Before the Shadow Play

Category: Opinion/Rant

Email handling: a rant
Okay, this is probably preaching to the choir for anyone who reads my blog, but I’ve just gone through a supremely frustrating experience with Hilton and I’m going to vent, because I can.

This is also partially humor, and an excuse to repeatedly mention the name of the person who triggered all this. Enjoy, Lisa Neumann of Spearfish, SD.

The triggering incident

Back in the day, specifically 2004, when GMail was new – so new that you had to know someone who could invite you to it – I got my name as my GMail address, because, hey, I could! 20 years on in hindsight, I should have constructed an alias and used that, because people are idiots and companies are as bad.

So why am I ranting today in particular? Because Lisa Neumann, of Spearfish, SD (yes, I am SEOing the hell out of good ol’ Lisa here) decided that she wanted to open a Hilton Honors account. And like any sane person, she picked a random email out of the air, in this case mine, and used that. I know I always want to enter things like my home address and name, and send those to some random person on the internet who I don’t know who can then sign me up for all kinds of mailing lists or do any number of other nefarious things based on knowing my actual physical address.

Pardon me, my sarcasm sequencer is overloading.

Specifically, she used a variation on my GMail address. I use a version with a dot in it; she used one without. GMail allows you to add periods to your address in any combination you like, so if your GMail address is firstmiddlelast@gmail.com, then you can use first.middlelast@gmail.com, firstmiddle.last@gmail.com, first.middle.last@gmail.com, etc. etc.

All of these are the same email address as far as Google is concerned, and this is not news. GMail has implemented addresses this way since 2004. However, large segments of the software engineer population do not seem to have figured this out, twenty year later. The Hilton engineers in particular have not, or have said, “not our problem, we just have to push signups”.

(I pause to note that I have no idea who Lisa Neumann is, that I have never been to Spearfish, South Dakota, and that she absolutely had no reason to think using my email address was a good idea. I will also note that if I ever am in Spearfish, I know whose address to go to, and which apartment to go knock on the door of, to ask, “What exactly was going through your mind, Lisa, when you made your home address known to some random person on the internet?”.)

In my current case, Hilton committed not one but two sins:
- They allowed a dot-variation of a GMail address to create a new account. (I personally already had a Hilton account.)
- They did not validate email access. So Lisa Neumann (and yes, I really hope this ends up high in the Google hits for good ol’ Lisa Neumann of Spearfish, SD) uses a random-ass email and Hilton’s software says “hyuk, okee-dokee!” and creates an account.
Why am I ranting about this?

Because it is stunningly common practice. People use email addresses they don’t own all the time, and companes who supposedly want valid data don’t care.

It’s nuts. I have mentioned before on this blog that most of the different Joe McMahons that use my email are idiots, because they know damn well that they don’t own my GMail account and will never see the mails. Apparently they don’t care that the password-reset emails go to the email that they entered, and don’t control. And I use them.

(Have I reset the password on multiple dating sites, and uploaded a bio that says, “In addition to all stuff about that, I am not very bright, because I used someone else’s email, and he has locked me out of this account. No sweet, sweet love for me!”? Yes, yes I have. Did I enjoy it? Oh, very much so.)

The mails I get tend to be one of the following:
- Someone has typed “joe mcmahon” (not the email address, but the name) into the “To” field, and GMail has happily filled in the most likely email, i.e., mine. If it wasn’t someone actually writing me, it’s a genuine mistake, and I don’t count that in the “what are these idiots doing” category. This most often happens when folks in Ireland are trying to send mail to a construction company (It’s Patrick there, BTW, in case someone stumbles on this while trying to figure out why he’s not getting their mail — though I do usually send a “you probably have the wrong email” to those folks, as this is only marginally their fault. Google, if they’ve never written to this person, do you think you should really do that? Maybe mention that an address was assumed, and maybe they should verify it’s right? Naaaaaah.)
- On the other hand, we have the Joe McMahons who sign up for things. Gym memberships. Dating sites. Porn sites. Ashley Madison (a particular favorite, Joe McMahon in Australia. Don’t think I forgot.) I don’t know exactly how to judge these, though my hunch is that these are people who think Google is Magic and just putting their name and google.com will somehow get the email fairies to deliver stuff to them. Or they’re just really freaking lazy and are counting on the email not being validated. Or just don’t think about it, and when the account never gets approved because I delete the verification mail, they just assume “computers don’t work”.
- Last we have the outright “I’m using this email and I know it’s not mine” folks, like dear old Lisa Neumann. Did I mention she’s from Spearfish, SD? It can’t be that they’re completely computer illiterate, else how would they know to use a random person’s name as an email address and expect it to work? Maybe Lisa Neumann knows/lives with/is married to a Joe McMahon in Spearfish? Can’t find one though. I’m grasping at straws here.
But honestly, the people are not the issue here. It’s the software engineers and product managers who could keep this from happening.

KPIs and “conversion” as a scourge on humanity

So why would anyone implement a system guaranteed to make people hate them? Why would you implement a signup process that doesn’t care if you can send email to the person who’s signing up, when ostensibly, you want that address so you can send them email? Why would you implement a signup system that would tell me, some random dude on the internet, exactly where Lisa Neumann of Spearfish SD lives — street address and apartment number, with no recourse or warning?

Because someone in the software development pipeline – almost certainly the product manager – has made the number of signups and/or the number of “conversions” (guest account -> permanent account) a success metric.

It is a truism that if you make some metric critical to a system being judged as successful, people will manipulate the system and its implementation to maximize the value of that metric to the detriment of the actual goal.

If you reward the team that closes the most bugs, teams will spam the issue tracker with trivial bugs and close them – and they’ll even add bugs to be fixed and closed.

If you measure the success of the “conversion” page by the number of signups, then the engineers will be incentivized to “remove friction”. And the absolute easiest way to remove friction is to remove validation.

In the case of email addresses, the dead easiest option is simply to not validate that the email is valid at all. Most engineers will not actually go that far, and allow obvious garbage to be entered as an email, but dropping the confirmation flow, or never implementing it, is a great way to get those numbers up. If any email at all, as long as it looks basically valid, is accepted, then the conversions go way up! Look, another account added! Even though the person will never be able to reset their password, or receive any notifications via email! Hey, that’s what app notifications are for anyway, and they push up our engagement KPIs! User support will figure out how to deal with the passwords!

Sorry, need to reset the sarcasm sequencer again.

So what is good practice?
- If you need an email, then you validate that the person signing up can access that email. You send them an account validation link, and until they click that link, the account is not usable.
- You follow the real world and not what the RFC says. Yes, technically, Google was incorrect to treat foobar@gmail and foo.bar@gmail as the same address, but I think their technical decision was “do we allow every combinatorial version of johnsmith to be a different account? Absolutely not, it’ll be an identity-collision nightmare.” (And when you, the implementer, allow all the combinations? Identity collision nightmare, and no one should be surprised.) So if john.smith@gmail.com has an account at your site, then someone trying to add johnsmith@gmail (Lisa) should fail.
- Allow people to close accounts without massive manual intervention. I still have to call Hilton on the phone and try to talk someone through fixing this issue. Chat support absolutely cannot help me. Their security policy is that two accounts with different personal names can’t be merged, so I can’t merge the two accounts that use variations on the same email. And I can’t edit the name in the account that Lisa opened, so I can’t do anything to fix it myself!
- Do not make it impossible to ever fix a bad account. I’ve had several banking accounts opened using my me.com account, and those simply cannot ever be fixed. They are set up, rightly, to require a second factor to reset the password, usually a phone number, and if it’s some dude in Vietnam who’s opened the account, I have no way to come up with his phone number, and I get to just keep marking all the bank notifications as spam, because the bank has linked his whole online identity to that email address. Even if I get hold of the bank (and good luck doing that), they can’t help me because removing the email would effectively cause the user to not exist anymore.
I honestly think that given the unfortunate trend toward greater and greater enshittification, we’re not going to see a massive come-to-Jesus moment on not pissing off innocent bystanders, mostly because it doesn’t impact the bottom line in any significant way. I like staying at Hilton properties in general, so me boycotting them over their account handling does little to impact them, and takes something away from me.

Unless somehow someone manages a massive fraud based on email account variations, we’re not going to see a change, and I’ll continue to block accounts for other Joes and the random Lisa Neumann (of Spearfish, SD, let’s not forget!) for the foreseeable future.

Questions you may be asking
- But aren’t you by implication exposing your email by saying how the dot thing works in GMail?
  - That horse is out of the barn, down the street, and out on the prairie living its best life at this point. There have been so many breaches where my email has been stolen or leaked that it doesn’t matter anymore. (I can’t think of any other way that Lisa in Spearfish (I can’t be bothered anymore) could have found it.) And GMail seems to fill it in when you type my name in the “to” field, so I’m being shafted automatically anyway.
- Wow, shouldn’t you go touch grass or something?
  - Yes, and I totally do. It’s just that I come back to my inbox full of “WELCOME TO YOUR ACCOUNT” and “YOUR RESERVATION IS CONFIRMED” and “SexyBabe69420 sent you a wink!” messages and I might as well have not bothered.
- Have you never done anything to people who do this?
  - Actually, beyond locking them out of the accounts they’ve opened with my identity? No. I have never cancelled a reservation, rerouted a package, or catfished someone on a dating site. I absolutely could have, but I wouldn’t respect myself for doing actual financial damage or hurting an innocent person. Messing with someone on a sex dating site? I’m only disappointing the bots.
June 3, 2025
Belloq fail: Roblox
In the category of “we can’t handle email right” again, or at least, they haven’t convinced me they can: the email that is this blog’s domain name plus .me.com is apparently on someone’s list of “valid emails you can put in forms”, or there’s a tool that exists somewhere to grab an email off one of the numerous breaches that included it, because it gets used by random people around the world to sign up for stuff.

This is definitely an “I’m doing this on purpose” because the name is unusual for anyone who doesn’t speak Bahasa Indonesia, and I have never yet had a fraudulent sign-up from Indonesia.

As I do for my other email, I usually punish them by resetting the password and locking them out of the account. For dating apps I add a really savage profile about how dumb they are.

But every once in a while there’s one I can’t do this for — Capital One, for instance, allowed ROBIN JEAN (yep, it was all caps) to supply the me.com address as their email for a credit card without verifying that it was accessible by their customer. Their password reset requires, if I recall, the account number to do a reset, so there’s nothing I can do about that one except complain every month when the balance email shows up. (We’re three months in; hasn’t helped, though they keep swearing they’ll fix it.)

The one I’m writing about today, however, is one that leaves me gobsmacked. And somewhat alarmed.

On July 1, I got a purchase confirmation from Roblox that read like this (please note that I do not have a Roblox account):
```
Thank you for your purchase on Roblox, the online gaming platform that is powering imagination globally!

Please contact us at roblox.com/support, or call us at +1-855-333-4734 if you have any questions about this charge.

Your 6/28/2020 3:11:10 AM order:
Item Purchased: Roblox Premium 2200
Item Price: CAD25.99
Next Renewal Date: 7/28/2020
Total: CAD25.99

Billing Information:
sdf sdf
pemungkah@me.com
Visa ending in 1563
sd
sd
fsd v6e
United States
Username: 45dfgerdfwerewr
Sale ID: 543250908

You will be charged CAD25.99 per month for this service until you cancel. You can cancel at any time by going to the billing tab of the account settings page and clicking cancel membership. If you cancel, you still will be charged for the current billing period. We hope you enjoy your membership!
```
Let’s just luxuriate in the utterly transparent fakery of that address and username for a minute.

It is blatantly obvious that whoever is using this credit card is not on the up-and-up. So I immediately tried to reset the password. Nope. No password reset email. Well, they allow several other authentication schemes, maybe I can’t reset it this way . I’ll make sure that Roblox Support knows about this; possibly unauthorized, fraudulent charges are most certainly going to be a serious issue for Roblox, and they’ll want to be sure that they’ve protected whoever this actually was, and they’ll take quick action to fix this.

Ha. No.

I spent the next eleven days simply trying to communicate that someone was very possibly committing fraud, that I had evidence, and that maybe they should do something.

Roblox “support” spent that time sending me their form emails about unauthorized charges. Once I battered my way past that, I said, fine, you can’t tell me anything. Please make sure my email is removed from your system.

They couldn’t find it.

I supplied the email with full headers.

Still couldn’t find it.
```
Do you have any explanation as to how this order ended up in my mailbox, then? Because it certainly was not me or anyone in my household. I would think this would be an issue, that there are orders going out to emails that you don’t have any record of.
```
Time passes. Crickets.

Then I get the automated “you haven’t replied and we want to close this ticket so our KPIs look good” email. All right, I will explain it carefully so we can perhaps get an understanding going here.
```
Hi. Look. This should not be as hard to understand as it seems to be.

I forwarded you an email I got. 

It came to my email address, and had my email address in the purchase record.

The data in the purchase record is obviously random typing on the keyboard.

It’s not my credit card.

It is, however, my email.

SOMETHING must have created this purchase. There has to be an audit trail that points back to some account that this purchase order is associated with, and some transaction that initiated it.

Whatever account it is. Whatever purchase it was.

NONE OF IT should be associated with my email.

Have I made it clear?
```
Reply:
```
To assist with or provide information about any account, we must first verify account ownership. Unfortunately, there is no email address or purchase information associated with the account. Without this information, we are unable to verify ownership or assist further with the account.

Please make sure that with any account you create, you add and verify your email address. This will allow us to verify ownership and also allow you to use the reset password feature.
```
What did I just send you, other than the complete email, with all the headers, containing the account name, the email address, the literal transaction ID for the possibly fraudulent sale…? So I gave up.

I’m guessing that they may actually have caught that it was bogus right away, and immediately deleted the account, and the stonewalling is to prevent me trying to social-engineer my way into, I don’t know, getting them to confirm the credit card is good or something.

I’m guessing that there is a record that this account was deleted because of fraud, but because of policy they can’t tell me that.

But we’ll never know. To whoever owns the credit card, sorry, I did my best. I hope they did protect you, or that you catch the charge and dispute it.

I’ll just say that I don’t feel warm and fuzzy about the whole thing.

2025 update: I now think that this might also, possibly, have been a phishing attempt, very badly executed, similar to the 9000 “YOU BOUGHT CRYPTO” / “YOU BOUGHT MCAFEE” scams that go straight to my spam on Gmail. This was on me.com, which has much poorer spam detection.

If this was a phishing attempt, they should have only supplied the callback number! Contacting support immediately got me “this doesn’t exist”, and in hindsight, probably didn’t! I was supposed to panic and call the number so they could “help me with my account” (i.e., probably tut concernedly and tell me I “had a virus” and would “need to talk to Microsoft” (I don’t have markup that lets that last bit drip with sarcasm enough.)).
July 17, 2020
An open letter to my namesakes

Hi, all you other Joe McMahons out there.

I’m sure you’re all great guys, a pleasure to know, upstanding in your community, and a blessing to your families. Kidding – I know at least one of you wanted to cheat on his wife. Or on someone else’s spouse with their wife.

“Why would you say a thing like that! How could you possibly know that?”

Well, Google tells me. I take that back – actually, you tell Google to tell me, via Gmail.

Many of you seem to have the bad habit of using our name @ gmail.com when you are asked for an email address. I am at a loss as to why you do; I find it hard to believe that you really think that magical email fairies are going to deliver you mail…somehow… because you type in “my.name@gmail.com”. I’m guessing it’s just plain laziness and not being willing to bother to spend the grueling 2 minutes it takes to set up a Gmail account.

This is why all the places you set up accounts for always break, and you can’t log in anymore. Because it’s my frigging email account, you dolt.

Whenever you set up an account to post a personal ad in Liverpool, or sell your used van, or buy a new laptop and set up a Windows Live account, or join Ashley Madison (that was my very favorite) and use that account, I’m the one who gets the confirmation message.

You know what I do? I confirm your account, and then I immediately reset the password on your account so it’s my account, and I set up 50-character passwords and 2-factor authentication if possible.

You know why? Because accounts linked to my Gmail account might be usable to social-engineer someone into access to my Gmail account.

Shorter version? ‘Cause fuck you, that’s why.

And that’s my Gmail account. Keep your grubby paws off it. If not, well, in the words or René Belloq:

“Again we see there is nothing you can possess which I cannot take away.”

December 26, 2015
Pure majority rule considered harmful

2025 update: I ended up abandoning Perlmonks not long after this; one user in particular seemed to have both no life and an unending animus for me, and life is too damn short. I checked in during 2024 and he last posted in 2019. Not surprisingly, his last posts were about how several other people were stupid; it was not going well for him, and I think he quit.

I’ve been discussing an issue on Perlmonks over the past couple days; specifically the potential for abuse of the anonymous posting feature. I’ve seen numerous threads go by discussing this, most of which have focused on restricting the anonymous user. Since the anonymous user’s current feature set seems to be a noli me tangere, I proposed an alternative solution similar to Twitter’s blocking feature. One of the site maintainers very cordially explained why my proposal was not going to be adopted, and in general I’d just let this drop – but I received another comment that I can’t just let pass without comment. To quote:

I’m saying “This isn’t a problem for the overwhelming majority, therefore it is not a problem.”

I’d like to take a second and talk about this particular argument against change, and why it is problematic. This is not about Perlmonks. This is not about any particular user. This is about a habit of thought that can be costly both on a job-related and personal level.

Software engineering is of necessity conservative. It’s impossible to do everything that everyone wants, therefore we have to find reasons to choose some things and not others. And as long as the reasons are honest and based on fact and good reasoning, then they are good reasons. They may not make everyone happy (impossible to do everything), but they do not make anyone feel as if their needs are not being carefully considered. But, because we’re all human, sometimes we take our emotional reactions to a proposal and try to justify those with a “reason” that “proves” our emotional reaction is right.

In this case, what is said here is something I’ve seen in many places, not just at Perlmonks: the assumption that unless the majority of the people concerned have a problem, there’s no good reason to change; the minority must put up with things as they are or leave. Secondarily, if there is no “perfect” solution (read: a solution that I like), then doing nothing is better than changing.

There is a difference between respectfully acknowledging that a problem exists, and taking the time to lay out why there are no good solutions within the existing framework, including the current proposal, as the maintainer did – and with which I’m satisfied – and saying “everyone else is happy with things as they are”, end of conversation.

The argument that the majority is perfectly happy with the status quo says several things by implication: the complainer should shut up and go along; the complainer is strange and different and there’s something wrong with them; they do not matter enough for us to address this.

Again, what I’m talking about is not about Perlmonks.

As software engineers, we tend to lean on our problem-solving skills, inventiveness, and intelligence. We use them every day, and they fix our problems and are valuable (they are why we get paid). This means we tend to take them not only to other projects, but into our personal lives. What I would want you to think about is whether you have accepted that stating “everyone else is happy with things as they are” is a part of your problem-solving toolkit. The idea that “the majority doesn’t have a problem with this” can morph into “I see myself as a member of the majority, so my opinions must be the majority’s opinions; since the majority being happy is sufficient to declare a problem solved, asserting my opinion is sufficient – the majority rule applies because I represent the majority”.

This shift can be poisonous to personal relationships, and embodies a potential for the destruction of other projects – it becomes all too easy to say the stakeholders are being “too picky” or “unrealistic”, or to assume that a romantic partner or friend should always think the same way you do because “most people like this” or “everybody wants this” or “nobody needs this” – when in actuality you like it or want it or don’t need it. The other person may like, need, or want it very much – and you’ve just said by implication that to you they’re “nobody” – that they don’t count. No matter how close a working or personal relationship is, this will sooner or later break it.

Making sure you’re acknowledging that what others feel, want, and need is as valid as what you feel, want, and need will go a long way toward dismantling these implicit assumptions that you are justified in telling them how they feel and what should matter to them.

January 29, 2014
The Node.js “he”/”they” Change: Analysis of a Social Bug

The Node.js foofaraw – concerning a fix meant to remove a “he” and switch it to a “they” – has gone all the way from a one-word patch to a monstrously-long comment chain on the patch and a core contributor resigning from the project.

The controversy continues a week later, with opinions ranging from “good riddance” to “how terrible people would make a good programer quit the project”. I’d like to step back and try to do what good programmers do when something fails in a spectacular way: look at what the situation was, what happened, and try to determine not only a cause but a way to prevent the issue in the future.

Rather than spend a lot of time on the deep analysis first, I’m going to go straight to my conclusion, and then illustrate why I think it’s true.

The social bug

The problem was neither completely a software problem, nor a social problem, but one caused by multiple confusions of software criteria for social ones (and vice versa), and of the essence of software with its representation, followed by not seeing the necessity of cohesion to help correct a community-wide problem.

Node.js is both a software project and a social group. There is code: an agreed-upon, human-intelligible means of communicating information about a set of designs and procedures to other humans, such that the chosen representation of that information can be turned into a different representation that can be executed by a computer. This is shared among the people who are working on it, and all of the people working on it submit proposed changes to a set of core committers who decide what goes in and what doesn’t based on their technical expertise, the quality of the submissions, and the overall goals of the project. So far so good.

Software, however, is not only the expression of algorithms and design, but an expression of the community’s standards, especially when it is a public project. Because we are not computers ourselves, that communication will by necessity include desires, impulses, preconceived ideas, and all those other messy things that go along with being human. Some places the community or readers and writers will share nearly all the same ideas and goals; in others they will have large differences.

So it’s possible, even likely, that “good’ software – it executes properly, meets its design goals, it produces proper results – may communicate a personal or social message that raises a problem for members of the group on a personal level. This is a social bug.

Fixing a social bug

Fixing a social bug requires a very different set of talents and procedures than software debugging does. Among these are careful listening and a willingness to take enough time to reach an agreement, or at least an understanding; a willingness to accept that bad judgement and errors in solving a social bug can cause problems far worse than the original bug; and that sometimes the only tools that can fix them are personal responsibility and acceptance, with ensuing personal costs.

“Too small a change”

The Node.js failure occurred because Ben evaluated a social bug patch as a software patch. The specific change was a one-word change to a comment – a change to a comment is one of the clear signs that this was a human issue instead of a software one. Second, the change was gender-related. Most software developers during the current era are aware that a gender-related question is almost certainly going to be a social issue instead of a software one. Not seeing this and switching to a different problem-solving paradigm was the first error.

Causes for this first error are quite obscure. The very quick escalation of the problem caused by the lack of followup communication (see below) led to it being difficult to see what the proximate cause of the error was. It is possible that the initial evaluation of the change as insignificant was triggered by a cursory look at the patch: (paraphrasing) “one word in a comment? this isn’t worth it”, but we can’t say for sure.

The first error could have been avoided in a couple ways. If Ben had spotted this as a social issue immediately and had deployed social problem-solving immediately, it’s possible that this problem could have been resolved in a couple minutes. Possibly a lack of experience or training in dealing with social issues is the base reason for this particular failure; training, either formal or informal, in dealing with social issues is recommended to provide a base to work from.

“Works for me”

The second error occurred when other users filed “votes” for this social bug; they were attempting to communicate that the social problem was a problem for them as well, and these reports were seemingly ignored – there was no response for some time – or brushed off with a statement that the patch was not significant enough.

This failure can be summed up as a ‘works for me’ closure for a social bug, which, in an open source project, will more likely exacerbate the problem instead of fixing it. Closing a social bug as “works for me” communicates to the person reporting a social bug that the responder disregards the fact that the reporter is not the same as the responder, and that the item complained about is not “working” for reporter; else it would not be being reported! “Works for me” for a social bug communicates “you’re taking this too seriously” or “this doesn’t mean anything, you should ignore it”.

The solution to this situation is to engage the reporters. Talk to them, find out their reasons for reporting the bug, take their input seriously. It may not make sense immediately, but it is critical to be seen as open, willing to listen, and accepting. You may need to say “I’m sorry, I had no idea this was the case.” Apologizing at this point is far easier than doing so after arguing against the reporters’ feelings and thoughts. Only after listening should you take any action. You should offer to listen in private so that persons who might feel at risk in speaking in public can feel safe in speaking to you. You may be on the receiving end of some anger and frustration; do your best to accept it as a communication of those feelings rather than responding to its face value. You do not have to be a doormat; you may ask for less emotionally-loaded communication, but only after acknowledging the sender has a right to those feelings and that you understand that they feel upset/angry/frustrated. Your job is to take all this in and return understanding.

Setting up a private conversation would have been ideal; a second-best would be to have said, “I can see this is more important to people than I thought; I understand this, but I’m still of the opinion this change by itself is smaller than we normally prefer to commit. Can we come up with a solution that expands the scope of the patch – maybe do an audit and clean it all up – and I’ll gladly commit that – or is there another possibility? Let’s talk about this – write me at XXXX@YYYY.ZZZ”.

“Consider yourself chided”

At this point, Isaac attempted to simply solve the social bug by merging the fix; unfortunately Ben apparently continued to view this as a software issue, and reverted the patch with comments about procedures and “chiding” Isaac, who was trying to head off the social train wreck. This sent the message (whether justified or not) that Ben had an agenda and was actively engaged in retaining the social bug, thereby escalating the bug from a small issue to a community-wide one of “what kind of message do the responsible members of the community want to send about this issue?”.

Several problems occurred here. A secondary social issue, no doubt amplified by the Joyent/Strongloop rivalry connected with Node.js, was aired in public instead of sorted out in private. The appearance of dissension among the core committers sent a bad social message – that the basic values of the community were indeed in conflict. This led to the airing of less and less productive attitudes and attacks.

Other persons at Ben and Isaac’s respective employers have explained that the issue was caused by Ben’s not understanding that the use of a gendered pronoun was so loaded. Perhaps this is true; given the amount of discussion of this issue over the past year or so, it seems unlikely. However, a number of people attempted to communicate that this really was an important issue. As far as can be seen, Ben did not engage with them when they tried to communicate this really was a big deal and that he should pay attention. It is always a failure in a social bug situation to appear to not care.

At that point, many different factions within the community, who before the bug was worsened into one of community principles had not even noticed the patch became involved. By this point the discussion had already spread to Twitter, pulling in other persons for whom this was indeed a social bug that mattered to them, myself included. It also pulled in a number of persons who were coming to the “defense” of the committer, further increasing the appearance of dissension in the ranks, and leading to YouTube levels of argument. In retrospect, joining the discussion was not productive, and I should not have done so. Trying private communications first would have been the right call; if there were no other way to communicate, trying to talk to Ben directly might have been acceptable; replying to people arguing with me was definitely not, and I should not have allowed myself to do so. (Again, my apologies to Isaac, who was trying to tamp down the social problem; I’m sorry to have made it harder on you.)

Many of the most rancorous discussions came out of trying to pretend that the software was an entity divorced from its human representation, and therefore social bug reports about the code were inane, hypocritical, or the result of ulterior motives (“white knight” was bandied around with vigor). Unfortunately there was no one at the upper levels of the Node.js informal hierarchy with the ability to choke off the argument (GitHub does not have a means of limiting discussion on a patch), and the core committers as a group were unable to, unwilling to, or simply did not think of establishing a united front and announcing a social bug solution. Isaac deployed a number of good social bug patches (language usage standards, acceptance of the patch, a definite statement that Node.js was committed to being inclusive), but the solidarity of the group had been damaged.

Solutions for this? When a social situation is spiraling out of control, the first task is to restore a consensus. It may be necessary to impose a cool-down period; discussion of the topic is barred in the public forum but encouraged privately. If a cool-down cannot be imposed (as in this case, where commenting could not be blocked), then the putative leaders must establish their own working consensus and reiterate it until it is clear that there is a consensus for now; that observations and complaints will be listened to and all points of view will be considered; that it is clear that there is a problem and that it does need to be fixed; and that the current decision is not necessarily the permanent last word on the subject, but it is the current decision of the leadership of the project, and that it is the end of the public discussion for now. Concerned parties are encouraged to talk to the leadership to help shape policy in this area.

Resignation

Ben has resigned form the project. I am sorry, as he has been a valued participant and has contributed a lot of code. This is the “everybody loses” solution to dissension; one person or another quits or is forced out.

In a hypothetical “everybody wins” version, the people who had the argument are required to resolve it – privately – and to come to an agreement. This may require one of, or all of, the participants to apologize: to each other, to the community, perhaps to others outside it, and the agreement is presented jointly by those who were arguing.

Any further discussion of the topic is cut off by the person on the “opposite” side: in this hypothetical instance, if someone was defending the initial refusal to commit, it would be Ben’s responsibility to step in and say, “we’ve resolved this, and we don’t need to discuss it further here. If you need to talk to us about it, write me a XXXXX@YYYYY.ZZZ.” If someone was saying, “Well, Isaac was right to override,”, then it would be Isaac’s responsibility to do the same. If someone simply is insisting on discussing feminism, or language, or someone’s motivations, any one of the participants should say “speaking for all of us, we’re done with this now; this is the policy. If you don’t like the policy, send your objections and suggest fixes to XXXXX@YYYYY.ZZZ.”

“Asshole”

During this period, various official entities published blog posts support for one committer (the Joyent “asshole”/”fire” post) or another (the Strongloop “second language” post); none of these did much except make one set of people happy and another unhappy.

The Joyent posting chose loaded language (e.g., “asshole”) to describe behavior; worse, “asshole” was not used in a way that made it clear that someone can act like an asshole, but that this does not necessarily mean that they are permanently and unreservedly an asshole. Certain behavior on the first committer’s part was socially inept and appeared condescending and somewhat hostile to an outside observer.

The only real solution, difficult as it is, to someone is calling you an asshole is to stop and re-evaluate your behavior to understand why they are saying this. If your re-evaluation of your actions causes you to realize you were wrong, then you need to say this. Even if your evaluation says you are right, something has caused the name-caller a problem, and for the continued social good health of the project, you need to figure out what it is. This will probably entail talking to someone who is good and mad at you, and it will probably be very uncomfortable. You may have to take timeouts from the conversation. You will probably have to apologize. You will almost certainly have to change your actions and probably your ideas, unless a neutral observer (not someone “on your side”) agrees that the name-caller really is off in na-na land.

Conclusions

It is, yes, a shame when knowledge leaves a project, or when someone loses their enthusiasm for it and gives up on it. It is not a shame that people were willing to stick their necks out and say, “I think that this decision does not reflect well on the project”, especially when some of those people have a lot to lose because of it. (I’ve been in a conversation where someone has actually offered the opinion that if a person using a particular ID is being verbally harassed at that ID, the right solution is for them to abandon that ID an move to another. Apparently the harassers shouldn’t have to do so.)

Persons who have a high profile in a public shared project do need to be willing to listen; to say they are sorry; to say thank you to someone who points out a mistake, no matter the language in which this is done. If you have inflicted a social bug’s results on someone, you don’t get to decide what reaction is appropriate; you don’t get to decide how many people are allowed to react; you don’t get to decide how someone is allowed to speak to you about it. You only get to decide whether or not to say something like “Holy crap. I didn’t realize. Thanks for telling me. I’m sorry about this.” If you decide not to, you may be acting like an asshole. If you always decide not to, you may be and asshole, for the purposes of people who observe this and then give up trying to interact with you.

December 7, 2013