 All right, let's get started. Welcome, everyone. My name is Joanna Lee. I'm an attorney, mediator, and consultant. And I work with open source foundations and projects and communities. And one of the many things I do to help support projects and communities is help develop code of conduct processes and assist with code of conduct incident response. So some of the things we'll talk about today, we'll talk about the role of code of conduct responders and why this work is so important. How codes of conduct have been evolving and how they continue to evolve. We'll also talk about some of the risks associated with code of conduct incident response, in particular legal risks. So some of you may be aware that there is a pending lawsuit against the organizers of DEF CON arising from a code of conduct incident. So we'll talk about that a bit today as well. We'll also talk about fairness and best practices throughout the code of conduct incident response process. We'll talk about restorative justice and transformative justice frameworks and how those can apply in code of conduct incident response, the role of mediation in code of conduct response, and some tips for managing communications throughout the process. How many people in this room are code of conduct responders? Great. How many of you are thinking about volunteering to help with code of conduct response? Awesome. For those of you who are thinking about this work or who have done this work or are doing this work, thank you so much. This is really, really hard work. And it's also very important. So it's emotionally taxing. With any incident, however you resolve it, you almost certainly can't make everybody happy. It can be stressful, it's time consuming. You're often dealing with stressful situations and conflict and sometimes emotionally distraught people. So it's very important work. Part of the role of code of conduct responders is to help safeguard the health and safety of communities and ensure that they are welcoming safe spaces for everybody. Incident response can impact both the reality and perception of whether a community is a safe space. And the decisions that you make as incident responders can also impact people's careers. The decision, the ability to ban somebody from an event or from a community, either in temporary or long-term basis, should not be taken lightly. So code of conduct incident responders can't make everybody happy. This is an inherently controversial line of volunteer work. Whatever decision you make about how to resolve an incident, there's almost always going to be somebody who's very unhappy with the result. And some violations can be very public in nature and very divisive within a community. And any failure to follow best practice and implement due process will be scrutinized and criticized by the community and can increase both legal and community health risks. So actual fairness is really essential and the optics really matter as well. Let's talk about how codes of conduct have evolved and continue to evolve. So roughly 10 years ago, codes of conduct were a relatively novel concept in open source. It could be an uphill battle just to get a community to adopt a code of conduct. And the reason here is codes of conduct have become quite pervasive. Most communities and projects have codes of conduct. It's becoming increasingly recognized that just having a code of conduct isn't enough. How you enforce it, who enforces it, how you go about resolving incidents, how clear your documentation is, transparency, all of these factors matter as well. Most communities, well, many communities with mature government instructors tend to have a code of conduct committee that oversees incident response, along with published documentation that details the procedures from beginning receiving a report to the end when it's resolved and the results are communicated to the accused person and to those reported. And code of conduct incident resolution is continuing to evolve and it will continue to evolve in response to social, political, and philosophical movements such as theories of justice, transformative justice, and restorative justice. Also, it will continue and is evolving in response to developments in social science and psychology, including thinking and best practices and trauma-informed care. There are risks associated with code of conduct incident resolution, including legal risks and lawsuits, also community health risks. If a code of conduct incident is not handled in a way that is seen to be fair and transparent, it can become very heated and politically divisive within a community. In a community, you can lose confidence in leadership or the governance processes and the code of conduct may just be perceived as something that's not that meaningful or even something that's used as a weapon. So, particularly because there is a pending code of conduct lawsuit that some of you may have heard about, we'll talk a little bit more about that, the DEF CON lawsuit. I'm going to focus a little bit more on legal risks today than I have historically when I've given the same presentation. So for minor types of code of conduct violations such as just rudeness, the legal risks are typically very, very low. But when we're dealing with more severe types of violations such as physical assault or sexual harassment or identity-based discrimination, the risk to the community, the hosting foundation, code of conduct responders, and the risk of legal liability and lawsuits increases. So lawsuits can be brought by the accused person for defamation, libel and slander, also tortuous interference for contractual or economic relations, if the results of the code of conduct investigation somehow damage their relationships with customers, vendors, others in their economic sphere. Also intentional infliction of emotional distress. Lawsuits can also be brought by a party who was injured as a result of the incident. And if an employee or multiple employees of the hosting foundation are victims of harassment, a code of conduct incident can also create risks of hostile work environment claims and other employment related claims. So these are some of the factors that increase legal risk. So if somebody suffered physical harm, the person accused of a violation as a community leader or an employee or contractor of the hosting foundation, if the remedy could meaningfully impact somebody's career, also if there are public statements made about an individual that could harm their reputation. So there is a, some of you may have, may already be aware that there is a pending lawsuit against the organizers of DEF CON, which is an annual hacker conference. And there's still so much that's not known about the incident, the underlying incident that was investigated and the lawsuit itself. So I'm not gonna comment on the merits of the lawsuit or the incident or how it was handled, but I do want to talk about the basics of a lawsuit, what is publicly known just as to provide an example of the type of lawsuit that can come up from incident response and how it's handled. So earlier this year, the organizers of DEF CON informed Chris Hadnaghi, who's a DEF CON village host, that he wouldn't be allowed to tend, contribute to or participate in the event moving forward due to alleged violations of the DEF CON's code of conduct. And so that's both the event that took place this year and then future conferences in perpetuity. And additionally, they made a public statement on their website in a transparency report saying that they received multiple code of conduct violations about a DEF CON village leader, and they named the accused person in this public transparency report on their website. And they haven't described the nature of the violation of the code of conduct, but they have said that these are severe enough that it warrants a permanent ban. So in August of this year, Chris Hadnaghi, the accused person in that code of conduct incident, and a company that he is a founder and CEO of, social engineer LLC, filed a lawsuit against both DEF CON, Communications Inc, the organizer of the conference, and its president, Jeff Moss. And the claims brought by Chris Hadnaghi include defamation, intentional and tortuous interference with contractual relations, invasion of privacy in false light, and intentional infliction of emotional distress. So in addition to denying that he violated the code of conduct, Chris Hadnaghi's complaint further alleges that the transparency report, the public transparency report in DEF CON's website, created a firestorm of social media and Twitter commentary that damaged his reputation, that because of the vague statements that were made on the website, many in the community have assumed the very worst about what the nature of the violation was, and have assumed that there must have been some type of sexual harassment or sexual assault leading to the ban. And that the statements damaged his reputation, had an harmful impact on his business dealings, caused some of his customers to terminate their relationship with his company. And furthermore, the complaint alleged that Chris Hadnaghi had requested numerous times information about what the actions were that he allegedly took that resulted in this finding of a code of conduct violation, and that the organizers of DEF CON had never provided that information. And in defense, DEF CON communications has asserted that the public statements made about Chris Hadnaghi's behavior are absolutely true, and that an ex-employee of Chris Hadnaghi's company was the one who came forward and complained about harassment from Chris to that ex-employee that was precipitated by that ex-employee trying to leave the company. And DEF CON communications further alleged that they had talked with at least half a dozen other members of the hacking community who described similar inappropriate behavior. So where the case is now is that the organizers of DEF CON plan to file a motion to dismiss in October, and they're going to be challenging personal jurisdiction as well as a legal sufficiency of Chris Hadnaghi's claims. And if the motion is denied, the parties will proceed with discovery. Something to keep in mind when this proceeds with discovery, so there's generally, when in code of conduct incident response, there's almost always a promise that we make both explicitly and implicitly to reporters in the community of confidentiality because we want to protect community members from retaliation. We want to create a safe environment in which people can report alleged violations. When there's litigation, that is sometimes impossible because during discovery, with rare exceptions where there might be attorney client privilege involved in communications with counsel or if counsel performed, external counsel performed the investigation, some of those investigative materials and reports may be privileged. But in general, in most situations where you have community, volunteer community members performing an investigation, it's very difficult to withhold those investigative documents in the course of a lawsuit. So this is one of those exceptions to confidentiality and code of conduct response. And partly why lawsuits are, they're stressful, they're time consuming, they're expensive, but the other adverse consequence is that it's very hard to protect reporters and victims' confidentiality when there is a lawsuit. So if this lawsuit proceeds and it's not dismissed, there will be discovery and every aspect of the investigation is going to be very, very carefully scrutinized. The plaintiff is going to attack any potential, any issue in due process and fairness, they're going to be scrutinized in credibility of witnesses and reporters, as well as motivations and potential conflicts of interest of the people who were involved in the investigation and the ultimate decision to ban Chris Tadnegie. And again, there's still a lot we don't know about the code of conduct violation itself, the investigation, the lawsuit, it's possible more information will come out later. In, at the member summit, the Linux Foundation member summit in Lake Tahoe in November, I will be doing a much deeper dive into both this lawsuit and a focused presentation on how to avoid litigation and manage legal risks in code of conduct enforcement. Let's talk about fairness and due process throughout code of conduct incident response. So this is what fairness and due process looks like from beginning to end. So everyone needs to have notice of the rules of acceptable behavior. And that's usually expressed in the code of conduct itself. And of course, it's important that the code of conduct be published readily available to everybody who participates in the community. The process for enforcement should be clear and transparent. The investigation and evaluation needs to be thorough. All relevant and available evidence should be considered. And if consequences beyond a warning or in some cases, a temporary suspension or under consideration, in a vast majority of cases, it's really important that the cues be given an opportunity to be heard and present their own evidence. There are some exceptions where that might create a community health or safety risk or an undue risk of retaliation. But in general, giving the accused person opportunity to present their own evidence is a critical component of fairness and due process. It is important the triers of fact be impartial and that conflicts of interest be dealt with appropriately. It's also important that a code of conduct be applied consistently. So you're not gonna treat one person who engaged in a particular type of behavior one way and somebody else who engaged in the same behavior a different way because one of them is more popular or has a different identity. If a violation is found, it's important that the determination be communicated in a way that allows the accused person to understand why their behavior was not acceptable and what the impact was on the community. There are some rare exceptions, but those are exceptions rather than the rule. And any consequences should be appropriate given the severity of the behavior and the impact to the community. So it would be pretty extreme to ban somebody permanently because of one or two rude remarks, but if there's a pattern of consistent behavior or the severity is such that it creates community health and safety issue, perhaps a permanent ban is appropriate. So here are some things that your code of conduct documentation should address if it doesn't already. So obviously what behavior is acceptable and what's not? What's the process for reporting violations? There are still so many communities and projects they come across with codes of conduct, but there's no clear process for who do I report to, how do I report? Who is responsible for responding to and resolving code of conduct incidents? This is, again, an important part of transparency. It's not a safe space for reporting if it's not, it can't be known to the reporter who's gonna receive that report because what if it's somebody on the code of conduct committee that's an accused person or an involved person? Also a policy for dealing with conflicts of interest. So what is a conflict of interest? What's the process for recusal, et cetera. Also, what are your policies related to protecting the anonymity of reporters and victims and targets of the alleged wrongdoing? Your code of conduct documentation should also address whether the code of conduct can be enforced with respect to actions that take place outside of community spaces if those actions are likely to impact community health. I can think of numerous of instances of where there is harassment taking place in social media. It could be on Facebook or Twitter or in a Slack channel. Although a Slack channel, of course, is a community space but there may be other spaces or there could be harassment taking place at an offsite sponsored event that's co-located with a conference or an association of the conference but is not technically a community space. And if it has an impact on community it can be helpful for the code of conduct to clarify that its jurisdiction is broad enough to reach those spaces. If you do have an appeal process make sure that's well documented. And also document your code of conduct committee's ability to delegate or escalate investigation or incident resolution. For example, if everybody in the code of conduct committee has a conflict of interest, this does occasionally arise. How are you going to deal with that? How are you going to pull an alternates or escalate or perhaps hire an outside investigator? Also this is something that I think is very, very rarely documented even in communities with very mature governance structures. How does your code of conduct enforcement team fit within the larger governance structure of your project? What's the scope of its jurisdiction and authority relative to the technical leadership bodies and the governing board, for example? A few tips on navigating conflicts of interest and impartiality. So the following are examples of people who would have conflicts of interest and should not participate in the code of conduct incident response team investigation. Other than as a witness. So obviously the accused person, anyone who is a direct victim or target of the incident, anyone who has a close personal or professional relationship with either a victim or the accused person. I'd also encourage you to consider distinguishing between hard conflicts and soft conflicts. For example, some communities have this idea that anything on this list would be hard conflict and that person could not even participate in discussions about the incident. So they would have to be completely recused from all discussions. And sometimes there are soft conflicts where maybe there's a friendship but it's not a very close friendship. Maybe there's some type of professional relationship but there's not a direct supervisory relationship. They work in completely different divisions of the company and rarely interact. And those people it can be helpful to have them in the room to talk about the incident but they shouldn't be allowed to vote because even the perception of bias in voting could contain perceptions of whether this is truly a fair decision-making process. It's important to have options for escalation and delegation. As I mentioned before, in some cases, there are no members of the code of conduct committee who don't have conflicts of interest. And then in some situations, there's such heightened legal risk that it may be really important to involve foundation staff or an external professional investigator or mediator in incident resolution. We talked about the DEF CON lawsuit and the fact that there are going to be a lot of investigative materials. They proceed with discovery that are going to be discoverable. Part, one of the many advantages of having an external law firm or investigator perform an investigation is that there will be attorney-client privilege that covers many of the communications between the responders and that investigative firm or council. And also, if it is a high-risk incident that could result in litigation, having legal counsel involved every step of the way is really, really important because they can always be looking at a lens, from a lens of, okay, if we go about it this way, how is that going to look if there's a lawsuit? And having that advice is something that's I think really, really critical when the legal risks are higher. We talked a little bit about consistency earlier. So treat similar violations similarly. And whenever you are making a decision about what consequence to apply when a violation is found, keep in mind that you're setting precedent. You are setting precedent for how future behavior of a similar nature is going to be treated. It's important to balance transparency and privacy. Now, in open source, there's so much, we value transparency and openness so much. But here, there are other interests as well. It's in order to create a safe space for reporting, it's so important that victims and reporters and witnesses, identities and anonymity is protected. If it's not, community members may be unwilling to submit reports. So it's helpful to design an anonymous reporting mechanism as an option for people who are uncomfortable, who are uncomfortable having their identity known to the entire Code of Conduct Committee. And the report investigation notes and all deliberations of the Code of Conduct Committee also need to be kept confidential. We'll talk about communications later. In some situations, your Code of Conduct Committee might decide to make a public announcement at the conclusion of an investigation, but if that's the case, that needs to be a group decision-making process, not something that committee members decide on unilaterally while an investigation is suspending. So this is sort of a map of the Code of Conduct Process. First, you receive a report, or you learn that there is a potential incident, then there's an investigation. Sometimes there's a mediation that helps resolve the dispute. If it's more of the nature of an interpersonal conflict and we'll talk more about that later, evaluating and terminating what the consequences or remedies are, if a violation was found and then communicating the results to the reporters and to the accused person and in some cases to the broader community. When performing the investigation, it will sometimes be necessary to interview the accused person and the victim or target and all known witnesses. Again, part of fairness is considering all available evidence. So, and that means interviewing all people who might have important information who are willing to be interviewed. In some cases, there will be people who are unwilling to speak with the Code of Conduct Committee, but if they are willing and they might have relevant information, it's important to give them an opportunity to be heard. Care should be taken in deciding who's going to perform the interviews and whether to have one person or multiple people conduct the interviews where there is a higher risk of the accused person being rude or abusive, consider having more than one person present so that there's an additional person both for support and as a witness and also be thoughtful about how to frame the request for a meeting and how much information to volunteer in advance because in some cases, notifying an accused person that they're under investigation can create a risk of either retaliation or tampering with evidence or destruction of evidence and tampering with other witnesses. Make sure to take careful notes and keep documents. And of course, ask all involved parties for any supporting documentation or evidence that they have for you to review. When conducting an interview, find a safe, quiet space. If the incident just occurred and you're speaking with somebody who's in emotional distress, it's important to be kind and empathetic but also keep things focused. It's really important not to engage in any questioning that could make somebody feel like there is a victim blaming going on. Remind the person that, let the person know that they can take breaks, they can end the conversation at any time and that they can care for their own needs. When an investigation is pending, don't communicate conclusive determinations. It can be tempting to in the moment when you're empathizing with somebody who's telling you about something that was very upsetting to them. It can be very tempting to say, oh, what happened to you was terrible. That's clearly a code of conduct violation. We need to ban this person. You can empathize and show compassion for somebody's experience without agreeing with the final outcome because that needs to go through a process before any decisions can be made. Once an investigation is concluded, the Code of Conduct Committee will generally meet and evaluate all the evidence and discuss and determine whether a violation occurred. And during that process, it's important to refer to the text of the code of conduct to determine what provisions of the code of conduct may have been violated. There are situations where a binary outcome of violation or no violation is not necessarily essential. And sometimes it's very subjective. Sometimes there is behavior that's really kind of borderline in that it's impacted a lot of people negatively but it's not such a clear case of whether or not this violated the code of conduct. So in those situations, it may still be helpful whether there is a finding of violation or not to have a conversation with the accused person and help them understand what the impact of their behavior was on others in the community. On deciding what the consequences and remedies should be, this is both my personal view and I think the view of held by many, many community, many open source community folks, which is that the goal of Code of Conduct Enforcement is not to punish anybody. It really is to safeguard the health and safety of the community. And so in a couple of slides later, we will talk about retributive versus transformative and restorative justice and what that means. So when a violation has occurred, consider the following factors when deciding upon what the consequences should be. So severity of the behavior itself, the risks and impact, the community of the behavior, as well as the remedies that are under consideration. Also, whether the violators are willing and able to learn from their mistakes. I do think that if somebody shows genuine remorse and willingness to take responsibility for their actions, lighter consequences, perhaps a warning is sufficient. Whereas if somebody really digs their heels in and is unwilling to accept responsibility, in that case, more meaningful consequences to help them reflect maybe warranted. Also, consider whether the problematic behavior is a single isolated incident or if it's a recurring pattern of behavior. In general, any permanent remedies should only be imposed after the investigation and valuation is completed. But in some cases, if the alleged violation poses such an imminent significant threat to a community, it might be necessary to impose interim protective measures immediately. So for example, I recently assisted with a Code of Conduct investigation where there was a real possible threat to community health and safety and the decision was made to immediately impose a temporary ban on this person from participating in the community until the investigation was concluded at which time it would be decided whether or not to lift that ban or make it permanent. So there's a lot of talk in Code of Conduct communities about restorative and transformative justice. And I find this one of the most exciting innovative areas of Code of Conduct enforcement. So here are a few common theories of justice. There are more theories than this, but these are some of the most commonly cited ones today. So retributive justice is focus on punishment. Corrective justice is focused on making the injured party whole. Restorative justice is about restitution and healing harm with input from victims and offenders. And transformative justice is focused on restitution of larger societal injustices and systemic problems and equities. Restorative justice is a theory and framework that was developed in the 1970s. And in a traditional restorative justice process, the victim and the accused have a meeting and they talk about what happened. And the thinking behind why that's restorative is, it gives the accused person an opportunity to show remorse, to fully understand and internalize and appreciate the impact that their behavior had on the victim. And it also gives a victim an opportunity to speak their truth, to witness the accused person giving an apology. So the idea is that it facilitates learning and healing between the victim and accused person. But for that conversation to take place in a traditional restorative justice framework, the accused person has to take full responsibility for their actions and the impact. And in an ideal world that would always happen, but that doesn't always happen. And I would say it rarely does. It's challenging to apply this in code of conduct resolution because of that prerequisite. I mean, sometimes it will happen. But also any conversation that takes place has to be voluntary. You cannot force people to speak to each other. And particularly for somebody who's a victim more been harmed, that could be re-traumatizing to them. Not all of them want to speak to the person that they see as a wrongdoer. Transformative justice is a framework that evolved in the 90s in response to what were received as, thank you, the perceived failings and limitations of restorative justice. And transformative justice goes beyond just the accused person and the victim. And it asks, what are the more systemic societal and community issues that may have resulted in the problematic behavior? And how do we cure that? So I'll give an example for a crime of theft in a transformative justice framework. We would be asking, are there social inequities that contributed to that theft? Were there a lack of opportunities for gainful employment? Were there other situations, duress, influence from family members or peers? What were all the contributing factors? In a community, questions that you might ask are, are there ways in which this community is maybe implicitly encouraging or rewarding this bad behavior? Are project leaders modeling bad behavior? Are we failing to educate community members about acceptable norms of how we treat each other? So even though the traditional restorative justice framework that involves a conversation between accused and victim doesn't always work, I think that the general thinking about how do we create healing? How do we address harms is a helpful question to ask during Code of Conduct Enforcement? And how do we support the wrongdoer and other community members in learning and improving? And then the transformative justice questions that I encourage all Code of Conduct responders to also ask is, how do we create resolution and healing in the broader community? And are there systemic issues in this community that have contributed to this issue? And how do we as a community address those? So the traditional consequences in Code of Conduct Enforcement are generally warning, a ban, whether it's temporary or permanent, sometimes a revocation of a leadership role or certain privileges, again, either on a temporary or permanent basis. More restorative or transformative remedies might be public or private apology, providing the accused person with training, coaching or mentoring to improve their behavior, asking the accused person to engage in some type of community service that helps, that helps in some ways address the harm that's related to their behavior and addressing other systemic issues. We are running out of time. So I'm giving a talk tomorrow about mediation, particularly transformative mediation, which is a newer approach to mediation as a tool for resolving incidents. So I'm not going to do a deep dive into that right now. At the end of an investigation, it's standard to notify both the accused and the reporters of the results of the investigation and for the accused, letting them know what the behavior is that was at issue, why the behavior violated the Code of Conduct, how it impacts others in the community, what the remedies are and what the appeal rights are if any. A few notes on managing communications. One is that any message you send to an accused person or a reporter, you could be made public. If they're unhappy for any reason, they could post it publicly. So just keep in mind that those are not private communications and if there are going to be any public statements, it's important to go through an approval process for that. And if there's a risk of litigation or legal liability, have those run by a legal counsel first. After an investigation, consider the extent to which you want to make a public statement. Many Code of Conduct committees have transparency reports. Most of those do not publicly identify or name the accused person or the victims or witnesses. They're just general generic. Some of them are just statistical statistics about, we received X number of reports this year and found a Y number of violations. Some actually include summaries of the nature of the reported violation and whether a violation was actually found as well as a brief description of the consequences. Are there any questions? We only have a couple minutes. Yes. You have a project, it went to the default Code of Conduct that so many young projects reach for. It goes into a non-profit that might have its own Code of Conduct and a violation happens at a conference run by the non-profit. How do you layer those? Okay, good question. So Steven's question is about layered Code of Conduct incidents where there might be a violation at a conference and it might be related to something that happened in an online community space. And it might be a violation of both the project level and the foundation level. And how do you deal with that? Yeah. So that's challenging, of course. I can say within the LF, we're in the process of developing really clear documentation around jurisdiction and escalation. So what incidents are resolved at the project level, what incidents are resolved at Linux Foundation, when there's going to be joint jurisdiction of a foundation, Code of Conduct, Enforcement Team and a project level, Code of Conduct Enforcement Team. So I guess the answer is that it's gonna depend on the community and the project and what the agreements are. And I would say that there are probably many projects who have not even thought through how to deal with that and therefore don't have clear guidelines. We're out of time but I will be in the hallway after this and happy to chat one-on-one with any of you. Thank you.