[personal profile] mjg59
Free software communities don't exist in a vacuum. They're made up of people who are also members of other communities, people who have other interests and engage in other activities. Sometimes these people engage in behaviour outside the community that may be perceived as negatively impacting communities that they're a part of, but most communities have no guidelines for determining whether behaviour outside the community should have any consequences within the community. This post isn't an attempt to provide those guidelines, but aims to provide some things that community leaders should think about when the issue is raised.

Some things to consider

Did the behaviour violate the law?

This seems like an obvious bar, but it turns out to be a pretty bad one. For a start, many things that are common accepted behaviour in various communities may be illegal (eg, reverse engineering work may contravene a strict reading of US copyright law), and taking this to an extreme would result in expelling anyone who's ever broken a speed limit. On the flipside, refusing to act unless someone broke the law is also a bad threshold - much behaviour that communities consider unacceptable may be entirely legal.

There's also the problem of determining whether a law was actually broken. The criminal justice system is (correctly) biased to an extent in favour of the defendant - removing someone's rights in society should require meeting a high burden of proof. However, this is not the threshold that most communities hold themselves to in determining whether to continue permitting an individual to associate with them. An incident that does not result in a finding of criminal guilt (either through an explicit finding or a failure to prosecute the case in the first place) should not be ignored by communities for that reason.

Did the behaviour violate your community norms?

There's plenty of behaviour that may be acceptable within other segments of society but unacceptable within your community (eg, lobbying for the use of proprietary software is considered entirely reasonable in most places, but rather less so at an FSF event). If someone can be trusted to segregate their behaviour appropriately then this may not be a problem, but that's probably not sufficient in all cases. For instance, if someone acts entirely reasonably within your community but engages in lengthy anti-semitic screeds on 4chan, it's legitimate to question whether permitting them to continue being part of your community serves your community's best interests.

Did the behaviour violate the norms of the community in which it occurred?

Of course, the converse is also true - there's behaviour that may be acceptable within your community but unacceptable in another community. It's easy to write off someone acting in a way that contravenes the standards of another community but wouldn't violate your expected behavioural standards - after all, if it wouldn't breach your standards, what grounds do you have for taking action?

But you need to consider that if someone consciously contravenes the behavioural standards of a community they've chosen to participate in, they may be willing to do the same in your community. If pushing boundaries is a frequent trait then it may not be too long until you discover that they're also pushing your boundaries.

Why do you care?

A community's code of conduct can be looked at in two ways - as a list of behaviours that will be punished if they occur, or as a list of behaviours that are unlikely to occur within that community. The former is probably the primary consideration when a community adopts a CoC, but the latter is how many people considering joining a community will think about it.

If your community includes individuals that are known to have engaged in behaviour that would violate your community standards, potential members or contributors may not trust that your CoC will function as adequate protection. A community that contains people known to have engaged in sexual harassment in other settings is unlikely to be seen as hugely welcoming, even if they haven't (as far as you know!) done so within your community. The way your members behave outside your community is going to be seen as saying something about your community, and that needs to be taken into account.

A second (and perhaps less obvious) aspect is that membership of some higher profile communities may be seen as lending general legitimacy to someone, and they may play off that to legitimise behaviour or views that would be seen as abhorrent by the community as a whole. If someone's anti-semitic views (for example) are seen as having more relevance because of their membership of your community, it's reasonable to think about whether keeping them in your community serves the best interests of your community.


I've said things like "considered" or "taken into account" a bunch here, and that's for a good reason - I don't know what the thresholds should be for any of these things, and there doesn't seem to be even a rough consensus in the wider community. We've seen cases in which communities have acted based on behaviour outside their community (eg, Debian removing Jacob Appelbaum after it was revealed that he'd sexually assaulted multiple people), but there's been no real effort to build a meaningful decision making framework around that.

As a result, communities struggle to make consistent decisions. It's unreasonable to expect individual communities to solve these problems on their own, but that doesn't mean we can ignore them. It's time to start coming up with a real set of best practices.
From: (Anonymous)

You are of course correct that doctors, lawyers, and other protected professions have to submit themselves to (somewhat) extralegal mechanisms.

Which brings me back to the earlier question you seemingly keep avoiding: how do you define "community" and "membership"? Is a community a) something which is as organized as Debian; or b) any group, and they cannot be left loose. Or is it "something in-between," which you will undoubtedly define?

When I picked up Debian as an extreme example of a "community," and mentioned the high costs (and low participation) it engenders, I did not foresee that your next move would be to pick something even more extreme.

The bar, AMA, etc. are professional associations. They exist, and are tolerated by the legislature, 1/ for historical reasons (if not intense lobbying), and 2/ because they are very careful not to do anything which may be considered amateurish. They operate at great expense (membership fees are all but trivial), within well-defined frameworks which are supervised by the rest of society, and with rules which change at a glacial pace.

Moreover, the first things one learns when first considering such a domain of activity is that: the occupation is protected; the state delegates some of its monopoly to a single association (usually); the association is handled and supervised by responsible professionals which are deeply invested; a member can be hurt by the association, and its judgment may be, in effect, final; the rules won't change randomly or quickly; being invested—professionally and financially—in that association will grant one some special and serious privileges.

I don't suppose what you call a "community" is a group of people which has made the conscious choice of submitting themselves, "for life," to the authority and fees of a professional association, in exchange for a monopoly in the domain and some serious privileges?

(Note that I am *not* saying that ours should *not* become a protected profession with mandatory membership into such an association; that is an entirely different question.)

> Participation in Ubuntu is contingent on adhering to the Ubuntu Code of Conduct.

Ubuntu is the exclusive property of a private company; the rules are written and checked by lawyers, which are themselves financed by private funds. Those lawyers will advise Canonical to rest on firm legal grounds for anything nontrivial. Those are essentially part of Canonical's "Terms of Service."

I don't suppose such a private organization is what you call a "community"?

(Moreover, I am pretty sure that you will find that any "participation" in Ubuntu whose magnitude exceeds occasional drive-by patches delivered by amateurs which could be coerced to sign the CLA is governed by an ad hoc contract undersigned by at least two legal persons.

Canonical may try and negotiate adherence to the CoC as a clause—which they probably do, and which I would undoubtedly do in such a situation—but enforcement of that clause, and "punishment," is backed by "contract law" and the judicial system.)

You have been vocal about Ubuntu's CLA in the past. Participation in Ubuntu is contingent on entering into a legal contract with Canonical; this is not by chance.

Is a "community" something you enter into a legal contract with?


P.-S. — "CoC"s are flourishing right now. I recently heard of two big French companies which include "CoC"s as clauses in the contracts they force on their small suppliers.

While I recognize the positive effects this may have, I don't think that relegating "basic decency" to ad hoc contracts drafted by powerful entities is how you achieve social justice; I see it as a symptom of society breaking up rather than a "win."

I would rather try and advance our "enlightened" society, backed by a democratic state and separated powers, than move towards a medieval landscape where protection and "justice" is assured by the "Lord" of some "community."
From: (Anonymous)
Right. I see that you do not understand what I am trying to convey. And I do not understand where you think you are going as I see your writing evolve from advocating basic decency to encouraging the systematic establishment of a kafkaesque system of "local" justice.

We are discussing a complex matter, with deep ramifications. In fact, I don't know that there is anything which is more complex or delicate. This is why I keep advising caution and restraint; it would not be smart to assume that "just slap a CoC on it" is an adequate answer to deep societal problems. Some (if not all) "cultural revolutions" do not end up having the intended consequences.

Now, it may be that I am confused or wrong, or that my explanatory skills are not adequate. In any case, your own explanatory skills have not been adequate to convince me of the former.

When you write:

> A development community that exists of me and one other individual who contributes patches can be held to the conditions of a code of conduct I've chosen - if I feel that the other contributor has breached that, I'm free to block them from any project-related resources even if doing so causes them professional harm.

you are (explicitly) assuming ownership; the "community" you are talking about is effectively private property, which you indeed have a right to manage it as you wish.

But ownership does not scale. Nobody will object as long as your "community" remains pretty small and unimportant—but as you manage to grow it, and make it "successful"—or, in other terms, impactful—your ownership (and, consequently, authority) is going to be contested.

At some point, society is going to try to turn your private "community" into "commons," or at least into some kind of regimented association. This often entails domain-specific regulation, but can also, potententially, nationalization or outright breakup. You may fight it, succeed for a while, and ultimately negotiate a comfortable position for yourself—but inalienable private property, no matter its impact, only exists in libertarian fantasies.

So. Your post:

> aims to provide some things that community leaders should think about when the issue is raised.

and talks about "acceptable," "punishment," "removing." This is all and well as long as you are talking about your private property, but at the risk of repeating myself, you better expect that "leadership" to be seriously questioned as the "community" in question grows to become increasingly impactful.

And even if a "community" (by your definition, which still isn't clear) doesn't grow much, an orthodoxy growing *across* communities is going to cause any outgroup to consider the linked-by-orthodoxy faction as a whole. This is why you keep hearing nonsense such as "the open-source community," "techies," or even "liberals." Are those "communities"?

What I see growing in society is increasingly defensive and weaponized ideological groups which resist societal reintegration. Consequently, "resistance" is also mounting on both sides. If you see this as a "good thing," or "winning," then you are, in my opinion, seriously deluded. This is a mounting "cold civil war," and its potential outcomes are ghastly.


P.-S. — I will add that while I am reacting to a specific, particularly tactless tweet of yours, it is only the last straw; I have been observing a pattern in your "evolution" which worries me greatly.

It is some kind of "appeal to authority" which does not limit itself to being a rhetorical device—as bad as that is—but then gets transformed implemented into inescapable artifacts by industrious application of technical competence. "Code is law," in other words. And I believe you see "CoC"s as "just some other form of code."

In my opinion, your *methods* in trying to improve social justice, your work on TPMs and other security apparatus, your willingness to be employed by one of the GAFA, when all taken together, tell me that despite unquestionably good original intentions, you seem to be sliding into something pretty ugly and terribly misguided.

You (unfortunately) are not alone in this, and the pace is accelerating. The worst offenders do not have to be named, but I as taken aback, for example, when I saw Tim Bray advocating embedding more inescapable "security" mechanisms at the core of basic devices:


Mark Carrigan calls it "techno-fascism," and while the term is controversial, I would certainly agree that the underlying trend is a terrible threat to free society.

P.-S. (bis) — I will not comment much on your "nope" and other bizarre claims regarding participation in Ubuntu. You know perfectly well that it's a commercial entity, that they defend their private turf, and that they will only let you have an influence if it's on their terms—or happens to coincide with them. You have conveniently omitted to specify whether you considered that to be the kind of "community" your essay addresses.
From: (Anonymous)
So I'm trying to convey how I believe that our society slides into authoritarianism; that any authority ought to be legitimized; that growing "communities" (or orthodoxies) cause pressure for the outgroup, and eventually resistance; that such groups, particularly when they focus on the "protection of their own" rather than collaborating with wider society, are antithetical to freedom, equality, and are medieval in nature; that people will only submit to organizations if they are unconscious, desperate or can enter into a "contract" which they consider equitable. I'm saying that all of those are deep and difficult sociological issues which cannot be "solved" by naive technical means.

You tell me that legal persons (or even fuzzier "communities") ought to be allowed to manage their private property, independently of their size; that legal frameworks are superfluous, seemingly ignoring the purpose of legal frameworks; you mention highly controversial, historical professional associations and tell me that they are, indeed, powerful—seemingly ignoring that they are only tolerated because they work very hard and pay a humongous price to appear somewhat legitimate; that it's okay if some people's livelihoods are destroyed by extralegal means, while rejecting all concerns wrt. scale, proportionality, or temporality.

You tell me that Canonical will let you exercise their mailing lists and IRC server without signing a formal contract, as if that meant "participating in Ubuntu" in any meaningful sense of the phrase. (Nevermind that it is true only for historical technical reasons; that people are pushing for mailing lists and IRC to be considered obsolete; and that the first thing you see on "modern" "forums" is a subscription box with what amounts to "terms of service.")

I do not find this to be a very productive discussion. Worse: it does nothing to reassure me that you are not a (possibly witless) crypto-authoritarian, which is what I was trying to clarify.

I would happily consider corrections to any misrepresentations I may have caused, but have a sinking feeling that you will keep pointing out manifestly irrelevant (if not blatantly wrong) points to avoid specifying which "communities" and "membership" you think "leadership" should unquestionably have authority over, and explaining why you believe that the rest of society will bend to your edicts as you keep making them louder and louder.
From: (Anonymous)
I'm honestly not sure this is worth our time at this point, but let me try once more:

> 1) I am free to choose to refuse to associate with any individual for almost any reason, even if they rely on me professionally. There are no circumstances under which I may be compelled to associate with zombie Hitler, even if zombie Hitler has caused no direct harm to me.

This is true, to the extent that you are not bound by a contract. It is also wholly irrelevant, because we are not discussing whom *you* are choosing to associate with. Quoting myself, what we are discussing is your:

>> writing essays legitimizing extralegal punishment and banishment from groups which are growing (and growing intensely) within society.

which you fully assumed in replies.

You are working hard to weaponize "communities"—or, rather, their "leadership"; furthermore, you are claiming that rescinding the "membership" of people who sometimes have been invested in "communities" for decades, without any clear breach of contract, a clear way of seeing it coming, or a clear way to adapt to new rules without negating beliefs which they did not hold as controversial, is no big deal.

It is a fricking big deal.

(I just came across that Drupal/Garfield affair, following another tweet of yours. I now suppose that this is what prompted your essay, and my!—what a clusterf*ck. Is that the event which you punctuate by "The lesson is that Drupal considered these issues and made an appropriate decision"?)

> 2) Canonical are free to choose to refuse to provide any services to any individual for almost any reason, even if they rely on Canonical professionally. There are no circumstances under which Canonical are obliged to provide service to zombie Hitler, even if zombie Hitler has caused no direct harm to them.

This is true, to the extent that they are not bound by a contract, and that it does not fall under the purview of discrimination or some other law. (Which is not something either of us is qualified, and even less mandated, to decide.)

It is also wholly irrelevant; the only reason Ubuntu was brought into this was my pointing out that the number of people who have to submit themselves to various Debian social contracts is, in effect, negligible; that, consequently, resistance is minimal and thus the case largely unproblematic.

Moreover, Canonical, as a decently-sized corporation, is already weaponized with lawyers, and subject to the legal systems of the jurisdictions in which they operate; it would be silly to believe that they are going to be swayed by your essays—besides perhaps when reusing words such as "community" and "CoC" for propaganda purposes.

Quoting myself,

>> people will only submit to organizations if they are unconscious, desperate or can enter into a "contract" which they consider equitable.

If you invest in the Ubuntu "community" without an equitable contract, you are being played by Canonical. Sure, use their mailing list and IRC server with moderation all you want—seriously, could you have picked a more ridiculous example?—but you also better figure out what your move is going to be when the music stops.

> 3) Zombie Hitler is a deliberately hyperbolic and unrealistic example, and most decisions would not be as easy. Having a clear set of guidelines regarding the circumstances under which a body of people will choose to either no longer associate with an individual or make their association conditional is better than not having a clear set of guidelines.

You could have spared us the Godwin material, but my point is precisely that you are *refusing* to clarify the boundaries within which such "guidelines" (actually, by your own admission, unappealable summary decisions which can easily threaten the livelihood of others) apply. You even brushed off the idea that legal frameworks may be of use. This as "clear" as it is medieval.

Your initial intentions may have been good, but as of today, you are publishing fuzzy essays full of fuzzy words which try to justify the "disciplining" of others for "reasons" which are not even covered by the relevant CoCs (if I correctly understand your position wrt. Drupal); writing righteous-sounding and arrogant "threads" such as this one:


("appropriate"? According to whom?); and seemingly confounding a "fan club" of vigilantes with actual legitimacy. Not only do I find it all pretty unsavory, I seriously doubt that that brand of lynching can spiral down much further without causing serious damage, with serious repercussions, for increasingly large subsets of society.

> It sounds like you're arguing that it's wrong for people to be able to choose who they decline to associate with, which doesn't sound like an argument for liberty.

I certainly am not making an argument for unbridled liberty! Conversely, neither am I arguing that it's wrong or problematic for *individuals*, or small, inconsequential groups, to be able to choose who they decline to associate with.

I have tried to make it clear that my argument was about the relationship between legitimate authority and scale. I even wrote:

>> At some point, society is going to try to turn your private "community" into "commons," or at least into some kind of regimented association. This often entails domain-specific regulation, but also, potententially, nationalization or outright breakup. You may fight it, succeed for a while, and ultimately negotiate a comfortable position for yourself—but inalienable private property, no matter its impact, only exists in libertarian fantasies.

You may order your home. You will, perhaps, be allowed to order your circle of friends. But if you think that your self-proclaimed righteousness enables you to order arbitrary and emergent "communities"; to strike other members with impunity, no matter their history with that "community," you are in for a bad surprise. And I hope that you don't believe that persuading armies of naive vigilantes to act "in your name" instead absolves you from any responsibility.

So. You see? I don't disagree with any of the points above, because they are strawmen. Assuming that those were not erected deliberately, I would encourage you, once more, to avoid "hyperbolic and unrealistic example"s, and to rather focus on the fact that group dynamics are not O(1), that side-effects exist, and that encouraging the "punishment" and "banishment" of strangers outside of a legal context is not a mission society has entrusted you with.

(Not that I care much; I'm unlikely to end up in your path of destruction. I'm just warning you, and preempting any excuses, when you find that things turn even sourer in some of the "communities" which have "benefited" from your consulting.)
From: (Anonymous)
Zombie Hitler does not exist, Matthew. Grow up.
From: (Anonymous)
> Under what circumstances should the community surrounding an open source project be obliged to associate with Jacob Appelbaum?

Well. At least we're making *some* progress…

But: do you mean *before* of *after* you have expanded years of efforts plastering posters picturing him as the devil incarnate all over town?

Because that makes it a tad more difficult to come to a resolution which is acceptable to everybody, doesn't it, Matthew?

In any case, when I suggest that you should stop pretending to be a judge (if not judge and party; I don't know the details!) in some kind of secret court where only "professionals" have access to evidence (cf. your recent tweets), it's not because I want to fill those shoes! We both are incompetent.

Anyway: the "community surrounding an open source project" is not a jurisdiction; it's just a subset of society which has been drawn along some accidental fault lines. Please stop pretending that you are able to discern characteristics which make it so special that it needs its own notion of justice and tribunals—doubly so when the latter are patterned on a Monty Pythonesque vision of the middle ages.

We can rephrase your question:

>> Under what circumstances should *a group of friends* be obliged to associate with Jacob Appelbaum?

The answer is pretty clear: never, why would they be? Now, replace "a group of friends" with "the village." With "the city." With "the world." Or you can go in another dimension: "An employer"? "A customer"?

What is the reach of your posters, Matthew? Are you going to be the "judge" in all these cases? What makes you believe that you are somehow qualified, and that your endless "burn her!" and "MASA!" cries are unquestionably good for society?

Worse, still: your latest post was not about Jacob Applebaum, was it? So am I correct assuming that you (and your secret tribunal) are fighting a new "Zombie Hitler"—to take your idiotic, but revealing, example—and that you have taken it upon yourself to crush it at all costs?


P.-S. — If I understand correctly, Applebaum still hasn't been convicted of anything?! I had mistakenly assumed—partly because of your megaphone—that some things had been proven, and that conviction was on its way… but that doesn't seem to be the case at all!

So not only are your constant character assassination efforts distasteful, they don't rest on anything tangible besides the personal experience of a small group. I'm sorry for those who consider themselves as victims, but please stop misrepresenting the universal recognition of the deeds!

In general, please stop relentlessly mounting kafkaesque, inescapable, intemporal "devices" to lock up the monster-of-the-week, Matthew. You're watching too much TV. You're not "Judge Dredd" + "Ghostbusters," all in one hero. And there is no "Zombie Hitler"—only other humans.
From: (Anonymous)
> for the groups that are at the "it's reasonable to do this" end of the spectrum

According to whom?
From: (Anonymous)
Not at all—that was just the first question.

> So there's a spectrum, and somewhere along that spectrum there's a threshold where we flip from it being reasonable for a group to ostracise somebody based on their behaviour outside that group to the consequences of said ostracism being so severe that it should only be possible based on a meaningful legal process.

as if it were a unidimensional spectrum. It most definitely isn't.

Even if it were, why would "spectrum" imply that there must be a single threshold, where everybody "flips"?

Even if it were, what makes you believe that everybody who hasn't "flipped" yet is going to find an universal "decision making process" agreeable?

(And even if all of these things were true, which they obviously aren't, what makes you believe that that mythical "consistent" view should be focused on "disciplining," rather than minimizing friction and damage?)

P.-S. — Case in point:


Again: "appropriate"… according to whom?
From: (Anonymous)
Yes; there is evidently a core on which we agree. (I am not here for trolling, and appreciate you tolerating my "pushing." Oh—while I'm at it: agreeing does not imply "right.")

I have nothing against you contributing approaches to mediation.

One reason I have not answered this earlier question of yours as is, is because it is a fallacy (not implying intent, but bias):

> Is it better for every group to make entirely ad-hoc decisions, or is it better for there to be some degree of consistency?

No group makes "entirely ad-hoc" decisions. There is always "some degree of consistency," if only because the "leader" (there is often one; sometimes referred to as "dictator"—WTF?) has limited power to make themselves respected in the face of (real or perceived) unfairness.

This is why I kept asking you to define "community," "membership," etc.; we cannot possibly ourselves be consistent if we don't consider the solidity of the pillars of our reasoning—which is particularly negligent if we are discussing any kind of punitive measure.

To circle back to my original point: I am not questioning your motivations, only the method and vocabulary—and pointing out that you may be severely underestimating collateral damage. Some of the words you have been using can easily be interpreted as an attack by those who do not hold your views. In which case: congratulations—you now have two problems!

I hope that I, and perhaps some others, will still be able to enjoy your constructive insights without feeling like we are being drawn to totalitarian talk. And whether you mean those words or not does not matter as much as whether you project them; propaganda works.

Cheers, -D

P.-S. — There is still the largely-but-not-quite unrelated TPM subject: as briefly mentioned, I highly question your seemingly unrestrained enthusiasm and advocacy for the current crop of "solutions."

I do not wish to debate it here and now, but I believe the second- and higher-order effects of these systems is something which merits deep consideration, and hope to one day find an opportunity to express my concerns—preferably not prompted by an outrageous tweet!


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags