This week, at the prominent hacking conference Chaos Communication Congress (CCC), Iranian-Canadian internet researcher Mahsa Alimardani was scheduled to give a talk on censorship and surveillance in Iran. But during the presentation, Alimardani decided to go off-topic, taking a moment to highlight allegations of assault and harassment made by current and former conference attendees, displaying a slide of their tweets and blog post onstage.
"I had this really disgusting feeling that I had a talk. I had a lot of friends' talks rejected specifically about harassment and these issues that happen in our community, but I was given a platform to talk about something completely unrelated," Alimardani told Gizmodo. She said that she'd heard of instances in which talks about harassment were rejected, and found it "really disappointing that these conversations are not welcome in a space that seems to be in the most need of it."
The information security community has long struggled with issues of inclusivity, harassment, and allegations of physical and sexual assault. Frustration exists among women and nonbinary individuals in the hackerspace community as they watch alleged abusers quickly absolved, kept on payroll, and even still welcomed by some in the field. A number of prominent figures in the space have recently been accused of sexual predation, including Jacob Appelbaum, who resigned from the Tor Project last year amid mounting sexual assault allegations, and star privacy and security advocate Morgan Marquis-Boire, who was publicly accused by a number of women this year of sexual assault. Appelbaum denied the allegations at the time, calling the accusations "a calculated and targeted attack." And even when abusers are cast out of the community, organisations at large - like this year's Node.js chaos — and conferences like CCC still grapple with toxic, permeating sexism.
Chaos Communication Congress is an annual conference organised by hacking collective Chaos Computer Club. The 34th iteration of the conference (dubbed "34C3") is happening now through December 30th. A faction of attendees are advocating for a safe, inclusive conference and for the inclusion of talks focused on the topics of harassment and abuse. However, several allegations have surfaced implicating conference organisers in their handling of alleged misconduct. At the same time, there is purportedly another faction explicitly ignoring these issues, with groups assembling "code-of-conduct free" gatherings where attendees are apparently unburdened by 34C3's code of conduct, which demands conference-goers "be excellent to each other."
On Tuesday, programmer Thomas Covenant said in a thread on Twitter that the man whom Covenant claims physically assaulted them last year would be an attendee of this year's conference. Covenant described the assault as "hurting" them and "strangling" them "several times till I couldn't breathe." Covenant said that they reported the assault to the conference organisers on August 31st and claim they made documentation available to the organisers — Covenant said that they pressed criminal charges and had hospital records after going to the emergency room in Amsterdam, where they say the assault took place.
When asked what action they took in response to Covenant's allegations, CCC spokesperson Dirk Engling said in an email that they have an investigative process when they are informed of allegations, which involves "at least the core organisation, the security and safety team, the awareness team and (if needed) the CERT."
"The process was followed in the case you refer to, including interviews with all persons concerned and a detailed review of all material provided," Engling added. "The outcome of this process was that no ban was issued. The process, in this case, had several unfortunate delays that led to the decision taking way too long. This is an issue we are discussing internally and will address in the future."
After Covenant shared their experience of abuse online, Tor developer Isis Agora Lovecruft published a blog post outlining CCC's recent history of allegedly enabling alleged abusers and ignoring issues of harassment and assault. Last year, Lovecruft spoke out against Appelbaum, and in their post this week wrote that "the CCC delayed for more than a month in responding" to the allegations against Appelbaum in June 2016, belatedly but ultimately expelling him from the organisation.
Leigh Honeywell, a security researcher, detailed her own account of Appelbaum's alleged sexual abuse last year. Honeywell said in an email that Covenant's account of their abuser, who was not named in their statements, and CCC's complicity "was totally unsurprising to me given how poorly the CCC handled banning Jacob Appelbaum last year."
Lovecruft also claimed in the blog post that at 33C3, last year's conference, "every Tor talk sumbitted [sic] was silently removed by the CCC," which she believed was in an effort "to 'avoid controversy'" around the sexual abuse allegations against Appelbaum. (Engling denied this and pointed us to three Tor-related talks in 2016 and two at 34C3. Tor's traditional State of the Onion talk was not on the agenda in either 2016 or this year.) At 34C3, Lovecruft claimed, "the CCC rejected talks discussing harassment and abuse." Caroline Sinders, an online harassment researcher at Wikimedia said that she submitted three talks on harassment for this year's conference, one of which was on behalf of Wikimedia. All of them were rejected, Sinders said.
"This is the year of #MeToo and Harvey Weinstein allegations," Sinders said, when pointing out that there are no 34C3 talks on harassment. Joseph Cox, a reporter at the Daily Beast, said on Twitter that his talk on spyware and domestic violence was rejected. Sinders said that she was told by an individual affiliated with the CCC that the reason her talks were rejected was because the talks centered on harassment. The available panels at 34C3 include Doping Your Fitbit, Internet of Fails, How to drift with any car, and Deconstructing a Socialist Lawnmower, but none centered on harassment or abuse.
Engling said that the proposed panels were all submitted for different tracks, each of which has an independent team reviewing lecture submissions. "The track teams take pride in their independence and would not tolerate any inside or outside pressure on their selection of topics and presentations," he said.
When asked how many panels related to harassment and abuse were submitted to CCC this year, Engling said, "A quick search for keywords 'harassment', 'abuse' or 'sexual' reveals a low one-digit number of submissions that look related."
In the absence of talks on harassment and abuse, there are also groups hosting "code-of-conduct free" zones, or gatherings proclaiming that they aim to ignore the conference's code of conduct, which outlines a set of rules for acceptable behaviour. The Wau Holland Foundation, a Germany-based nonprofit organisation named after the co-founder of CCC, is hosting one of these code-of-conduct free zones, as Lovecruft pointed out in their blog post. The description of the gathering ends with the warning, "Enter at your own risk." Berndcon also detailed on their C4C3 event description that their assembly is a "code-of-conduct free zone." Neither the Wau Holland Foundation nor Berndcon immediately responded to our requests for comment about their gatherings or their reasons for holding them.
"Rejecting all discussion of harassment and abuse within the hacker community while happily hosting groups that brag about being 'free' of codes of conduct is a clear indicator of where the organisers' priorities lie," Honeywell said. "They want their community to stay the same - insular, hostile, and unsafe."