is to identify when issues are systemic rather than one-off cases. Australia’s Financial Ombudsman Service has a succinct definition of systemic issues — they are those which “will have an effect on people beyond the parties to a dispute.” The training I attended included a couple of hours on this topic, and a rubric for evaluating issues that came in through the triage process to determine whether or not they represented potentially systemic issues.

With this context, I was shocked to see the confidence with which Uber board member Arianna Huffington declared that the company’s sexual harassment issues were not systemic. If you haven’t seen it already, watch this interview with her. It’s… honestly just appalling. She claims to have talked to “hundreds” of women at Uber, and when asked at the end if there is anything that would make her consider that Travis isn’t fit for the job, her answer is a clear “no”.

It is deeply inappropriate for Huffington to be making this assessment before the investigation that she’s overseeing (but ostensibly not part of?) is completed. Based on what’s been reported in the press, and what friends have been saying behind closed doors for years, I feel confident in saying that she is wrong to be drawing that conclusion at this juncture. She is also undermining any chance of credibility that the actual investigation has, by conflating her own… research? meddling? whatever she’s doing… with the investigation itself.

But you don’t need to just listen to me. To confirm my gut feeling, I decided to apply the Ombudsman’s rubric to what is known about the situation at Uber. The parts in bold are more or less verbatim from the course notes; there isn’t a copy online, but there’s a shorter version in an essay by the former Ombudsman at this link. Or if you’ve got CAD$124 burning a hole in your pocket, you may be interested in “Conducting Administrative, Oversight & Ombudsman Investigations,” but you’re probably not as much of a weirdo as me and therefore haven’t asked for that book for your birthday. ANYWAY, on to the rubric:

What Happened?

Lots of ink has been spilled on Uber’s gender issues both before and in the wake of Susan Fowler’s post. Joey deVilla has an extensive and colourful roundup of the history of Uber’s malfeasance, gender and otherwise, here.

Does the case have systemic implications?

Some of the factors to consider in determining if an issue has systemic implications or not are:

  • Are there a number of similar complaints? We have Fowler’s account, and, well, real talk here – the Silicon Valley women’s backchannel has had stories like hers going around for years. I don’t know of a single woman engineer who was surprised by Fowler’s story – what many were surprised by was that anyone listened this time.
  • Are there obvious systemic issues? HR’s (mis)handling of Fowler’s complaints just screams “obvious systemic issues” to me.
  • Does the issue encompass a range of policies/processes? At a rough guess, I’d say – HR, recruiting, engineering management – so yes.
  • Does it affect a lot of people? It certainly sounds like it has both within Uber as an organization and also outside – there are plenty of stories going around about crappy, biased engineering recruiting experiences at Uber. And that’s without even touching on how they treat drivers, or passengers who’ve had issues with sexual harassment/assault by drivers. So yes.

Is the issue sensitive and/or high-profile?

This is an easy one. A Google News search for “uber sexual harassment” returns nearly half a million results. Definitely high-profile.

Is an investigation in [the organization’s] interest?

In the Ombudsman’s rubric, this question is asked about the public interest rather than the organization’s interest – I’ve modified the rubric a bit to apply to a private entity. Factors to consider in determining interest include:

  • Is the alleged injustice so egregious (on the face of it) that an investigation is
    clearly necessary? I’d say yes, here.
  • What other organizations are involved or investigating? I expect that entities such as the EEOC have this issue on their radar, and they definitely will if employees file formal complaints.
  • Is it a matter of public discussion? Yup we’ve definitely got that one covered, that’s for sure.
  • Will the case likely result in significant recommendations for change if the
    complaint is substantiated? The HR processes that Fowler describes are profoundly broken and indicate substantial failures in organizational leadership. I’d sure hope that it becomes clear that significant change is needed.

Will the fact-gathering process be complex or protracted?

This is the one where Huffington’s statements really fall on the floor, as her rush to judgement makes it clear that either any investigation that’s taken place so far has been utterly biased (not that this is going to surprise anyone) or that she’s quite simply talking out of her posterior. Some factors that lead to thinking this needs to be treated as a systemic issue include that there are clearly facts in dispute, many potential witnesses will need to be interviewed, and many documents need to be assessed – starting with the entire record of Fowler’s correspondence with HR. And finally, multiple parts of the Uber organization need to be involved (HR and engineering management, to start with).

Will the investigation be a judicious use of resources?

This is less of an issue for a billion-dollar “unicorn” startup than it would be for a resource-constrained public service Ombudsman’s office. Uber has millions in the bank, and can easily afford a proper independent investigation. The cost of not properly investigating could potentially include: additional sexual harassment lawsuits down the road that could have been prevented, responding to independent investigations from organizations such as the EEOC or Department of Justice, an inability to hire engineers and other key employees, and the harm to current and former Uber employees’ career prospects as Uber becomes a toxic stain on their resumes.

Is there any potential to resolve the issue(s) informally?

It is clear from Fowler’s post that she made heroic efforts to have her mistreatment addressed through appropriate, pre-existing formal channels. Since it is amply evident that that didn’t work, informal resolution isn’t appropriate in this case.

Conclusion

Based on the Ontario Ombudsman’s rubric, the gender issues at Uber clearly meet the bar for a potential systemic issue worthy of deep investigation. In cases like that, a truly independent investigation is in order — not one conducted by a board member who has spoken dismissively of the issues. Last summer in our No More Rock Stars post about fighting systemic abuse in tech organizations, Valerie, Mary and I wrote that combating abuse in organizations requires “[starting] with the assumption that harassment reports are true and investigat[ing] them thoroughly“, and Huffington’s dismissal of Fowler’s complaint as a non-systemic issue violates that principle. The principle is not about “assuming guilt” but about thoroughness. It is about diligent, methodical, rigorous follow-up. Which I wholeheartedly hope Eric Holder’s investigation will involve, although I’ll be skeptical until I see it.

Breakup Comfort Reads

broken-heart
thanks, emojipedia

Obviously there’s much more Serious Business going on in the world than my romantic (mis)adventures, but a recent breakup has given me time to reflect on the things that have brought me comfort and meaning when my heart has faced tough times. I wanted to share them for others who are going through heartache, and just to have them all in one place should I need them again someday.

The first  is from one of the earliest Captain Awkward posts, “The Golden Retriever/Kwisatz Haderach of Love“. NB: I’ve never read Dune nor seen the movie, the post is worth it even without knowing the references 🙂 Among the pieces of advice to the heartbroken letter-writer is this wonderful musing on love:

It’s okay to still be in love. Love is – as this hideous wedding-cake topper excruciatingly reminds us – patient, it is kind, it believes all things, hopes all things, endures all things. So there you are, all shaggy and embarrassing bounding toward your person wagging your tail and doing that adorable thing you do where you pretend that you’re not going to hand over the ball you’re carrying in your mouth and your person doesn’t even want your stupid ball and then the leash of reality yanks you back. That part of you is the purest and best and truest part of you, and you can’t really turn it off. It’s just going to love for a while.

I say this because it’s really fucking frustrating to try to talk yourself out of having a feeling or beat yourself up for having a feeling at the same time you’re having the feeling. So just have the feeling. Just be the Golden Retriever of Love. You’re not stupid for feeling it, you’re not a bad person, you didn’t do anything wrong. You just feel what you feel, and you’ll feel until one day you stop, and you can’t decide when that is, so don’t even try.

For me it’s one of those pieces of writing that I come back to over and over, like a worry stone. Just have the feeling. Just be the Golden Retriever of Love. It’s such a beautiful reminder to be kind to the best and most loving parts of yourself, even when they are hurting. Especially when they are hurting.

Next up is the Beyonce Freelancing Method, a delightfully raunchy reflection on the economic value of romantic attention by the Scottish writer and video game critic Cara Ellison:

This frame of mind has been percolating unconsciously for a while. It’s mainly about valuing men monetarily. I weigh up how much money I lose as a freelancer by spending time on pelvic sorcery rather than writing, and I calculate whether it is worth losing that money. […] It’s all about the pleasure return and the impact on my work. Does the sex, the hanging out, the effort to keep my attention leave me energised? Or does it make me really exhausted and sad and angry so that I can’t work? The first type is worth more monetarily. The second type is not worth it and I’ve been learning to refuse to invest in it.

Grieving and forgiveness are two things that I think about a lot in the context of breakups. A breakup leaves one grieving the end of what was, what was imagined to be but never really was, what could have been, or some combination of those. There’s plenty of pop-psych writing on grieving, but a thing I found very helpful was just understanding that the classic 5 stages “are not stops on some linear timeline[…]. Not everyone goes through all of them or in a prescribed order.” Grief is often a messy thing, but I’ve found the 5 “stages” to be a helpful lens to understand my feelings.

On forgiveness, I think often of these quotations from an essay in the journal Character, which Emily Yoffe (the former Dear Prudence) excerpted in a column on choosing whether or not to forgive abusive parents:

In a 2008 essay in the journal In Character, history professor Wilfred McClay writes that as a society we have twisted the meaning of forgiveness into a therapeutic act for the victim: “[F]orgiveness is in danger of being debased into a kind of cheap grace, a waiving of standards of justice without which such transactions have no meaning.” Jean Bethke Elshtain, a professor at the University of Chicago Divinity School writes that, “There is a watered-down but widespread form of ‘forgiveness’ best tagged preemptory or exculpatory forgiveness. That is, without any indication of regret or remorse from perpetrators of even the most heinous crimes, we are enjoined by many not to harden our hearts but rather to ‘forgive.’ ”

In the documentary version of Margaret Atwood’s Massey Lecture “Payback: Debt and the Shadow Side of Wealth,” she interviews Louise Arbour, former Canadian Supreme Court justice. Arbour says, on forgiveness:

Forgiveness is a link between the past and the future, it’s not the restoration of the past prior to the injury.

And it was one of those lines that jumped out at me so much that I paused the film to write it down. It’s available on Netflix in Canada or Amazon in the US, if you’re interested in watching it.

I mention forgiveness specifically because there’s often a rush to try to make nice with an ex, to preserve social bonds and mutual friendships, and that to me often feels like a jump to the “exculpatory forgiveness” Elhstain describes. A friend pointed out to me a few years back that often the reasons one might choose to break up are the same reasons one may not want to be friends. And that’s ok. The rush to be friends is often about one person’s absolution, particularly when it’s the dumper asking it of the dumpee. It’s such a frequent theme in r/relationships posts and Captain Awkward columns that it feels cliché to even mention, but you’re under no obligation to stay in touch or stay friends, and it’s often healthier not to.

It’s not a read either, but this clip of Oprah and Maya Angelou talking about Angelou’s exhortation to believe someone when they show you who they really are, the first time is worth a watch. Or several 🙂

On the longer side, there are a couple of books I come back to over and over as I process relationship stuff. I’ve read a lot of terrible garbage self-help books over the past few years, but these stand out as being works which have helped me grow and change as a person.

A couple of books which talk about attachment styles have been very helpful: Attached: The New Science of Adult Attachment and How It Can Help YouFind – and Keep – Love by Levine and Heller, and Hold Me Tight: Seven Conversations for a Lifetime of Love by Canadian family therapist Sue Johnson, who is it turns out a different person from Canadian sex educator Sue Johanson whose Sunday Night Sex Show educated an entire generation of Canadian radio listeners. I digress. Both of those books are relevant to people of all genders, and manage to avoid the pitfalls of heterocentricity that many relationship books fall into. Emily Nagoski’s Come as You Are: The Surprising New Science that Will Transform Your Sex Life has helped me unpack the inner mechanics of my desires. It is primarily directed at cisgendered women (and their partners), but it also has a great primer on attachment theory as it pertains to sexuality that is broadly applicable.

Three books have helped me through times I’ve been uncertain/ambivalent about relationships I’ve been in: Lundy Bancroft and JAC Patrissi’s Should I Stay or Should I Go?, and Mira Kirshenbaum’s Too Good to Leave, Too Bad to Stay, and her embarrassingly named Is He Mr Right. That last one helped Valerie and me develop this really cool spreadsheet for thinking about relationship preferences. In Mr. Right Kirshenbaum defines her “essential five elements of chemistry” as “ease & closeness, respect, safety, affection & passion, fun”, which I think is super helpful to read about just on their own – here’s a summary. Of the three books, Should I Stay and Mr. Right are aimed at women who date men. Too Good to Leave is less gender-specific (though still fairly heterocentric) and is in a neat Dr. House style “differential diagnosis” format I found very useful.

On the more seriously dysfunctional end of the spectrum, Lundy Bancroft’s book Why Does He Do That?: Inside the Minds of Angry and Controlling Men is essential reading and has been instrumental in my avoiding getting involved with abusive people in recent years. Despite the title, it’s worth a read regardless of your gender as the patterns of abusive mindsets are super helpful for people of all genders to understand.

And finally, when your heart is sad, you can always summon a calming manatee.

Looking back on 2016

For the past couple of years, I’ve done Jen Dziura’s “Design Your $next_year” workbook towards the end of the year. It’s been a very helpful exercise. It’s definitely worth the couple of bucks.
One of the things it includes is making a list of the things you accomplished in the year you’re closing out; I did so in the workbook in my terrible handwriting, with items ending up in the margins and upside down as I tried to fit them all in. Which feels pretty good, I must say. This year I decided to also type it up and post it for posterity.

It’s a bit of a brain dump, and incomplete by necessity — this year included a fair bit of working towards goals that will not be public for a while, but also supporting people through crises that are not mine to disclose. The latter friend-crises came in the form of mental health stuff, intimate partner violence (which this book is an utterly essential read for friends who are trying to help), workplace harassment, and mass-scale online harassment.

That said, here’s the stuff I can talk about:

  • Throughout the year stuff:
    • Taught at least 5 Ally Skills workshops — at Slack, during (but not at) Defcon, and elsewhere, and finally attended a Train-The-Trainers for it so I could learn from how others teach it
    • Mentored a bunch of folks including some interns, yay!
    • Gained just over 2,000 Twitter followers. Thank you all for listening to me babble ❤
    • Did a bunch of skiing and coached friends
    • Helped hire a bunch of folks at Slack
    • Generally helped things not be on fire at Slack
    • Wrote some PHP for the first time in a decade
    • Wrote some very funny tweets on @SlackHQ but you’ll never know which ones were me!!!
    • Started lifting weights in earnest again. I learned a lot from Julian’s guide and Stumptuous. My biceps are AMAZING 💪

      Seriously, biceps
    • Made some good progress towards getting some gut health stuff that’s been annoying for a long time figured out (if you have IBS and haven’t heard of SIBO, there’s a bunch of new and interesting research!)
    • Generally ate super healthily and cooked lots of things (especially pork chops and also poached eggs) with my Nomiku (and finally got to meet Lisa, the founder! who just got funded on Shark Tank holy crap!!)
    • Volunteered for the Hillary campaign both on the infosec side and the more general GOTV side
    • Donated a few thousand dollars to causes I support like the ACLU and Callisto
    • Maxed out my 401k
    • Took good care of my brain by going to therapy regularly and (with medical supervision) tapered off one of the brain meds I had been taking
    • Rediscovered my childhood love of Star Wars and watched the entire Clone Wars and Rebels series and read several of the New Canon novels
    • Started painting
  • One-off stuff, in rough chronological order

I learned a few things in 2016 as well — I need to work on saying no to things a bit more, as I’ve been very overcommitted and definitely dropped a few balls last year. I’m going to travel less and do less speaking this year, particularly for the first half.

I’m still working on the “plan your 2017” part of Jen’s workbook. I started it before the election and then put it aside for a couple of months. And then the election happened. I’m still figuring out how to re-prioritize how I spend my energy now that “fighting fascism” is a higher priority than “getting an MBA.” I’ll write more about that soon.

Happy New Year, and for all the good that I was fortunate enough to got done in it, good riddance to 2016.

Some of my best work

Comedy is tragedy mellowed by time.

–Carol Burnett

A few years ago I ended a particularly unhealthy relationship. With the distance of a few years, a very traumatizing time in my life just feels very funny, and I’ve told this story enough times that it felt time to write it down.

We had been seeing each other long distance for several years, and I’d eventually decided to move to his city. This required my going back to school for a year to finish my degree so that I could get a visa to work in his country and move across the continent. About the only part of this that I don’t regret is finally finishing my damn degree.

Things lasted 10 weeks after I got there. It was the relationship equivalent of constructive dismissal; my partner was at times absent, at others cruel. But he was mainly just extremely focused on someone he’d started seeing over the summer as I finished my final class in university. I hadn’t yet figured out that polyamory is just too damn complicated for my tastes, and I didn’t particularly get along with her – an arch libertarian whose explanation for why she wanted kids started with “have you seen the movie Idiocracy?”

On a cold Saturday in December, I finally had enough. The only time I was going to be able to see him was around a talk he was giving at a local geek group, so I figured I’d tag along for that and then have The Conversation afterwards. When I got to his place, he was the most affectionate he’d been in the weeks since my transcontinental move, and my resolve weakened…

But not for long, because a few minutes into the half hour drive to the geek event, he sprung on me that New Partner would also be there. Well, that explained things.

We arrived at the meetup and I let New Partner know through clenched teeth that I couldn’t handle talking to her today. She left me be. I listened through the mildly interesting presentations, then there was some awkward socializing that involved my trying not to talk to old nerdy men, then we departed.

The arrangement was that my soon-to-be ex would drive me to my next engagement for the day – volunteering at the SPCA. It was a 40+ minute drive, of which I remember nothing.

We got to the parking lot, and I initiated The Conversation, and was met by the kind of “wow, you’re actually breaking up with me” that only those who have dated the intensely self-absorbed are familiar with. I had been mainlining the first year of Captain Awkward posts – he was an archetypal Darth Vader Boyfriend, but I did my best to be clear that it was not a negotiation.

He was quiet for a bit, and it finally dawned on him:

“Did you get me to take you to the SPCA so that you could break up with me in their parking lot and then go pet cats?”

I sure had. It worked out great.

Part-time Power

Background: Y Combinator (YC) is an influential seed accelerator and VC firm founded by Paul Graham and run by Sam Altman. Sam may remember me from the time I counted how many women he follows on Twitter. One of YC’s part-time partners is Peter Thiel, who spoke at the Republican National Convention. He also donated $1.25 million to Trump’s presidential campaign in mid-October after more than a dozen women accused the candidate of sexual assault and Trump once again repeated his calls for imprisonment of five innocent black men. For more details, see Project Include’s post on the topic, or Erica Baker, Nicole Sanchez, and Maciej Cegłowski’s numerous and wise tweets around it.

One of the things I teach in the Ally Skills workshop is a concept in moral philosophy called the Paradox of Tolerance – in short, the one thing a tolerant society must be intolerant of is intolerance. It’s really helped me frame how I’ve been thinking about this situation – to consider whether or not Thiel’s support of Trump puts him into the “intolerable intolerance” camp or not. It wasn’t a particularly tough call for me – were I in Altman’s shoes, I’d ask for Thiel’s resignation. But there’s part of the situation that I haven’t seen addressed anywhere.

When you bring someone into your organization as an advisor/mentor/office-hour-holder (which is what Thiel’s role at YC seems to consist of), you are doing three things:

  • Giving them power over the people in your organization that they are tasked with advising
  • Endorsing their advice as being something that people in your organization should follow
  • Sharing your social capital with them

Now, obviously, Thiel has those first two powers in droves in his various other capacities, but in keeping him on as a “part-time partner”, YC is both saying that they value the advice he can give their founders as well as implicitly giving him a position of power over them – the power of making introductions or not, writing letters of recommendation or not, and so on – the power of a sanctioned mentoring role.

They are also saying that they trust him to not discriminate against the people they are giving him power over – the founders in their program – in ways that are not aligned with YC’s values. Thiel has made it clear through decades of public writing and actions what his values are. He wrote a book called “The Diversity Myth”, for starters. Thiel also considers women having the vote to have “rendered the notion of ‘capitalist democracy’ an oxymoron“. This hits me particularly hard as I can’t vote right now – I am in the US on a visa, not yet a citizen, and as a non-resident can no longer vote in Canada.

One last thing: I stressed for two days about writing this post, knowing that Thiel is willing to fund multi-million dollar lawsuits against his critics. I have no connection to him and he has no other power over me. Imagine how it would feel should any of his mentees need to criticize him.

We all get to make a choice as to what constitutes “intolerable intolerance”. YC has made it clear that Thiel’s actions and words are tolerable enough to them to continue to give him power over people in their organization, and I find this unconscionable.

Take action to stop police violence

Just over a year ago, in the wake of a white supremacist terrorist attack, I wrote about taking action to fight white supremacy in its many forms. I recommended a couple of specific charities, and called on white people to cut it out with the white guilt crap and put their money to work for racial justice instead.

Police violence is an absolute crisis in this country, and if you want to have an impact on racial justice in America, I don’t think there’s a better way to do it than to give to groups which are fighting it. In the wake of the two latest horrifying shootings, I’m giving $500 to each of the ACLU and We The Protestors, and I invite you to do the same, and tell people that you are donating. Especially if you work in tech – put your dollars where your woke tweets are. Here is more information on these two organizations, taken from last year’s post:

The American Civil Liberties Union works on the fight for voting rights, against the infuriating school-to-prison pipeline, and on many other racial justice issues [2016 edit: and on police use of force]. Follow @aclu on Twitter, and donate here. Donations to the ACLU are not tax-deductible or employer-matchable; if that matters to you, donate to the ACLU Foundation here.

We the Protesters/Campaign Zero works to “fulfill the democratic promise of our union, establish true and lasting justice, accord dignity and standing to everyone, center the humanity of oppressed people, promote the brightest future for our children, and secure the blessings of freedom for all black lives.” Follow the amazing activists behind this movement on Twitter, or donate via the PayPal button at the end of their homepage. Donations are not tax-deductible.

If you’re White and you live in the United States, you have centuries of unearned economic advantage at your back, from slavery and Jim Crow to the New Deal, from the GI Bill to redlining. Take some of that unearned cash and use it to stop cops from killing Black people. It’s the least you can do.

No more rock stars: how to stop abuse in tech communities

Content note for discussion of abuse and sexual violence.

In the last couple of weeks, three respected members of the computer security and privacy tech communities have come forward under their own names to tell their harrowing stories of sexual misconduct, harassment, and abuse committed by Jacob Appelbaum. They acted in solidarity with the first anonymous reporters of Jacob’s abuse. Several organizations have taken steps to protect their members from Appelbaum, including the Tor Project, Debian, and the Noisebridge hackerspace, with other responses in progress.

But Appelbaum isn’t the last – or the only – abuser in any of these communities. Many people are calling for long-term solutions to stop and prevent similar abuse. The authors of this post have recommendations, based on our combined 40+ years of community management experience in the fields of computer security, hackerspaces, free and open source software, and non-profits. In four words, our recommendation is:

No more rock stars.

What do we mean when we say “rock stars?” We like this tweet by Molly Sauter:

Seriously, “rock stars” are arrogant narcissists. Plumbers keep us all from getting cholera. Build functional infrastructure. Be a plumber.

You can take concrete actions to stop rock stars from abusing and destroying your community. But first, here are a few signs that help you identify when you have a rock star instead of a plumber:

A rock star likes to be the center of attention. A rock star spends more time speaking at conferences than on their nominal work. A rock star appears in dozens of magazine profiles – and never, ever tells the journalist to talk to the people actually doing the practical everyday work. A rock star provokes a powerful organization over minor issues until they crack down on the rock star, giving them underdog status. A rock star never says, “I don’t deserve the credit for that, it was all the work of…” A rock star humble-brags about the starry-eyed groupies who want to fuck them. A rock star actually fucks their groupies, and brags about that too. A rock star throws temper tantrums until they get what they want. A rock star demands perfect loyalty from everyone around them, but will throw any “friend” under the bus for the slightest personal advantage. A rock star knows when to turn on the charm and vulnerability and share their deeply personal stories of trauma… and when it’s safe to threaten and intimidate. A rock star wrecks hotel rooms, social movements, and lives.

Why are rock stars so common and successful? There’s something deep inside the human psyche that loves rock stars and narcissists. We easily fall under their spell unless we carefully train ourselves to detect them. Narcissists are skilled at making good first impressions, at masking abusive behavior as merely eccentric or entertaining, at taking credit for others’ work, at fitting our (often inaccurate) stereotypes of leaders as self-centered, self-aggrandizing, and overly confident. We tend to confuse confidence with competence, and narcissists are skilled at acting confident.

Sometimes rock stars get confused with leaders, who are necessary and good. What’s the difference between a rock star and a leader? We like the term “servant-leader” as a reminder that the ultimate purpose of a good leader is to serve the mission of their organization (though this feminist critique of the language around servant-leadership is worth reading). Having personal name recognition and the trust and support of many people is part of being an effective leader. This is different from the kind of uncritical worship that a rock star seeks out and encourages. Leaders push back when the adoration gets too strong and disconnected from achieving the mission (here is a great example from Anil Dash, pushing back after being held up as an example of positive ally for women in tech). Rock stars aren’t happy unless they are surrounded by unthinking adoration.

How do we as a community prevent rock stars?

If rock stars are the problem, and humans are susceptible to rock stars, how do we prevent rock stars from taking over and hijacking our organizations and movements? It turns out that some fairly simple and basic community hygiene is poisonous to rock stars – and makes a more enjoyable, inclusive, and welcoming environment for plumbers.

Our recommendations can be summarized as: decentralizing points of failure, increasing transparency, improving accountability, supporting private and anonymous communication, reducing power differentials, and avoiding situations that make violating boundaries more likely. This is a long blog post, so here is a table of contents for the rest of this post:

Have explicit rules for conduct and enforce them for everyone

Create a strong, specific, enforceable code of conduct for your organization – and enforce it, swiftly and without regard for the status of the accused violator. Rock stars get a kick out of breaking the rules, but leaders know they are also role models, and scrupulously adhere to rules except when there’s no alternative way to achieve the right thing. Rock stars also know that when they publicly break the little rules and no one calls them out on it, they are sending a message that they can also break the big rules and get away with it.

One of the authors of this post believed every first-person allegation of abuse and assault by Jacob Appelbaum – including the anonymous ones – immediately. Why? Among many other signs, she saw him break different, smaller rules in a way that showed his complete and total disregard for other people’s time, work, and feelings – and everyone supported him doing so. For example, she once attended a series of five minute lightning talks at the Noisebridge hackerspace, where speakers sign up in advance. Jacob arrived unannounced and jumped in after the first couple of talks with a forty-five minute long boring rambling slideshow about a recent trip he took. The person running the talks – someone with considerable power and influence in the same community – rolled his eyes but let Jacob talk for nine times the length of other speakers. The message was clear: rules don’t apply to Jacob, and even powerful people were afraid to cross him.

This kind of blatant disregard for the rules and the value of people’s time was so common that people had a name for it: “story time with Jake,” as described in Phoenix’s pseudonymous allegation of sexual harassment. Besides the direct harm, dysfunction, and disrespect this kind of rule-breaking and rudeness causes, when you allow people to get away with it, you’re sending a message that they can get away with outright harassment and assault too.

To solve this, create and adopt a specific, enforceable code of conduct for your community. Select a small expert group of people to enforce it, with provisions for what to do if one of this group is accused of harassment. Set deadlines for responding to complaints. Conduct the majority of discussion about the report in private to avoid re-traumatizing victims. Don’t make exceptions for people who are “too valuable.” If people make the argument that some people are too valuable to censure for violating the code of conduct, remove them from decision-making positions. If you ever find yourself in a situation where you are asking yourself if someone’s benefits outweigh their liabilities, recognize that they’ve already cost the community more than they can ever give to it and get to work on ejecting them quickly.

Start with the assumption that harassment reports are true and investigate them thoroughly

Over more than a decade of studying reports of harassment and assault in tech communities, we’ve noticed a trend: if things have gotten to the point where you’ve heard about an incident, it’s almost always just the tip of the iceberg. People argue a lot about whether to take one person’s word (the alleged victim) over another’s (the alleged harasser), but surprisingly often, this was not the first time the harasser did something harmful and it’s more likely a “one person said, a dozen other people said” situation. Think about it: what are the chances that someone had a perfect record of behavior, right up till the instant they stuck their hand in someone else’s underwear without consent – and that person actually complained about it – AND you heard about it? It’s far more likely that this person has been gradually ramping up their bad behavior for years and you just haven’t heard about it till now.

The vast majority of cases we know about fit one of these two patterns:

  1. A clueless person makes a few innocent, low-level mistakes and actually gets called on one of them fairly quickly. Signs that this is the likely case: the actual incident is extremely easy to explain as a mistake, the accused quickly understands what they did wrong, they appear genuinely, intensely embarrassed, they apologize profusely, and they offer a bunch of ways to make up for their mistake: asking the video of their talk to be taken down, writing a public apology explaining why what they did was harmful, or proposing that they stop attending the event for some period of time.
  2. A person who enjoys trampling on the boundaries of others has been behaving badly for a long time in a variety of ways, but everyone has been too afraid to say anything about it or do anything about other reports. Signs that this is the likely case: the reporter is afraid of retaliation and may try to stay anonymous, other people are afraid to talk about the incident for the same reason, the reported incident may be fairly extreme (e.g., physical assault with no question that consent was violated), many people are not surprised when they hear about it, you quickly gather other reports of harassment or assault of varying levels, the accused has plagiarized or stolen credit or falsified expense reports or done other ethically questionable things, the accused has consolidated a lot of power and attacks anyone who seems to be a challenge to their power, the accused tries to change the subject to their own grievances or suffering, the accused admits they did it but minimizes the incident, or the accused personally attacks the reporter using respectability politics or tone-policing.

In either case, your job is to investigate the long-term behavior of the accused, looking for signs of narcissism and cruelty, big and small. Rock stars leave behind a long trail of nasty emails, stolen credit, rude behavior, and unethical acts big and small. Go look for them.

Make it easy for victims to find and coordinate with each other

Rock stars will often make it difficult for people to talk or communicate without being surveilled or tracked by the rock star or their assistants, because private or anonymous communication allows people to compare their experiences and build effective resistance movements. To fight this, encourage and support private affinity groups for marginalized groups (especially people who identify as women in a way that is significant to them), create formal systems that allow for anonymous or pseudonymous reporting such as an ombudsperson or third-party ethics hotline, support and promote people who are trusted contact points and/or advocates for marginalized groups, and reward people for raising difficult but necessary problems.

Watch for smaller signs of boundary pushing and react strongly

Sometimes rock stars don’t outright break the rules, they just push on boundaries repeatedly, trying to figure out exactly how far they can go and get away with it, or make it so exhausting to have boundaries that people stop defending them. For example, they might take a little too much credit for shared work or other people’s work, constantly bring up the most disturbing but socially acceptable topic of conversation, resist de-escalation of verbal conflict, subtly criticize people, make passive-aggressive comments on the mailing list, leave comments that are almost but not quite against the rules, stand just a little too close to people on purpose, lightly touch people and ignore non-verbal cues to stop (but obey explicit verbal requests… usually), make comments which subtly establish themselves as superior or judges of others, interrupt in meetings, make small verbal put-downs, or physically turn away from people while they are speaking. Rock stars feel entitled to other people’s time, work, and bodies – signs of entitlement to one of these are often signs of entitlement to the others.

Call people out for monopolizing attention and credit

Is there someone in your organization who jumps on every chance to talk to a reporter? Do they attend every conference they can and speak at many of them? Do they brag about their frequent flyer miles or other forms of status? Do they jump on every project that seems likely to be high visibility? Do they “cookie-lick” – claim ownership of projects but fail to do them and prevent others from doing them either? If you see this happening, speak up: say, “Hey, we need to spread out the public recognition for this work among more people. Let’s send Leslie to that conference instead.” Insist that this person credit other folks (by name or anonymously, as possible) prominently and up front in every blog post or magazine article or talk. Establish a rotation for speaking to reporters as a named source. Take away projects from people if they aren’t doing them, no matter how sad or upset it makes them. Insist on distributing high status projects more evenly.

A negative organizational pattern that superficially resembles this kind of call-out can sometimes happen, where people who are jealous of others’ accomplishments and successes may attack effective, non-rock star leaders. Signs of this situation: people who do good, concrete, specific work are being called out for accepting appropriate levels of public recognition and credit by people who themselves don’t follow through on promises, fail at tasks through haplessness or inattention, or communicate ineffectively. Complaints about effective leaders may take the form of “I deserve this award for reasons even though I’ve done relatively little work” instead of “For the good of the organization, we should encourage spreading out the credit among the people who are doing the work – let’s talk about who they are.” People complaining may occasionally make minor verbal slips that reveal their own sense of entitlement to rewards and praise based on potential rather than accomplishments – e.g., referring to “my project” instead of “our project.”

Insist on building a “deep bench” of talent at every level of your organization

Your organization should never have a single irreplaceable person – it should have a deep bench. Sometimes this happens through a misplaced sense of excessive responsibility on the part of a non-abusive leader, but often it happens through deliberate effort from a “rock star.” To prevent this, constantly develop and build up a significant number of leaders at every level of your organization, especially near the top. You can do this by looking for new, less established speakers (keynote speakers in particular) at your events, paying for leadership training, creating official deputies for key positions, encouraging leaders to take ample vacation and not check email (or chat) while they are gone, having at least two people talk to each journalist, conducting yearly succession planning meetings, choosing board members who have strong opinions about this topic and a track record of acting on them, having some level of change or turnover every few years in key leadership positions, documenting and automating key tasks as much as possible, sharing knowledge as much as possible, and creating support structures that allow people from marginalized groups to take on public roles knowing they will have support if they are harassed. And if you need one more reason to encourage vacation, it is often an effective way to uncover financial fraud (one reason why abusive leaders often resist taking vacation – they can’t keep an eye on potential exposure of their misdeeds).

Flatten the organizational hierarchy as much as possible

Total absence of hierarchy is neither possible nor desirable, since “abolishing” a hierarchy simply drives the hierarchy underground and makes it impossible to critique (but see also the anarchist critique of this concept). Keeping the hierarchy explicit and making it as flat and transparent as possible while still reflecting true power relationships is both achievable and desirable. Ways to implement this: have as small a difference as possible in “perks” between levels (e.g., base decisions on flying business class vs. economy on amount of travel and employee needs, rather than position in the organization), give people ways to blow the whistle on people who have power over them (including channels to do this anonymously if necessary), and have transparent criteria for responsibilities and compensation (if applicable) that go with particular positions.

Build in checks for “failing up”

Sometimes, someone gets into a position of power not because they are actually good at their job, but because they turned in a mediocre performance in a field where people tend to choose people with proven mediocre talent over people who haven’t had a chance to demonstrate their talent (or lack thereof). This is called “failing up” and can turn otherwise reasonable people into rock stars as they desperately try to conceal their lack of expertise by attacking any competition and hogging attention. Or sometimes no one wants to take the hit for firing someone who isn’t capable of doing a good job, and they end up getting promoted through sheer tenacity and persistence. The solution is to have concrete criteria for performance, and a process for fairly evaluating a person’s performance and getting them to leave that position if they aren’t doing a good job.

Enforce strict policies around sexual or romantic relationships within power structures

Rock stars love “dating” people they have power over because it makes it easier to abuse or assault them and get away with it. Whenever we hear about an organization that has lots of people dating people in their reporting chain, it raises an automatic red flag for increased likelihood of abuse in that organization. Overall, the approach that has the fewest downsides is to establish a policy that no one can date within their reporting chain or across major differences in power, that romantic relationships need to be disclosed, and that if anyone forms a relationship with someone in the same reporting chain, the participants need to move around the organization until they no longer share a reporting chain. Yes, this means that if the CEO or Executive Director of an organization starts a relationship with anyone else in the organization, at least one of them needs to leave the organization, or take on some form of detached duty for the duration of the CEO/ED’s tenure. When it comes to informal power relationships, such as students dating prominent professors in their fields, they also need to be forbidden or strongly discouraged. These kinds of policies are extremely unattractive to a rock star, because part of the attraction of power for them is wielding it over romantic or sexual prospects.

Avoid organizations becoming too central to people’s lives

Having a reasonable work-life balance isn’t just an ethical imperative for any organization that values social justice, it’s also a safety mechanism so that if someone is forced to leave, needs to leave, or needs to take a step back, they can do so without destroying their entire support system. Rock stars will often insist on subordinates giving 100% of their available energy and time to the “cause” because it isolates them from other support networks and makes them more dependent on the rock star.

Don’t set up your community so that if someone has a breach with your community (e.g., is targeted for sustained harassment that drives them out), they are likely to also lose more than one of: their job, their career, their romantic relationships, their circle of friends, or their political allies. Encouraging and enabling people to have social interaction and support outside your organization or cause will also make it easier to, when necessary, exclude people behaving abusively or not contributing because you won’t need to worry that you’re cutting them off from all meaningful work or human contact.

You should discourage things like: semi-compulsory after hours socialising with colleagues, long work hours, lots of travel, people spending almost all their “intimacy points” or emotional labour on fellow community members, lots of in-group romantic relationships, everyone employs each other, or everyone is on everyone else’s boards. Duplication of effort (e.g., multiple activist orgs in the same area, multiple mailing lists, or whatever) is often seen as a waste, but it can be a powerfully positive force for allowing people some choice of colleagues.

Distribute the “keys to the kingdom”

Signs of a rock star (or occasionally a covert narcissist) may include insisting on being the single point of failure for one or more of: your technical infrastructure (e.g., domain name registration or website), your communication channels, your relationship with your meeting host or landlord, your primary source of funding, your relationship with the cops, etc. This increases the rock star’s power and control over the organization.

To prevent this, identify core resources, make sure two or more people can access/administer all of them, and make sure you have a plan for friendly but sudden, unexplained, or hostile departures of those people. Where possible, spend money (or another resource that your group can collectively offer) rather than relying on a single person’s largesse, specialized skills, or complex network of favours owed. Do things legally where reasonably possible. Try to be independent of any one critical external source of funding or resources. If there’s a particularly strong relationship between one group member and an external funder, advisor, or key organization, institutionalize it: document it, and introduce others into the relationship.

One exception is that it’s normal for contact with the press to be filtered or approved by a single point of contact within the organization (who should have a deputy). However, it should be possible to talk to the press as an individual (i.e., not representing your organization) and anonymously in cases of internal organizational abuse. At the same time, your organization should have a strong whistleblower protection policy – and board members with a strong public commitment and/or a track record of supporting whistleblowers in their own organizations.

Don’t create environments that make boundary violations more likely

Some situations are attractive to rock stars looking to abuse people: sexualized situations, normalization of drinking or taking drugs to the point of being unable to consent or enforce boundaries, or other methods of breaking down or violating physical or emotional boundaries. This can look like: acceptance of sexual jokes at work, frequent sexual liaisons between organization members, mocking people for not being “cool” for objecting to talking about sex at work, framing objection to sexualized situations as being homophobic/anti-polyamorous/anti-kink, open bars with hard alcohol or no limit on drinks, making it acceptable to pressure people to drink more alcohol than they want or violate other personal boundaries (food restrictions, etc.), normalizing taking drugs in ways that make it difficult to stay conscious or defend boundaries, requiring attendance at physically isolated or remote events, having events where it is difficult to communicate with the outside world (no phone service or Internet access), having events where people wear significantly less or no clothing (e.g. pool parties, saunas, hot tubs), or activities that require physical touching (massage, trust falls, ropes courses). It’s a bad sign if anyone objecting to these kinds of activities is criticized for being too uptight, puritanical, from a particular cultural background, etc.

Your organization should completely steer away from group activities which pressure people, implicitly or explicitly, to drink alcohol, take drugs, take off more clothing than is usual for professional settings in the relevant cultures, or touch or be touched. Drunkenness to the point of marked clumsiness, slurred speech, or blacking out should be absolutely unacceptable at the level of organizational culture. Anyone who seems to be unable to care for themselves as the result of alcohol or drug use should be immediately cared for by pre-selected people whose are explicitly charged with preventing this person from being assaulted (especially since they may have been deliberately drugged by someone planning to assault them). For tips on serving alcohol in a way that greatly reduces the chance of assault or abuse, see Kara Sowles’ excellent article on inclusive events. You can also check out the article on inclusive offsites on the Geek Feminism Wiki.

Putting this to work in your community

We waited too long to do something about it.

Odds are, your community already has a “missing stair” or three – even if you’ve just kicked one out. They are harming and damaging your community right now. If you have power or influence or privilege, it’s your ethical responsibility to take personal action to limit the harm that they are causing. This may mean firing or demoting them; it may mean sanctioning or “managing them out.” But if you care about making the world a better place, you must act.

If you don’t have power or influence or privilege, think carefully before taking any action that could harm you more and seriously consider asking other folks with more protection to take action instead. Their response is a powerful litmus test of their values. If no one is willing to take this on for you, your only option may be leaving and finding a different organization or community to join. We have been in this position – of being powerless against rock stars – and it is heartbreaking and devastating to give up on a cause, community, or organization that you care about. We have all mourned the spaces that we have left when they have become unlivable because of abuse. But leaving is still often the right choice when those with power choose not to use it to keep others safe from abuse.

Responses

While we are not asking people to “cosign” this post, we want this to be part of a larger conversation on building abuse-resistant organizations and communities. We invite others to reflect on what we have written here, and to write their own reflections. If you would like us to list your reflection in this post, please leave a comment or email us a link, your name or pseudonym, and any affiliation you wish for us to include, and we will consider listing it. We particularly invite survivors of intimate partner violence in activist communities, survivors of workplace harassment and violence, and people facing intersectional oppressions to participate in the conversation.

2016-06-21: The “new girl” effect by Lex Gill, technology law researcher & activist

2016-06-21: Patching exploitable communities by Tom Lowenthal, security technologist and privacy activist

2016-06-22: Tyranny of Structurelessness? by Gabriella Coleman, anthropologist who has studied hacker communities

We would prefer that people not contact us to disclose their own stories of mistreatment. But know this: we believe you. If you need emotional support, please reach out to people close to you, a counselor in your area, or to the trained folks at RAINN or Crisis Text Line.

Credits

This post was written by Valerie Aurora (@vaurorapub), Mary Gardiner (@me_gardiner), and Leigh Honeywell (@hypatiadotca), with grateful thanks for comments and suggestions from many anonymous reviewers.

He said, they said

Content note for discussion of sexual violence.

A number of people are now coming forward with details of the long record of sexual misconduct committed by Jacob Appelbaum. The stories I have read are entirely consistent with my own experiences being sexually involved with Jacob in 2006-2007.

I am writing this under my real name because I am fortunate enough to be able to afford to. I am lucky to have a stable economic and immigration situation, and I am not close enough to Jacob’s world to be in any way dependent on his opinion of me, or on the opinions of people who might support him. I know that’s not true for everybody, and I recognize that many of the people speaking up about Jacob’s abuse are marginalized – by state surveillance, by gender, by sexuality, by geography, by poverty, and by other factors. I stand with their decision to publish their accounts of his actions in a way that allowed them to feel safer speaking out. I am also glad that Nick Farr has also felt able to come forward with his own experience under his own name.

Jacob and I were involved on and off over the course of 2006 and 2007, mainly spending time together at security conferences. During that time, I was also seeing other people, with the consent and awareness of all involved. In that time we spent together, he violated boundaries I set as though they were a game, particularly at times when I was intoxicated. There were a number of times I felt afraid and violated during interactions with Jacob. Being involved with him was a steady stream of humiliations small and large as he mistreated me in front of others and over-shared about our intimate interactions with friends who were often also professional colleagues.

For example, on several occasions in professional situations, he told other people that I was good at a particular sex act. On another occasion where my primary romantic partner at the time, Paul Wouters, was also present, Jacob ignored my use of a safeword when his sexual behavior turned into violent behavior that violated my limits. Paul and I both had to repeatedly tell Jacob to stop, and the experience was profoundly upsetting. I believe that one of the common elements of Jacob’s abusive behavior is humiliating one or another member of a couple in front of the other – as other accounts of his actions are published, that is something worth watching out for. (NB: I am including Paul’s name here with his consent – because that matters.)

Jacob was a charismatic and central figure in the security community I spent the early part of my career in. Many of our friends and colleagues saw the way he treated me and did nothing about it, so it took me years before I realized how abusive he was to me. Until that realization, I remained “friends” with him. It was witnessing his uncritical support of Assange and smearing of Assange’s accusers – something I disagree with intensely – that made me understand the true measure of his character. It was seeing him deny other women’s experiences of sexual violence that made me fully realize how bad my own experiences with him had been.

If you are horrified by this and want to take action, here’s what I suggest.

  1. Believe victims.
  2. Educate yourself on your role in enabling sexual violence: victim-blaming, the phenomenon of “missing stairs“, the effects of misogyny in activist communities, and why “go to the police” is so often bad advice for victims. Learn more about what you can do to fight it.
  3. Donate to nonprofits which fight sexual violence, such as SF Women Against Rape or Sexual Health Innovations, whose Project Callisto is trying to automate the process of collecting reports of sexual assault and connecting victims with each other, much in the same way Jacob’s alleged victims connected with each other. (Disclosure: I’m a volunteer on their advisory board because I care so much about what they do.)

One final note of warning: I’ve noticed at least one person who also has a history of sexual assault spreading word about the accusations about Jacob in a supportive way. I just want to say that, like Jacob himself, simply talking the talk about consent and sex positivity and “yes means yes” does not make someone a safe person to be around. Watch for people using this technique to groom future victims and don’t let someone’s words speak louder than their actions, big and small.

Comments are open but will be heavily moderated. I would prefer that people not contact me to disclose their own stories of mistreatment, as I am not (currently) a trained counselor and am already struggling with the emotional toll of publishing this. But know this: I believe you. If you need emotional support, please reach out to people close to you, a counselor in your area, or to the trained folks at RAINN or Crisis Text Line.