Hi, welcome everybody. I'm Joanna Lee. I'm the vice president of strategic initiatives and legal at CNCF and the Linux Foundation, and we're gonna talk about the DEF CON code of conduct litigation and what code of conduct enforcers and community leaders can learn from it, as well as some best practices for managing legal risk when you are enforcing codes of conduct and responding to incidents.

And just a little bit more about my background: before joining the Linux Foundation and CNCF staff, I practiced law for about a decade and a half and also did strategic consulting, and I've always been in the tech industry. I love, love, love open source, open standards, open hardware, all of open collaboration, and I just love living at the intersection of economics and business, technology, and law and policy.

So we'll talk about the pending lawsuit against the organizers of DEF CON, which is an annual hacker conference in the security space, and what we can all learn from it, and we'll go through some best practices and tips for managing legal risk. And by show of hands, how many people in this room are community leaders or moderators or organizers? Excellent, excellent. And how many of you have a role in enforcing codes of conduct? Fantastic. Well, thank you all for the work you do in this space. It's so, so valuable and important, the work of keeping our communities healthy, thriving and safe.

So the vast majority of the code of conduct incidents, where the severity of the behavior is low, you know, for example if it's just, you know, rudeness or, you know, arguments about why a pull request wasn't merged, the legal risks are very, very low. When the legal risk increases is going to depend on the type of violation and its severity as well as what remedy you're considering. So in the event that somebody was physically assaulted or there's sexual harassment, or if you're considering permanently banning somebody from a community or issuing some sort of a public or
semi-public statement that could have an impact on either their personal reputation or their professional life or their business, that's when the legal risk is much greater.

So lawsuits can be brought by a variety of parties for a variety of reasons. Lawsuits can be threatened or brought by the accused person, and typically the defense is, well, I didn't actually violate the code of conduct, or the penalty was too harsh. And the types of legal claims tend to be in the libel, slander, defamation arena, or intentional interference with a contractual or economic relationship, and I'll explain later what that means.

And also a couple of things. One is, this is a very US-centric presentation based primarily on the US legal system. I am a US-licensed lawyer. I'm not licensed to practice in other jurisdictions. I do have some experience with international law, but this is going to be based primarily on US law. Also, I'm going to try as hard as I can to make this understandable to non-lawyers, but just like, you know, engineers when you're speaking with business folks, even in the same company, sometimes you have to do a little translation and there's an acronym they don't get. Please, please, please interrupt me if I'm speaking legalese and there is a term you don't understand.

So lawsuits can also be brought by the party claiming to have been harmed by the incident, and this is usually going to happen if they're harmed and they're blaming the, you know, conference or community organizers or project leaders, if they would allege that, you know, there's a responsibility to protect the community or community members from harm, that the community leaders or organizers knew of this risk and did nothing about it. So if, for example, there are repeated incidents by the same accused person and nothing is done about it, and then harm really results, that could create a situation where a harmed party
would be motivated to, and could have grounds to, bring a lawsuit. Thirdly, if employees of a hosting foundation, or if it's a company that is sponsoring an open source project, employees are the ones who have been harmed, that could also create a situation of workplace employment claims, for example hostile work environment.

So we have a case study in progress. The organizers of DEF CON, which is a security hacker conference, an annual hacker conference, have been sued by an accused person. So just a little bit of background about it. This is an annual conference, and late last year an ex-employee of a company called Social Engineer LLC (Chris Hadnagy is a plaintiff in this case; he's the owner and president of Social Engineer LLC), so one of his ex-employees didn't directly go to the DEF CON organizers but went indirectly through a third party, and essentially we don't know whether it was part of an official complaint or an unofficial complaint. There's actually a lot we don't yet know about this lawsuit, and later on I'll explain a little bit why that is. But the event organizers found out through a third party that there were allegations of abuse, harassing and controlling behavior by this ex-employee, and then the conference organizers claim that they connected with at least half a dozen other community members who had similar complaints about this individual, and for that reason they decided to ban him from the event. We still don't actually know what the type of misconduct is beyond that big statement about harassment and controlling behavior.

So DEF CON conducted its investigation and then notified Chris Hadnagy that he was going to be banned from all future DEF CON events, so permanently banned from this community. And they also, as many communities do, publish a transparency report on their website that summarizes at a high level what code of conduct incidents have been reported and how they're resolved, and
so there's a public statement on their website in the form of a transparency report. This is a screenshot, and I'm going to go ahead and read this because this transparency report is both the motivation and really the subject matter of the lawsuit. Okay, so it says: We received multiple code of conduct violation reports about a DEF CON village leader, Chris Hadnagy of the southeast village. After conversations with the reporting parties and Chris, we are confident the severity of the transgressions merits a ban from DEF CON. We have also taken the rare action to disband the DEF CON group DCG 414. Code of conduct violations by the group's primary point of contact and subsequently mishandling the event left us without confidence in the group's leadership.

So there are a lot of things going on here. There's the incident itself, and then, you know, there is still a lot we don't know, but there are questions about the code of conduct enforcement process in the body.

So in August of this year, Chris Hadnagy, the accused person, and his company Social Engineer filed a lawsuit against both DEF CON Communications, which is the organization that plans these conferences, and its president Jeff Moss, and this is filed in the US District Court for the Eastern District of Pennsylvania. So the essential facts that the complaint alleges are that the code of conduct itself for DEF CON is vague and ambiguous, so the accused wasn't really given notice of what type of behavior it did and didn't prohibit. Also, it alleges that Chris has never been, still to this day has not been, informed about what behavior he engaged in that allegedly violated the code of conduct, despite the fact that he's made multiple requests. He claims that DEF CON Communications has not provided any support or evidence or any explanation whatsoever justifying the ban, and also that it was given to him completely without warning; he didn't know that there was an investigation ongoing, etc. And this does suggest
you know, though the complaint doesn't explicitly allege this, it does very much suggest that he was not interviewed as a witness, that he wasn't given an opportunity to provide his side of the story or present his own evidence. So at least it appears that one can make an argument that this investigation didn't follow all best practices for due process and that it wasn't a completely thorough, balanced investigation.

So how is Chris harmed? He claims that due to these vague and ambiguous statements, that nonetheless were very concerning because they do say the violations were so egregious that it warrants a permanent ban, he's claiming that there was a firestorm of social media commentary on this and that the community has speculated that it must be something really, really, really terrible, like sexual assault or other abhorrent behavior, especially because this is a community that supports eccentricity and weirdness. So if there's something he did that was so terrible it warrants a ban, it must be, you know, people are going to assume the worst. So he's claiming that his personal reputation has been harmed and damaged. He's also claiming damage to his business dealings through Social Engineer. The complaint alleges that at least one of his clients terminated the relationship with Social Engineer and that there are other potential clients that have refused to work with Social Engineer because of this publicly known-about ban from the DEF CON community. And he's also claiming that this resulted in emotional distress, mental anguish, embarrassment and humiliation.

So he's brought several claims or causes of action, and a lot of these are legalese words; they're just different types of claims that a plaintiff can bring in this factual situation, and I will explain what each of these means in a bit more detail in the future slides. Defamation is one of them. Intentional and
tortious interference with contractual relations is another. Invasion of privacy and false light is another, and intentional infliction of emotional distress. So those are the different claims that are being brought.

So what does defamation mean? So, Eastern District of Pennsylvania: every state has slightly different laws on what each of these types of claims mean, so the exact wording of what constitutes defamation in Pennsylvania might be a little bit different than, you know, what constitutes defamation in California. So here, because I want to make this more universally applicable (if you actually read the complaint, in Pennsylvania law it's a little bit different from what I'm going to present), I'm going to present the more general definition of defamation.

So first, there has to be a false statement that purports to be a fact in order for a claim of defamation to succeed. There also has to be either a publication of that or communication to a third person, so it doesn't necessarily have to be something that's, you know, publicly available on a website. It could be, you know, saying something untrue about a company to their customer; that would be an example of a communication that could qualify for this element. There also needs to be some type of fault amounting at least to negligence. So it could be something, you know, intentional, so intentional lying, intentional misstatement would qualify, but it could be less than that. It could be just acting kind of without any real regard to, is this true or false? You know, it could be based on a rumor that you heard, you didn't actually make any effort to verify whether it was true or not, and, you know, if you communicate either to the public or a third person something that turns out to be false, you're acting negligently; that would support a claim for defamation. And then there also needs to be some type of damage to the person, or harm to the
reputation would qualify for this.

Because invasion of privacy and false light is so similar, I'm going to talk about this next and then talk about the defenses to both of them collectively. So invasion of privacy and false light is very similar, but whereas defamation is really about reputational damage, with invasion of privacy and false light the focus can be a little bit more on the embarrassment and humiliation and loss of privacy rather than the more objective standard around reputational harm. So false light is a claim that involves publicity, so some type of public or semi-public statement that places a person in a false light and in a manner that would be highly offensive to a reasonable person, and that's made with knowledge or reckless disregard as to the falsity. So very similar to defamation.

So DEF CON Communications, their defense to these claims is, first of all, you know, it's true that, you know, he did in fact violate the code of conduct. And also the defense says that, well, the ban announcement isn't really susceptible to defamatory meaning. It's clear that this is presenting a subjective view. It doesn't say, you know, Chris did A, B and C and that's the truth, but it just says we conducted an investigation and we found that the behavior was so egregious that, you know, we wanted to ban him. So that's their argument and defense. Also, they point out that the announcement itself does not say anything about abhorrent conduct or sexual misconduct, and they're essentially not responsible for, you know, what people may or may not be gossiping about.

I'm showing a screenshot of the announcement again, just to have context again for appreciating that defense. So it does say we received multiple code of conduct violation reports, you know, that is arguably true, right, about Chris Hadnagy of the southeast
village, and after conversations with the reporting parties and Chris, we are confident the severity of the transgressions merits a ban from DEF CON. So it is phrased as an opinion statement. And, you know, there's still so much we don't know about the case, so I'm just not in a position to really provide an assessment of, you know, which party is right or wrong or who's likely to succeed in this case, but I will just say that I think that this is probably well worded from a defamation perspective. If you read these statements, it's hard to argue that they're objectively false.

But a false light claim is a little bit... there doesn't have to be such overt, explicit falsity to succeed in a false light claim. It could be just, you know, you're suggesting something that is untrue. So for example, if there's a news article talking about, you know, how an organization has engaged in, you know, some terrible behavior, and there's a picture of an employee of that organization in that news article, and that employee actually had nothing to do with the behavior, just the fact that that picture is there suggests that they were involved, and so that person could probably bring a false light claim even though the picture itself isn't actually conveying a false statement, but there is a presentation and suggestion that implies involvement.

So another claim has to do with the economic damage that Chris and Social Engineer, his company, claim to have suffered, and so this is intentional or tortious interference with contractual relations. Again, a big legalese phrase that, you know, essentially means this: that there is a contractual relationship that exists between Chris or his company Social Engineer and another party, in this case his customers, and at least one existing customer who terminated the relationship. Also the defendant, so
the organizers of the conference, would need to have known about this contractual relationship, and at this point it's not known whether they knew or not; and that the defendant intentionally and improperly interfered with that contractual relationship; and that the plaintiff suffered some damage as a result. You know, in this case the damage is that he lost at least one customer relationship. And in DEF CON Communications' response to the complaint, their primary defense was that, you know, maybe some damage had resulted from their actions, but this third element has not been satisfied: there was no intention to harm Chris or his company by interfering with his customer relationships, and there was nothing improper about their actions in publishing a transparency report. So that's essentially the core of their defense on this claim.

And the final claim is intentional infliction of emotional distress, and in order to succeed with this type of claim these elements need to be satisfied. So the defendant needs to have engaged in conduct that is extreme and outrageous, and again, we're talking about DEF CON Communications here, so the conference organizers would have had to engage in conduct that is extreme and outrageous. They would have had to act intentionally or at least recklessly. This would have had to cause emotional distress that is severe, and then under Pennsylvania law also physical injury or harm; there's some case law that says physical injury or harm is required. So DEF CON's defense is that, you know, first of all, Chris Hadnagy and his company have not been physically harmed in any way, but moreover that there is nothing extreme or outrageous in publishing a transparency report. And the bar for what constitutes extreme and outrageous behavior is, you know, it is fairly high. I mean, it really has to be atrocious behavior, and so DEF CON is arguing, well, clearly publishing a transparency report is not
extreme and outrageous, and furthermore that they were trying to protect the community's safety and the community interest, that there's a larger public interest and good that justified this behavior, also undermining the claim that it could have been extreme and outrageous.

So the case is in progress. DEF CON Communications has filed a motion to dismiss, and essentially what that means is they're trying to persuade the judge that this claim is completely meritless: just by reading the complaint, it's meritless, we don't even have to go to trial, we don't even have to go to discovery. So they're seeking dismissal before we proceed to the further stages of the investigation. So if the motion is not denied though, and it will, it will advance. So it's possible that some of these claims will be dismissed, but if there is at least one claim that the judge thinks there should at least be discovery of factual evidence on, the case will proceed, and then we'll proceed to a phase of litigation called discovery. This is where each party and their attorney gets to issue subpoenas, depose witnesses and ask for documentary evidence.

And this is really, really important, and I think perhaps the most compelling reason why we should do our best to avoid litigation with regard to code of conduct enforcement: in discovery, highly personal and sensitive information of reporters and victims and witnesses who participated in the investigation could come to light and become publicly available. And in order to help keep communities safe, we need to create safe spaces for reporting, and in litigation, unfortunately, only under unusual circumstances, very unusual circumstances, can parties get the record sealed so that the information is not made publicly available. Also, witnesses, reporters, victims, they could all be compelled to testify, and that, you know, for somebody
who has suffered harm, or at least feels that they have suffered harm, being asked to testify in a legal setting and, you know, confront the person that, you know, they see as an abuser can be traumatizing and very, very emotionally upsetting.

So the complaint, in the discovery plan, does set out some of the intended discovery that Chris Hadnagy and his company plan to conduct if the case continues to proceed, and that includes information and documentation pertaining to the code of conduct violation and identities of any fact witnesses. They would depose all of the witnesses, which basically means, you know, not in a court but in a private setting, well, not exactly a private setting, but as part of an official proceeding with attorneys present, they would be interviewing the witnesses on record to find out more information. Chris is also going to seek information about the transparency report, who the author was, you know, and want to interview them and find out what potential motivations they may have had, and depose the conference organizers as well.

So issues that are likely to be scrutinized and debated are whether the investigation was fair and impartial, the credibility and possible motivations of witnesses and reporters, and whether all available evidence has been considered. I mean, if it's true what's said in the complaint, that Chris did not have any notice that there was an investigation pending and still doesn't know what the alleged misconduct is, you know, that does highly suggest that not all information had been considered, because they never spoke to the accused person. So, you know, that's not necessarily going to result in success on these legal claims that are being brought, but it does, you know, raise questions about the fairness and thoroughness of the code of conduct process. There's still a lot we don't know about this because there's
very little information in the pleadings that have been filed so far, and that is very much intentional.

So some of the lessons that we can learn from this. I'm actually going to start with the one at the bottom first. So there is a tension between presenting a very strong defense in litigation and protecting the privacy of the victims, reporters, etc. Right? Part of the reason why... DCC, the DEF CON organizers, they could actually disclose, you know, even at the pleading stage they could disclose more facts: you know, this is the behavior he engaged in, you know, these are all the witnesses we spoke to, these are the dates and times that, you know, he engaged in atrocious behavior, so on and so forth. In some ways they could have bolstered their defense early on by including more factual background, but they didn't. And although, you know, I'm not involved in this and I can't speak for the organizers or their lawyers, I believe it's because they are trying very hard to protect the privacy of the victims and reporters and their anonymity, to protect them from both embarrassment and potential retaliation. So I believe, I mean, that's why they're really focusing on defects in the arguments that Chris has raised rather than presenting facts in their defense at this stage, and they're hoping that it's going to be dismissed so we don't have to proceed to discovery and incur the stress and expense and potential embarrassment to those who participated in the investigation.

So some of the other lessons learned about this: any type of public statement that is potentially embarrassing is often both the motivation for and the grounds for filing a lawsuit by the accused. If you are going to issue a public statement, either stick to the verifiable facts or make sure you're presenting it as, you know, an opinion statement, and I do think that the organizers of DEF CON did do that well, at least with regard to
positioning themselves well to defend a defamation suit. The false light claim is a little bit trickier, as I explained earlier. And if there are any failures in due process, you know, it's not going to look good when that's scrutinized in a court of law. So, you know, I know code of conduct enforcement is, thank you, it's stressful, it's time consuming, you know, but when we do cut corners it can expose you to more risk.

And yeah, we have five minutes left, so I'm going to really push through these last slides, but I am available afterwards and you're welcome to Slack, you know, DM here in Slack, or email me if you have any follow-up questions.

So litigation is very expensive. That's one good reason to avoid it, but it's also time-consuming and stressful and emotionally taxing for everybody involved: the code of conduct enforcers, the conference organizers or community organizers and leaders, the witnesses, the victims, etc. And it's very difficult to protect the privacy of the people involved. If your project does have a hosting foundation behind it and it seems that there is a meaningful legal risk, or, you know, you need an assessment of whether there's a legal risk, you know, I encourage you to get the lawyers involved, at least to evaluate, you know, is this something that's going to need legal support and counsel throughout the process? Also, having documentation that shows that your investigation was fair and thorough is also very helpful.

These are some of the factors that increase legal risk. You know, we talked about, you know, there's public statements that increase the risk, well, that could cause reputational damage or embarrassment. Also, if the actions taken could impact a person's career, you know, being banned permanently from a community that somebody, you know, their business or professional life depends on, you know, could be motivation and grounds for a lawsuit. Obviously,
if, you know, laws were violated. And then if the person who engaged in the misconduct or alleged misconduct is a community leader or an employee or contractor of a hosting foundation, that creates another set of risks. And then if there is physical harm suffered, that also increases legal risk.

Note that when there is meaningful legal risk, it can be helpful to have the lawyer perform the investigation, and the reason why is because of attorney-client privilege. So when a lawyer performs an investigation, there's something called attorney-client privilege that attaches to both their conversations with the code of conduct committee and foundation staff, if there is a foundation, and also the notes from their investigation, so notes from interviews, etc. And when that privilege attaches, that means in litigation and discovery the court can't compel disclosure of those documents. So that is one reason why, you know, again, only if there is meaningful legal risk, it can be helpful to have a lawyer do the investigation.

Note that any message you send to anybody, including victims, reporters, the accused, if you go to litigation, those will become public, or they will at least be scrutinized by the court. So also be thoughtful about what you are discussing in spoken conversations, you know, for example a private code of conduct committee meeting, versus in email and writing, because anything in email and writing, you know, even if it's just, you know, you're joking around, you're being sarcastic and you're like, oh yeah, you know, they keep certain, you know, such a jerk or whatever, you know, you're just thinking it, you may not think it's a serious conversation, but if that gets exposed in litigation, you know, whatever you said could be used against you.

Insurance: this is a question I get asked about very
very often. So Linux Foundation and CNCF does have insurance, and it does cover volunteers, but every insurance policy has lots of exclusions and limitations. Also, if a community member is acting in their individual capacity rather than under the authority within their role as a volunteer, that's not going to be covered by insurance. And although insurance can help with the monetary cost of litigation, it can't protect you from all the other costs, meaning the time, the stress, how emotionally draining it is, and it also can't protect the privacy of victims and reporters.

So we are out of time. I'm sorry we don't have more time for Q&A, but thank you so much for being with me today, and thank you for your good work in the community, and I will be around in case you have questions.