Category Archives for Incident Response

Code of Conduct Enforcement Warning Signs

Recently, people have been speaking out about the mishandling of a Code of Conduct violation by the Chaos Computer Club conference. A person was violently assaulted. The conference refused to ban the attendee with the history of violence, even after the organizers were presented with hospital records and a police report. The victim was notified that the person who assaulted them would be attending this year’s event. They were notified during the event setup, after they had already spent time and money traveling to the event.

This event does have a Code of Conduct, so the question is, “Why didn’t they enforce it?” I think some of the answers lie in an older version of their Code of Conduct. Cultural change takes time, and events often put on a veneer of polish to silence critics while still not having a plan to enforce a Code of Conduct.

CC BY Michael Coghlan

As someone who runs a business that provides diversity and inclusion consulting and trains people on Code of Conduct enforcement, I read a lot of Code of Conducts. There’s often warning signs that a Code of Conduct is not likely to be enforced. I’ve compiled my list of common warning signs.

Many of the warning signs that a Code of Conduct won’t be enforced apply to the CCC Code of Conduct. In particular, the old CCC Code of Conduct exhibited warning signs #3, #4, #5, #6, #8, #9, #10. The new CCC Code of Conduct attempts to address the issue of hate speech in #9, but still includes the original sentence about freedom of expression, which leads me to assume there are still organizers who disagree about whether hate speech should be allowed. The new Code of Conduct now lists some (but not all!) of the common protected classes (#5). The five other warning signs (#3, #4, #6, #8, #10) still apply to the new CCC Code of Conduct.

Here’s the full list of common warning signs that an event won’t enforce their Code of Conduct:

  1. The email address to send Code of Conduct incident reports to is an info@ or reports@ email address with no indication of who is on the recieving end. Is there an actual person who will answer an emailed report? I’m never sure.
  2. The email address to send Code of Conduct incident reports to is a single person, who is the lead event organizer. This indicates that the event doesn’t have a group of people trained to be incident responders. What happens when a Code of Conduct violation involves the one person who is designated to receive incident reports?
  3. The Code of Conduct text lists no contact information at all. Maybe the organizers are giving attendees the contact information at the event. However, conference attendees ditch paper. They don’t read the program. When an incident happens, they’re likely to be frustrated, angry, distraught, or maybe even in shock. They might be stuck in a bathroom trying to avoid a drunken attendee and physically unable to flag down a staff member. Most people will try to find contact information on the event website. If a simple Google search for “EVENT NAME Code of Conduct” doesn’t come up with the contact information for the event’s incident response team in the first five hits, incidents are less likely to be reported.
  4. The Code of Conduct doesn’t list a range of consequences for violating the rules. This typically indicates that event organizers aren’t prepared to enforce their Code of Conduct. Vague phrases like “violators will not be welcome at the event” may mean an event doesn’t have an incident response plan that includes a tiered level of responses to deal with everything from inappropriate jokes up to interpersonal violence.
  5. The Code of Conduct doesn’t include a list of protected identities. Will the conference organizers understand why a homophobic comment is wrong? I don’t know, because the Code of Conduct doesn’t say organizers are looking out for LGBTQ attendees. Will the conference organizers respond to a sexist comment, or will they try to argue “it was just a joke”? I don’t know, because the conference doesn’t list gender as a protected identity. Will the conference organizers deal with an attendee who refuses to stop using abelist terms? I have no idea. Without a list of protected classes, I can’t assume what the event organizers’ views on systematic discrimination are.
  6. The Code of Conduct assumes a baseline of unbiased “good will”. When a Code of Conduct uses a phrase like “Be excellent to each other” it means the authors assume the worst case scenario they’ll have to deal with is someone being “mean” to another. It means organizers are less likely to believe a victim’s report, especially against a well-known event attendee. It means the organizers are likely to be dismissive of CoC incident reports of verbal abuse, harassment, or comments that perpetuate a system of inequality, such as sexism, racism, homophobia, transphobia, and ableism. It means organizers are unlikely to have a plan for handling serious Code of Conduct violations like on-going harassment or stalking.
  7. The organizers introduce the Code of Conduct in a dismissive way. If they use a phrase like, “We’re all adults here, and I’m sure people understand the Code of Conduct,” then that tells me that the event has never had to deal with a Code of Conduct violation that involves adult crimes like assault, sexual harassment, domestic abuse, or rape.
  8. The Code of Conduct makes philosophical arguments about morality that undermine it. Some people (especially those in the infosec community) try to argue that there is no “one true moral compass” and that people should be free to do whatever they want. In a moral-less society, there are only consequences to actions, and if you’re willing to accept the consequences of your actions, “do as you will,” these folks argue. However, one of the consequences of refusing to “take sides” or asserting that conference attendees are the only ones responsible for their behavior is that people may decide not to attend the event, your community may lose trust in you, and your event might lose sponsors.
  9. The Code of Conduct talks about “freedom of speech” or “freedom of expression”. When I see this phrase, I always replace it with “freedom of expression for the privileged”. For example, say a speaker starts spouting off xenophobia in the middle of a talk, and the only three Muslim attendees choose to leave a conference because they know the organizers will protect the speaker’s “freedom of speech”. In that case, the organizers are silencing the voices from a group who are underrepresented in tech in order to protect the “freedom of expression” of the majority group in tech. This phrase means the organizers will protect the speech and expression of the privileged over the safety of people who face discrimination.
  10. The Code of Conduct doesn’t list the team members who are in charge of enforcement, or the event allows enforcement team members to join on the day of the event. This is a bad privacy practice, because it doesn’t tell victims who their incident report is going to be shared with. Will it be shared with a friend of the person who assaulted the victim? Unknown. When I don’t see an enforcement team list, I have to assume the enforcement team isn’t trained on how to handle Code of Conduct incident reports.

Training a team of Code of Conduct incident responders is a commitment to the safety of your event attendees. It’s a commitment that your Code of Conduct will be enforced, and is more than just words on a page. Otter Tech can help you train your event staff with a Code of Conduct incident response workshop. Please send us an email if you’re interested in Code of Conduct enforcement training.

Sage Sharp is the founder of Otter Tech, and is an expert on Code of Conduct creation and enforcement. They have over 10 years experience with open source communities, ranging from being the Linux kernel USB 3.0 driver maintainer to being an organizer for Outreachy, which connects people from groups under-represented in tech to paid internships working with open source.