Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: harassment

  • Failure to Protect

    Failure to Protect

    Something I knew would come up after I posted about my ongoing harassment is the question “How do we fix this?”

    Now, the cause of all this actually can be boiled down to two things:

    1. A systemic failure of social services to help those in need
    2. The overall lack of awareness of how tools are abused

    I can’t really fix the first one. The world is broken on many levels and the fact that people in pain and anger have no help, and thus lash out in anger at me, at you, at people who write code, at people just trying to help … That’s all of us. We need health care (physical and mental). We need fair and equal pay. We need a living wage, not a minimum one where companies literally pay you that because they don’t have to treat you like a human.

    That one is huge.

    But the other problem? That’s why I posted.

    How Can Code Be (Ab)Used?

    When we write code, and this is pretty much all of us, we’re trying to solve a specific problem. Sometimes that problem is huge, with multiple layers and facets and complexities that make us look like a scene from “A Beautiful Mind.” If we’re lucky. Usually we look like this guy”

    Charlie from "it's always sunny in philadelphia" in front of a conspiracy theory wall.

    Regardless of how twisty-turney our code is, though, at the end of the day the question many of us forgot to ask is “What’s the worst thing someone can do with our code?”

    Let me give you an example.

    “What’s a bad thing someone can do with Akismet?”

    Right? It’s an anti-spam plugin that checks via a closed-API (meaning, I have no idea how it works) so it’s not easy at all to abuse, you might think. Well, without any forethought, the very first thing that comes to mind is I could write a bunch of clearly spam comments, spin up my VPN, and use someone else’s email address to leave spam comments on a hundred or a thousand blogs. That would get the email flagged and they’d probably have to constantly struggle until they figured out why, if they ever could. All they’d know is their comments never show up. Give me a couple hours and I could automate that, set it out into the world, and reap the joy of annoying someone.

    I’m fairly certain I just screwed up someone’s day with that, by the way. Sorry/Not Sorry friends over at Akismet. Because that’s my point. If Akismet has not already sat down and made a list of all the shitty, terrible, vile things someone could do with their product, they’ve failed to fully protect its users.

    Disruption Makes Harassment

    When we build to ‘disrupt’ we do so with the knowledge we’re breaking the system. Sometimes we’re breaking it stupidly, like “Uber is disrupting taxis!” really is “Uber figured out that people would rather know what they’re going to pay, and wanted an easy way to hail a gosh darn taxi in the first place! Let’s go!” And yes, I have a low opinion on the ideas to ‘revolutionize’ the bus system (spoilers? invest in public transportation, not privatization).

    The thing is, we continue to attack a single, specific problem. Big, large, whatever, we’re solving a thing.

    But the problem with this is our disruptions create opportunities for harassment.

    Did you get a delivery from Instacart or DoorDash? They know where you live and what you eat. Those are all known risks of course. Could someone roofie my food or tamper with it? Sure! Now the solving of that falls onto the people who package the delivery. Restaurants will tamper-proof seal their deliveries, but that’s on them. What did DoorDash do? Nothing I can find. Instacart? Most of their stuff is pre-packaged, but if you get fresh fruits etc, gosh they could. It’s like those stupid Halloween rumours we heard growing up. None were true, but …

    Uber received 235 reports of a rape occurring during a ride in the United States in 2018. Those are the numbers of reported cases, provided by Uber. Remember, rape is wildly underreported in the US (probably everywhere). Now think about all the information an Uber driver has on you? They know where they picked you up, they know where they dropped you off, and they know your name. And they can get your phone number.

    All those great innovations? Actually yes. They’re really helpful to people! Calling a car to your door that’s more reliable than a Taxi? Hell yes! But they are incredibly easy to use to harass someone. Of course they require you to be in the same general location, but still. What are they doing to make us safer? What about the drivers? Someone I know quit driving because the guy wanted her to drop him off inside a super suspect parking lot. She dropped him off outside. He called her a four letter word that starts with a C.

    Social Media Makes Monsters

    I’m sure I don’t have to list out the problems with social media. If someone harasses me, I block them, but they can make a new account and a new account and a new account. They can get a VPN and a fake email, and we’re always and forever behind the 8 ball catching and stopping.

    Why do Facebook moderators have PTSD? Why do content moderators on YouTube have to sign a waiver agreeing that they know their job may case mental breakdowns, and it’s not YouTube’s fault?

    And the answer here is because our solutions are HUMANS.

    We disrupted communication, but we opened the door for harassment because there was little to no forethought put into how to protect anyone. In fact, I bet I know how the conversation went (spoilers? I had this conversation with someone):

    “Hey, someone could make a hundred fake accounts all to call someone a jackass.”
    “Yep. No point trying to stop that. We block ’em they’ll just make new accounts.”
    “Yeah, good point. Okay, next item on the agenda? Bots!”

    Oh yeah, Bots totally extended from that problem. I used to use something called Block Together to catch and block bots and spammers and harassers, but the fact that it shut down and Twitter never made anything better is … well it tells a story, doesn’t it? Can anyone tell me what Twitter’s done?

    Well they, and Facebook, claim to be using machine learning to find and track abuse, but here’s the funny thing. I have a friend who has been permabanned from Twitter for telling someone to jump in a volcano. The claim was she was violent and sent a legitimate and plausible threat. About a volcano. Which she does not own. I mean, do any of us? it’s not even that it was a bad joke about suicide, it was flagged as a violent threat.

    Want to know how that happens? It’s easy. She tells a man to shove it, he and his friends mob-report her, Twitter’s AI decides “Gosh, if all these people flagged her, it’s real!” and ban her. No appeals. Done. And this story is repeated over and over, that the AI caught something (people talking about black and white chess pieces was pretty recent), banned someone, and that’s the end of it.

    All this is not to mention the ongoing racist and sexist biases of AIs, like how Asian people can’t use FaceID, or how Google’s AI labelled black people as gorillas? All of those things come down to the problem of people with biases (which is a systemic issue related to the failure of social services) building AIs and not thinking about the abuse therein (which is … an us problem).

    To put this a different way, we’ve been fighting spam in email since email was born, and everyone still gets some in their inbox. If we can’t win with that? We’re never going to win with an AI and abuse.

    Democratizing Abuse

    Now, I’m going to say something controversial.

    WordPress democratized abuse.

    I’m not talking about WordPress.org and the forums and plugins and themes. I’m talking about your blog. If you have comments open, what’s to stop someone from leaving comments pretending to be you? Heck, if you have comments open, what’s to stop someone from leaving comments pretending to be ME? How do you ban someone from your site? How do you ban them from a network? How do you stop them from making an account or email one after another and using your contact form to be a jerk?

    I have 10+ rather insane messages from a contact form that tells you that even for me, someone who is pretty much awesome at WordPress code, this is not easy. For a long time, you couldn’t filter contact form messages to block spammers on Jetpack. How long? Well I opened the ticket in 2014, so it was a long time until 2020, when someone else made a new ticket about.

    Is all this WordPress’ fault? Absolutely not! I don’t have to have comments on most of the time, or a contact form. You’ll notice I have neither on most posts on this site, and it’s for a reason. Abuse and harassment. In fact, WordPress gives me the agency to both harass people via my blog (if I wanted to) and protect myself from the harassment by others. That’s a fun one when you say it out loud, ain’t it?

    WordPress is a weapon, like all websites. When wielded by the good and just, it’s a weapon for good and justice. When it’s not? Let me just point out that there are a lot of ‘revenge porn’ type sites out there, powered by WordPress. And again, none of that is WordPress’ fault.

    We built WordPress to make it easier to publish whatever we want, whenever we want. We build features and plugins and themes to share stories. Not all of those stories are good. Some of them are abusive. And while there are already laws out there about it, technology is a massive whole of lawlessness where the laws can’t be applied.

    We’ve all heard “Guns don’t kill people, people kill people.” Some of you even know the common retort “Guns make it a heck of a lot easier, though.”

    WordPress isn’t the harasser, but gosh it makes things easier. And if that doesn’t give you chills and nausea, you’re not paying attention to the world. It sure scares the snot out of me.

    The Open Consequences Net

    I have to preface this bit with the fact that I don’t believe in ‘Cancel Culture’ but I do believe in consequence culture. Do I think you should be ‘canceled’ for telling a single off-colour joke 5 or 10 years ago? Hell no. But do I think you should be canceled for telling multiple jokes, being a defensive jerk when called out on them, and showing your literal penis to people? Hell yes.

    Actions have consequences. Or at least they should. And the problem we’re facing is that by making an Open Internet, which I’m in full support of, we failed to put in any way to enforce consequences. Everything is silo’d so I can ban you from site A or B, but not C or D. Worse, because you can make another email or get a new IP, I cannot permanently ban you forever, just from each account.

    Whack-a-Mole gif of someone ... whacking a fake mole that pops up in a game.

    Basically? We built something so wild and free and open, we cannot contain or control it anymore.

    Can We Fix It?

    This is the part where I tell you how much I hated making this post.

    See, I have no idea. Seriously.

    Even if we make the internet ‘invite only’ (as if that was possible), it’ll still be abused. But I don’t think that means we should do nothing. I think we’re not doing enough to make it difficult and hard for abusers and harassers to get a foot in the door. We’re making it so the only way people can protect themselves is to simply not be social online. Given the pandemic, I suspect you can all see why that’s a flawed prospect.

    Everything we need to do needs to be balanced. For example, it’s easy (and probably right) to say we need to begin to disrupt ‘anonymity’ but… What about people who can’t say who they are for fear of retribution? I immediately think of all those kids out there who are terrified for their ultra conservative, homo-hatin’ family members to find out they’re queer? They should be allowed to be anonymous and learn that there’s a world out there who loves them.

    I do like to bag on Twitter and Facebook for their lack of nuance when it comes to handling harassment and abuse, but I am also a realist. At their scale? How the hell do you tackle things? The only answer is really to throw more humans at it which would make more jobs, but it’s some of the most soul destroying work you’re ever going to do. And they don’t see it as a beneficial investment, so they’re not going to pay the people who do this a solid wage, with great health care, rotating them in and out so they don’t flame out.

    Proof? Okay. Read what happened to WangGuard.

    WangGuard worked in two different ways: as an algorithm that I had been refining for 7 years, and which was getting better as the sploggers evolved, so that it was always one step ahead of them, and also as human curation, in which I reviewed many factors, among them sites of sploggers to see if their content, could improve the algorithm and make sure that it worked correctly both when it was blocking or not blocking a site. The great secret of WangGuard was this second part. Without it WangGuard would not ever have become what it was.

    This human component is what I have been doing for 7 years, and also what has led me to close WangGuard (along with other considerations that are not relevant).

    Why WangGuard was Closed by Jose Conti

    And I have to agree with Jose, doing that job eats at your soul. The ‘fix’ is to change the world, and that’s just exhausting.

    What Can We Do?

    When you make a product, ask yourself “How can this be abused?” If you can’t think of anything, look around the room of the people you’re working with. Are they all from the same ethnic or socioeconomic background as you? Get people who aren’t. Get minorities in the room. Get PoC, get women, get queers, get kids. Get people who didn’t go to college, those who did, those with and without children, those from other nations. Get them and ask them “Hey, what’s the worst thing you could do to someone else with this?” Ask them “Do you see any flaws?”

    And then? Listen to them. If women tell you “That’s going to make it impossible to stop people from sending us dick-picks” take it seriously. But for the love of Pete the Plug, take them seriously.

    This means we are all going to have to accept when we’re wrong, when our ideas have flaws, and learn from those moments. It’s hard! We don’t want to hear our great idea is screwed up, but sometimes it is.

    We’ll never change the world for the better if we cannot change ourselves.

  • Bad Actors: Block or Not?

    Bad Actors: Block or Not?

    So here’s a fun question… Say you’re being harassed or bothered by a single person. Do you block them?

    This should be a simple answer, right? Obviously block. If you block, you don’t have to see them, they can’t get to you, it’s great. Except, as anyone who’s been harassed will tell you, if the person is particularly an asshole, they will make more accounts with which to try and contact you! I’m not joking when I saw my particular headache has used over 100 separate emails. Even if you report them to the email services as soon as possible, some will tell you “There’s nothing we can do to prevent abuse.”

    That’s a different issue for another post. This one is … do I block or not?

    The ‘dude’ in this story is an amalgamation of at least five separate men, all of whom did the same thing, and all of whom claim to be ‘woke’ feminists. No names are mentioned nor will they be, but I suspect they’ll see themselves…

    The ‘splain Drain

    There’s no way around this one, and some people I know on Twitter do this. If you block people on an account, they use another. I’ve blocked people for being perpetual mansplainers. Like someone who was offering advice on how to travel after it was mentioned a friend and I were going to a specific location he was familiar with. Now, you’d think “Oh but he meant well, right?” The problem was he had a history of un-thinking hot-takes. We were going to a specific convention (not WordCamp) and we knew we’d be working that con basically 12 hours a day, making notes, recording interviews, and so on. Our goal was not to to that town and party, it was work.

    The advice? Lots of places to have fun, how to handle working conventions, etc etc.

    Now. Anyone who actually knew us and followed our tweets knew that my friend and I had all that locked down. We’ve worked cons before, ones way the hell bigger than this one, and we knew how to handle ourselves. We knew how to optimize our packing, how to prioritize, and we were not asking for advice or help. Simply, we said we were excited to go to this event.

    Again, you could think “Oh but he meant well.” The thing was, he took zero time to read the room. He didn’t scroll back and see the older tweets, he didn’t see any of the conversations prior. He saw one moment, and jumped in. All of the other comments were about who we were going to meet/interview, how nice it would be to be at a convention like that, tech talk about devices and charging and packing and carrying. We weren’t going to go to party, we weren’t going to go to fancy restaurants. We had jobs.

    If you’re a woman in tech, you’re tired of that behaviour. Because now it’s suddenly your job to roll back, re-explain everything, and thank this person for their time but you’re good. And I have to tell you, it’s exhausting to do that over and over and over. I cannot begin to tell you how many times my reply to someone has been “Thanks, but per the discussion, we’re doing X. Please re-read the whole convo.”

    It is an ongoing, perpetual drain that men (and yes, I do call out men here) jump in with ‘help’ without giving anyone the respect and time to actually read the freaking room. They don’t do the research, they don’t read the scroll back, they don’t even ask “Is this all sorted out or can I help?” They assume that you need help, and they believe they’re the one to do it.

    Mute Them

    I’m sure a lot of guys I know are pissed off at me right now, but guess what buddies? That’s why I mute a lot of you. Some women too, yes, and if a single one of you idiots jumps in with ‘not all men!’ I will escalate and block you, because the ‘all’ isn’t the point. The point is that a majority of men (especially in tech) do this. They are the Hero. The Saviour. The Champion. They can help YOU!

    So when people, of any gender, jump into my timeline and offer advice where they clearly have not read a blessed thing, I mute them. The guy I’m talking about who mansplained? Wanna know what he did? He kept on explaining how he was trying to help. My friend told him “Thanks but no thanks.” and I didn’t reply at all, but he went on. So I blocked him. And that sucked, because he was someone I did like as an acquaintance. I’d even gave him asked-for advice to get a better job. He has one now, and I’m happy for him.

    Anyway. Blocked him, moved on, and a couple years later he had yet another hot-take which was also entirely wrong. It really doesn’t matter what the subject was, but what matters is I was complaining about a stupid part of a contract that told me I was to do thing A in advance of a release but also not to do thing A until after the release.

    A very confused Nicole Haught, using the confused math meme format.

    So I complained about this on twitter, remarking how daft it was. One of the blokes I’d muted hopped on the reply-train to tell me that’s because I wasn’t really part of the process.

    Repeat that meme above, eh. Signed contract. Told I was supposed to to X for the process, but also not to do it… And if you’re wondering “Mika, didn’t you block him?” yes, yes I did. He used another account to contact me with another bad take. A 100% incorrect take, born of his own ignorance about the subject matter and the contract. I replied, correcting his assumption (and at that time not realizing who he was).

    The next reply from him was that he actually had understood but he wanted to say something ‘different.’ At that point I thought ‘this sounds like one of those guys …’ and I looked at the account. Oh yes, it was. But I thought maybe he was redeemable, maybe he’d changed, and I asked him if he had any experience or expertise in this area at all (it’s not WordPress related). That reply was the nail in the coffin. He said it was a joke, he offered to explain the joke, and he said I knew who he was, and his credentials were available.

    Right. I replied, told him the joke wasn’t funny and if it needed to be explained, it was a bad joke, and I muted him.

    My thought process was as follows:

    1. Someone who always replies with ‘jokes’ isn’t someone I feel like listening to.
    2. People who reply constantly with ‘jokes’ aren’t listening to me in the first place, they’re listening for bullet points they can joke about.
    3. The ‘it was a joke’ defence suggests it wasn’t a joke, he knew that, and he’s hurt I called him out.
    4. Anyone who tells me his credentials are online, and yet flat-out cannot be bothered to correct his assumptions about mine is disrespectful.
    5. I already blocked his personal account.

    Why not block?

    Well. As you can see from this story, I had already blocked him and he was using a secondary account to follow me and comment on things. Did I know, prior to the conversation, that he was in charge of that account? Not at all. I had no reason to look. Now that I have looked, I see his feed is still filled with low-key racism and ignorance all over the damn place. He probably doesn’t even see that, and if he figures out this post is talking about him, he’s probably livid.

    But again, this isn’t about Mr. Mansplainer, it’s about why I didn’t block him right away. I muted him.

    I didn’t block him because I don’t want to encourage him to make a third account (or use another one he already has) to try and talk to me. I just don’t want to hear from him.

    And that is a decision that women online make every day. We recognize that blocking people just makes them madder and that sometimes they jump around and use more accounts to be jerks. It’s happened time and again to me, I’m sure it will again, and it’s why I heavily mute people all the time.

    Amusingly enough, I’ve been blocked by a couple people I’ve muted, one of whom screamed murder because I didn’t accept his DMs. I don’t accept DMs from anyone I don’t follow for a reason: I’m tired of people being assholes. So it wasn’t personal, John Doe, but way go.

    Okay but … How can I mute on my site?

    You mean comments and contact forms? Good question!

    First? Turn off comments and remove your contact form. You don’t need them most of the time. If you do want them, for the love of the flying spaghetti monster, use the comment moderation tools! In WordPress go to Settings > Discussion. Now, add in their info. Twitter handles and emails go directly into the Disallowed list. First names (especially if they’re common) go into the moderation list.

    But this is also where I’m kind of a bad person. See, if I have someone who is a jerk in emails and I know they may use a contact form, but as I’ve been saying since 2014, you should be able to blackhole their messages. By blackhole I mean their emails should appear to be sent, but you never see them.

    In short? They’re treated like spam. This sometimes has the side effect of them being flagged as spam elsewhere, which is why I’m kind of a bad person, but to be honest I don’t care at this point. I want them to go away.

    The downside to this is a lot of plugins don’t have a way to do this. I have spent a lot of time writing code for Contact Forms that actually blocks people (or spams them) when they’re people I’m done wasting my time with. I do think more contact forms need to make this a built in option. “Use your Disallowed lists to block …” but that is a different conversation.

    How can I make sure I’m not muted?

    If you’ve gotten this far, and you’re angry or you think I’m an asshole for blocking you or posting ‘about’ you, first you should know this: this post is actually about five separate guys. So if you’re seeing ‘you’ in this, you’re not alone, and I’m probably not the only person who wrote you off. Here’s my advice:

    1. Think before you reply. Read the tweet/post, look at the other replies or the followup posts. If you’re not sure, err on the side of respectful caution.
    2. Stop all ‘hot takes’ and ‘joke’ replies unless you know the other person really well.
    3. If you met someone at a WordCamp or chatted online, you DO NOT actually know them really well! You are causal acquaintances.
    4. If someone tells you ‘that isn’t a funny joke’ you reply “Sorry.” and shut the hell up.
    5. If you have to explain the joke, you screwed up, it wasn’t funny, and you’re the one in the wrong.
    6. If someone blocks your account do not use a second account to get around it.
    7. If you’re super mad that someone disagreed with you, walk away. You don’t owe them your time.
    8. If you’re blocked, don’t ask why you’ve been blocked.

    Now once in a while people will hit me up and ask why they were muted/blocked. I’ve replied to one of them, and that was because I took one look and thought “Hang on, I like him! What the hell?” And I looked and found out my old block tool had caught him for retweeting someone I’d blocked (he was explaining why the other guy was a dingus). I’ve turned that off.

    And I know someone is thinking “Wait, you said don’t ask.” Here’s the thing, that person I unblocked? Did not ask! He just pinged in another venue and said “Hey, I read about your dad dying and I wanted to say how sorry I am. You always talked about him so kindly. I would have tweeted but apparently I’m blocked. I’m sorry for whatever I said.”

    Isn’t that nice? It caught my attention. I looked, I unblocked. Because that was someone who acted like a human, didn’t expect a goddamn thing from me, and wanted to treat me like a human.

    It’s tragic that acting like that is rare.

  • Bummer Of A Birthmark, Hal

    Bummer Of A Birthmark, Hal

    I gave a talk in 2019 at WordCamp NYC about what happens when you’re the target. Anyone in any form of a ‘leadership’ or visible role of authority in any community has had a bad day where they woke up and found out everyone hates them.

    Not that they’re actually doing anything wrong, but people are targeting them for perceived slights. Regardless of right or wrong, all anyone wants is for their phone to stop pinging, their email to calm down, those Facerange and Twooter groups to stop attacking, and maybe everyone could have a beer.

    I have absolutely been there before. For the last decade I’ve worked with the support forums and plugin review teams in myriad roles, including representing those teams to the community. I’ve had a lot of bad days. The good news is I’ve learned that are things you can do to protect yourself and to alleviate the problems.

    It Is/Isn’t Your Fault

    If you’ve been in any sort of leadership or front-facing role, you’ve probably gotten this at least once. Someone has a bad day, maybe they got banned, maybe they got fired, maybe they just failed on their own. Whatever the reason, it’s YOUR fault. They shouted at you, they screamed in person perhaps, and they left you shaking and a little scared about what the heck was going on and what do you do?

    Before I jump into how to protect yourself, which will be the majority of this talk, I want to stress something. No matter what, these situations are not ever entirely your fault. Any time something like this happens, it’s from a breakdown in communication, and that speaks to both sides.

    However. You do have to take some responsibility here for your own actions. If you don’t, you’ll find yourself here again and again, over and over, and that’s really stressful. So when these things happens, yes, reflect on what you did, but also keep in mind you didn’t do this alone.

    Regardless of fault, you have a right to protect yourself. This isn’t an inalienable right. This isn’t a law. This is my firm belief that you have a right to take measures to protect yourself from people who have gone crazy on you. It doesn’t matter if it’s your fault or not, it matters that you should protect yourself.

    What Happened?

    In order to understand how to protect yourself, you need to be aware of what you did. That’s why I said it’s your fault. You did, or you were perceived to have done, something. Keep a hold of that word, perceived, because it matters a great deal. If people think you did a thing, it has the same net effect on their actions, but drastically changes your emotions.

    More than once I’ve woken up to my Twitter mentions and emails filled with people losing their minds about how evil I am. In 2018 it was all about Gutenberg. To be clear, I was accused of deleting bad reviews on the Gutenberg plugin. Since I hadn’t been doing that, it took a lot of stress and reading to figure out why the mob was actually mad at me. In one case, it was a developer who tweeted, at-ing me, complaining it was unfair that Gutenberg had reviews removed, but he couldn’t get his one-star’s removed. That one tweet, for some reason, infuriated the masses and I had DMs and @-messages demanding I explain myself.

    I had to ask myself “Did I actually do this?” Did I actually delete reviews in a way that could cause this reaction? This was false and I knew it, because I had not deleted a single review about Gutenberg. However due to my history as a forum moderator, the finger was pointed at me. Here, what I had done was act as a moderator of some renown at some point in my past.

    Now that I knew what was going on and where it started and that I didn’t do anything, I had to uncover what actually happened. I’m still a forum admin, so I logged in and looked at the posts and I could see who had moderated what. And then I privately pinged those people and asked for details. In talking to the other moderators, I determined that the removal of Gutenberg reviews were valid. The 1-stars were made by sock puppets, which is to say fake accounts made by people to unethically alter a star rating. It happens a lot.

    Now What?

    Okay great, now what? Now it’s time to take action and decide what to do about these people. You have two options though. You can respond to them or … not. They both have a lot of pros and cons, but there is one universal truth you need to know going in: Whatever you chose, to reply or not, you will be wrong.

    There is absolutely no way to ‘win’ or even come out ahead here. You just can’t. If you reply, people will hate your answers. If you don’t, people will claim it’s proof. There’s no safe course here. So you need to make sure you understand why you’re doing this.

    Why You ReplyWhy You Don’t Reply
    Reply if you want to have your say in the matter. That’s it. It doesn’t matter if you’re right or wrong, or if you’re apologizing or not. You’re trying to have your chance to talk. By replying you’re opening up the doors for a discussion. Don’t pick this option if you don’t want to talk to people!Don’t reply if you know it’s a muggs game and you’ll just waste time arguing with people who’ve made up their minds about you. Not replying feels like a safer choice, except it eats at you so much. You’re going to hear people rip into you over and over, and you will have to stick to your guns and not reply.

    And if you’re still not decided, remember that sometimes you can’t reply. That usually happens when you’re aware of a bigger issue that’s preventing public disclosure, or you’ve signed an NDA, or your company asked you not to… Those are really hard because you absolutely cannot engage with people when this happens. You have to suck it up.

    There’s one middle road here. You apologize. This is really hard, though, because no matter how you do it, someone will grab on your word choices and use them as proof one way or the other. Usually it’ll be how they prove you’re terrible.

    It is a good rule in life never to apologize. The right sort of people do not want apologies, and the wrong sort take a mean advantage of them.

    P.G. Wodehouse, The Man Upstairs and Other Stories

    How to Apologize

    I have three rules for how to apologize. Those three rules have served me well, because it reminds me to level-set that no matter what I say, I’m not going to come out ‘ahead’, and I should expect nothing at all in return.

    1. Be respectful
    2. Be sincere
    3. Expect nothing

    There are some things you can be mindful of. Don’t use ‘if’ statements, like “I’m sorry IF this hurt you…” Take ownership of the consequences, regardless of your original intent. It doesn’t matter why a thing happened, it matters that you actually apologize for what happened. You can use “But”, just be mindful that it’s not for making an excuse.

    You still should consider an apology when you’re not the reason for the drama. However this gives you a little room, because now you can use those weasel works. “I’m sorry you feel this way.” Notice the feel part? That should normally be avoided. Here, we want to use it because it’s actually the only thing you can claim auspice over. You acknowledge their emotions as valid. Which they are.

    The follow up to that is you need send them to the right people. “I’m sorry you feel this way. You should talk to X about that. Here’s how…” This is not the equivalent of sending someone to your manager, you’re just getting them to the right people. Oh, but be a mensch and tell the other person what’s incoming.

    And remember: forgiveness is not the point

    I know this is hard to swallow. When you apologize, you never do it in order to be forgiven. Never. Ever.. If you are, then you’re going about it all wrong. You apologize because you hurt someone. It doesn’t matter if you meant to or not, and it doesn’t matter if you can fix it or not. It matters that someone is hurt, and you did it. It’s up to them to forgive you if they want to, but you owe them a sincere apology.

    And just so we’re clear, I’ve screwed this up too. Just as recently as last spring. It’s going to happen. No one is perfect. Try not to do it again.

    Practical Defense

    Now that you’ve done some ‘active’ things, you need to take the steps to protect yourself. These are hard because it starts with not looking at it.

    Don’t look at what they say about you. Its in our nature to want to know what people are saying about us, but I’m here to tell you not to look. Don’t look. Ignore the comments on other forums and blog posts. Walk away from what’s out there.

    If you do look, document. And there will be things that come at you regardless. You’re going to want to keep a record. I have a spreadsheet with the title and date of every single email someone sent regarding an altercation with Plugins. 300 emails a month, on average, for three months. It was painful to record, but I did it to have a history of his behavior. Which is still going on.

    Are you getting emails? Block them. Did they make a secondary account? Block that. Did they make 69 accounts over multiple email providers and rotate through the accounts to try and talk to you? By the way, yes, that happened. You block them all and you report them. You keep doing this.

    Put their emails in your comment blacklist. Don’t dismiss this. If you use Jetpack contact forms, you can use the blacklist to block them from that. IP block if you have to, though I don’t recommend that. Do what you can stop them from getting to you. If you can’t turn off comments (like I did here), then I recommend requiring all first-time comments be approved, and using the Comment Probation plugin.

    What about social media? If they’re ‘friends,’ I recommend you unfollow and possibly mute. There are people in WordPress whom I’ve muted, because we don’t get along and will argue about everything. It’s not worth it to fight, so I block and I mute very fast. This is for my own sanity because emotional attacks hurt worse.

    It someone calls you names, it hurts. If someone attacks your choices, it hurts. Well when someone continues to belabor a point, argue past the point of sense, and absorb hours of your time, they’re hurting you. You are allowed to ask them to stop and leave you alone. Of course, this doesn’t often work.

    The Warning Signs

    As many people will tell you, asking someone to stop, even a simple “I don’t want to continue this conversation here, please email X,” can result in unexpected explosions. This is an escalation in behaviour, as someone is demonstrating a distinct lack of respect for you, and human decency. Usually this is because they’re hurt too and lashing out, and it’s hard for people to look past that.

    Bear in mind, a threat doesn’t just mean “You better not walk down a dark alley alone” — and yes, someone said that once. Sometimes a threat is “I sent a package to your office.” Now, I bet nearly every non-male reading this just nodded. For those of you who didn’t, let me elaborate.

    When an online conversation crosses into the ‘physical world’ (for lack of a better term), it’s a major red flag. If you’ve been tweeting or emailing someone, and they send you, say, an apology letter, or email a photo of their company apologizing, you need to worry. This is because they’re attempting to play to your emotions.

    When they make that next step, though, claiming to send you flowers, that’s when you need to get a hold of authority figures and friends. Fast. I will warn you, if the person making the claim is out of state or out of country, it’s very hard to get legal help. You can, but it’s hard. If you work at a specific location, make sure they know. Make sure people you live with are aware. Anyone you think might be targeted, you need to warn.

    There are a number of micro-aggressions that indicate this behavior, from Sealioning to Gaslighting. But that’s a talk in and of itself. What you should hang on to here is that you need to trust your gut. Women, people of color, queers, any minority, we’re pretty in tune with that bad feeling that a conversation is going to go sour. Trust that. If someone turns to you and says “Hey, this person looks like they’re escalating,” then you should listen.

    Get Help

    I said it before, let me say it again. Give your teams a heads up. I had someone follow me all the way to my company, and we had to get legal involved because of threats expressed. I’ve even had to have a security officer on site for a WordCamp talk because someone went far enough that I felt concerned for my physical safety. These aren’t jokes. These are people who have lost the ability to see reason.

    You need to tell people in charge. If you’re afraid to tell your boss, you can try this with them or your HR rep or a trusted co-worker:

    I’m sorry to bring some personal issues into work, but there’s someone who has been harassing me, and I think they’re going to bring it into the workspace.

    No template is perfect or nuanced enough to handle all situations, and if you need help figuring out how to tell your employers, grab a trusted friend and ask for help.

    Beyond warning people you work with, get help. Ask for what you need, even if you know it’s the wrong person to ask. They may know who to talk to. I needed a new feature built into WordPress’ tool for plugin reviews to blacklist people so we stopped getting 30 emails in a day in our inbox. Speak up. Your teammates and friends should have your back. And if they don’t listen, go louder and over their heads as high as you need to. Go public if you have to.

    Practical Defense

    Even if you do all this, you have to keep in mind that once you are pointed at as ‘the bad guy’ people will go bonkers. They will be obsessed with every single thing you do. And this means you cannot bait them. Look, I love a good subtweet as much as anyone, but for the duration of this drama, you must not poke the bears. Don’t even drop a hint. While being harassed by said the aforementioned serial emailer (we’re up to 1000 emails now by the way), I complained about someone else, my cable company as it happened, but he took it to mean I was talking about him. It sucked.

    This is the scary thing, and the reason you’ve got to walk away from them. When they get obsessive, reading thousands of tweets deep or dredging up a forum post from before you were a moderator to prove a point, they’ve gone past sense and into obsession. This is terrifying. Which is why you’ve got to put your shields up.

    I want to point out the specific things you can do here. These are generally easy to do from a technical perspective, but not emotionally.

    Twitter

    First you de-friend. If they’re not a friend, you mute. If they escalate, you block. Some people you will jump right to a block because they’re just so wrong. But do it and walk away. The nice thing about a block and a mute is that it prevents you from reading their tweets at all.

    Turn off Twitter notifications for young accounts and people who don’t follow you. Use the quality filters. Disable DMs from people you don’t follow.

    If somerone attacks you or is vulgar, report the tweets and block them. Blocking an account you’ve reported will increase the chances that Twitter will actually do anything. Also ask your friends to report and block anything else they made public. It will help.

    Facebook & Instagram

    So I hate Facebook for a lot of reasons, and this is one. See, pretty much all you can do is build a wall. Facebook cares more about selling your personal information than protecting you from harassment. All you can do is lock your account away and block people. Report, yes, but if my wife’s death threat is any hint, they will do nothing.

    Still, I recommend you report content. You need to report the individual posts as well as the user account.

    Also curate the hell out of your friends. If you can’t remember why you friended them, it’s a good time to un-friend.

    Everything Else? You set your account private and block judiciously. You don’t have to worry about Google+ any more, but lordy, I promise that was a nightmare trying to block people. Snapchat is pretty ephemeral, things don’t stick around long, so it’s not an easy place to manage but still report and block.

    I have to mention this because we use Slack for WordPress.org work. And here, there is only one thing you can do when someone’s harassing you. You need to find an admin. Go into the Slack group and click “Customize Slack.” Then pick “About this workspace”. Click on the “Admins & Owners” tab. Ping one, explain the tl;dr and make sure you have logs of your harassment. Good luck.

    On a forum? Ask for moderator help. If this is an in-public ask, keep it simple. “I need a moderator. Someone is harassing me. Who can I speak to about this?” If you’re on WordPress.org’s forum, tap the ‘report topic’ button after you post and a Moderator will be alerted. Or come to the #forums slack channel and ask for help.

    I Hope You Never Have to Do This

    I really do. I hope none of you ever have to do this, and that your takeaway is “Gosh, I should make it easier for people to protect themselves on my systems!” And if you are going through this, protect yourself as best you can and remember, just because you’re the bad guy doesn’t mean the other person is a hero.

  • Spam Your Blacklist

    Spam Your Blacklist

    As mentioned when I began my hiatus, there would be the occasional code post. Here’s one that is born from how annoying someone is.

    The Situation

    I have a serial harasser. He’s a troll and a semi-stalker who doesn’t understand the meaning of “No.” I’ve blocked him on social media, his emails are blackholes, and as I don’t have contact forms on my sites, nor do I have open comment forms at the moment, it’s a non-issue here.

    However, I do have another site which he found and decided to use my contact form to spam me and my co-admin with 10+ emails. When I found out, I blocked his IP address. He was on mobile, though, so I knew this would only last as long as he was on his phone. I needed a better solution.

    This is not a rare problem. Especially not for women online. One of the many ways in which men drive women offline is by upping the emotional labor needed to be online. That is, they attack us with message after message, generally in the guise of being ‘a nice guy,’ or ‘just trying to have an open conversation.’ But the reality is that they want to wear you down and get you to do what they want.

    It’s exhausting. If you’ve ever gone car shopping and had the dealer call you over and over with the hard sell, it’s like that.

    The Paradox

    Contact Forms are meant to be a way for people to contact you, outside of the comments on your site. That being so, they really do need to exist outside the confines of the comments, which means your comment moderation list is a bit inappropriate. You want people who are having comment problems to get a hold of you.

    At the same time, if you’ve blackholed someone, you don’t. You don’t want them to bother you at all, as reading their messages, even though you’re deleting them, is draining. So you want to be able to block them.

    Here’s the problem: most contact forms don’t let you do this out of the box.

    Yeah, think on that for a moment.

    Here are the top four contact form plugins:

    I use Jetpack, and while I may be annoyed I’m also a developer. So I did made an answer.

    The Caution

    This will not block everyone. If your harasser changes emails a lot, you’re out of luck. And this is the ‘excuse’ I see a lot of the time. Why bother if they’re going to change emails? The answer is obvious. If I can inconvenience them enough, and make it clear I don’t care, they’ll go away.

    Also if you do this right, they never know they’ve been blacklisted, so they think they’re getting to you and you’re sipping a damn mai tai.

    The Solution

    In March 2014, I opened a ticket asking for a way to blacklist people. They have made zero forward momentum on this in the 4.5 years since. So this little red hen is doing it herself.

    By using the built in filter for spam (which Akismet uses), this code checks if someone’s on the comment blacklist by IP or email, and if so, flags the message as spam. You don’t get an email. You do still get the message in your spam, which is not a great fix. I’d rather it just get dumped into trash, but there’s no filter I can find for that.

    Still. This works, and it shut the guy up.

    add_filter( 'jetpack_contact_form_is_spam', 'jetpack_spammers', 11, 2 );

function jetpack_spammers( $is_spam, $form ) {
	if ( $is_spam ) {
		return $is_spam;
	}

	if ( wp_blacklist_check( $form['comment_author'], $form['comment_author_email'], $form['comment_author_url'], $form['comment_content'], $form['user_ip'], $form['user_agent'] ) ) {
		return true;
	}

	return false;
}

    But. That only helps what’s on the blacklist. And the blacklist has a couple drawbacks. First of all, while it absolutely does handle multiple words (so I can block ‘milady mika’ if I want), it’s a little more complex if you wanted to block someone using gmail and a plus sign in the email address. So if you want to block example+spammer@gmail.comthen you either have to add that in literally or you get creative. I went creative.

    add_filter( 'jetpack_contact_form_is_spam', 'jetpack_harassment', 11, 2 );

function jetpack_harassment( $is_spam, $form ) {
	// Bail early if already spam
	if ( $is_spam ) {
		return $is_spam;
	}
	$badlist   = array();
	$blacklist = explode( "\n", get_option( 'blacklist_keys' ) );

	// Check the list for valid emails. Add the email _USERNAME_ to the list
	foreach ( $blacklist as $spammer ) {
		if ( is_email( $spammer ) ) {
			$emailparts = explode( '@', $spammer );
			$username   = $emailparts[0];
			$badlist[]  = $username;
		}
	}

	// Check if the comment author name matches an email we've banned
	// You'd think we didn't have to do this but ...
	if ( in_array( $form['comment_author'], $badlist ) ) {
		return true;
	}

	// Check if the email username is one of the bad ones
	// This will allow spammer@example.com AND spammer+foobar@example.com to get caught
	foreach ( $badlist as $bad_person ) {
		if ( preg_match( '/' . $bad_person . '/', $form['comment_author_email'] ) ) {
			return true;
		}
	}

	return false;
}

    My original take was hardcoded in, but this way is more elegant and covers the majority of the ways ‘nice’ people try to get around blocks. Now, if you’ve blocked spammer@example.com and someone submits a form with spammer+avoid@example.com this will catch them. It has a higher chance of catching ‘innocents’ (like innocent@spammer.com) however considering I’m looking for something like rosbeitam@example.com I’m reasonably confident in this for my personal application.

    The Take Away

    If you make a contact form, you damn well better make a way for users to block people from the back end, without having to code it.

    Merry Christmas, ya filthy animals.

  • Not Mailbag: Where Contact Forms Fail

    Not Mailbag: Where Contact Forms Fail

    My friend Andy, reading last Friday’s post, remarked no one should have to put up with crap like that. He’s right, and I mentioned that most contact forms don’t allow you to filter via your WordPress blacklists or comment moderation settings.

    Surprised?

    You should be.

    Back in March 2014, I raised this with Jetpack, saying that the Feedback ignores Blacklists.

    You have a moderation list and a blacklist.

    You have a user you want to block from commenting forever. You add them to the blacklist. Surprise! They can still use the feedback form!

    This should behave just like the blacklist on comments: It blackholes them. Done and gone. After all, you didn’t want them around.

    Logically I can see why it doesn’t use the comment checks. If you have a check to only let users who have an approved comment, leave more comments freely, this would be a problem. There’s no ‘pending’ value for feedback.

    And the first reply … Well it made me mad back then. I say this as someone who is good friends with the fellow who commented, but back in 2014, I wanted to smack the back of his head.

    This would be super easy to get around, just changed the alleged from email address. Besides, blacklist tends to be things that shouldn’t be displayed publicly automatically, allowing contacts would let them appeal the blacklist.

    I could see grounds for adding a filter to have grunion follow the commenting blacklist though. Less sold on an admin option.

    Now go back and read last week’s post. I have not blacklisted the rather vile word used in that comment because I have a friend who is dyslexic and often says ‘cuntry’ instead of ‘country.’ It’s an honest mistake on her part. We added in an autocorrect to her phone and tablet. But blocking short words is hard. Still. The IP address? You bet that hit my blacklist.

    If I still had a comment form, that moron could still harass me.

    As I replied to George:

    Sure, and it’s just as easy to get around the current blacklists in WP. The point is, though, if you’ve put someone’s email on your comment blacklist, the assumption can be made that you have a good reason. You DON’T want this person commenting on your site, so why are you making it easy for them to harass you? And yeah, I used ‘harass’ intentionally.

    Certainly I can and do block their emails on the server, but I still have to go in and clean out the messages in feedback once and a while, and I for one get a lot of pretty vile garbage from people. So having one less place to have to read their BS would be beneficial.

    It’s always been relatively easy to work around if you’re a dedicated troll, but if the blacklist just blackholed their contact messages, it does a lot for your mental health.

    Because he’s right that a dedicated asshole will work around the blacklists. They do it today. Still, I feel there’s no reason to make it easier for them. And while I can block from a server level, not everyone has my skills. And for those people, should we not introduce Akismet level scans on feedback forms?

    You see, the reason I was mad at George back then is his argument felt like he was saying “since it can be worked around, this is a bad idea.”

    That is absolutely not what he meant.

    Even if I didn’t know George well, I have simple proof he didn’t think this was a stupid idea, he thought it was an idea that begat caution. What proof? He didn’t close the issue. In fact, he gave it a milestone to review.

    Now, sadly, it’s been two years with no traction. Every so often someone bumps the milestone, which means it’s among the 600+ tickets that need attention. But it lingers. It’s not a priority.

    Jetpack and Akismet are both owned by the same company. If you have the Akismet plugin installed and activated, and have an active subscription, every form submission will be checked for spam.

    They need to take it to the next level. So do all forms plugins. From what I can tell, Ninja Forms has a field simple spam prevention but no blacklists. Gravity Forms has an old, not-updated, 3rd party plugin for a Gravity Forms Email Blacklist.

    In fact … the only contact form plugin I could find that actually uses WordPress’ built in blacklist would be Takayuki-san’s Contact Form 7.

    Let us protect ourselves from abuse.