Tag: code of conduct

Thoughts on recent Drupal governance decisions

(Content warning: This post discusses BDSM and abuse.)

[Updated 12:20 PDT 28 March 2017: Corrected spelling errors and added a few clarifications, including the opening notes 1-3 below.]

[Update 9:30 PDT 31 March 2017: Dries and Drupal Association have posted a thoughtful follow-up regarding this situation. Link added in-line below as well.]

[Updated 18:50 PDT 3 April 2017: Fixed minor typos. Added clarification about targets of kink-shaming. Added notes 4-5.]

[Updated 10:30 PDT 18 April 2017: Added notes 6 and 7.]

Note 1: In many contexts, including when talking about community governance, I use a rather broad definition of “abuse” and “abusive.” Abuse includes not just physical and sexual assault, but also repeated interpersonal misconduct as well as harassment. Interpersonal misconduct includes many things such as: lying, deception, and manipulation; violating the boundaries of others; not respecting the agency, autonomy, and equality of others; and more. These types of transgressive behaviors are often hard to detect and discern by others in a way that is actionable and can go on for a long time without the person engaging in them being brought to account.

Note 2: Many have characterized what I have written below as evidence of my passing unfair, hasty judgements about the contributor who was asked to step down from Drupal leadership. Some assume I made these judgements based on the sole fact of that contributor’s participation in the Gor community. In reality, I reviewed a lot of the contributor’s publicly available writing, including Drupal-related ones and formed my opinions based on that. If you haven’t done that and are vehemently defending the expelled contributor, I encourage you to reassess. And if you have and found the writing perfectly okay, I question your experience, maturity, and judgement.

Furthermore, I intentionally and specifically did not make direct statements about the “guilt” or “innocence” of the contributor or whether or not he is an abuser and nothing below should be read as such. Rather, the below should be read for two things: a) an explanation and refutation of common misconceptions people have about these kinds of situations when they arise, and b) a hypothetical alternative point of view of what might have happen in a situation such as what unfolded recently in the Drupal community.

Note 3: Several people have commented that Drupal has a Code of Conduct and a conflict resolution process, that it was followed and that the Community Working Group (CWG) found that the contributor had not violated the code of conduct. This is true, but doesn’t mean that there wasn’t a serious issue to address. In fact, the CWG indicated this to be the case and escalated up the leadership chain. Those who have experience in these matters know that even the most well-thought out and well-written policy isn’t going to handle every edge case and that you will need to have a process for handling those edge cases. That is, community governance doesn’t end with your code of conduct. In the most recent situation with Drupal, I believe they found an edge case where a contributor’s conduct was counter to the kind of community they wanted to foster but that they hadn’t accounted for in their code of conduct. (And, this doesn’t really surprise me, Drupal is using one of the weaker codes of conduct, one that I do not recommend, for this very reason, among others.)

Note 4: See this twitter thread for a follow-up analysis regarding those wanting a clear “victim” and wanting to know what the “rules” of conduct are. Also see this thread about consent and BDSM and this blog post about autism and compliance. See this thread for details on what makes me qualified to speak about the intersection of BDSM/Code of Conduct issues.

Note 5: A few people have asked which of the Drupal contributor’s public writings I read that informed my thinking on this issue. These include:

Note 6:  Below is a list of follow-up responses from various groups involved.

Statements from Drupal Community Working Group (CWG):

Statements from the Drupal Association:

Statements from Dries Buytaert:

Note 7: Members of the Drupal community and outsiders (including alt-right brigaders) who oppose the decision to ask LG to leave have created Drupal Confessions (DC) to pressure a reversal along with other governance changes. A lot of the language in DC’s statement reminds me of statements from LambdaConf organizer and Fantasyland Code of Professionalism (FCOP) author John de Goes. I wrote about what’s wrong with the FCOP earlier this year and updated my analysis in this twitter thread.


The Drupal community recently asked a long-time contributor to leave. (See follow-up post from DA/Dries on the matter here.)

A lot of the public response I’ve seen has been negative. And, most troubling, the separate decisions by the Drupal Association and project leader Dries are being cast by some as bigoted and exclusionary. I am seeing this sort of response from folks who are normally supportive — at least on a surface level — of projects having a code of conduct and of supporting diversity and inclusion. Interestingly, I am also noticing who is staying silent about the manner — a lot of women and folks who I generally know to have experience and good judgement in this area.

I am not part of the Drupal community, though I was part of the PHP community for many years. I do not have insider knowledge of the situation.

From my view as an outsider, I think the Drupal Association and Dries made the right decisions. If anything, they likely could have acted more decisively and skillfully sooner than they did, but that is often the case with these situations. Hindsight is 20/20, of course, and the FLOSS community is just started to exercise these type of governance skills. We have a lot to learn and we’re going to stumble along the way.

What I want to address in this post are the misunderstandings and misconceptions I see repeated every time one of our FLOSS communities reaches the point of imposing significant consequences upon a long-term, well-known contributor. And I want to share an alternative idea of what might have happened, one not based in bigotry or ignorance about consensual BDSM.

BDSM is not a protected class

While those who engage in BDSM might feel marginalized by mainstream society, they are not, as a class, subject to oppression anywhere near equivalent to what queer and trans folks, non-Christians, people with disabilities, and persons of color are. I believe folks have a right to privacy, including in regard to their sex life, and don’t believe in kink-shaming. However, to equate engaging in BDSM in and of itself with being a member of an oppressed class is incorrect and gross. (Furthermore, on a personal note, I loathe the equating of BDSM and queer in this way because it re-contextualizes being queer as being about sex, which it’s not.)

Furthermore, I do not think folks are commonly ostracized from communities simply because it becomes known that they engage in consensual BDSM play. In fact, I’ve never encountered this at all. (Update 3 April 2017: When I wrote this I was thinking in terms of white, straight, hetero cis men as those who are not kink-shamed. I absolutely recognize marginalized folks are subject to kink-shaming. See Shanley’s twitter thread for more on this.)

What I do now to be common are the following two scenarios.

One, a non-BDSM community or community member sets a boundary and asks someone not to discuss their BDSM practices within that community setting. This is entirely appropriate. No one is entitled to share and have an audience to share the intimate details of their sex life whenever they want. This isn’t oppressive or bigoted. It’s reasonable and appropriate boundary setting. (Tangentially, it’s not appropriate to “come out” as BDSM either, especially during times set aside for queer folks to do that.)

Two, a BDSM or BDSM-adjacent community ostracize a community member who has been engaging in transgressive behavior. Usually this is abusive behavior conducted under the guise of consensual, above board BDSM but instead crosses the line of established norms and practices into abuse.

BDSM and Gor are not equivalent

Okay, so the bit about Gor is kind of specific this Drupal incident…I hope? Regardless, it exemplifies the kind of discernment skills we need to be able to apply in these situations. One (acceptable) thing can look like another (not acceptable) thing and we need to practice telling the difference.

Even a cursory bit of research tells you that Gor and BDSM are not the same thing. Predominantly, those who engage in Gor are into the philosophy (not the fantasy) of the Gor novels. These novels posit that women are intrinsically inferior to men and should be rightfully dominated by them. For many who call themselves Gor, these ideas exceed the realm of fantasy enacted as part of recreational roleplay and extend into their everyday world view. This fact, to me, crosses the line from the privacy-deserving consensual power exchange of BDSM into something unacceptable and deserving of scrutiny. A “lifestyle” follower of Gor is overwhelmingly likely to negatively impact any community in which they participate in a non-trivial way.

Perhaps this seems harsh. Maybe it is. I strongly believe folks have a right to whatever weird private life they want to have. But there are limits. If on weekends you like to roleplay as a Nazi in charge of exterminations at Auschwitz, or a white plantation owner who whips Black slaves, I have a hard time believing you are a perfectly decent person during the week at work. Maybe it’s possible, I don’t know. My personal experience with kink is minimal and tangential (never really my thing). But I know folks with kink experience and they confirm the Gor sub-community is not well-regarded.

(For more details about Gor and how it isn’t BDSM, check out this article.)

Slippery slope!

Some folks have invoked a slippery slope argument: Well, if we exclude folks based on their misogynistic private life, are we also going to exclude fundamentalist evangelical Christians who publicly espouse misogyny and homophobia?? To which is say: Yes.

Yes, it is okay, and, I would argue, just, to exclude people from your community who publicly express cis, white, male, straight, Christian, heterosexual supremacy (in any combination of those attributes). Those who do this are the people keeping everyone else who is not them away. You do not need to coddle or protect these people. If you think your project cannot survive without the support of white male supremacists and their enablers, stop to consider if perhaps you are part of the problem.

Lack of public details does not automatically indicate bad governance

Those of us who have been a part of FLOSS communities for a long time are used to certain ways of working. We’re used to “working in the open” via written, recorded media. We expect to be able to get up to speed on an issue by reading though a mailing list’s archives, an IRC channel’s log, or a bug’s comment thread. We feel entitled to access and absorb this information and then chime in with our own view of things, be it lay opinion or reasoned expertise, or something in between. We expect to have this point of view meaningfully considered in the process of decision-making.

These norms work relatively well for collaboratively producing software. They do not, however, work for addressing certain community governance topics, including most conduct issues. These require private communication, limited numbers of people involved in making decisions, and a vagueness when publicly reporting outcomes.

All but the most trivial issues regarding community members’ conduct requires careful handling. The security principle of least access necessary applies. Only those who need to be a part of the decision-making process should be party to the often very private details of conduct-related incidents. This is especially true of situations regarding on-going or long-term abuse.

When a decision is reached it is unwise and likely unethical to share the details of the evidence that was considered in making that decision. Public statements you make about individuals involved in the decision are subject to libel and defamation law suits. The more specific your statements, the greater the risk. Not only to project leads have an obligation to limit the liability they expose their projects too, they also have an obligation to protect the privacy of all those involved, perpetrator and victim alike.

Unlike with technical decisions, decisions about governance, especially conduct, can never be as transparent as we’d like. As such, a certain amount of opaqueness is not necessarily a sign of bad governance. In fact, it can be a sign of good governance. At best project leads should, if they are able, share the nature or category and volume of evidence considered as well as the process that was followed.

Because in these cases good governance prohibits complete transparency, it’s incredibly important that you trust your project leaders. And, likewise, it’s important that project leaders work to establish and build trust continually, not just when code of conduct issues arise.

Lack of understanding of abuse dynamics

Each time one of these conduct issues arise, I’m reminded of how insidious abuser dynamics are and how little awareness there is with in our community about how they work.

This lack of understanding combined with lack of information about specific incidents causes a lot of otherwise decent community members to come to the defense of those who have engaged in transgressive behavior, including serial abusers.

Abusers are master manipulators. They are adept at shaping how people perceive them and they use a whole array of techniques to do this, deflection and distraction chief among them. Abusers always have the upper hand when it comes to (mis)information because they aren’t playing by the same rules as the rest of us. They will lie, violate others’ privacy by reveling intimate details, and overshare irrelevant details. Anything they communicate serves the purpose not of genuine communication and connection, but of creating a particular outcome in their favor.

In terms of public opinion, organizations who take action against serial abusers are almost always at a disadvantage. It’s the prisoner’s dilemma (to use an imperfect analogy). You always lose when you play with a cheater unless you’re also a cheater.

Abusers leverage social power and privilege to gain access to potential victims and to maintain their ability to abuse. It’s not unheard of to discover abusers have been masquerading as advocates for women in tech, for example. Doing so gives them credibility, cover, and access.

Abusers groom victim as well as accomplices. This is an incremental and long-term effort. Abusers do not exist in a vacuum. Their abuse is enabled by others who look the other way, come to their defense, and otherwise provide cover. Perfectly reasonable, “good” people participate in this all the time. It’s hard to spot and hard to break away from. Abuse endures through denial. It’s “normal” for those subject to abuse to minimize and lie about what they experience until they’ve been able to breakthrough this denial. Having previously said good things about your abuser, characterized their behavior as okay, or come to their defense is not an indication you weren’t abused.

Most abuse is never reported. As such, most abusers aren’t reported until they’ve abused multiple people and most communities don’t or aren’t able to take action until they’ve received multiple reports about a single person.

Fruit of the poison tree

Sometimes we hear things about others we’d rather not have been told. Sometimes we are given information obtained through questionable or even transgressive means.

In US law, evidence obtained through illegal or improper means is usually excluded from consideration, as being “fruit of the poison tree.” While I think this is an important standard in criminal legal proceedings, I do not think it applies in the same way to community stewardship. I’ve written before about how communities can and should act extra-legally and I believe the same concept applies here.

So, as opposed to in a court of law, in community we must still account for the fruit of the poison tree, even when we’d rather not.

Earlier I invoked the prisoner’s dilemma, in which the only way to win against a cheater is to either not play or to cheat as well. Dealing with abusers is not all that dissimilar. It’s hard to gather enough information about a potential abuser in order to confirm their abuse, and to do so, you often have to play their game, at least a little bit.

Am I condoning outright digging into anyone’s personal life and sharing those details with project leadership or the public? No, I’m not. There’s great potential there for abuse, especially of already marginalized folks. But if that’s the only way to reveal serial abuser? Yeah, then a certain amount of it might be justified.

Furthermore, the appearance of poison fruit could be an intentional distraction designed to deflect blame, or even a mere coincidence. It is not unheard of for abusers, when their abuse is revealed, to claim discrimination or persecution based on some unrelated aspect of themselves, including participation in BDSM activities.

What might have happened

Again, I don’t have insider information about the Drupal situation. But I have been on the leadership side of complicated community conduct situations. It is never easy or straightforward.

In the case of Drupal, it’s my best guess that something like this happened:

It was an open secret that the long-time contributor (LTC) they asked to leave held problematic views. He did not act on them so egregiously as to provide a clear, unequivocable reason to expel him. Instead, some in leadership positions grimaced at LTC’s conduct, while others looked the other way, or failed to see the problematic behavior at all or as problematic. People warned their friends to stay away from this LTC and tried to shield them as much as possible from his bad behavior. At the same time, this LTC had allies who supported him and helped him maintain his leadership position.

Over some period of time, people started coming forward with reports of abuse by this LTC. As is often the case, the folks making the reports request privacy and that the details of their reports not be made public or otherwise shared widely (and so most of us will never have direct knowledge of it). Perhaps also at this time people who felt this LTC’s behavior was problematic took it upon themselves to try to help and started mining private message boards for incriminating information about him. They found some and shared with project leadership.

At this point, project leadership has several reports of abuse by this LTC (which they can’t tell us about in any detail) along with information about LTC private life they’d rather not know, but that they feel they must act upon, particularly in light of the several other reports of misconduct they’ve received.

So, project leadership works their process, perhaps skillfully, perhaps less so, and this culminates in LTC being asked to step down from their leadership position and/or leave the project. Being less than experienced at dealing with such issues and wanting to respect people’s privacy as well as limit the liability exposure of the project, they refrain from making a public statement.

The LTC, seeing an opportunity to gain back some of the upper hand, posts his own story in which he includes a bunch of semi- or completely irrelevant details, crying BDSM discrimination, in hopes of obfuscating and confusing the real reason he was asked to leave. Project lead, in turn, responds with a post attempting to explain as much as he can, as clearly as he can, without violating anyone’s privacy or exposing the project to a defamation/libel action.

I have no idea if I’m right, but that’s my intuition about what’s going on in this case. I certainly find the above scenario far more plausible than a project expelling someone who is otherwise completely decent for consensual BDSM play in their private life.

An Analysis of the Fantasyland Learning Code of Professionalism (FCOP)

Update 17:15 PDT 2017-04-12: The FCOP has been modified since I wrote the analysis below. I do not believe any of the updates resolve any of the concerns I raise below. If you’re curious about which version I analyzed, it was probably commit 9a5fa97. And if you want to see what’s been updated since then (as of today, commit 051d3ed), take a look at the nice diff I made. One of the primary authors of the FCOP is going around asserting I am a liar, so I want to be clear about which version I analyzed and that I maintain the concerns I raise are still valid in the current FCOP. 

Update 11:45 PDT 2017-04-14: For an analysis of the “current” FCOP, see this twitter thread.

I have a good amount of experience regarding codes of conduct for open source communities. I am co-author of the Citizen Code of Conduct. I was part of the incident response team for Open Source Bridge and Stumptown Syndicate for several  years. I know what’s involved in responding to the code of conduct you adopt for your community.

Part of my experience includes reading a lot of other communities’ codes of conduct and providing feedback on what is likely to work well and what is not likely. Creating governance policies is not easy, and is more difficult so the less experience you have.

Recently the organizers of LambdaConf drafted and adopted a code of conduct, which they call the Fantasyland Institute of Learning Code of Professionalism (FCOP). This code is beyond mediocre. It’s downright dangerous. I do not recommend you adopt it in your community nor that you attend any event using this as its code of conduct.

To demonstrate why, I will give a detailed textual analysis of the FCOP.


STATEMENT OF PURPOSE

The Fantasyland Institute of Learning Code of Professionalism (FCOP) dictates the terms and conditions under which we allow you to participate in the community.

First off, the name “Fantasyland” gives me the creeps. I either think Disney-style amusement park, or the adults-only connotation of “Fantasyland” related to sex toys and porn. Neither of these have much to do with what I think of as professional programming spaces.

Also, “dictates” and “we allow you to participate” indicates a very top-down, hierarchical approach.

The purpose of FCOP is to facilitate inclusiveness and productivity (towards our professional goals) in our community despite operating in a pluralistic society.

Use of the word “despite” presupposes that community and diversity are necessarily at odds with each other. My way of looking things is that conflict in inevitable in any community, and that certain types of conflict arise when you have a very diverse community. Conflict is a normal part of social interaction. It’s how we learn and grow together. Conflict is not the same as abuse, though conflict not appropriately resolved can lead to abuse and abuses certainly create conflict as a way to exercise power and control.

To accomplish this goal, we restrict the community to civil people, and protect such people from discrimination, stereotyping, harassment, judgmental communication, and breaches of privacy.

What is meant by “civil” is defined later on, and I find the definition given a bit bizarre. Before I get to that, I want to examine the text with regard to the dictionary definition of civil. The one that adds the most meaning to this context is: “adequate in courtesy and politeness.”

To me it doesn’t make sense to prohibit people from being discourteous or impolite. To do so is to confuse niceness for kindness and to prioritize manners over genuine interaction. What is considered mannerly behavior is highly contextual and is based on class, culture, ethnicity, age, gender, and more.

Part of being in community is giving space for people to express themselves even if that means doing so angrily or impolitely or in another manner you might find distasteful. Expressing anger is not necessarily the same thing as acting violently.

Moreover, it is entirely possible for a person to act abusively all the while doing so politely. In fact, this is how many serial abusers get away with their behavior for so long.

But, like I said, the FCOP authors aren’t using the dictionary definition, or even really a conventional meaning of “civil.” Here’s how they define it:

Civil. We define civil individuals as individuals who, in our sole estimation, do not and will not engage in the following behaviors during active participation or inactive participation:

Crimes. Any criminal behavior in which there is a victim.

Community Sabotage. Any behavior (excluding non-violent communication) directed at sabotaging the community for political, religious, ideological, or moral reasons.

Professional Sabotage. Any behavior directed at sabotaging a member’s career for political, religious, ideological, or moral reasons; including attempting to no-platform a member or pressuring an employer to fire a member.

So, to FCOP authors, and LambdaConf organizers, being civil and participating meaningfully in community is defined solely by not engaging in criminal behavior for which there is a victim, or any behavior that counts as sabotage of the community or any of its members.

Pretty low bar, don’t you think?

If anything, it tells you what they value most: Not wanting any responsibility for making decisions about handling “criminal behavior” (whatever that means, they don’t specify), and not wanting to have to respond to any negative criticism at all, which they characterize as sabotage.

FCOP is explicitly not intended to impose any system of politics, religion, ideologies, morals, or values onto members.

Perhaps not, but it is certainly doing so implicitly as any standard of community norms and behavior does, whether it is written or not. FCOP authors seem to be trying to impose an apolitical worldview upon their community, which is not possible (because there is no such thing).

SHORT-FORM

We welcome all civil people to participate in the community. We do not allow discrimination, harassment, judgmental communication, or breaches of privacy. We do not exclude any civil people from our community unless they have been banned by us for a violation of these terms and conditions.

Again, the use and emphasis on civility tells me “you can get away with a lot if you sound polite.”

(My former evangelical co-worker who, in one email, tells me how much he respects me but then reiterates that my invalid marriage threatens the very fabric of his and also that I am godless would love this provision.)

But, of course, once you scroll down to the TERMS section you’ll realize that’s not even how FCOP authors mean civility. You’re civil as long as you don’t perpetrate crime upon another or sabotage the community.

Furthermore, this is how FCOP authors define discrimination (from the TERMS section):

Discrimination. We define discrimination as any favoritism shown or withheld to someone either on the basis of a stereotype or a non-community related group membership.

When discrimination is defined without an reference to power dynamics, it is usually a bad sign. I’ve seen this definition used countless times to dismiss or discourage any program or effort designed to get more folks from underrepresented groups involved in tech. Those who cry “reverse racism love this definition.

WELCOME STATEMENT

We welcome civil people of all genders, gender-expressions, sexual-orientations, gender-orientations, races, ethnic origins, skin colors, physical handicaps, mental handicaps, ages, sizes, political views, religious views, philosophies, beliefs, and attitudes.

Again with the use of “civil.” Also, I am pretty sure “handicap” is not the preferred term any more.

We pledge that we will not tolerate discrimination, harassment, judgmental communication, or breaches of privacy. We pledge to hold ourselves to these same standards and, in so doing, set a positive example for others to follow.

Most of this sounds okay. But what is “judgmental communication”? Can’t wait to learn what they mean by that! It smells bad to me already.

Saying “we pledge to hold ourselves to these same standards” is a weird way to indicate that these rules also applies to leadership. The whole code of conduct should apply to leadership as well as “regular” community members.

We greatly value integrity and pledge to establish the highest levels of trust in members.

Who is doing the establishing here, leadership or members?

BEHAVIOR

Oh, now we get to the good part. First, they create a distinction between “active” and “inactive” participation. We don’t learn how each of these types of participation is defined until the end of the FCOP in the TERMS section:

Active Participation. We define active participation to include the behavior of members while they are in the boundaries of the community.

Inactive Participation. We define inactive participation to include the behavior of members at all times and under all circumstances.

Ah, so FCOP authors distinguish between “active” and “inactive” participation as a way to clarify scope: within community activities and outside of it.

ACTIVE PARTICIPATION

During active participation, you must behave as described in this section.

Don’t Stereotype. Treat everyone as unique. Do not infer characteristics of a person based on their [perceived] membership in some group or category.

This might sound like a good thing to include in your code of conduct, but is likely to have unintended consequences.

First, not all stereotypes are negative or invalid. If someone introduces themselves as a born-again evangelical Christian, and they don’t explicitly tell me they support marriage equality, there is a very good chance they do not. Second, stereotyping is an important cognitive tool that helps us make sense of the world. It’s not possible to prohibit it because it’s something we all do.

What’s important is how we act on the information an assessed stereotype has given us. And there’s nothing inherently wrong with making initial judgements about others based on stereotype. This is how we survive in the world. Stereotypes become problematic when we do not update our understanding of someone based on new information, when stereotypes are used to perpetuate biases not based in reality, and when they are used to reinforce existing unjust power structures.

Don’t Communicate Judgmentally. You must not communicate the idea that any person, place, thing, idea, or action is superior or inferior to any other. Instead, talk about observations, analyses, models, and your own personal preferences.

I can’t think of any way it would be possible to have meaningful discussion while following this rule. As worded, it is a prohibition against discerning right from wrong, or even good from better, about anything, even in the most relative or contextual ways.

As written, you couldn’t give a technical recommendation in the form of “Given what you just told me about your situation, I think X would be the best solution.” Rather, you would have to phrase it as “In a similar situation, I have observed A solution have B result, and X solution have Y result,” or as “In that situation, my preference is for X solution.”

What is the value is in asking your community members to jump through such linguistics hoops?

Furthermore, stating something as a personal preference doesn’t preclude folks from implying (and thereby communicating) the idea that something is inferior or superior. Saying, “I prefer that society only recognize the marriages of heterosexual couples and that all sexual activity outside of legal marriage be punished” sends a pretty clear message about what you find superior and inferior.

Don’t Harass. Do not interact with anyone who does not consent. For verbal and written interaction you may assume consent for the first interaction, until the recipient communicates otherwise. For physical interaction, close physical proximity, and persistent gaze, you must assume non-consent until the person clearly and unambiguously communicates otherwise.

Harassment is not defined here, but later on under TERMS with this very narrow scope:

Harassment. We define harassment as an attempt to interact with someone who does not consent to the interaction.

Neither statement addresses the issue of repeated, verbal and written communication to which there is no response or the many other forms of harassment which might occur.

Don’t Pry. Do not go out of your way to read, watch, or listen to the private communications of other members (including trying to read their screens or listening to their private conversations). If you do read or overhear a private conversation, do not share it.

This feels weird to me as worded and I wonder why it’s in here. Is the intent here to be respectful or people’s privacy, or is to shield bad actors from scrutiny?

Don’t Obstruct. Do not attempt to disrupt communication between members, the activity of members, or the congregation of members.

I feel the same about this provision as I do “Don’t Pry.” Would intervening when another community members appears distressed be considered obstruction? What about speaking up during a talk if the speaker is presenting inappropriate material?

Assume the Best. Assume the best intention when others communicate with you. If you don’t understand what someone meant, or have questions about it, ask them directly rather than speculating or spreading rumors. If someone appears to be communicating judgmentally (“Coffee is good”), assume they did so only as a shorthand way of speaking, and ask them to clarify what objective metrics and personal predictions and preferences they are implying (“I like coffee”).

Not everyone acts with the “best intention” and operating with those folks like they do can be detrimental. It is your choice how much good or bad intention to assume about another person’s behavior. No one else has the right to dictate that for you. It’s a highly personal decision, based on many factors including your lived experience in the world and possibly your prior history with the person, community, or context in question.

If “assuming good intent” works for you personally, great. But it’s a tactic that doesn’t serve everyone equally. And when you require community members to assume good intent, you take away their personal agency. It is a tool of domination. Don’t do it.

These requirements on behavior apply to members only while they are actively participating in the community.

If it applies to members only, what rules, if any, apply to guests in community spaces?

The standing of members is unaffected by behavior that does not comply with these requirements if this behavior occurs in other communities.

This is one of the most dangerous provisions in the whole code.

It means that anyone with a past or present history of bad conduct in another community is completely exempt from consequences in this community. Did you abuse your position of authority in another community? No problem in this one, you’re welcome to have a position of authority here. Are you a serial harasser and abuser of women elsewhere? No problem here, we welcome you with open arms! Have you been sanctioned by other communities for homophobic, transphobic, racist remarks? We welcome you!

The best predictor of future behavior is past behavior. It is patently absurd to make it a rule that you will ignore any and all information about a person’s past behavior in making decisions about how to include them in  your community.

INACTIVE PARTICIPATION

During inactive participation, you must behave as described in this section.

Be Civil. Do not engage in criminal activity, and do not sabotage the community or member’s careers for political, religious, ideological, or moral reasons.

Does that mean it’s okay to sabotage them for other reasons?

It can be dicey to draw lines around criminal activity, especially with regard to non-violent crimes for which people of color, for example, are arrested and punished for at much greater rates than their white counter parts. It also excludes a whole section of our citizenry who have almost no economical opportunities except those that are underground. Or those who break unjust laws for good reasons.

The reference to “sabotage” here reads to me like a prohibition against doing anything that might possibly create negative consequences for the community or one of its members. That’s problematic because: a) it’s not something one has total control over, b) it implies you’re supposed to subjugate your own needs to avoid even the possibility of bringing unwanted attention to the community or one of its members.

Don’t Dox. Do not disseminate any private details about others learned within the community without express permission, including but not limited to real name, address, phone number, or photo identity.

Other codes of conduct define doxing and “posting” or “publishing”, which implies doing so publicly, in a place available to a wide, uninterested audience (“uninterested” here meaning: without a valid interest in the information).

That FCOP authors use “disseminate” implies to me that you’re not to share anything you’ve learned about community members outside of that community, even in a non-public, secure way to an interested audience.

Sharing information about people, in order to increase the safety of the community as a whole, is not the same thing as doxing.

Don’t Shame. You must not negatively communicate about a member’s behavior (which occurred inside the community, or which you learned about while inside the community) with anyone outside the community without express permission of the discussed members, where the discussed members themselves decide what is negative.

Also one of the most dangerous provisions of this code.

It prohibits you from telling anyone outside the community about any “negative” experience you had with another community member without their permission. Someone harasses you? Can’t tell anyone about it unless the person who harassed you says it’s okay.

Moreover, the person who engaged in the behavior defines what is “negative”  so you might very well break this rule without meaning to or even knowing you did.

These requirements on behavior apply to members at all times, even when they are not actively participating in the community.

Ah, okay, so what you do outside of the community doesn’t matter as long as you don’t do something that happens to bring negative attention to the community. Got it.

PRIVACY

Private Communication. During active participation, you may take phone calls, direct messages, emails, and other semi-private forms of communication. Although private communication is not bound by FCOP, we expect all communication that can be seen or overheard by other members will comply with the requirements of FCOP.

Why is this even in here? It adds nothing except an onerous requirement than anyone you’re conversing with follow the FCOP if there’s any possibility they can be overheard or seen.

Private Consumption. During active participation, you may consume material on your own personal devices and from your own channels of communication, and this material does not have to conform to FCOP, assuming the material is not easily discernible to others.

Watching porn or reading ESRs blog out in the open in a community space is fine as long as no one knows you’re doing it. Okay. Wait, is porn even actually prohibited by the FCOP?

VIOLATIONS

No Victimless Crime. If you are a victim but you do not feel victimized, you may choose to not report the violation. In this case, we will not treat the incident as a violation.

In other words, we only want to do work if someone makes a stink about it. And we’re very specific about who is allowed to make a stink about it.

Reporting Process. Active participation violations must be reported to us within 15 days by victims, and may not be reported by third-parties. Inactive Participation violations may be reported at any time, and by anyone, even non-_members_.

Two weeks and a day. That’s all you get to rest, recover, and reflect upon anything that happened about which you might want to report. Take longer than that to process? You’re SOL. Get distracted by a work deadline, vacation, or come down with the conference crud? Sorry Charlie, you’re SOL.

I can’t think of any good reason for this provision other than reduce the amount of work for those tasked with responding to reports.

Want to report something you witnessed on behalf of another conference attendee? Nope, not allowed. Even if they’ve asked you for help.

Oh, except “inactive participation” violations can be reported at anytime, by anyone, including non-members.

 

Unofficial Resolution. For minor offenses and in cases where they prefer doing so, we encourage victims to speak to violators, using the language of non-violent communication (NVC). If you would like to do this with the help of an independent mediator, contact us and we will arrange for one.

This tells me organizers want to do as little work as possible, putting as much of it on those who are subject to transgressions. This is not how you empower those in your community, especially those who are marginalized.

Official Resolution. If you want an official intervention, we will appoint a judge. The judge will speak individually to all parties, including witnesses, before deciding on a course of action, which will involve rejecting the reported violation, or accepting it and imposing a penalty on the violator.

Correct me if I’m wrong, but don’t judges usually determine when a “person, place, thing, idea, or action is superior or inferior to any other”? Isn’t that disallowed by this FCOP?

The writers of the FCOP are so unimaginative and ill-equipped to be leading community, they can envision only two ways to respond to a report: outright rejection of it or a punitive measure. In my several years experience responding to code of conduct issues, the needed response has almost always been somewhere in-between those two extremes.

Penalties. Violators may be warned, asked to apologize, forced into training, counseling or mediation, or ejected and banned from the community, at the sole discretion of the judge.

That being warned, or asked to apologized, is framed as a penalty tells me a lot about how the FCOP writers think about stewarding community. Getting feedback on your behavior along with a request to modify it is not a penalty in and of itself. Nor is it handing out a penalty if you’re the one giving that feedback. It is part of being a social being. We all engage in inappropriate or unskillful behavior at one time or other and get feedback from others about it. Yes, sometimes this hurts and we feel shame, but this isn’t the end of the world. Learn from it and move on to do better next time.

You can’t force community members into training, counseling, or mediation. You can ask that they go as a condition of continued participation in the community, but that’s about it.

It’s not a good idea to have one person solely responsible for addressing code of conduct reports, as this implies.

Social Rehabilitation. No one can be banished for life, only for a determined number of years, not to exceed 5 years. Formerly banned parties can be reintegrated into the community through a rehabilitation process determined by us.

I would generally applaud a nod to rehabilitation, but I at this point I have zero trust in the authors of the FCOP. And including an arbitrary prohibition against lifetime banishment and a maximum of 5 years makes little sense to me. It implies banishment expires after 5 years, regardless of the circumstance.

Confidentiality. Reporting a violation is a confidential process. We will not publish information on any reported incident or the parties involved in the incident. Note that criminal behavior of any kind will not be kept confidential.

Again, I wonder how they determine criminality, at what point they make that decision and what they do with information they don’t consider confidential. This does not inspire trust as worded.

DISPUTES

In the event there is a dispute about the meaning of any term or clause in FCOP, we alone will clarify the intent.

In other words, it doesn’t matter how the community at large interprets what we’ve written in the FCOP. We’re free at anytime to clarify what we actually meant by what we wrote and use that instead.

More thoughts about the neveragain.tech pledge and what you can be doing instead

The neveragain.tech pledge continues to gain traction (if you can call it that) and I continue to analyze why I find it so troubling. For my initial thoughts, see this blog post.

A code of ethics or a call to collective action?

It’s not clear what the pledge is supposed to be. Is it a code of ethics and and conduct for our profession, or is it a call to collective action? I think it’s trying to be both, and it’s doing both very poorly.

Our profession already has a code of ethics.

In terms of trying to be a code of ethics: our profession already has this and has for some time. In fact is has a few to choose from. There’s the ACM Code of Ethics and Professional Conduct, the joint ACM/IEEE-CS Software Engineering Code of Ethics and Professional Practice, and the IEEE Code of Ethics. One of these are referenced by the pledge, but only way on down in the resources section and without context.

Whenever you eschew an existing standard, you ought to give a compelling reason why. Otherwise you give the impression of ignorance (not knowing about it in the first place) or egotism (doing something new so you can put your name on, h/t @JohnMetta).

I suspect a lot of us have never heard of any of the existing codes of ethics for our profession, or if we have it hasn’t been in any serious context of actually applying the code in our day to day work. If this is because so many of us are self-taught, or because these codes aren’t taught in computer science curricula, or some combinations there of, I don’t know. I am interested in finding out and in helping to educate my colleagues and put these codes into wider practice with commensurate accountability mechanisms.

If these existing codes are flawed and need revising, let’s work on that together. You can comment on the ACM’s revised draft now through 15 January, 2017. If you care about this stuff, go do that now. Don’t put it off.

In terms of serving as a code of ethics for our profession, the neveragain.tech pledge is significantly lacking. It is simultaneously uncomprehensive and overly prescriptive.

A poorly thought call to action.

In many ways, the pledge looks much more like call to collective action, especially given the part that commits signers to resigning their employment if they are forced to comply with behavior defined as misuse of data. This is a kind of direct action.

But in this it fails too, for any metric more significant than shallow performance. Where is the accountability, the support, the education, the building of trust required for effective collective action? Where is there any clue that the organizers of the pledge actually understand how to lead a collective action?

There are some glaring statements and omissions that make it clear to me they do not. First, the pledge requires people to quit their jobs rather than comply. Now, resigning might be the right thing for an individual to do based on their own sense of dignity or respect or emotional well-being. And, it might feel like a righteous and just action. But it isn’t necessarily the most effective action to take. For it to be effective many people would have to quit at once. And perhaps not even then. In their guide on Effective Strikes and Economic Actions, the IWW says “Workers can be far more effective when they take direct action while still on the job.”

It’s clear the organizers are overwhelmed and delighted by the volume of response to the pledge. However, it’s not clear to me they’ve given any real thought to the number of people required to partake in a collective action in order to make it effective and whether or not those numbers are achievable starting with this kind of online pledge.

How many does it take to be effective?

There’s no definitive participation rate at which strike-like actions are guaranteed to be effective. While we have a rich history of labor organizing upon which to draw, every direct action is different. What we do know is that whatever the circumstances, enough of the labor force needs to participate such that the target organization feels or fears significant, negative, long-term financial consequences.

Let’s say, for sake of this thought exercise, that the number is 20%. (Here is where I would love to hear from managers or executives about which percentage would cause you concern and make you change course.) According to the Bureau of Labor Statistics, approximately 4 million people are employed as tech workers. This doesn’t include those who are self-employed, and it might also be excluding those who have other job classifications but happen to write software. Again, this is a thought exercise, not a scientific paper. The idea here is to get a rough idea of scope.

20% participation x 4 million tech workers = 800,000 signers to pledge

As I’m writing this, 1943 people have signed the pledge already.

1943 / 800,000 = 0.24% towards goal

What would it take to reach the goal of 800k? Let’s say another 8k folks hear about the pledge through word of mouth, are sold right away, and show up to sign the pledge. That would bring the total to 10k.

10k / 800k = 1.25% towards goal

Now what would it take to get those additional 790k signers? Each existing signer would need to convince 79 of their colleagues to sign.

Applying the 20% goal to individual companies looks something like this to reach 20%:

  • Google (Alphabet): 13.9k
  • IBM: 75.5k
  • Facebook: 3.14k
  • Oracle: 27.3k

I’m using these companies global workforce numbers, because that’s what is most readily available, but you get the idea.

I bring up these numbers not to shit on the efforts of the neveragain.tech pledge organizers. I bring them up because I continually see our community fail to coherently, meaningfully discuss and analyze our tactics for driving change. It’s not enough just to have enthusiasm. You also need to know what you’re doing and have a good plan!

(The above numbers assume that everyone who signs the pledge will also follow through on their commitment to take direct action in their workplace. Assuming 100% is highly optimistic.)

There is more at stake than a Muslim registry. And there has been for a long time.

I say this not to minimize the threat to Muslim Americans or Muslim refuges living in America. That threat is very great.

It is also great to women, Latinos, Blacks, queer folks, those who are trans and gender non-conforming, those who are neuroatypical, those living with differently-abled bodies, those who struggle with houselessness, and those who are poor. The scale and nature of likely harm to individuals with differing intersections of these identities will vary, of course. I list them here not to equate them, but to demonstrate the scope of probable harm to our fellow citizens (of America and of the world).

Moreover, these folks have already been subject to varying kinds of harm and oppression and for quite some time. This did not start with the election of Trump. Tech has always had an obligation to stand up for these folks and by and large it has done a very bad job. Just look at how many of your co-workers are not white, straight, cis, male, and abled-bodied.

Every conversation about diversity and inclusion you stood by and watched or played “devil’s advocate” in was a missed opportunity to stand up for injustice. Every time you did not take us seriously about Gamergate. Every time you let your “difficult” colleague (who was likely a women, or Black, or queer, etc.) stand alone and be ostracized for raising an issue about how something your company was doing would have negative effects.

Tech colleagues, you’ve had a lot of opportunities that you’ve just completely squandered. I personally, have very little confidence, you will suddenly start to do markedly better.

And my confidence is not raised when the mechanism by which you are promising to do better repeats the very same mistakes we as a community have been making all along.

Continuing the status quo.

In my earlier blog post, I mentioned that I can’t join a movement when I don’t know who its leaders are. It turns out that the organizers of the pledge aren’t anonymous. They are revealing themselves to the media and on Twitter and probably elsewhere. But this isn’t the same as transparency or accessibility.

The pledge itself gives no background on how it was created or by whom. One should not have to dig for this information. It should be available via the pledge itself or no more than a link away.

Obfuscating leadership and process doesn’t promote individual responsibility nor does it make an effort more inclusive. All it does is obscure the context and motivation conferred by the project and make leadership less accountable to participants.

In tech, we have a long history of imposing our solutions on those who are marginalized, without their input or consent. We compound this error by ignoring or dismissing feedback when given.

Because the organizers have chosen to obscure who they are and by what process they created this pledge, I can only assume this same pattern is true. This is all the more true when at least one of the organizers is has a history of being hostile towards others’ religious practices and of ignoring the feedback from the people of color in communities they steward.

What I do see is a lot of (white) people on Twitter defending the pledge and Black folks saying it’s performative, shallow, and not helpful and not being listened to. Go see for yourself.

Not every effort deserves merit.

In my earlier blog post, I countered the idea that the pledge is the least folks can do. I want to expand on that by saying it might actually be quite counterproductive to support this thing.

It can hurt and does hurt to give attention to ill-conceived efforts. Attention is a finite resource. Giving our attention to poorly conceived or implemented efforts means there is less to give to ones that are better designed and better serving of their communities. Positive attention often brings benefits of all kinds: social and financial capital, credibility, etc. Folks with greater privilege, like white folks, receive more than their fair share of these benefits for work of lesser quality. And once they do, their projects and methods are remembered as good examples. And thus the cycle of mediocrity reinforces itself.

This is dangerous and counter-productive. It inhibits our ability to learn and grow. It reinforces the status quo and is antithetical to building solidarity.

Right action is way more complicated than you think.

Something else implied by this pledge is that there will be definitive moments where you know you are being asked to do something wrong and you will have a clear choice to comply or to walkaway.

In my experience, the actual situations we end up facing are nothing like this. They are complex and confusing and how best to act is quite often not clear. It takes continual, stumbling practice and a trusted network of advisors to gain enough experience to skillfully embody the ethical action we commit to.

And, for the most part, steps towards wrong action are gradual and indirect. I’ll illustrate this with a story.

Once upon a time, at my old job, I was on a call with the marketing team. We were discussing a project aimed at raising awareness about the importance of the open web. I noticed that the team, who was solely responsible for sourcing content for this project, was all men. I asked about the plan for including some women on the team. The response was deafening silence and the energy completely drained from the “room.” After some moments, someone responded with some kind of non-answer so empty I don’t recall now. The call continued and then concluded.

Sometime later, this same project published a pro-gamergate piece. All hell broke loose. Leadership had to deal with the ensuing PR mess. The project lead left the organization. We lost yet more credibility with our community.

Now, I’m not saying that having a woman on the team would have prevented the selection and publishing of a pro-gamergate piece. But I think it would have lessened its likelihood.

More importantly, the team’s and leadership’s failure to respond to the diversity issue I raised is directly related to the giant misstep it look later in publishing that gamergate article. No one was asked on that call to find and publish a pro-gamergate piece. They weren’t even asked to stay silent about the topic I raised; they simply did so because that was the prevailing culture. And in doing so, they took a small step towards creating the conditions for that later bad action to occur.

The lesson here? Start developing your senses now. Be on the look out for repercussions five, ten, twenty steps down the line. Speak up for all the little things because they lead to big things. Listen to your “difficult” colleagues when they raise issues even if you don’t quite understand where they are coming from. Use your privilege to assert publicly that what your colleague is saying is important and needs to be addressed. Start spending your social capital. Don’t wait for a rainy day, it is already upon us.

Some things you can do.

There are things you can do that require a lot more work than signing a pledge, but will be much more meaningful and impactful. Starting with the most specific and moving to the most general:

Read everything you can about labor organizing. If you’re curious about strike actions in particular, start here. Haymarket Books has a good collection of books about the labor movement and is having a 50% sale. While you’re ordering books from Haymarket, you might as well also get some on black politics and feminism. Read everything you can on IWW’s website. Then join if you are eligible. Figure out how to apply what you are learning in your workplace and in your community. A general strike is being planned for inauguration day. Learn about it and figure out if it makes sense for you to participate and how.

Commit publicly to abiding by one of the established codes of ethics for our industry. If you can’t decide, use ACM’s. Write a blog post saying that you’re committing to it and why. Tweet about it referencing neveragain.tech so folks following along know there is another option. Ask your colleagues to commit publicly as well. Encourage them if they hesitate. Start brining up the code of ethics in your daily work. You can do this by asking questions in your team meetings such as, “How does feature X abide or not abide with the code of ethics we’ve agreed to uphold?” Do this for processes that are already in place as well as new ones you are asked to create. Do this until it feels natural and then keep doing it. Hold your colleagues accountable, in whatever mechanism makes most sense, if you see them doing something contrary to the code. Likewise, support them if they seem to be struggling to uphold the code or being pressured to ignore it. Share your experiences doing all of these things, via which ever channels make most sense.

Find ways to materially and emotionally support the existing efforts of those who are most marginalized and at greatest risk. Support these efforts publicly, when it makes sense. Ask others to support these efforts. Listen deeply and learn from the folks leading these efforts without burdening them or colonizing their spaces.

Look for ways to build and support community where you live and to help meet the needs of those living closest to you. Pay attention to your neighborhood. Be a meaningful, respectful part of it.

Find ways to do the hard work of changing yourself. Prepare to give up things you have long taken for granted.

The complex reality of adopting a meaningful code of conduct

A number of prominent, globally distributed open source projects are debating the adoption of a Code of Conduct: Ruby, PHP (rfc, discussion), WordPress. There are probably others. Additionally, thousands of smaller projects have adopted codes of conduct as have many conferences.

Why are some communities able to quickly and effortlessly adopt a code of conduct while others become mired in conflict and division whenever the topic arises?

In this post I explore what I see as the main reasons we experience conflict when talking about adopting codes of conduct in our communities:

  1. misalignment of perceived shared values
  2. the relative difficulty of facilitating organizational change
  3. lack of governance infrastructure and non-technical leadership

What I hope people take away from this post is a greater appreciation for the potential complexities of FOSS communities meaningfully adopting a code of conduct and some ideas for confronting these challenges constructively, including:

  1. closing the non-technical leadership gap in our communities
  2. embracing multiple viewpoints and integrating conflict productively
  3. employing compassion and unconditional positive regard whenever possible

Some Background

Why the current momentum around adopting CoCs?

Many FLOSS communities have been around for years, yet the push for codes of conduct is relatively recent, picking up steam about 5 years ago.

What is the reason for this momentum?

First, let’s examine what a code of conduct is for. The purpose of a code of conduct is to make explicit the agreed upon social norms of group interaction within the community. There are many ways to accomplish this, but generally a code of conduct should document:

  1. expected behavior;
  2. unacceptable (transgressive) behavior,
  3. a mechanism for reporting problematic conduct and grievances, and
  4. consequences for unacceptable behavior.

All communities already have an implicit set of social norms. This is important, so I’m going to repeat: All communities already have a set of norms that govern group interactions, whether they are written or not. What a code of conduct does is make a subset of those norms explicit by putting them in writing where everyone can see them.

Over the last few years there has been a significant push for tech communities to adopt codes of conduct that make explicit a specific set of norms that strive to make these communities more equitable, welcoming, and safer for individuals from groups generally underrepresented in tech. This includes explicitly defining the destructive behavior that those from underrepresented groups are disproportionately subjected to and specifically labeling that behavior as unacceptable. The reason this is important is that the opposite standard of behavior generally remains the status quo across our communities. We may want to believe that harassment and other problematic behavior rooted in racism, classism, homophobia, sexism, transphobia, misogyny, ableism, etc., does not happen in our communities because we have never personally witnessed or been subject to it, but it happens nevertheless.

Making explicit a set of social norms that so clearly strives to re-balance power dynamics is one reason why some have such a vehement reaction against adopting a code of conduct. Those previously in the dominant social group will, on average, have to give up some of their power. Everyone will have to learn new ways of interacting. Change is scary.

Let’s not forget intersectionality

Before I continue, I want to make the intersectionality of my approach clear. Those who generally belong to the group with the dominant social power can suffer abuse and injustice too. Everyone in a community needs to abide by the community norms. Everyone is deserving of compassion and unconditional positive regard. And, many who, because of their relative privilege, are not accustomed to doing so will have to yield power, tolerate some loss, and stretch their emotional muscles further than they have generally been required to do. Some will have to do this while learning how to heal from their own experiences of abuse and injustice.

Two Personal Examples

Case Study 1: Citizen Code of Conduct

We wrote the Citizen Code of Conduct for use at Open Source Bridge in early 2011. We’ve modified it a few times since then and now use it for all Stumptown Syndicate events. Starting with text from a sample conference anti-harassment policy written by members of the Geek Feminism community, we modified and added text as needed to represent and embody the values of our community.  For example, for us, it was important to include not just a list of prohibitions, but also to set positive expectations for community interaction.

We’ve fielded a handful of reports or otherwise acted on our our code of conduct since we adopted it in 2011. None of them matched what I had imagined. Often they were more mundane yet more complicated to respond to than I had anticipated. Adopting our code of conduct did not stir up controversy, though at least one of our responses did. Generally the feedback we’ve received is that our code of conduct makes the conference more welcoming to underrepresented groups and this has been reflected in our changing demographics (more women, more PoC, more queer folks). A small number of people have expressed their discomfort or have stayed away entirely.

We’re a relatively small, contained community. In a given year, about 500-800 people are involved in Syndicate events and we operate almost exclusively in Portland. This has made adopting a code of conduct and responding to it a relatively manageable thing.

But we still have missing stairs. We have a mechanism in place for responding to code of conduct reports, but it’s almost entirely implicit. That works in the short-term, but it’s not scaleable and doesn’t ensure stability and adaptability over time. Communities need ways to transfer critical institutional operating knowledge as new leaders come aboard. Stumptown Syndicate just elected six new board members and Open Source Bridge is looking for new co-chairs, so we’re figuring out how to do this right now.

Another thing that made adopting and responsibly using a code of conduct possible was the reason Stumptown Syndicate was founded in the first place. We created Stumptown to be a trusted holding institution for the open source projects we cared most about. From the beginning we were about providing important governance and other structures that help ensure the long-term health of open source communities.

Case Study 2: Mozilla Participation Guidelines

In late 2012, Mozilla adopted their Participation Guidelines after a months-long and highly contentious process that was kicked off by the Planet Mozilla controversy. I was heavily invested in seeing Mozilla adopt a code of conduct. This cost me a lot emotionally — I got a threat from a co-worker (still employed by Mozilla and now a manager) as well as an anonymous death threat. Looking back it almost certainly burned a good deal of my social capital, too.

I suppose all that would have been worth it if I could say now with confidence that the Participation Guidelines have been useful for improving community interactions and improving diversity and inclusion.

But I can’t. (I would love to hear from you if they’ve been useful to you.)

For the most part, the weird, uncomfortable, blocking, and transgressive behavior I encountered while involved with Mozilla wasn’t (and still isn’t) addressed clearly by the Participation Guidelines. And in the few cases where you’d think the Participation Guidelines would be helpful, they weren’t. One involved a co-worker and was addressed via our employee anti-harassment/discrimination policy through HR channels (to a less than satisfactory end, but that’s another story). The others were from anonymous sources and thus weren’t easily actionable.

What are actionable events according to Mozilla’s participation guidelines are by no means clear to me. What are “exclusionary practices” in this context? The guidelines say

“Intentional efforts to exclude people from Mozilla activities are not acceptable and will be dealt with appropriately.”

But “intentional efforts” aren’t defined or exemplified.

And then the guidelines includes this bit, which to me signals a fundamental misunderstanding of how institutional oppression manifests in individual behavior:

“It’s hard to imagine how one might unintentionally do this, but if this happens we will figure out how to make it not happen again.”

It’s not hard for some of us to imagine how others can unintentionally make spaces unwelcoming because it happens all the time.

Most people who engage in behavior that makes others uncomfortable or otherwise transgresses a social norm do not do so intentionally. And these are the people who benefit most from explicit norm setting and compassionate intervention. The group that engages in transgressive behavior intentionally is much smaller and does so for a varied, complex set of reasons, some of which is more easily addressed by community governance than others.

If the participation guidelines are getting invoked more than I realize, I wonder, by what mechanism are issues being resolved?

Early on the guidelines mention “groups for escalation and dispute resolution” but what are these groups? Later on, the guidelines instruct you to do the following if you experience conflict, you’re to engage with:

  1. the person with whom you have conflict,
  2. other “trusted Mozillians,” or
  3. Conductors.

To my knowledge, Conductors is completely self-selected (no training,  qualifications,  vetting, or standard of conduct) and…mostly defunct. Defunct as in many of the people listed are no longer employees and may or may not even still be involved in Mozilla projects.

Furthermore, the values indicated by the Participation Guidelines conflict with my direct experience of the community and its capacities.

This line would seem to indicate Mozilla values differing perspectives and spending energy to surface and integrate these different perspectives:

“Try to understand different perspectives. Our goal should not be to “win” every disagreement or argument. A more productive goal is to be open to ideas that make our own ideas better. “Winning” is when different perspectives make our work richer and stronger.”

However, Mozilla seems to have no functional, consistent mechanism for doing this. Many times during my four years with Mozilla I saw people who voiced differing perspectives ignored or outright silenced. (Example: Those of us who calmly, clearly, and respectfully voiced concerns about migrating to Gmail were invisibly silenced — our managers were instructed privately to make us stop.)

This line would seem to indicate we value working through conflict respectfully:

“Be respectful. We may not always agree, but disagreement is no excuse for poor manners. We will all experience some frustration now and then, but we don’t allow that frustration to turn into a personal attack. A community where people feel uncomfortable or threatened is not a productive one.”

But we have no effective channels for resolving conflict so we vent publicly and in back-channels, or simply stew in silence.

And how does the value of “respect” as alluded to in Mozilla’s Participation Guidelines apply to the co-worker who proselytizes to people in project spaces without their consent? Or the contributors of religious faith who worry that private demonstrations of their faith could be used to expel them from the project? Or the queer employees who wonder why their company remains silent while nearly every other tech company celebrates the SCOTUS ruling on gay marriage?

Who is getting use from this document? Did the protracted and divisive process the Mozilla community endured to get this document create any lasting, useful change? I don’t know what percentage of the community buys-in to the Participation Guidelines or even knows about them. Does the mere existence of the document make some more comfortable knowing they are there even if they’ve never invoked it?

A comparison to frame the issue

Is adopting a code of conduct like adopting a FOSS license?

Reinventing the wheel bugs me a lot. In tech, I think we waste a lot of resources and make a lot of unnecessary blunders not building upon and learning from what has come before. It’s why we’ve put effort into the Citizen Code of Conduct and making it easy for other communities to adapt and use. It’s why I’m glad others have engaged in similar work, like the Contributor Covenant, the Geek Feminism Wiki sample policy, and others.

Let’s look at a similar activity that should be familiar to a lot of FOSS contributors: licensing.

In the same way that adding a license to your project is “easy” — especially now that Github includes a drop-down selection of them during repository creation — it’s also easy to add a code of conduct.

But how many project owners who have added the GPL, or MIT, or any other open source license actually qualified, capable, and willing to enforce these licenses? And how do they determine, if they’re not well-versed in IP law, which license is really best for their project? Or what the long-term ramifications will be of their selection? Project leads already give a lot of their free time to open source development and community organizing; Do they really have more time to learn the skills required and then respond to licensing questions and concerns? Is that a fair request to make of our technical leaders?

Let’s say a project is five, ten, or fifteen years old by the time someone suggests adopting a license. How is consensus achieved across long-term contributors when some of them are very MIT-leaning and others are very-GPL leaning? Not just that, but when some folks already assumed everyone in the project was pro-GPL and are astounded the topic is even up for discussion.

This analogy has its limits, so I ask you not to over analyze it or take it too far. I don’t think it makes sense to have a third-party body doing code of conduct enforcement, for example. I think enforcement needs to stay within communities. Though I do think we need third-party experts providing training — and there’s a handful of us working on that now.

(Though if you do want to explore the idea of copyleft licensing and codes of conduct further, I suggest reading Sumana Harihareswara‘s excellent essay Codes of conduct and the trade-offs of copyleft.)

The licensing analogy demonstrates two main issues related to meaningful code of conduct adoption:

  1. The complexity of selecting and adopting a code of conduct especially in larger, already established and highly distributed projects/communities.
  2. That code of conduct response requires skills and resources many project leaders don’t already have.

Misalignment of shared values and the painful process of re-alignment

The role of shared values in conflict resolution.

Ultimately, a code of conduct is one part of a community’s conflict resolution strategy.

Making a plan for how to resolve conflict is one of the first things any community needs to do, long before any conflict arises. And it starts with reaching agreement and making explicit what your shared values are. Why? Because the values you agree as a community to prioritize in your work together need to drive decision-making about that work. Do we value unconstrained free expression of speech, or do we value inclusion of underrepresented groups? Do we value “free as in beer” or “free as in freedom”? Do we value shared public resources or do we value private ownership? Do we value adherence to using open source software, or do we value promoting the open web? In cases where are shared values fall somewhere in the middle of two extremes, where do we draw the line and which side is most important?

When communities are young, values alignment is usually implicit. This makes sense. A small number of folks get together to work on a project or advance a particular mission. Often times these folks already know each other. They may know intuitively and from past experience what their shared values are and so they don’t think about spending energy to make them explicit.

If the shared values that were implicit when a community forms are not made explicit as the community grows, you end up with divergent thinking about what the shared community values are. People who where there at the beginning have one thing in mind. People who joined at different points in time think another thing, based on what attracted them to the project and their own experience of interacting with the project/community. It’s really easy to assume the shared values of our FLOSS communities are what we want them to be. Because why else would we be there?

Misalignment of perceived shared values is at the heart of conflict

I see this misalignment of perceived shared values to be at the heart of numerous conflicts in open source communities. I see it pop up in every discussion about whether and which code of conduct to adopt. I saw it over and over again at Mozilla (migrating to Gmail, supporting EME, integrating Pocket, appointing Brendan as CEO, how community is included, etc.). I noticed it each time we struggled with a decision around Open Source Bridge / Stumptown Syndicate, which is why we spent a whole weekend last year debating what our shared principles are and then made them explicit and public.

Adding a code of conduct often requires the painful process of values re-alignment

So, one reason it is so much more complex to add a code of conduct to long-standing projects is because a code of conduct is an operating document born from a community’s shared values and in many of our large open source communities we do not have an agreed upon set of shared values. Adopting a code of conduct is a forcing function that brings that values misalignment out in to the open.

Values re-alignment requires organizational change capacity beyond what we have

To realign on values, a community needs to go through the process of agreeing what its shared values should be (not are — because people have been operating under mixed assumptions) and then put them in writing and make them public. This will inevitably require some change in the community. It’s likely that everyone will have to shift their position at least a bit. If not, some will need to leave the community. The larger and more complex the community, the longer this change process will take and the more facilitation it will require.

Organizational change is extremely difficult and most FOSS communities do not have the capacity and experience to manage the change. For the change to be navigated successfully, great care needs to be applied and community leaders, as well as everyone participating in the discussion really need to step up their game. There needs to be room for anger, for disagreement, for being weary of change, for being ravenously hungry for change. People have to be willing to change their minds. There need to be mechanisms for dealing with the inevitable flood of disruptive outsiders and blocking/sabotaging insiders. Leaders need to be able to hold the environment well enough to drive change but not let their communities implode. Everyone needs to understand and be patient with the reality that the process will take time. Months, not days or weeks.

Adopting a code of conduct in larger communities is not a technical problem with clear, templated solutions. Rather, it is an adaptive one that requires the community learn how to change itself.

The role of governance

Having a code of conduct is part of having a conflict resolution strategy, which is, in turn, essential to good governance.

What do I mean by governance? Governance includes everything about how a project carries out its work and engages with its community.

Key governance questions are:

  • how are decisions made and communicated?
  • how is conflict resolved?
  • how are conflicts of interest handled?
  • who are our leaders, and how are they selected, evaluated, and held accountable?
  • how is community membership decided?
  • how are tasks tracked and delegated?
  • what is our mission, vision and how are we planning to achieve that?
  • what are our values and are we living up to them?
  • what is our reputation within our own community and outside of it?
  • do ensure we have the resources we need to carry out our mission both in the short-term and the long-term?
  • how are we developing our community members and leaders?
  • are we serving our mission or just ourselves?
  • are we in compliance with with local laws? are we up to date on our taxes?
  • are we doing what our community needs us to do?
  • are we hearing all the feedback we need to be? from whom we need to hear it?

Having mechanisms that answer these questions in an explicit, transparent way is key for long-term sustainability and success.

In the same way that shared values are implicit when communities first form, so are the ways in which community members work together. And so must they be made explicit as a community grows. Many communities have not made these governance structures explicit. Or if they have, they are incomplete, out of date or simply don’t match how the community actually operates.

In some situations, generally when communities are small and relatively contained (e.g. to a geographic locality like a conference), it works to start with a code of conduct and make explicit the other governance structures as you go. But that becomes much more difficult the larger and more complex a community becomes.

In the same way that a large community will have misalignment in their perceived shared values, they will also have misalignment about how they think the community works together. Re-aligning is a process that takes time and care.

Does a community need to have all the above questions answered and documented before adopting a code of conduct?

No. But any community, especially large and highly distributed ones need to answer these governance-related questions when figuring out how to meaningfully adopt a code of conduct:

  • Who’s going to be responsible for holding the community accountable to the standards documented in the code of conduct?
  • How will those people be chosen, what training & resources will they need, and by what mechanism will they be held accountable?
  • How will code of conduct reports be collected? Will their resolution be communicated to the larger community? How?
  • What are the legal/privacy/etc. implications of our chosen method of reporting?
  • Have we selected a code of conduct that accurately reflects our community’s shared values, as they are actually practiced?
  • Have we selected a code of conduct we are actually willing and able to enforce?

I can’t stress the importance of the last two enough. No community should adopt a code of a conduct they think people want to see if it’s not a true representation of their community’s values and one they are willing and have the capacity to enforce. It’s immensely damaging for a community to have explicit policies that it doesn’t, for whatever reason, live out in practice. Integrity is essential for healthy community.

There’s also a danger is trying to make the perfect plan before acting. This is impossible. Sketch out a reasonable starting policy, practice it for a while and work with your community to adapt as needed over time.

If you’re trying to adopt a code of conduct and members of your community seem overly focused on legalistic analysis or want to negotiate every conceivable yet hypothetical situation before moving forward, it’s a sign that trust in governance and leadership is low.

The role of non-technical leadership

Community leaders, both those with formal authority and those without it, are critical to a community’s ability to successfully navigate change. Those with power in a community need to be on board with the change required be willing to do the work otherwise meaningful change is very unlikely to happen.

It’s entirely possible some of the FOSS communities that we have so much invested in aren’t willing or able to go through the change we need of them in this moment. For our  well-being and to avoid burn out, it’s important we develop the wisdom to be able to identify when that’s the case so we use our energy to build alternative communities.

(I do think there are strategies for bringing leaders on-board when change is needed and they are reticent to productively engage. But discussion of them is out of scope for this post.)

Some strategies for making things better

Close the leadership gap in our FLOSS communities

By now it should be clear that we have a non-technical leadership gap in our FLOSS communities and it’s harming our ability to navigate change and thrive.

To close this gap we need to develop, recognize, support, and elevate non-technical leaders. Non-technical leaders need to be recognized as valuable experts in the same way we recognize technical leaders for their expertise.

Embrace multiple viewpoints and integrate conflict productively

We need to avoid denigrating and silencing those who are reticent of change or raise concerns over adopting a code of conduct. I’m not talking about folks who show up for the sole purpose of trolling, derailing, and abusing. Let’s not increase the damage those people inflict by casting everyone who’s not automatically on board as one of them.

Conflicting points of view are crucial tool for learning. Ronald A. Heifetz in Leadership Without Easy Answers says:

“the mix of values in a society provides multiple vantage points from which to view reality. Conflict and heterogeneity are resources for social learning. Although people may not come to share one another’s values, they may learn vital information that would ordinarily be lost to view without engaging the perspectives of those who challenge them”

Respond compassionately to people’s sense of loss brought about by change

Some may respond with concern or be against a code of conduct because of the loss of power and privilege it represents to them (whether they are conscious of this or not). While we may feel that these folks have long enjoyed what they did not rightfully earn and that a redistribution of power as might occur with a code of conduct is fair, just, and necessary, we still need to respond to their sense of loss with compassion, not derision. Some will never adjust to the changing world in which they live, but many are capable of doing so and will, but they need help doing so.

Good governance and leadership prevent abuses of power

There are a handful of folks (example) who keep playing the dog whistle of impending fascism in response to their community’s proposal of adopting a code of conduct. This assertion simply has no merit and serves mostly to distract and derail. It also serves as a rallying call to those who feel disenfranchised by the changing social, political and economic environment.

Fascism and other abuses of power can happen with or without a code of conduct. Good governance, of which an explicit, written code of conduct is a part, is the antidote to abuses of power. In fact, I believe that keeping the ways your community works implicit and unwritten is more fertile ground for abuses of power than having written, communally available policies you actually follow.

Well-written codes of conduct are enforceable yet flexible enough to adapt to a community’s changing needs and circumstances over time. They are one mechanism by which conflicts can be resolved judiciously (as in, with good judgement, not related to a court of law) and consistently. Without a code of conduct or similar operating procedure, conflicts still arise but a community has no way to consistently approach or resolve them.

Some words of caution: A code of conduct won’t enable abuse of power where previously none was possible, but it might shift the the targets of that abuse or create unintended ones. It may also provide a false sense of security if there are not robust mechanisms in place to receive and respond fairly to reports. This is why a code of conduct needs to be backed up by skilled, ethical leadership and good governance infrastructure.

One last thought about compassion, unconditional positive regard, and emotional labor

Several times in this post I’ve stated we should show everyone compassion and unconditional positive regard.

When I say that, I’m not asking every individual and every given time to show compassion and unconditional positive regard for everyone else, including those who are or have engaged in abusive behavior or are members of social groups that have relatively greater power and privilege. Instead, what I ask is that people cultivate compassion and practice unconditional positive regard as they are able and willing.

Community is a shared burden, as a well as a shared resource. At any given time, some of us will be more capable of and willing to do certain things than others. Sometimes we need to concentrate on our own needs and healing.

Cultivating compassion, understanding, and unconditional positive regard is a communal activity, a communal responsibility. It’s how we’re going to move forward together towards a brighter future.

Death Threats in Open Source Are not Occurring in a Vacuum

Individuals who make death threats start with less egregious behavior and systematically test the boundaries of the communities in which they exist. When they get away with small violations, they often move on to larger ones. They watch what others are able to get away with, too. The pattern of behavior is common among abusers. If you’re an abuse survivor, you know this implicitly.

The open source community consistently condones the type of behavior that can escalate to death threats. The “free as in freedom” philosophy has created a haven for privileged individuals to act without accountability. Harassment, discrimination and exclusion of women, queer and trans people, racial minorities and other individuals from marginalized groups are commonplace. This is not okay. Not only is it morally wrong to exclude people in this manner, but communities thrive on diversity and stagnate without it. Open source is no different, and we have largely been failing to address this issue.

If you’re not actively working to make your community welcoming to a diverse set of individuals, you are part of the problem. If you are a white, straight cis man and you look around at your community and the majority of what you see are straight, white, cis men, then you are part of the problem. If your project or community does not have a code of conduct and you are not actively providing meaningful enforcement of those standards, then you are part of the problem. If you are not holding your technical leaders accountable for their behavior that is harming the community, then you are part of the problem.

We can no longer operate under the fantasy that maintaining healthy open source communities is solely a matter of technical skill or competence. As Matthew Garrett recently stated:

No matter how technically competent a community leader is, no matter how much code review they perform or how much mentorship they provide, if they’re expressing unacceptable social opinions then they’re diminishing the community. People I know and respect have left technical communities simply because people in positions of responsibility have engaged in this kind of behaviour without it causing them any problems.

Want to lessen the number of death threats that women (and others) in open source receive? Adopt a strong code of conduct and enforce it. Do not allow misogynist, sexist, racist, homophobic, etc. comments or behavior, no matter how trivial they feel to you. Don’t ask people like me to explain to you ad nauseam why a fellow community member saying “we don’t want you around” is a threat. Don’t argue when we say that a co-worker  who advocates against universal marriage is advocating legislative violence. Instead, hold those who make these statements accountable.

In other words, reducing and eliminating death threats in the open source community starts with being intolerant of microagressions.

On Accountability

Back in July, someone claiming to be a “Mozilla member” made threatening comments here on my blog, directed towards myself and my colleague Tim Chevalier. I reported the comments immediately to Mozilla HR. It look nearly three months, but I can now report a resolution.

The person who left the comments is a Mozilla employee. They have been contacted by Mozilla HR and directed not to make these kind of comments to Mozilla employees or community members in the future, or else face disciplinary action. They have also issued an apology to me personally. Unfortunately, the person has declined to provide a public apology and isn’t being compelled to do so.

I find the lack of a public apology disappointing and a detriment to the Mozilla community. Those who violate community conduct standards should face the consequences of their actions and they should have to face them publicly.

Why? Many reasons. Without having to face consequences, abusive behavior is likely to continue, and likely to escalate. When those who violate conduct standards are held publicly accountable for their actions, it gives those who might have been a target of such behavior in the past a chance to finally speak up. And, it demonstrates that the Mozilla community takes its employees’ and contributors’ conduct toward one another seriously and doesn’t tolerate abuse. A public apology gives those who transgress an opportunity to make amends with the community.

In the case of the person who left the threats on my blog, their desire not to look bad is being placed above our (mine, Tim’s and others from marginalized groups) need to feel safe, and thus represents a refusal to acknowledge their deleterious effect on our entire community.

The commenter’s actions harmed not just the two of us who were the direct targets, but the Mozilla community as a whole by setting the example that if a queer person feels they are being discriminated against at Mozilla and speaks out about it, they will be penalized with a public threat. Why was the original comment a threat? Because saying “we don’t want you two around” implies that they would do their best, either directly or indirectly, to make sure Tim and I were not able to continue to be around. Furthermore, their use of “we” created anxiety that there was not just one, but many people at Mozilla who wanted to force out people who speak out against discrimination.

More generally, the commenter’s actions set a precedent that if somebody is in a vulnerable minority group, they must choose between being silent and accepting what they experience as discriminatory treatment or risk being humiliated and threatened if they speak out against it. Being in a situation where the only choices are to accept abuse without criticizing it or be retaliated against for speaking up, is unfair. A community where people in minority groups are treated unfairly is one that many such people will either leave, or not join in the first place, because they don’t feel welcome. And driving away people in minority groups hurts the community. It deprives the community of all that minority group members can contribute, and means Mozilla won’t have the best employees and contributors it can possibly have.

In the lack of acknowledgment that the commenter’s actions harmed the community, I hear unwillingness to say that Mozilla values its contributors who are queer. If harming us does not harm the community, then the only logical conclusion is that we’re not an important part of the community. It’s hurtful to see that the facts apparently point to this conclusion.

While it’s true that I could reveal the identity of the anonymous commenter, I don’t feel comfortable doing so publicly, here on my blog because I fear a lack of support from the Mozilla community. On the one hand, many of you expressed your outrage and disapproval of the commenter’s behavior, but on the other hand, some of you also expressed doubt that the commenter could even be part of the Mozilla community. Also, I have not seen a lot of outspoken support for those who speak up on these issues, and have certainly experienced a lack of institutional support on behalf of Mozilla leadership.

What I will do is encourage those of you who have been the target of threatening behavior, even if it seems insignificant, to document and report it.

Update 3 October 19:45 PDT: Read Harassment, Accountability, and Justice for Tim’s response to this issue.

Mozilla Now Has Guidelines for Community Participation

Mitchell Baker announced today on mozilla.governance that Community Participation Guidelines have been posted.

While I remain critical of the version that has been put forth (for reasons I don’t have time to articulate now, but will try to later), I recognize adoption of any standard for participation as a step in the right direction.

Thank you to all those involved in moving this forward and getting it published.

Note: If you haven’t been following this issue, read my previous posts on the subject here and here.

To the Anonymous Mozilla Member Making Threats on My Blog

Update (31 December 2016): This person was identified easily via their IP address, which matched that of one used regularly by a Mozilla staff member. After a protracted effort on my part, our head of HR assured me the person had been appropriately reprimanded. (As was I, incidentally, for not being able to “work things out” with this person.) I left Mozilla in August 2015. The staff member who threatened me, on the other hand, was rewarded with a promotion and now manages a team of seven people. 


I’m not going to publish any of your comments, so you might as well stop leaving them. Also, you’ve been reported to Mozilla leadership.

I will, however, share this bit with everyone here so they understand what kind of crap I and others receive simply for speaking out about the issues that are important to us.

mozilla@member.com writes (emphasis mine):

Or, to put it another way, we don’t want you two around, really. You’ve spent months creating drama and attacking anyone who disagrees with you in the most passive-aggressive “I’m a poor victim” fashion.

Feel free to find the door to more perfect folks who agree with your politics and allowed means of expression.