Abuse as DDoS
This post was originally published in Model View Culture's abuse issue on April 28, 2014.
[Content notices: abuse, threats, violence, sexual assault, transphobia, homophobia. Tweets and illustrative examples used with permission.]
Denial-of-service (DoS) attacks are a serious threat for technology organizations. A DoS attack is “a type of network computer attack that attempts to render a particular service (e.g. web site) unavailable to its audience”. When this type of attack comes from multiple sources, it is referred to as a distributed denial-of-service (DDoS) attack.
DDoS attacks are abuse of computer systems until they slow down, stop working, and often eventually fail. Abuse of human beings has a similar impact. People dealing with abuse stop being their best, stop working, and eventually fail. As an industry, we spend a lot of time trying to counteract attacks on our systems, but we often overlook abuses directed at the people who develop and maintain those systems.
DDoS attacks are so difficult to deal with largely because of their distributed nature. Even if the individual attacks aren’t particularly powerful, deal with one and dozens more will sprout up like some terrible mythical creature. Systemic abuse in the tech industry is also like this. Even seemingly minor acts of misconduct become a problem because they don’t happen in isolation.
These tiny acts of misconduct are sometimes referred to as microaggressions. Words and actions forming small abuses that nip at people. A paper cut. A mosquito bite. A frustrating comment or joke. A stereotypical expectation. An ignored idea. An excluding activity. Unpleasant, but manageable when infrequent and isolated. But they’re not infrequent, and they’re not isolated. It’s a swarm of mosquitos, death by a thousand paper cuts.
A tricky part about these abuses is that they’re often not obvious to others. They might see the occasional snipe, but they don’t understand that it’s just one of many. How difficult it is to deal with at scale. Underrepresented groups suffer the brunt of these attacks. Those in the majority are unlikely to be directly impacted, so they often don’t empathize.
The majority of the narratives about systemic abuse in tech center around privileged white women like myself. This ignores and erases the issues that impact people in other demographics. Women and men of color, transgender women and men, people with disabilities, lesbian/gay/bisexual/queer individuals, and others are even more underrepresented and disadvantaged than the white women we often hear about. Additionally, these groups are often treated as silos in isolation despite the fact that many people are dealing with abuses that hit at the intersections of these parts of their lives.
Discussions about abuse of underrepresented groups in tech very frequently focus on privileged white women. Data from the NSF shows us that many other women, racial minorities, and people with disabilities are even less represented in the computing field. Unfortunately, data is not currently available for other underrepresented groups.
Those under attack spend time and resources being distracted, growing thicker skin, trying to fight off the attacks, and, eventually, on recovery. Collecting data. Documenting incidents. Agonizing over the decision to speak up or stay quiet. Doing free emotional labor to try to make things better. Trying to avoid people and places more likely to cause problems. Wasting vacation on “mental health” days for recovery. Time and resources they can’t get back. Energy they could have spent focusing on things they care about. As a result, it’s difficult for them to keep up. They have to spend more time and energy to achieve the same goals as others.
The damage often doesn’t stop at microaggressions. The denial of service attacks just get worse. Compensating people less for the same work. Active discouragement and disparagement. Attempts to hold people back, redirect them elsewhere, or push them out entirely. Ignoring them. Excluding them. Harassing them. Punishment and escalation if they speak up.
In many places, transgender women and men face difficulty even finding and keeping a job because they can be passed over or fired just for who they are. In the United States, only seventeen states and the District of Columbia explicitly prohibit discrimination on the basis of gender identity. Many jobs in the tech industry do background checks that can reveal a name change or a lack thereof as part of the hiring process, outing someone to a potential employer. Lesbian, gay, bisexual, and queer individuals also face risks in finding and keeping jobs. Lack of protections add additional anxiety to already intimidating job searches and can discourage individuals from pointing out harassment or other mistreatment in the workplace.
Even for people whose identities are legally protected, it is difficult to bring up issues of abuse at work. Many small and even mid-size technology companies don’t have trained HR staff. For example, Github did not hire an HR lead until January 2014 when they had at least 150 employees. Even where there is trained HR staff, many people have stories about reporting an incident and being punished or fired relatively soon after.
Some forms of abuse are so insidious they get the target to start attacking themselves and others. Like some horrifying infection that turns your own body against itself and encourages you to spread the disease. These abuses leave people second-guessing and putting down themselves and others like them. It’s a distributed denial of self.
Tell someone they cannot do something enough times, and eventually they may believe it. If enough people say it, maybe it’s true.
Now, imagine that feedback targeted at entire demographics of people.
Stereotype threat is “the experience of anxiety in a situation in which a person has the potential to confirm a negative stereotype about his or her social group”. The scary thing about this threat is that it can decrease someone’s abilities and performance even if they don’t believe the stereotype.
A form of self-preservation when dealing with these sorts of attacks is to present oneself as an exception to the rule. That they are special and different. Willing to do their best to fit in and make nice, even if it means ignoring or joining in abusive behavior. Those other people are “just looking for things to get angry about”. Believing they are special and different can help boost their self-esteem, and putting down others like them can help magnify just how different they are. Unfortunately, this sort of behavior comes at the cost of others.
Some people who have been fortunate enough to avoid these abuses entirely have difficulty empathizing with those who have been impacted. They can be dismissive of others, convincing people that the abuses aren’t real. “This other person from the same group hasn’t experienced this. It can’t be that bad.”
Not all abuses are a problem because they are distributed. Some of them are a dangerous threat even in isolation. Exponentially worse when they are many. Death and rape threats, stalking, threatening phone calls, attempts to get you fired, organized attacks by online hate groups, physical violence, and more. These abuses terrorize and destroy not only their immediate targets, but also those around them.
When someone is dealing with these types of attacks, they’re not just distracted. They’re afraid, and with good reason. These attacks often cannot be solved with a change of venue - the attacks follow. Authorities are rarely willing to help. Even if the attacks stop, the damage is often long lasting and can take months or years to repair. Sometimes it isn’t repairable.
A recent example at the forefront of many people’s minds is SendGrid’s firing of Adria Richards following a DDoS attack, harassment, and a pastebin entry calling for her firing and threatening customers and investors. All because she identified people telling inappropriate jokes at a conference. The text of the pastebin entry was hard to read as anything but blackmail. SendGrid withdrew their support for Adria and gave in to the demands within hours of the pastebin by doing something most HR staff would advise against, public firing. Giving in to blackmail so quickly and so publicly set a dangerous precedent that directly impacted Adria and had a chilling effect on others in the industry. Is this the risk someone takes in pointing out inappropriate behavior? What will their employer do if they are blackmailed? Are they one DDoS attack away from being fired? It makes it scary to work for companies that are less able to withstand DDoS attacks. It makes it scary to be visible - even little things like letting people know what projects you’re working on. Tech companies like Meetup and SurveyGizmo that have been recent targets of DDoS attacks associated with financial blackmail recognize the danger in giving in to demands. It’s not immediately clear if these companies have different priorities overall, or if money matters more than people in this industry.
Sometimes it’s threats of violence. If the target is a woman, those threats frequently include sexual assault. The threats often start via email and social networking. They are often accompanied by photoshopped images depicting the violence. Sometimes threats include doxing - publishing someone’s private information online. Things like their social security number, address, or phone number. Once that happens, threats move into places like phone calls, letters sent to their home or work, and more. They often escalate to include pets, friends, family, and and others the person cares about. Things that are difficult or impossible to ignore.
A prominent example that is both years old and ongoing is Kathy Sierra, a programmer once well-known for things like being the author of programming books, her popular blog, and public speaking. Since March 2007, she is unfortunately also known for being the target of threats and abuse. She received violent threats, including death and rape threats, in large numbers. False allegations were propagated about her and her family. She was doxed. Her social security number, address, and other information were posted online, so that the people targeting her knew where she lived and could easily steal her identity. As a result, she had to move to a different city and disappeared from the public parts of the tech community for over five years, only returning recently in 2013. The threats and doxing still continue years later. To make matters worse, one of the people responsible for these attacks is lauded as some sort of folk hero by certain parts of the tech community despite taking part in intentionally harming someone and damaging their livelihood. Kathy’s story often comes up when people talk about fear of abuse in the tech industry. The thing many of us think, but are often afraid to voice is that if we get too well known, too visible, we could be the next Kathy Sierra. The possibility of these sorts of threats becomes a sword of Damocles hanging over our heads. Someone could cut the thread at any moment.
Sometimes it’s physical and verbal intimidation and harassment. Sometimes it escalates to violence. Sometimes that violence is sexual assault. The number of people I know personally in the tech industry who have been sexually assaulted by other members of the tech industry are in the double digits. The few who went public with what happened have been punished for it. Held up as a warning to others that no public disclosure of being harmed will go unpunished. Doubly so if the person that harmed them was well known and well liked in the community.
There aren’t industry-specific statistics about sexual assault, so we don’t know if it’s better or worse than overall rates. What we do know is that it happens enough to do harm. That it happens enough to worry those at risk and trigger those suffering from PTSD from prior assaults. Those worries are exacerbated by the skew in gender demographics. Add in the frat-like culture in certain parts of the industry. Add in the hostility to banning known predators.
Part of the DDoS attack is making people afraid to participate in certain parts of the industry because sometimes it puts them at an increased risk of being sexually assaulted. That sometimes if this happens, few people will care. The “sometimes” is part of the attack.
These abuses don’t just harm their immediate targets. It’s terrifying to see people like you being targeted. That maybe you could be next. That you can’t predict how bad it will get. People become afraid of doing the things others take for granted. Applying for a job. Speaking at a conference. Writing a blog post. Submitting a pull request. Attending a user group.
Leaving the house.
The area of effect doesn’t just hurt individuals. It impacts the communities and the industry as a whole. The difficulty in hiring certain people in certain parts of the industry because pattern-matching suggests that it’s not safe for them. The knowledge and contributions that are lost when those people are too afraid to speak or write or share.
As the strength and number of attacks get greater, people’s worlds get smaller and smaller. Less energy. Less resources. Less options. The knowledge that no matter how good they get at their work, how well known they are for their skills, how much they help others, the place they have built for themselves in the tech community can be dismantled by small people working together in great numbers.
These aggressions occur at a global scale across the whole industry. Leaving one toxic workplace does not guarantee that it will stop. Often after a sustained period of abuse, people don’t just stop being their best. They burn out. They fail. Skin can only be so thick. People can only sustain so much for so long. Recovery only so possible. The stress outweighs the value. They leave and often that’s it. They never come back.
I know more than a few people saving up money not for a car or a house or an exciting vacation, but for the day they leave. Hoping that if they save enough money, they’ll be able to leave when they need to and still pay their bills. In some sense, these people are the lucky ones. They will have the ability to leave and take care of themselves for some time.
Others are not so lucky. For them, leaving means risking loss of medical care or leaving a country they have a life in because of their visa or being unable to pay their bills or ending up homeless.
The threat model for systemic abuse in the tech industry is worrisome, but not insurmountable.
The first step is education. Understanding that there is a problem and what it looks like. Awareness that all abuses are serious, even the little ones. Realizing that you may only be seeing the tip of the iceberg. That there are unconscious biases that make it difficult for you to see abuses you don’t personally experience. One of the best ways to learn and understand is to listen when people are willing to tell you their stories.
One part of prevention is refusing to participate in the distributed attacks. An important step further is asking others to stop. Going along with peer pressure is easy. Making rude comments is easy. Giving in to stereotypes is easy. Standing by while others do these things is easy. Put in the work to hold yourself and your peers to a higher standard.
Just like with computer security, you should have plans in place to identify and address attacks. At conferences, user groups, and other events, this can take the form of a code of conduct along with a policy for enforcement. In workplaces, this often takes the form of an employee handbook. These types of policies help mitigate attacks when they happen, so that decisions don’t have to be made on the fly when something goes wrong. These policies are far from perfect fixes for everything, but they’re better than doing nothing.
We can’t just leave it to those being targeted. They’re already at a disadvantage because of the attacks. They need help. Step up.
A common saying is that “security is everyone’s responsibility.” Dealing with systemic abuse in the tech industry is also everyone’s responsibility.