An Open Letter to Social Autopsy

I’m not usually a fan of open letters, but given the history of their founder with exposing private conversations, why not? I’ve been trying to write this post for 3 days, but every attempt has resulted in way more snark than I’m comfortable with because I’m really that angry about everything that’s happened so far. Fuck it. This post is not at all a complete and exhaustive list of everything that is wrong. It’s just the bullshit that is pissing me off the most.

To the founder of Social Autopsy, Candace Owens (or is it Candace Amber? Your company lists you with two different names. Pick one.):

Hi, welcome to the fight against online harassment. There’s a lot of us working together on this problem, but it’s small enough that we all know each other, and we talk a lot. It’s a pretty diverse group of people. We all recognize that we’ve got different strengths, so we tend to focus on educating others on our specialities while listening and learning from the rest of the group.

I’m Randi Lee Harper. I focus on the technical aspects of online harassment. I provide tech companies with advice on social component design, create tools to help people being harassed, research community and communication patterns on social media, and speak a lot to the tech industry in an attempt to shift their priorities onto this very serious and growing problem. I’ve been doing this for a while. Prior to this, I was an engineer for 15 years. My primary focus was systems, but I’ve had a pretty broad career and have filled most tech roles at some point, so I can speak to many aspects of the tech industry. I left my career to focus on online harassment after a domestic violence incident targeting my friend Zoe Quinn (yes, the woman you spoke to on the phone) escalated into the most publicly discussed online harassment campaign to date. I spoke out about this harassment, and in return, I was targeted as well. I wrote some code that blocked most of those people on Twitter, and in return, someone tried to kill me in an attempted SWATing. I’ve had to go into hiding. My own mother doesn’t know my home address. I know a little about what it’s like to be harassed online and how that harassment can escalate.

I’m telling you my credentials so you can understand where I’m coming from when I tell you, unequivocally, you are a goddamn trainwreck.

You seem to think that online harassment is just mean words on the internet. This is not the case. Online harassment is far more nuanced and escalation takes many forms including but not limited to:

  • dogpiling: when a large group of people flood one person with enough messages that sorting through the mess is nearly impossible.
  • violent threats, often sexual in nature when the target is a woman
  • doxing: this includes posting someone’s home address, phone number, or other personal information that is not intentionally publicly available such as employer. De-anonymization is also a form of doxing.
  • SWATing: when a false threat is called into the police with the home address of the target in an attempt to get a SWAT team to descend. People and dogs have died because of SWAT. This is attempted murder by cop.
  • mail fraud: once someone has been doxed, it’s not uncommon for them to be signed up for a large number of subscription services. In many cases, people have been mailed dangerous or toxic items in an attempt to harm or intimidate.
  • career threats: employers, conferences, and anyone that publicly associates with the target will be emailed with the intention of causing ostracization and long-term financial harm.
  • SEO bombs: creating multiple webpages with defamatory statements that will be at the top of Google’s results when searching for the target’s name
  • social media impersonation: creating accounts with the target’s name and photo. This is often followed by sending messages with that account to associates of the target. These accounts are often protected by the ‘parody’ clause in most ToS.

All of those sound pretty bad, right? Some things we can all agree are awful, like doxing or SWATing. But when we start talking about dogpiling, that’s when labeling someone as being a ‘harasser’ becomes a problem. Yes, the target is being harassed. But a lot of social media platform design makes interactions mostly 1-to-1. It’s not obvious that someone with an unpopular statement is receiving hundreds of similar messages. If blame must be issued, most of it can be piled at the feet of social media companies themselves for creating a platform that makes this problem so common.

Mean words suck. But few people wake up in the morning thinking “I’m going to be an asshole, today!” People are complex, and a few mean words without context doesn’t make them bad people. Most people aren’t good or bad. They have bad days, and they might have politics or beliefs that you don’t like, but that doesn’t mean that they belong on some kind of naughty list created by some kind of naive online harassment Santa Clause.

I’m giving you this free advice after you decided to publicly shit on Zoe after she tried to talk to you about your platform. Going to Twitter to talk about it immediately afterwards on the social autopsy account is shady as hell. I see that you deleted the tweets, so I’ll remind you of the content. You stated that some gamergate woman was being aggressive, that she didn’t understand what you were doing, and that she started crying on the phone because she was so upset. This is gross. Why would you make a private conversation where she was trying to help you public? You then proceeded to state that she was leading GamerGate, and that she’s the cause of all of the harassing messages you’ve received.

That’s right. The person that was the original target of the most publicly known online harassment mob, the woman that made Forbes 30 under 30 list for her fantastic work in creating Crash Override, a resource for victims of online harassment, tried to patiently give you free advice, because we all want to be helpful for new people that are trying to create online harassment solutions. In return, you sent a flurry of tweets with the GamerGate hashtag talking about your conversation, blamed your harassment on her, and told Cathy Young that she was bullying you.

You are a fucking idiot.

So, gloves off. I’m going to tell you now why your idea is shit. I’m doing this as a public service, because I am terrified that more people are going to step up and make the same mistakes as they try to capitalize on an industry without having any clue what the fuck they are doing. It has taken me nearly two years to figure all of this out, so it’s no surprise that anyone blindly wandering in is getting it wrong. You aren’t the first, and I’m sure you won’t be the last.

It’s about ethics in harassment data.

Exposing people’s names in list form is a bad thing when you’re talking about online harassment. This includes targets as well as perpetrators. You’ve stated that no one will be able to browse a list, but given your site design and lack of robots.txt, this list is easily exposed by anyone that does a google search. How are you encrypting this data on the backend? What is your security like? I’m guessing you don’t really have a plan with that given the downtime you’ve had due to no scalability. Those lists are often targeted by blackhat hackers that are looking for easy targets. These are important questions.

Cross-referencing social media profiles is really difficult to do. Not on a technical level, but the ethics of this is something you should really spend some time thinking about. This has the potential to de-anonymize people, so making that information publicly available is effectively doxing them. Much harassment is the product of conflicting political beliefs. How long would it take for a political protester to have their data exposed, which could lead to their government jailing them? Are you ready to take responsibility for that happening?

Screenshots of harassment include sensitive information, such as threats or doxing. What assurances of privacy can you give users? The submission form on your site is anonymous, so you have no assurance that the person submitting the harassment is the person receiving it. If they aren’t, that’s a whole new level of fucked up, because now you’ve got other people exposing this sensitive information.

People are submitting screenshots, and these are very easily faked by bringing up the dev console in any browser. You don’t have a URL submission which frankly isn’t surprising given that you’ve stated you intend for friends to de-anonymize the person doing the harassment. Not all harassment happens in the public sphere, as many statuses are set to private. You’ve stated you plan on verifying this data — how would you do so if it’s private? API tie-ins for common platforms would be a better choice.

You have a responsibility here that you’ve repeatedly tried to shrug off. When you put a product like this out into the world, you have to plan on how it will be abused. You have to think about the worst case scenario and how your product can be used to hurt people. There is nothing to keep someone from creating an account impersonating someone else and submitting that data. There’s no contextual awareness. A very common scenario is for someone to say something abusive, then their target responds by saying something that out of context seems overly aggressive and borderline abusive. This is a normal reaction to being abused. Do you just go all “a pox on both your houses” and put both of them in your database? Do you really think that’s helpful? Your platform is going to be used as a vehicle for abuse.

Our industry is built on trust.

When you’re dealing with sensitive information, it’s very important that people know who you are, where you’re coming from, and that you’re reliable. They need to be able to trust you. At this point, I don’t think anyone trusts you. You’ve contradicted yourself way too many times.

In your video FAQ, you stated that you thought this site — which will become a platform for doxing — is great for children. Not only is it really not a good culture fit with the way teenagers use the internet, but this would also be illegal. COPPA protects children, and you should probably talk to a lawyer. Or maybe you finally looked up what this meant after a bunch of people tweeted it at you, because now you’re stating that this site was never intended for kids. We must have just imagined you going on and on about how it would be great for young kids to use your product to report bullying.

You stated you’ve already got 12,000 profiles. Using Google’s site indexing, you’ve got 114 profiles at most.

You stated that the current site has a fake database with dummy data. Those people are real. I manually verified a few of them by doing a reverse google image search. The complete list has already been doxed on some shitty troll board. You are responsible for this happening. This is your fault.

You said that each submission will be reviewed. Your current platform allows anyone to submit information about another person, and that content is immediately posted with no review. In fact, someone exploited this functionality to upload an image called index.jpg, which due to your shitty coding allowed someone to make your front page antisemitic.

You talked about how you wanted trolling to have repercussions and mentioned listing profiles as well as employers. Given how easy it will be to have random people added to this database, this is so going to be abused. I guess you eventually came to this conclusion, because now you’re saying you won’t accept employer data. That’s weird, because it’s still a part of your submission form.

Zoe, a well known activist and anti-harassment org founder, called you to give you free advice. She knows as well as I do how this platform is going to be exploited, but you chose to ignore her, you told her that she wasn’t supporting you, and then you went to the group that’s been targeting her and violated her confidentiality while talking about how you were being bullied by her. You then proceeded to blame the harassment you were getting from that group on her. What the fuck?!

Look, fluffhead. Someone telling you that your idea is shit isn’t bullying, especially when that someone has been doing this for much longer than you. You were condescending, annoying, and thought you knew better than everyone else. I get that someone said mean things to you in high school, and that sucks. I’m empathetic, really. But just because you’ve been harassed doesn’t mean you know how to create solutions to address the problem. This is like saying that just because you drive a car, you would know how to repair one.

Stop with the women in tech bullshit.

Do you have a technical background at all? Can you please not. Being a woman founder of a tech company isn’t easy. In fact, trying to find funding and being taken seriously as a founder in the boys club that is the tech industry is awful. Your whole “gee, I hope we don’t spend all of our KS funding on makeup, teehee, aren’t we adorable” bullshit has to go. It’s hurting the rest of us — those that are actually engineers. It’s perpetuating a stereotype. It makes you look like a fucking moron. It’s okay to be feminine and technical. It is not OK to be “girl power! just joking about misappropriating funds that I might get for my startup to get my nails done. what’s robots.txt?” Your Kickstarter made you come off like a fucking airhead. Why would anyone want to trust you with sensitive data?

Just stop.

I’ve only listed a few of the problems here. There are so many, and this post is already too long. If you really want help in understanding how to do better, I suggest you send a bunch of apology emails and learn to be humble. Learn to accept the help of people that have been doing this longer, people that have done the research, people that know the concerns. We’re still here, and we’ll still help, but you have done fucked up. We don’t trust you. If you really want to become a force against online harassment, you’re going to have to work on fixing that.

You blamed your Kickstarter getting shut down on trolls. You’re wrong. That was us. As long as you’re willfully harming other people by creating shitty uninformed products while kicking the shit out of anyone that tries to help you, we’re going to keep getting you shut down. You have created more work for me in the past 3 days, but I’d rather invest this time now, because if this bullshit doesn’t get nipped in the bud early, it’s just another fucking platform that I’m going to have to try to help protect people from in the future.