Online communities and abuse

A few weekends ago we met a friend for coffee in Palo Alto. As the discussion wandered we ended up talking about some of the projects we’re involved in. Friend mentioned she was working with a group building a platform for community building. We started talking about how hard it is these days to run online groups and communities. One of the things I started discussing was what needed to be built into communities like this to prevent abuse and damage.


It’s a sad fact of online life that trolls exist and have been a part of online life since before Usenet. My perception is this is getting worse. It’s not that there wasn’t harassment in the past. There was. 20 years ago, I managed to annoy some random woman on a newsgroup back in ’96 or ’97. This resulted in months of harassing phone calls to me at home and work, my boss at home and work, the head of the rescue group I volunteered with. The police were involved, but there wasn’t much they could do. There’s still not much police do about online threats.

Now it seems worse. People are getting physically threatened. Women and activists are driven from their homes because someone online decided to attack / doxx / frighten them. We have online platforms that allow hate speech and threats and don’t provide sufficient tools for users to protect themselves. For all the good that comes from the Internet, there’s an awful lot of bad.

A big part of the issue is anonymity. Real anonymity online is hard, as evidenced by how quickly CNN tracked down the real life identity of a Reddit user. They did that in less than 24 hours, without the benefit of any private information. But partial anonymity is pretty easy. It’s trivial for anyone to register any number of twitter accounts, or reddit accounts. I recently heard the term “weaponized anonymity” and it accurately describes the situation. (I don’t agree with all of the opinions in that article, but I think the definition is useful.)
Before my harasser, I was pretty open online with where I worked and volunteered. I think I even had my physical location (at least city and state) on my webpage. Afterwards, I stripped as much info from the space I had control over. I thought about creating a new online identity, but decided that it was both a lot of work and wouldn’t be that effective. It’s near impossible to hide online now.

These are issues we have to address. Unfortunately, too many community platforms (twitter, I’m looking at you) don’t have controls in place to allow users to block harassment. At the volume of users some online communities have there is simply no way to put a human in the loop to deal with every complaint. There’s also a ‘x said, y said’ problem, where abusers claim they’re the victim when called on their behavior. The Mary Sue has an article on a recent example. In some cases, harassment goes back for years and the story is too complicated for an abuse desk worker to absorb in the short time they have to deal with an issue.

I certainly don’t have the answers. But I know that when we’re building online software we have to start prioritizing user safety and privacy. Too many online spaces don’t have walls or fences or locks. That’s a good thing because it lets people find communities. But it is a bad thing because there are folks out there who disrupt communities as a hobby. Anyone building community software needs to think how they and their software will handle it if one of their users is targeted.
These are discussions that need to happen. Those of us with experience in the online abuse space need to be involved and contribute where we can.

Related Posts

Who pays for spam?

A couple weeks ago, I published a blog post about monetizing the complaint stream. The premise was that ESPs could offer lower base rates for sending if the customer agreed to pay per complaint. The idea came to me while talking with a deliverability expert at a major ESP. One of their potential customer wanted the ESP to allow them to mail purchased lists. The customer even offered to indemnify the ESP and assume all legal risk for mailing purchased lists.
While on the surface this may seem like a generous offer, there aren’t many legal liabilities associated with sending email. Follow a few basic rules that most of us learn in Kindergarten (say your name, stop poking when asked, don’t lie) and there’s no chance you’ll be legally liable for your actions.
Legal liability is not really the concern for most ESPs. The bigger issues for ESPs including overall sending reputation and cost associated with resolving a block. The idea behind monetizing the complaint stream was making the customer bear some of the risk for bad sends. ESP customers do a lot of bad things, up to and including spamming, without having any financial consequences for the behavior. By sharing  in the non-legal consequences of spamming, the customer may feel some of the effect of their bad decisions.
Right now, ESPs really protect customers from consequences. The ESP pays for the compliance team. The ESP handles negotiations with ISPs and filtering companies. The cost of this is partially built into the sending pricing, but if there is a big problem, the ESP ends up shouldering the bulk of the resolution costs. In some cases, the ESP even loses revenue as they disconnect the sender.
ESPs hide the cost of bad decisions from customers and do not incentivize customers to make good decisions. Maybe if they started making customers shoulder some of the financial liability for spamming there’d be less spamming.

Read More

Arguing against the anti-spam policy

Not long ago I was talking with a colleague who works for an ESP.  She was telling me about this new client who is in the process of negotiating a contract. Normally she doesn’t get involved in negotiations, but the sales group brought her. It seems this new client is attempting to remove all mention of the anti-spam policy from the contract. As she is the deliverability and compliance person, the sales people won’t agree unless compliance does.
Her sales team needs props for bringing her in to negotiate a contract where the anti-spam clause is removed.
This isn’t that unusual situation. Many well managed ESPs will include deliverability and compliance personnel in negotiations if the customer indicates they want changes to the language of the anti spam clause.
On the face of thing it seems reasonable for customers to want to negotiate compliance terms. They want to protect themselves from unexpected outages. It seems irresponsible to allow a service provider to have the ability to made such a business affecting decision.
Many folks try to negotiate their way out of anti-spam clauses. Just asking for changes isn’t a big deal. However, some companies push the issue with sales and contract folks to an extreme. They threaten to not sign if the anti-spam clauses are removed completely. ContractForBlog
Threatening a contract over compliance issues can poison an entire working relationship. The fact is that most people who argue about anti-spam clauses and compliance issues are people who have had problems with other ESPs in the past. For better or worse, prospects that try and remove anti-spam clauses from contracts are often problem customers.
On the compliance side, if someone is pushing hard to get the spam clause removed, they think a few different things:

Read More

January 2016: The Month in Email

Jan2016_blogHappy 2016! We started off the year with a few different “predictions” posts. As always, I don’t expect to be right about everything, but it’s a useful exercise for us to look forward and think about where things are headed.
I joined nine other email experts for a Sparkpost webinar on 2016 predictions, which was a lot of fun (see my wrap up post here), and then I wrote a long post about security and authentication, which I think will be THE major topic in email this year both in policy and in practice (see my post about an exploit involving Trend Micro and another about hijacked Verizon addresses). Expect to hear more about this 2016 continues.
My other exciting January project was the launch of my “Ask Laura” column, which I hope will prove a great resource for people with questions about email. Please let me know if you have any questions you’d like to see me answer for your company or your clients — I’ll obscure any identifying information and generalize the answers to be most widely applicable for our readers.
In other industry news, it’s worth noting that Germany has ruled it illegal to harvest users’ address books (as Facebook and other services do). Why does that make sense? Because we’re seeing more and more phishing and scams that rely on social engineering.
In best practices, I wrote about triggered and transactional emails, how they differ, and what to consider when implementing them as part of your email program. Steve describes an easy-to-implement best practice that marketers often ignore: craft your mails so the most important information is shown as text.
I re-published an older post about SMTP rules that has a configuration checklist you might find useful as you troubleshoot any issues. And a newer issue you might be seeing is port25 blocking, which is important if you are hosting your own email senders or using SMTP to send to your ESP.
Finally, I put together some thoughts about reporting abuse. We work closely with high-volume abuse desks who use our Abacus software, and we know that it’s often not worth the time for an individual to report an incident – but I still think it’s worthwhile to have the infrastructure in place, and I wrote about why that is.

Read More