Monthly Archives: December 2017

This tumultuous year, 2017, is drawing to a close.  Many of us have weathered the holiday season and have sat through the attendant family dinner table discussions that happen over Thanksgiving, Hanukkah, Christmas, and so on.  However, I’m told by many friends that this year something was different.  Yes, there was still the occasional deluded ranting from someone’s racist aunt or uncle who wants to share whatever MAGA-inspired hatefulness they read from FreedomEagle88 on Facebook.  “Yeah, Daryl, sure… Of course there will be another border wall going up very soon, and this time Canada will pay for it,” was possibly the type of conversation someone was forced to silently head-nod along with, as they watched their relative yammer on and ask people to change the channel to Fox News.

But, for many families, people saw something new in the holiday dinner conversations this year.

For perhaps the first time in as long as I can remember, a rising tide has been swelling and the waves have crashed over the rabble of reactionary and misogynistic voices of the past, drowning them out.  I’m talking about #MeToo.  I’m talking about Codes of Conduct at conferences.  I’m talking about the fact that for the first time in as long as I can remember… mainstream, everyday voices are loudly and clearly expressing support for victims and shedding a light of inquisition on the accused.

This sea change which has impacted the dinner table, the hometown newspaper, and even the corridors of power and influence is also notable among the hacker community.

We have seen abusers in the hacker community outed and accusations aired publicly instead of kept quiet.  Conferences which had previously been resistant to adopting Codes of Conduct are now leading the charge and engaging with the community to solidify policy language and better-educate the public about their commitment to keeping attendees safe.  These are important changes and those in the hacker community who have driven these positive steps deserve thanks and appreciation.


But 2017 apparently isn’t going to go out quietly, it would seem.

Some of you have already seen the reports coming out of this year’s Chaos Communication Congress event, but for those who have not… here’s a quick rundown to get you up to speed:

  1. The CCC events are magical happenings of discovery, free association, hacking, and community building.  For many in the community, this is the “big” one that they look forward to attending every year.
  2. The CCC events also have, unfortunately, been one of the cornerstones for abusive behavior… a place where perhaps most-infamously Jake Appelbaum harassed and abused others for years without being stopped.
  3. The organizers of CCC have been resolute in their resistance to adopting a Code of Conduct despite the fact that it is long overdue, especially for an event with such a checkered past.  They have what they refer to as an “anti-harassment policy” but it is pretty toothless given that, as has always been the problem for events without a clear-cut and fully-featured CoC, there are no enforcement mechanisms or policies that speak to how they will keep attendees safe.
  4. In keeping with the CCC’s historical policy of “mediating chats [between] opponents” as opposed to taking action to expel abusers, we see yet another example of a badly mishandled report of abuse this year…
  5. Someone reported to CCC back in August that a documented, verified abuser was possibly considering attending the event this winter.  Ultimately, the CCC organizers ignored this information (and all of the police reports and other evidence) and have allowed the attacker to attend.  And they informed the victim on the eve of the event, after they had spent time and money traveling to Germany.
  6. Even now with public pressure mounting and more and more “are you kidding me?!” comments and “I will never attend CCC if they do not address this!” statements being aired by notable figures in the hacker community, the Chaos Communication Congress has taken the official position of, “We don’t want to get involved, we aren’t going to eject this accused person, and the decision is final.”


To say that this is tone-deaf and ultimately self-defeating barely covers it.  I am deeply saddened that as a community we have to keep having this battle when people come forward with well-founded accusations against someone in our midst.  However, I understand why this happens.  I know… because I’ve seen it firsthand for myself.


Let me take you on a journey to Poland, back in 2013.

For a number of years, my associates and I were a mainstay at an event called CONFidence, run by the ProIdea crew.  We appeared as speakers, we ran hands-on workshops and lockpicking tables, and ultimately we created an immersive, live-action game that took participants on a frenzied journey through hacking and shooting challenges.

While my team and I were present in 2013 to run this contest, an incident occurred on the eve of the conference, after the speaker/organizer dinner at a local restaurant.  Accusations were leveled against Fernando Gont by Georgia Weidman (both of whom were invited to speak at CONFidence that year*) after an encounter in a hotel room.  I want to be as clear as possible about my beliefs regarding how events unfolded that year:  I do not think the accusation was responded to properly.  I do not like that the victim was not shown adequate support.  And I feel personal regret for any role I played in the matter.

Yes, I include myself in the landscape of errors which took place in Krakow that summer.  As a notable figure within the hacker community (and because of the fact that I was an American and thus more personally known to the other American speakers at the event) the organizers as well as the victim both turned to me for support at the time.  And, being totally untrained and ignorant of how to best approach the situation, I was only able to offer unhelpful blank stares and what amounted to little more than a hug and “can I get you anything?” statements.

I offered the same statements we’ve all heard so many times before:

  1. “I wasn’t there when anything happened” (my team and I were not staying at the conference hotel, but rather in another part of the city) and
  2. “I had heard that the local authorities were handling the matter, so wasn’t that the right course of action?”


Looking back on it, I regret that my ignorance of how matters like these unfold made me a very imperfect ally and an unhelpful friend at the time.  Of course, now we know better.  As a society (and as a community) we now know that victims shouldn’t be put in a position where they are compelled to make difficult decisions and be responsible for how incidents are investigated during a time when they are hurt and feeling vulnerable.  (This is best seen in the myriad ways that event organizers will ask a victim “what do you want us to do?” or “what do you think the proper response should be?” etc, etc.)

I also allowed myself to be pulled into a Twitter debate over the “merits” of the conflicting accounts and I spoke unkindly to the parties involved.  I allowed my own desire to not be a part of a divisive situation to undermine my ability to act in support of others.  (This is often seen in the “this sounds like a problem between the two of you… leave me out of this” type of statements that organizers as well as other community members will make when they want to see a distressing incident simply “go away.”)

The event put up a blog post afterwards, wherein they offered many of the same sanitized statements that we have heard in one form or another regarding previous incidents elsewhere.  “We verified that both hotel security and the local police were responding to the situation,” the organizers remarked. They asserted that they were “providing all possible support to both of the parties involved in this matter.”  They went on to state, “We handled all logistical arrangements to ensure that they would not be obligated to have any further contact with each other, we continued to serve as a liaison between them and the Polish authorities, and we have offered to do whatever is necessary in order to help them resolve this matter.”


It is a response written in corporate-speak, and one which makes it sound like the matter is resolved… at least to corporate ears.  But the response that spring in Poland utterly failed to provide support to the victim and failed to address the incident in the same way that the Chaos Communication Congress is failing to handle things right now.

Passing the buck to local police authorities and then taking the position of “we’ve done all we can, now please leave us out of it” has been recognized time and time again as an inadequate response, and one which usually continues to harm the victim while letting the accused party off virtually scot-free.  Now, I get it… I really do.  I was there** when the organizers*** took this position.  Looking back, I see how easy it was for everyone to fall into the trap of “the police should handle this” as they throw up their hands.  However, passing serious accusations along to local authorities should be the start of the response process, not the end of it.  No one is suggesting that conferences have the same powers of investigation and response as law enforcement, but they still have a duty to consider evidence and take any steps possible to protect their attendees.

The actions of the Chaos Communication Congress have been very lacking in this regard.  Their response to this incident has been to…

  1. Ask the victim to provide evidence of their attacker’s actions
  2. Privately consider the evidence without asking for further input or help from experts
  3. Position the victim before a panel who seems to have been openly contemptuous of her claims and who directly dismissed the evidence being turned over to them
  4. Ultimately land on the “we don’t know what to do, so please leave us out of this” position… and tell both the victim and the accuser that they may attend.  Which, of course, continues to punish the victim while absolving their attacker of any responsibility or consequences.


The victim is not the only one harmed by this response.  The community as a whole is hurt.  And this will continue to be the case, with more people put at risk and bad actors not forced out of the scene, as long as we allow corporate-style thinking and passing the buck to take place when reports of wrongdoing surface.

I wish to truly apologize for any part I played all those years ago in an event’s failure to adequately respond to an accusation.

The organizers of the Chaos Communication Congress should apologize for the way that they are failing the community now.



So, How Should Events Respond to Incidents?

There is no shortage of people expressing everything from chagrin to outrage over the manner in which the organizers of CCC are handling this situation.  (I am not familiar with anyone, actually, who has yet come out in defense of their decision in this matter.  Please forward me any news of that if you’ve seen such comments.)

However, amid this tidal wave of criticism being directed at the Chaos Communication Congress for doing basically everything wrong, it may be beneficial to take a moment to explore what conferences should do if they wish to get things right.  What training, plans, and policies should an event adopt if they are seeking to build a meaningful, useful toolkit which will help them address incidents that come up?  What ground work should organizers lay as a foundation in order to keep their attendees safe?

I am not an expert in this field, but I have run several conferences and events of varying size and can speak to the bare minimum preparation that organizers should undertake.  These are just considered the minimum best practices.  Speaking with subject matter experts and seeking outside advice and counsel from other sources is recommended.


Emergency Contacts

Every event organizer should research and prepare a list of contact information, at minimum, for their venue security, local police, nearest emergency room, local crisis centers or counselors, and have some means of summoning and directing transportation options for others.

Specifically, do you know the head of security for your selected hotel or meeting space?  Do you know their actual name or do you just have an office extension or email address?  Do you know if they work a regular shift?  What happens if the hour is late and they’re not on duty?  Do they have subordinate staff who will respond right away?  If your conference is particularly large, consider reaching out to your local police precinct before your event.  Ask them about the best means of reporting an incident quietly and through proper channels… lest you be left with no other option than to simply dial 911 and be routed through a variety of switchboards only to ultimately have two patrol officers with no specific crisis training appear in a marked cruiser with their lights flashing.  Do you know directions to the closest hospital with an Emergency Room?  Have you researched local facilities that specialize in counseling people who are facing mental health crises or sexual trauma?  Are their staff available at all hours or is an alternate contact line necessary during the night?  Lastly, consider provisioning something like a Lyft account on certain staff members’ phones with payment cards already configured so that your event can summon hassle-free transportation as needed to or from the venue, to local emergency care, etc.

Prepare all of this information in advance of your event and share it with your staff members as part of their orientation.


Instruct All Staff on How to Process Reported Incidents

You will not likely have the opportunity to train all of your staff on every detail of handling incidents (especially if your staff consists partially of volunteers) but at a minimum they should be instructed to…

  • reassure victims that they are being heard and supported
  • offer victims a safe and private location to discuss what happened
  • not “push” victims into divulging more information than they are comfortable sharing or taking actions they do not want to
  • ask victims “is there someone you want here with you?” and assist them in fetching this other trusted party
  • take notes and establish a written record of incidents as soon as possible when they are reported (if the victim is comfortable with it, written notes can be taken during the reporting process itself)
  • if everyone is presently physically safe, involve law enforcement or security only at a victim’s request
  • offer to inconspicuously escort (or immediately find a suitable escort) the victim to the next most appropriate location to which they want to proceed.  (NOTE – even very small events should be able to provision at least one person for such duty to ensure the safety of attendees as necessary.  If “escorting someone for the next 20 to 30 minutes” is a burden upon your event met with concerns of “but then who will run the T-Shirt sales?” or “I was able to take this report from you but I have to remain here to monitor the radios” then your event did not plan for adequate staff.)


Do Not Ask Victims for Advice on How To Proceed

Do not burden victims further with emotional or logistical work.   A great deal can be said about this but it should be thought of as framing all interactions with the victim as, “We are preparing to follow-up by doing such-and-such, are you OK with that?” as opposed to, “Do you want us to do such-and-such in order to address this?” or, even worse, “What do you think should happen next?”

Imagine if someone were to visit an Emergency Room.  They walk in from the vestibule with a deep laceration on their arm and approach the triage nurse.  They say, “Oh my gosh!  I’m bleeding pretty badly here!”  The ER staff will immediately assess the situation and then spring into action, using all of the tools and training (which they had already prepared in advance) to best attend to this person’s needs as efficiently and professionally as possible.  What the ER staff will not do is have a few nurses, orderlies, and maybe a doctor stand there in a semi-circle and ask in a desultory tone, “So what do you think should be done about this?”

“I’m bleeding here!” the patient might respond again… “can you please help?  Stop the bleeding!” is all they can muster.  “Well,” one of the nurses says, “did you do anything in particular to cause this wound?  You aren’t one of those people who juggles knives, are you?”  A doctor perhaps reaches into a drawer and comes over, holding gauze and some suture thread.  “I can press some gauze and quick clot down on it right away if you want this stopped quickly.  Or, I can stitch you up.  That might take a little longer, but could be more effective.  What do you think you’d prefer us to try first?”

Can you imagine this taking place in an Emergency Room?  Of course not.  Because, we all recognize that during a moment of crisis, an individual who has suffered a trauma like this should not be burdened with making their own decisions in that instant.  They are most likely not in the best position or headspace to judge exactly what actions should be taken and this is precisely why they have turned to other people — people whose role is to have more training and preparation — to execute on addressing the issue.  Now, good bedside manner dictates that the hospital staff would be wise to keep the patient informed as to what is taking place (“in a situation like this, we really need to get some disinfectant on the wound.  It is likely to sting, but only for a second.  I’m going to swab it with this alcohol pad now… ready?”) but at no time should the patient be burdened with deciding what is going to happen next.  The only decision that rests with the victim in that moment should be whether they are consenting to the care being provided.

Perhaps an example of a near-perfect response to a hypothetical reported incident at an event would be the following:

OK, I am understanding that you have had a specific individual following you around during the whole event, sitting near you during talk track sessions, and ignoring your desires for them to leave you alone.

In accordance with our policies, we’re going to have them come speak with us in a private meeting room and we’ll be informing them that it’s been reported that they are breaking the rules of our event by harassing someone else in attendance.  We aren’t going to mention you by name, nor will we confirm your identity if they ask.

We are going to make it clear that this behavior is not acceptable and that it has to stop.  If they continue to follow you around or wind up next to you at parties, please let us know immediately.

Are you OK with us following-up on this?  Where would you like us to escort you right now?  Do you have a safe place you can go and any trusted friends whom we can have escort you there or meet you there?  What is the best medium through which we can get in touch with you later?

We are so sorry that this has happened to you at our event.  This is not what we stand for or want to see from our community.


Have Specialized Staff who Act On Reported Incidents

While any staff member (or even a monitored email inbox or phone line) can process incoming incident reports, it should be the duty of specific, designated staff members to respond to them.  Have a specific point person (or persons) who are responsible for enforcing your event’s Code of Conduct.  Ideally, such persons would have at least a modicum of crisis intervention training or counseling training.

Incoming reports of any harassment or incident should be passed along to these specific staff members (if the situation permits, such specialized staff may be brought in during the initial time of report-taking when a victim has come forward) for handling in accordance with your event’s policies.  The dedicated staff member should do their best to conduct an investigation and then determine what ramifications, up to and including possible expulsion, are merited.


Investigation of Accusations

Ask the victim if they are aware of any witnesses to what took place.  Do not burden them with heaps of additional logistical work in tracking down such people if possible.  If the individual reporting the incident knows roughly who the other witnesses may be, make the effort to seek them out through channels available to you.

It is also appropriate to speak to the accused party.  It is recommended that this be done in a place of privacy and safety much like the one afforded to the reporting party when they made their initial statements.  (Care should be taken, of course, to not have these two parties cross paths when escorting them in or out of such a space.  The accused party may not be entitled to immediately know the identity of the reporting party right away.  This is not essential to your investigation.)  When speaking to the accused, ask about their own version of events and if they have their own witnesses who may offer a different account.

Most of all, an event should do their best to seek out impartial 3rd party witnesses (but in doing so organizers should do their best to not broadcast the nature of the incident too widely or share private details of what transpired or what has been reported.  One might simply seek, say, a group who was dining at an adjacent table and state to them, “We had a report of a small disturbance earlier, were you eating here at this booth 20 minutes ago?  May we ask if you witnessed anything out of the ordinary?”)

Regarding the “no one else witnessed it” problem… this is perhaps the biggest hurdle over which many event organizers stumble, and stumble badly.  An incident may have taken place in a private space, or off-site, or perhaps even long before your conference was scheduled to take place.  If there are no other witnesses to corroborate any party’s account of what transpired, let these two rules guide you:

  1. Any additional evidence, even if it is imperfect, may be considered
  2. No one says you have to get things 100% right immediately, but err on the side of protecting people


Understand that you, as a private event, are not held to the same standards of evidence as police investigators or the court system.  You do not have to reach any specific standard regarding “reasonable doubt” or “admissibility” and the like.  Even if the evidence available to you would not be sufficient to have a judge grant an order of protection or for a prosecutor to bring criminal charges against a perpetrator… you, as the organizer of a private event, absolutely have the right to follow through with whatever ramifications (up to and including expulsion) that you feel would best serve the safety of the victim and the community.


On Ramifications and Expulsion

Part of the responsibilities you are choosing to shoulder by organizing a public event is the duty to enforce your Code of Conduct, and this may mean taking action against individuals who act badly.  Before you open your doors and before any incident has ever been brought to your attention, your organization should have:

  • A written policy on how warnings are given to alleged perpetrators who transgress your Code of Conduct
  • A practice of centrally-recording and documenting warnings so that it is known if someone has already been spoken to
  • A written policy concerning how many warnings an individual may be afforded before being asked to leave (to ensure consistent enforcement)
  • A policy that also takes into account patterns of behavior, off-site actions, and other factors which may not have been part of official, reported on-site incidents but which speak to whether an attendee is committed to behaving well or behaving badly
  • Acknowledgement that a single serious or deliberate offense can move someone past the phase of being issued “warnings” and potentially result in immediate expulsion
  • A written policy that explains how attendees who have been expelled may be reimbursed or may appeal this ruling, if they disagree with the nature of the enforcement

If people are gathering together at an event which you are organizing, you have a responsibility to them and to the community.  Prepare for incidents before they ever happen and instruct your staff on how to treat everyone with respect and kindness so that victims are supported and ramifications for rule-breaking are enforced fairly and consistently.

Much in the same way that we as a community have stood up and said “if you can’t follow a Code of Conduct, you don’t belong at an event” we should also acknowledge that if people can’t commit to planning for the safety of attendees at their event adequately, they shouldn’t be running one.






* At the time, the names of the parties involved were made public on Twitter and through a series of blog posts, but they are being repeated here only after asking Georgia if this would be ok to do while retelling this account.

** Full Disclosure: I believe I may have actually been among the first individuals to see the event’s statement of response to this incident.  As a native English speaker, I was shown a preliminary draft of the text and wound up providing grammar and wording corrections to the organizers.  At the time, I had stated that I was considering blogging about the whole matter myself, but I never did.  It feels pretty shitty, I have to admit, that the only “official” statement out there regarding what happened is written in this sanitized language.

*** Additional Full Disclosure: While I don’t typically disclose internal business matters, I must acknowledge that the last time my team and I worked with ProIdea, a number of invoices were left unfulfilled and we are still owed money from the event organizers.  It’s been years and therefore sadly it is money we don’t honestly ever expect to collect, but I simply want to be up front about this so that no one attempts to levy accusations of “Deviant is looking back on this with a new viewpoint simply because that event didn’t pay their bills.”  That is not the case.  I am looking back on this incident with fresh eyes and new views because my own understanding of these kinds of incidents has grown thanks to the efforts of so many in the community who have spent time educating others about victimization, harassment, and the abusers who have hidden among our ranks for far too long.