Additional commentary by [personal profile] azarias re: PAC experiences/Legal

Jun. 17th, 2023 05:45 pm
[personal profile] synonymous
For clarification and testimonial purposes.

PAC



Kolleh Fri 16 Jun 2023 11:35PM EDT
I heard from a recent PAC volunteer that there have been no cases of CSAM being linked to or hosted on AO3 for several years, and that the volunteer assigned to handle those specific cases is currently satisfied with the amount of support they're getting. Similarly, apparently they did tell volunteers how to stop email images from auto-loading and other self-defence measures against a similar attack in the future.

The fact that they apparently hired experts to deal with the cyberattack while reporting it to the authorities seems like the right call to me as well, even though it seems that they jumped to conclusions with the volunteer who got their access cut off and owe them an apology if they haven't already.
Tickets have always been self-assigned - you pick what you want to work on. Az used to pick up a lot of is-it-CP tickets - I did read a comment she wrote here that this was to spare anyone else having to work on them? I took some of those tickets too, but I often found Az had taken them as soon as they'd come in. I appreciate her care for us all, but I really wish she'd known she didn't have to do that. We're a team! You don't have to take on the horrible stuff alone!

I'm not comfortable revealing current PAC processes that might identify volunteers or quote people who have not agreed to be quoted here, but I will say that I know the person the original comment on the newspost refers to, that the information that comment OP recounts is correct, and that the fact that we only have to see the comment saying 'luv nepi vids hmu at this protonmail address ;)' to swing the banhammer, instead of squinting at porn gifs wondering if they might be CSAM, makes a massive difference to how we feel about it.
[personal profile] azarias:
Hi. I think I need to respond to part of this, because I can see it getting flung in my face later.

I took some of those tickets too, but I often found Az had taken them as soon as they'd come in.

That's because they needed to be taken as soon as they came in.

I admit that I had a savior complex going after a while, and it wasn't healthy. My wife's already made me take a good look at that, and voluntold me to therapy over it. I got a thrill out of jumping into action when someone said "There's a CP ticket" or that godawful time in October 2021 when there was real CP sitting in Zoho from the attacker.

Okay, that's my confession.

From a practical standpoint, those tickets could not be allowed to sit. If someone is offering to distribute CP, or asking others to contact them on Wickr to have CP watching parties, or those goddamned videos from South Africa etc, those tickets need to be dealt with as highest priority. That's as a matter of law, ethics, and the well-being of users. And PAC did not have a system to prioritize tickets beyond "Whoever sees can take it if they want." No one was told what tickets to take. No one routinely monitored what tickets there WERE aside from the one queue-tracking volunteer who was doing it all manually. You know the volume we dealt with, and how quickly tickets could get pushed back and back in Zoho on a busy day. You know how even quite serious harassment and other issues could sit for months, even years, if no one got to it.

No one could point at a ticket that had been sitting for days and decide "This is serious and needs to be dealt with. I can't, you do it." It was all entirely voluntary and self-directed. Meaning that the only way I could be sure those tickets were dealt with promptly was to deal with them myself. I couldn't know when you or someone else would come along and decide to do them. Maybe it would have been better for me to let them sit and just feel guilty about it. I definitely should have been more proactive in asking for help. I looped in the chairs every time, but I never told them "I can't do this, give it to someone else." I knew none of the chairs were experienced in personnel management, customer service, or trust and safety, and if I needed them to do something specific, I would need to tell them. They were emotionally supportive. But also, getting new systems or policies in place was a fight. It was always a fight. Even convincing everyone that there was a potential solution to a problem and it was worth finding was a problem. I was so, so tired of having to have a fight about every single goddamned thing that needed to be changed, and I just didn't want to have a fight about this. I just wanted the tickets to be done.


Here's where I awkwardly apologize because I want to be sure I'm not offending you: I can take a guess at who you are (maybe 50/50) and I want to be clear that when I say 'flung in my face' I don't mean by you. You're being honest and accurate to the best of your (and my) knowledge and I really appreciate someone else from PAC speaking up to offer information and insight. Please keep doing it. Trying to remember things through year-old memories with no access to cases or boilers has been hard and I worry I've been getting some facts wrong. I just want the record on my motivations to also be straight.
[personal profile] azarias:
Similarly, apparently they did tell volunteers how to stop email images from auto-loading and other self-defence measures against a similar attack in the future.

If this was in the form of a Google document giving step-by-step instructions to disable images in browsers (Chrome, Firefox, Vivaldi, Safari, maybe others?), I wrote that document after the first attack in October 2021. For the record. We had to figure that out for ourselves.


WARNING: Explicit mentions of Child Sexual Exploitation/Abuse Material, and how it is defined or occurred
I really wish we'd have any idea of what the number of actual CSEM is that has been found on AO3. There have been two incidents where PAC was emailed CSEM in late 2021 and the two emails to parts of the volunteers in May 2022.

There is the image that Az describes they found as an embedded GIF to an underage story that was ambiguous (I assume because it clearly read as underage because of its context?). Was that removed and reported?

And this is not an attempt to minimize OTW as a clearly dysfunctional organization nor to suggest that working in PAC isn't emotionally and mentally draining. OTW clearly must find ways to reorganize and reform, and volunteers should clearly have the organizational framework of all the support that can make their difficult work easier.

But I do think that the size of the issue is something that would be useful to have in the conversation. We know that antis often put in abuse tickets for CSEM for stories, so how is the percentage for actual illegal material that needs to be reported and removed in contrast to someone complaining about Harry/Draco?
[personal profile] azarias:
I can't give you hard answers but I can maybe spitball?

CSAM, images of real children involved in sexual acts, was quite rare. Not counting the cyberattacks, the majority of cases I saw were either ambiguous or indirect, and were not a large number of cases overall. By ambiguous, I mean content like a real minor's head badly photoshopped into live action pornography, or gifs that were presented as illustrating a child being raped but where I could not determine whether or not the bodies involved were actually children, rather than petite adults with secondary sexual characteristics altered or obscured. By indirect, I mean instructions on finding CSAM elsewhere on the internet, or requests to share and trade CSAM, or to hold viewing parties, but without directly linking or embedding CSAM on AO3. I would also include users bragging about having raped children or expressing a wish to rape children IRL in this category. AI generated art was not the hot topic last year that it is this year, so I never had to deal with AI generated images that appeared to be CSAM. I have a horrible feeling that's something today's PAC does have to worry about.

CSEM, images of real children being used in ways that are sexual but don't memorialize real life sexual abuse, was much more common, though still infrequent compared to other report categories. US law is less clear on CSEM than on CSAM, and websites require more nuanced policies for identifying and dealing with it. I don't think AO3's policies were very good at all, nor were our tools adequate, nor did we have anyone with much relevant expertise on the matter. But this is a much greyer area and one in which reasonable people can disagree.

To be clear, I don't mean fiction. I want everyone to have the freedom to write all the nasty, raunchy, extreme fiction they want; I just won't read it. In every case, I mean real actions being done to real children. We certainly fielded far more complaints from antis complaining about fiction than we did reports of actual CSAM/CSEM. I'll go further and state that antis made it harder for us to deal with actionable reports, because it was difficult to quickly identify the real issues among the flood of merely offended users.

I would love for AO3 to make a good faith effort to quantify these problems.
...When I was there, I was often told not to do this - don't look for violations, we should just focus on the reports, etc. Is that a policy that changed?

I also remember, once, with plagiarism, that when we banned someone permanently via banhammer, you could choose to delete all the content of the account. But I think you said that wasn't possible. Did it change, or did you mean you couldn't do it because of a policy?
[personal profile] azarias:
When I was there, I was often told not to do this - don't look for violations, we should just focus on the reports, etc. Is that a policy that changed?

Yes and no. In general, we weren't supposed to police the Archive, that is, we weren't to go looking for problems. There are real legal reasons for this that have to do with "safe harbor" provisions for websites that host user-generated content, which are dry and technical but the point is that "don't police the Archive" isn't something PAC or Legal made up. It's basic protocol for UGC sites.

That said, when a user is reported as violating the site's TOS, to my understanding there isn't a legal reason not to act on other violations you find while investigating the report. If a work gets reported for harassment in the tags, and when I look at the work I notice that there's also a link to the author's Patreon in the summary, I can ding them for both harassment and breaking the commerce rule. I don't have to pretend I don't see it.

Now, what about looking through the user's account to see if there's Patreon in all their works? That's more ambiguous. I don't recall us being told we couldn't do that, only that we don't have to. In practice, we mostly dealt with this by saying "Remove the Patreon link from [specific work] and from any other works or comments you've created. If you get reported again and we find more Patreon links, we'll give you a second strike and suspension, even if those links predate this message to you." We did it that way because going through all of someone's work to compile a list of what they need to change is a lot of work and it's easier to tell the user to do it themselves Or Else.

Now, what if I'm banning the user because they offered to distribute videos of toddlers being sexually abused? Obviously I'm going to remove what got reported. Am I going to cross my fingers and hope that they only did it once? Do I just pray they haven't embedded their Wickr contact info in all their other works so that other people can get in touch with them to share CSAM? Is that a good idea? I don't think it is.

I would have greatly preferred to remove or hide all of an account's contents once we caught that account distributing or trying to distribute CSAM. You're right that there's a tool in admin that can delete all works and comments for an account; the tool is intended for spam accounts, but works on anyone. I would have loved to just be able to use that tool. But that might have meant removing content that did not violate the TOS, so I wasn't allowed to do so. Therefore my choices were either to look through everything or to let potential CSAM sit. I decided I could sleep better at night if I looked.

To be clear, no one told me to do this. Everything in PAC is voluntary. I didn't have to take these tickets at all, and having taken them, I wasn't required to do more than the bare minimum. But, I mean ... that's bad, right? Having very good reason to believe an account is full of CSAM distribution info, having just banned the owner for that very thing, and deciding to let it sit because I don't want to look would be bad? At minimum, no one told me not to, and it seemed evident to me that I should. I thought a better solution would be to get rid of everything, but that was not allowed.



Legal


https://www.transformativeworks.org/annual-report-2021/

Contributed services of $186,589 and $186,589 were recorded as operating contributions during the years ended December 31, 2021 and 2020, respectively. The contributed services consist of legal services donated to the Organization by the volunteers of the Legal Committee.


It seems they very much are providing the org with actual, "yes this is my advice to you as a lawyer" legal advice.
[personal profile] azarias:
The stated reason for why Legal would only communicate with PAC chairs, who would have to summarize Legal's decisions for PAC members, was that their advice to chairs fell under attorney-client privilege. If that advice was given to PAC members, or if chairs showed Legal's words to PAC members directly instead of summarizing in their own words, then the attorney-client protections for all Legal communications would be nullified.

So, yes, as far as I understand or was told, Legal were definitely acting as lawyers when they provided advice or made decisions for PAC.
