OTW response to @rahaeli
Jun. 16th, 2023 02:12 pmToday, the OTW issued a response to
synecdochic's thread/post as referenced here.
The response in question can be found on the OTW website here (archived).
It has not been crossposted to AO3.
azarias:
The response in question can be found on the OTW website here (archived).
It has not been crossposted to AO3.
This post hopes to address some claims made yesterday by Rahaeli on Twitter and her site, Dreamwidth, for purposes of clarification. After the illegal attack on OTW volunteers in May, 2022, the OTW took numerous steps to protect volunteers, including hiring an outside law firm with expertise in cybersecurity, working with contractors and firms that investigate and handle security incidents, and comprehensively revising our internal volunteer practices and updating our technological tools, including email systems, as well as making all necessary reports to NCMEC and others.
These actions, revisions and updates are ongoing. We also communicated with volunteers, both through personal and organization-wide communications, providing advice on actions to take if they had been sent CSEM, information regarding safety precautions they could take regarding personal information we believed could have been compromised, and identification of further resources that they could use.
The Legal Committee has always worked closely and cooperatively with the Policy & Abuse Committee, and continues to do so. This work includes organization-wide policy and technological measures to reduce stress and strain on our Policy & Abuse volunteers, and these measures are ongoing and continuing. We, and everyone else at the OTW, have always taken CSEM very seriously and the OTW reports (and has always reported) as required to NCMEC and others. Our Abuse processes are not limited to what appears in the Archive code, as we have internal measures in place (including some which are intentionally confidential), and we are always seeking to improve them. People who try to abuse the Archive are, unfortunately, flexible and evolving — therefore, we are too.
We are confident that we are compliant with the laws, including U.S. and EU laws regarding privacy, data protection, and data retention, that apply to the AO3. (It is relevant to the legal analysis that the AO3 does not host images other than 100×100 pixel user icons, which cannot be “orphaned” within our system). As Rahaeli noted at the end of her thread, these laws do not include COPPA, the Children’s Online Privacy Protection Act, as it does not apply to nonprofits like the OTW, but as a matter of policy we do not allow children under 13 to make accounts, as noted in our Terms of Service.
Rahaeli is an expert in running an important social media/content hosting site, but not necessarily an expert about the facts in this instance, or about the OTW. We respect and have often listened to her expertise in the past; had she contacted us directly, we could have addressed her questions and concerns. We did not ignore her advice in 2022 and would not do so now.
Comments
Azarias commented: The first such attack on OTW volunteers was actually in October 2021! PAC as a whole and I personally warned the Org that further attacks and escalations were expected. Can you explain why the Org took zero steps to protect volunteers the FIRST time this happened, and instead waited until the attacker gained greater access and was able to threaten more volunteers more severely?Follow-up on FFA: (link)
At the time [October 2021], the ticketing system was also set up so that all tickets got copied to PAC members' personal email accounts. IHNI if the attacker knew this, but the result was that all of PAC got CSEM in our inboxes when the attacker figured out how to send it directly to the ticketing system, bypassing the web form. That setting got changed immediately, but we worried other systems would be similarly vulnerable. We warned Support directly because we knew Support used the same ticketing system. We warned Legal and Board to take care of the rest of the org
The attacker's emails to PAC also contained threats of various degrees of unhingedness, so their intent to escalate was self-evident.
Kutti commented [line breaks my own, for clarification]: Hi Legal, I am a current volunteer with the OTW and I am posting this here because I have been waiting more than 3 weeks for Board to answer my questions regarding the May 2022 situation and its aftermath, and have received no response. My questions (asked on 28th May 2023) were: 1) Who is in charge (board or legal or volcom) of creating the documentation for defining what an emergency is and what is authorised in it 2) What timeframe can we expect for this documentation to be drafted
I would also like to let you know that I received only 2 all-org emails after the May CSEM attacks, and the advice in them was limited to:
"If someone outside the U.S. received CSEM, they may also want to also report to NCMEC, since what they received came via U.S. servers. They should use their own judgment about reporting it to their own local, national, or regional authorities. Anyone who receives CSEM should delete it from their e-mail and hard drive. If you think you may have been a target of this malicious activity, do NOT open any unknown e-mail to investigate or find out what it contains." (dated 5 May 2022)
"We strongly recommend not opening any messages from unknown senders claiming to be from the OTW, particularly if they contain attachments. Delete them immediately. [...] We encourage you to choose a password that you haven't used before and cannot be easily guessed, and we strongly recommend that you enable 2-factor authentication. [...] "there is a possibility that any personal information you included in your Slack profile may have been compromised. We recommend that you take steps to protect yourself in the event this does occur. You may want to make changes such as: reviewing and removing information on your Slack profile, such as social media accounts; if your Slack profile has links to social media, removing location information and other identifying data from those accounts; changing your login data from those social media accounts, changing their protection level, or deleting them entirely."
You did not share any information about what to do if we were SWATTED, what to do if we were doxxed, or how to deal with the trauma if we were exposed to CSEM material. You did not offer any psychological assistance, and over a year later, according to the latest information, there are still no resources available for volunteers should we be attacked again. You did not even, as rahaeli's thread did, provide us the peer-reviewed citation to play Tetris.
Former Volunteer & Victim of the 2022 Attack commented [line breaks my own, for clarification]: As one of the volunteers who was sent CSEM in the attack last year, thank you for speaking up about this. I am no longer a volunteer due to this incident, and likely will not attempt to resume volunteering if there is another opportunity to do so, especially since it seems that nothing has changed in a full year. While I did receive support, I remember it coming primarily from other volunteers higher up the chain than I was. Most of the immediate aftermath is a blur now, but here's what I remember:
- I can't say for sure whether legal directly posted anything concerning this incident in the channel(s) I was part of, but regardless, a LOT of the heavy lifting was done by volunteers higher up the chain than I was. There was a lot of language like, "This was the advice given to us by legal and/or the board."
- I'm not going to go too deeply into detail about the email I was sent in the attack, but in addition to the CSEM, there was an angry rant that made references and included specific details about conversations that had taken place in Slack (some of them in channels I was part of), as well as threats of violence and/or extortion against the volunteers (each of them named in the diatribe). The sender had also left several email addresses (presumably of other volunteers) in the recipient list, which I provided to the volunteer who helped me through the immediate aftermath.
- I don't remember there being much confirmation one way or another which platforms had been compromised. The platforms I used for my volunteering work were locked down immediately, but I was afraid to post anything in Slack. This was a concern I saw echoed by other volunteers, but eventually conversation picked back up without any confirmation provided one way or the other that it would be safe to do so.
- I don't remember who it was that helped me through the immediate aftermath, but I remember their advice lining up almost word-for-word with what azarias has posted recently, about the support she personally provided to volunteers that had been sent CSEM (specifically the really practical stuff about how to lock your stuff down, clean your hard drive, etc). In fact, it was so close that that post had me wondering if maybe it WAS azarias that helped me back then (and if it was, and you happen to be reading this, thank you so much!)
The thing is, even if there HAD been more support provided for mental health purposes, I'm not sure I would have taken it at the time. Not from any OTW volunteer, no matter where they were in the hierarchy. I remember feeling terrified to even check my email or open Slack, because I had no idea what had been compromised and I didn't want to take any chances. I sure as hell didn't want to tie any part of my irl identity to my fandom identity, which I was worried would happen if I asked for any more support than what I received. I really don't know what kind of support I would have been most receptive to back then, but to the volunteers who helped me in the immediate aftermath, I can't thank you enough. Thank you so much for being so kind and patient with me during such a scary and tumultuous period, and walking me through that crisis. Thank you for continued work in addressing this and protecting volunteers from such incidents in the future, even at risk of retaliation.
fall commented: I'm a bit baffled by the clarification that images aren't hosted on the AO3 servers - we all know this, but you have to realize that allowing links to CSEM, even if not hosted, still counts as distribution, right...
Impertinence commented: It's also quite literally not true. They create & distribute work downloads with images embedded. The implication that distribution doesn't count is wrong but their statement around hosting is also flat-out provably false.
Azarias commented: I have personal knowledge of at least one image of a real, identifiable minor's head that was photoshopped onto a pornographic image, embedded in a work on AO3, and allowed to remain there for years after being reported by a concerned user. If that does in fact constitute CSAM - I thought it did not since we could tell it was manipulated, but people with greater expertise than me have said it does - then AO3 has certainly not been compliant. I hope they are going forward!
hopefully_unique commented: "(It is relevant to the legal analysis that the AO3 does not host images other than 100×100 pixel user icons, which cannot be “orphaned” within our system)." I have been told otherwise by Julie from Open Doors in reference to imported archives being allowed to import, and thus directly embed, fanart. This was a public interaction under AO3's announcement post for importing Slashknot, and can be found here https://archiveofourown.org/comments/594075447