Hi folks, I'm so sad I couldn't be there with you in Dublin for Open Source Summit Europe 2022. But I do hope I can see as many of you as possible at a future conference, or you can always find me on Twitter. Today I'm going to talk about why we need codes of conduct and also why they're not enough.

My name is Eva Black. My pronouns are they and them. I work at Microsoft in the Office of the CTO, but I also work in a couple of other communities and different roles.

Now, I'm going to give you all a few examples throughout this talk. I'll start with this one: "The code of conduct is written so vaguely that you could claim anything as a violation." This was a direct quote from someone who was involved in a reported incident in one of the many communities I work with, and I'm not going to say which one. But this wasn't just anyone saying it. This was actually an elected community leader. Does that surprise you, that someone who was elected to represent an open source community so strongly opposes codes of conduct? What surprises me, honestly, is that I've only heard it once.

Now that I have your attention even more: hello. Like I said, I work in Azure. I also do a bunch of work in the Cloud Native Computing Foundation. I am also active in the OpenSSF, where I'm on the Technical Advisory Committee. I'm currently on the board of directors of the Open Source Initiative as well, and I've done work in several other open source foundations and projects. Most notably, I served for a while on the board of directors for the Consent Academy, which informed a lot of the content in this talk and my work around consent. And I've worked at a couple of companies and a couple of startups.
That's not really interesting, though. So in addition to technical work, where I've started some projects and written some code, I was also elected to the Kubernetes Code of Conduct Committee back in 2019. If you read the abstract for this talk, that might be the piece of my background you latched on to. My work with the Consent Academy, however, preceded that by several years.

Through that work... Now, this is a 501(c)(3) non-profit based in the Pacific Northwest, Seattle-Portland area. A lot of what that foundation does is primarily try to teach and advocate for consent-based practices in different types of communities. They've been branching out to do more work in the tech industry, and so a couple of years back I helped bring that group and their expertise in to train the Kubernetes Code of Conduct Committee.

And so to start this, I want to share two of the key concepts from that group: that consent is a voluntary agreement made without coercion between persons who have decision-making capacity, knowledge, understanding and autonomy. And each of these is a critical component, these four components.

Autonomy: this is the principle, does someone have sufficient power, privilege or agency to express their free will to give consent? Right, if my boss is telling me to do something, there is an implicit power difference there. If I don't do it, they might fire me. So we can talk about the power difference there. Or if someone is significantly more privileged, and that can vary by context, what exactly that privilege means, that can also affect our autonomy in that situation.

Now capacity, the second pillar here. Does someone have the mental, emotional, financial or legal capacity to give consent? Can they actually do the thing that they're being asked to do?

Information: do they have enough information to really understand what they're consenting to? Are there language barriers or cultural differences that just make the words mean something a little bit different between the speaker and the listener? So these are really important to consider.

And lastly, agreements and boundaries. These are ideally explicitly negotiated, though sometimes it might be implicit, and that's okay too. Were conditions drawn around any negotiation or express request? Was coercion used to compromise, or to win a compromise on a stated boundary? That might not be as consensual then.

So in the Kubernetes Code of Conduct Committee, several years back, we applied that training, these four pillars of consent, and a little bit of a trauma-informed approach to how we thought about codes of conduct. And so in applying that we developed a process; the link is on the slide, it's published. We tried to also take into account if there were potential traumatic events around any report we were taking or situation we were investigating. So among the things that come out in that process that we developed:
It's really important to set clear expectations, such as timelines: when you're going to follow up or when a decision might be made. When taking a report, not to ask leading questions; it's unfortunately easy to tamper with a witness, as it were. It's important to have a well-documented process for taking reports and for how you protect confidentiality: with whom information is shared, under what conditions, what visibility the report will have once received. And to make all of those expectations clear to anyone who chooses to file a report, so that they know what they're getting into and how long it might take. And of course, I shouldn't have to say this, but if you are receiving a report, don't share information that was given to you without the explicit consent of the person who is making that report.

So I'll dive into a couple of additional lessons we learned.

Codes of conduct are themselves not legal documents, though when you registered for this event in Dublin you agreed to abide by a code of conduct. That agreement itself functions as a sort of legal document. It defines the boundaries of the community and who can enforce that boundary. Codes of conduct are not laws, and like laws, they are inert. There needs to be a body of practice behind a code of conduct that can interpret it.

I saw this example when I joined a Destiny-themed Discord server once, and I thought, wow, this is so simple. It encapsulates the two most important functions of every code of conduct. The first is to communicate and make explicit your cultural norms. In this case, there's a huge assumption here and shared context, I assume, between folks on that Discord server of what the word "jerk" means. Even if I didn't know when I joined, I could guess from cues and from asking people. And second, this code of conduct makes visible the power structure of the community. Right, and every code of conduct should do that: should define the social boundaries, where the community ends, where the code of conduct applies and does not apply, and who has the power to enforce those boundaries.

A second lesson we learned is that a code of conduct should not center punishment. Many folks over the past decade have criticized codes of conduct for being too vague. This is unfortunately out of necessity. They might include examples of good behavior, but it can't be an exhaustive list. They might include examples of bad behavior, but again, that can never be an exhaustive list. If we tried to enumerate every single good or bad thing anyone might do in any community, we would never have a complete list. One of my personal challenges in using the Contributor Covenant 2.0 is that it includes a punishment ladder, and that can actually be detrimental to enforcement, because it can bind the committee, limiting what they can do when responding to an incident, or even compel them to act in certain ways that aren't in the best interest of all parties. Because people are messy and mistakes happen, and when we cause harm it's important to try and understand the intent and to see what happens after that. When accidents happen we all deserve a second chance to say sorry, to make amends. However, patterns of bad behavior do need to be identified, as they can cause repeated harm to a community and eventually push people out. So if there is repeated harm, it's important to track that.

And every security engineer knows that when we build a system, it needs to be resilient against those who intend to game the system, to break the system, to skirt the rules and hack in. Trolls, if you will, social trolls who will test rules for no other reason than just to buck the system, and in the case of codes of conduct that can manifest in a number of ways. I am, unfortunately, sad to say that I now know of some high-profile lawsuits around codes of conduct in the tech industry. Some are public at this point.
I'm not going to name them and draw further attention to them, but when I gave a similar talk to this one last year there weren't any public ones; now there are. I'm not quite sure how the industry as a whole is going to adapt to that. But moving on.

The third thing we learned is that code of conduct committees ultimately should support community health, and to do that, focus on individual safety by fostering, as best they can, an inclusive and safe environment. So connect patterns of behavior and support individuals. Identify people who might need a little bit of extra coaching to help bridge gaps. One of the patterns that I've seen over the last 20 years in open source is, more often than not, projects that do not have a benevolent dictator, where there's no single person in charge forever, tend to do better. They tend to become more inclusive as leadership rotates. It's not necessarily true, but the pattern has held more often than not. But to do that we also need transparency into how the governance structure of a foundation and of an open source community and project all work. Transparency reports have been a pretty new tool over the past couple of years for code of conduct committees or foundations at large to provide more transparency into the health of a community. Ultimately, without the safety of individuals, the community as a whole is not healthy either.

One of my old mentors used to say this: that the culture of any organization is determined by the worst behavior its leaders tolerate. And that leads me to the fourth principle: that a code of conduct committee has to enforce these norms, to take action commensurate with circumstances while respecting privacy and confidentiality, and to be mindful of increasing community risk through the action they take, and balancing that: to act in private whenever possible and still be seen to have acted in some way, so that other people know that the community is being kept safe for them. It's a delicate balance, and I don't have a magic eight ball giving me any good answers here.

So if you've been with me so far, I want to check in with all of you. And because we're not here together in person, I can't see your reactions. I'm going to pause on the screen for a little while and say: I'm going to dive into some difficult examples here. If that's uncomfortable for you, now is a good chance to leave the room, go to the bathroom, get some water, check in with your friends, look at your phone, plug your ears. If we were at a conference together that had a crisis site, crisis hotline or emergency mental health services, I would promote those right now and say, hey, if anything that I'm about to say is too triggering, there are some resources for you. I don't know if this event does.

And also, in these examples all identifying details have been removed. Like I said earlier, I do a lot of volunteer work with multiple communities, and I have heard from other people who've shared confidentially and anonymized reports from their communities. So if you think any example I'm talking about here applies to you, it probably doesn't. And if you are pretty sure you know who I'm talking about, keep your guesswork to yourself. Do not share that. You're probably wrong, and even if you're not, just keep it to yourself.

What I want you to do, though, as I go through these examples, is think about how you would respond if you were on a committee and received a report like this. And in each example I'm going to sort of step it up from the initial "here's a little bit,"
"oh, that's interesting," to more and more detail, and watch how your own reaction changes as you learn more information through these sort of mock investigations. The purpose of this, in a constrained format like this talk, is to demonstrate how complex it can be to receive a report, figure out what to do about it, and then to give you some insight into the kind of liability and safety and accountability that comes with a volunteer role trying to do this sort of community support work. So, deep breath, here we go.

Starting nice and simple: a chat bot joins your Slack or your IRC or whatever and it starts to spam shit. Do you know who has the power to block it? Is that even the policy, to block it? Is there an instance owner for your Slack? What if they're not online? Is there somebody else who can step in and block that bot? In Kubernetes there was actually a team of Slack admins, who are all volunteers who know the guidelines. They're standardized, and those Slack admins would typically just handle this kind of thing. They don't need to escalate to anybody else, but they do check in, or they'll sort of roll up a summary of how many things they had to block to the Code of Conduct Committee.

Second example. Imagine you just hear a report. I don't even want to say it. It's... yeah, can you tell what's wrong with this? I guess as a starting point here, right, let's unpack this joke a little bit. It's a reference to slipping a roofie, a Rohypnol, into someone's drink to drug them. Now, for men this could lead to robbery; I have heard that reported in some countries. But for women this is a pretty existential threat, and so this joke could have very different impacts for different people who hear it. And it's also just incredibly culturally insensitive to say something like this about an entire country. Those two things alone make it pretty inappropriate, in my opinion. So take a moment to think: should something be done about this?

Now let me add a little more color. What if this was said on stage, in front of an audience? Does that change what you think should be done? What if the speaker was Japanese, or an executive? So you see, context is incredibly important and can really change how we interpret a code of conduct report, and the context is often not obvious at first.

So let's just say you overhear this one line, and without context this is pretty hard to understand. Now imagine that a trans woman is explaining why she doesn't feel safe in a city, traveling for work, walking home back to her hotel room after dark, and a much larger cisgendered man says that maybe a few more deaths would be acceptable. Is that merely insensitive? Does perhaps a lack of intent excuse the insensitivity and the anxiety this might cause? So when receiving a report, it's important to listen to the reporter's interpretation of events and to understand both the local context and the broader social context in which this occurs. I hate to cite stats, but in 2020 there were 44 deaths of trans women declared to be targeted hate crimes, so it's kind of an issue. Now, if this were said during an official event of your community, between community members, should something be done? Would taking an immediate action perhaps even expose that woman to an increased risk? So it's difficult to balance. What should you do?

Now let's say you got this report, just in an email: one contributor says another contributor suddenly blocked them everywhere. They had been in a relationship, and so the second contributor had to tell their colleagues, like, suddenly they couldn't work with the first contributor. But then the first contributor threatened to sue them for what they said. Now this spat is happening in your community, between contributors, and the whole community is kind of torn up about it. What do you do? And this is a sticky one. I don't know how many good suggestions I have here, other than: offer support, maybe, if your community has a budget for therapy. Yeah. It's tricky.

Lastly... nope, nope, I'm not quite at the last one. Second to last: you hear reports that a particular subcommittee in your community is getting labeled as unpleasant, as not very welcoming, and there's a history of people joining the meetings or meetups and then leaving after just attending once or twice. Thankfully it's recorded, because you record all of your public meetings, right? And so you can review them and you see a pattern. What do you do? What do you do about a pattern? Can you proactively, as a code of conduct enforcement team, can you proactively investigate if nothing is filed when you notice a pattern like this? What do you do?

No, that was a weird fade. Hmm. Yeah, and what do you do if you get reports that a member of the staff of whatever foundation or community, maybe event staff at a venue, oversteps the boundaries of an attendee or a member of your community, and that employee, contractor or whatever denies intent to cause any harm? They don't think they did wrong. What do you do? How do you balance the needs of a community member and the needs of the people who are paid to support the community and make your events go? Whoo, all super tricky stuff. Really heavy. That was a lot of stuff all at once.
So let's just take a breath, check in with our bodies. The talk is going to get a whole lot easier now, and a whole lot less emotional from here on out. We're going to apply what I talked about in the beginning, the lessons the Kubernetes Code of Conduct Committee learned from applying the Consent Academy's training, looking through the lens of these examples and the kind of complex situations that can arise in small and large communities, online and offline. And I'll give some tangible things that we can all do, so I hope that you come away from this third section of the talk with things you can now go back to your community and implement.

First, a quick recap. A code of conduct is not a legal document, but there often are legal issues at play. You should not center punishment in the documentation, your code of conduct itself or process documentation, and you do need to anticipate nuance. Focus on supporting community health and individual safety; those two go hand in hand. You can't really have one without the other. And lastly, the code of conduct committee needs to be empowered, and often seen to act, to keep people safe when something really bad does happen.

So why is all this important? Because for open source projects, especially large ones, and small ones, the community is the value, fundamentally. And so if you are a company invested in the success of an open source project, you've built your business on or around it in some way, integrated it in your product, even taken a small JS library and you're using it somewhere deep in your dependency stack in your product, well, a cultural risk in that open source community is a product risk now. And if you're wondering, why can't HR take care of this?
Let me explain a little bit. Companies have long-established in-house practices to limit liability, but as the industry has shifted over the past 15 years to do so much more collaboration outside of corporate boundaries, in open source communities, we have also externalized our risk. We've distributed the cost of infrastructure engineering throughout these communities. It's a fantastic accelerator for economic growth, for the evolution of science. But the risk has moved. That community is now an external and unmanaged risk. And so we need to adapt our practices, because HR cannot manage an external risk. There are no employment contracts. There are no non-disparagement clauses, no NDAs, and very little authority in many cases to block somebody. You can block them, maybe, in a local area, but you can't block them from the internet. And so if one of HR's jobs is to limit the liability of a company to lawsuits, the corollary here is that the code of conduct committee's responsibility is to steward the health of the community without exposing themselves to liability. And we're basically today asking for volunteers who are informed, experienced and capable of doing sophisticated, emotionally difficult work, who are also naive enough to sign up for that work without protection. That has to change.

Because an unmanaged community risk is an unmanaged supply chain risk, and we've probably all heard a lot about software supply chain security. I'm sorry, but community management is a part of managing our supply chain risks. Right, we've externalized our risk outside of companies into open source. The risk didn't evaporate, even if we're not accounting for it. It rests on the staff, the foundation, the boards, the maintainers of projects. Now, if a community fails in public, in visible ways, or is unable to provide a safe environment for its members to collaborate, what happens to the product that all of our companies have built based on that project?
We've all seen examples of maintainers leaving projects when it's too difficult to collaborate, or there's a toxic leader who's just being rude to people and making it an unwelcoming space. That's bad for all of us. So we have to consider community health and longevity and community sustainability as part of the risk we manage when we talk about open source software development.

This isn't all doom and gloom here. I'm about to get to the actual concrete, specific things we can all do.

First of all, shift from policing to supporting. I labeled this as priority zero because it's the foundation of everything else I'm going to suggest. For a lot of people, the words "code of conduct" today carry a negative connotation. But folks, this is the result of underutilizing the support services that are available. It leads to people who think that the code of conduct committee's only function is to kick or ban. If we want to change that, if we want to build diverse, vibrant communities, we need a functional support organization that's actually there to support people in their learning and growth, emotionally. It's time to raise the bar from simply asking projects to adopt a code of conduct document to establishing norms of practice across communities. Like I said earlier, the document itself is inert, like any law. You need people to interpret it.
You need people who have the emotional skill to walk through an incident response. And so to do this, I suggest we all start establishing a body of practice around emotional and physical safety creation across communities, with a clear expectation about enabling participation in this.

I suggest as well that we normalize the publication of transparency reports, because nearly everything that a code of conduct committee does is shrouded in privacy to protect the confidentiality of all parties in an incident, and that's important. But a community cannot grow after an incident, it can't heal, if there is no awareness of where to grow, of how to grow. As they say: shame in private, praise in public. So a transparency report can demonstrate that a community is providing support for its members where and when needed, progress in creating safe spaces for historically marginalized demographics, and help hold the community itself accountable to stated goals of doing better at inclusion, having better events, and so on.

Well, my usual script for this slide would be to say that we've been fairly lucky. As of 2022, I'm now aware of three code of conduct committees being sued for actions, or community leadership for the act of banning someone. I'm also aware of several non-tech communities whose leaders have been sued by members of their own community, and it's really quite a shame. What we're doing today is really asking for volunteers to step up and do this work and not have any legal protection around a legal risk. That has to change.
I don't know exactly how. Possibly through, you know, directors and officers insurance for people who are on the board of a foundation. That has to change if we want to keep doing this kind of work to build inclusive spaces. And we need to fund training in how to handle an incident, how to handle someone who's just been traumatized, or someone who has caused a harm and doesn't understand what they did, doesn't feel like they did anything wrong. We have to train the people we're asking to do that work in how to do it. And so I suggest our communities start to formally train CoC committee members, or hire mediators or trained crisis response therapists, or fund dedicated roles so we don't burn out all our volunteers.

The quick recap here is to establish norms of practice across communities; share knowledge, learn from each other, learn from our successes and our failures. Publish transparency reports as a baseline so we can track our own improvement publicly; that builds trust. Provide liability coverage where it's important, and fund training and/or staffed roles.
I really want to stress that this is stewardship. In open source, in my opinion, the best leaders are stewards of a community. We don't lead through authority. Though we may occasionally wield authority, we don't control. After all, most communities are free to vote us out of a leadership role or simply fork the project. At best we steward a community of practitioners towards a common goal, and if we're fortunate no one steps on any social landmines along the way.

I want to leave you with one or two closing thoughts: that consent, when applied as a lens both socially and to business interactions, is transformative. And that the ideas in this entire talk are not new. I may have done some synthesis and come up with some good examples, but I learned all of this second-hand from indigenous people, social activists and other community organizations. Some of that can directly be traced to the Occupy movement. And there are a lot of demographics who still have their consent violated in small ways in unmanaged public spaces all the time. Open source communities can be better than the general public square, but only if we hold each other to that bar, if we support new members who are joining these communities, coming from all corners of the world and all ages and all walks of life. And that is part of the wonderful joy of open source, that it is so accessible to everyone, and it can also be more accessible. We can make that knowledge and awareness of our cultural norms more visible to people when they join, so they aren't surprised when they step on a toe. There is, I think, here an opportunity for each one of us to become a better steward of our own communities. Thank you so much.