The witch-hunt against Larry Garfield, part 3: How far down does this rabbit hole go, anyway?

This entry is part 3 of 3 in the series The witch-hunt against Larry Garfield

I’m going to set aside the original plans for part 3 of this series, since apparently there have been new developments that Larry has posted about in the past couple of weeks that I only found out about the morning I started writing this (Sunday 8/6).

Larry’s post is entitled “Deception and discrimination in Drupal” and, combined with the Drupal Association (DA) blog’s post with statements from both Dries Buytaert and Megan Sanicki, are by far the saddest such posts made in relation to this controversy thus far.

From the DA blog post, we learn that now Larry has been stripped of all remaining leadership roles, leaving intact only his role as an individual contributor. I’ll get back to that toward the end of the post.

Larry’s blog post, on the other hand, lays out a lot of details that were touched on in the DA blog post. Several emails and a police report are included in his latest post.

The first thing Larry refers to is a series of phone calls, of which he is not allowed to discuss the content of due to a confidentiality agreement:

[…] Dries refused to speak to any relevant details unless I signed a confidentiality agreement. (Although it did prompt my 4th post on 16 April.) Sorting out that agreement took several weeks, and we did not speak of anything substantive until 15 May, long after DrupalCon. Megan was added to the agreement for a second call on 9 June and for three further calls, the last of which was on Wednesday 12 July. At Dries’ recommendation we were also joined on the calls by Whitney Hess as an independent mediator, and I thank her for her willingness to attempt to help broker peace.

Because of the confidentiality agreement Dries and Megan required, I am not permitted to discuss what we talked about in any of those calls. I can say that my intent going into them was to get clarity and, ideally, reach a point where we could all issue a joint statement that retracted the insinuations against me and then move on together, with me welcome in Drupal just as anyone else.

Clearly, that did not happen. The timing and speed with which their latest post on 13 July was made (barely 24 hours after the end of our last call) suggests it may have been written even before we concluded talking, and clearly tries to blame me for daring to act in my own defense. It also contains multiple misleading statements that, sadly, I feel need to be corrected.

Let’s think about this for a minute. The last of these phone calls took place on Wednesday, July 12, and the DA blog post goes up on Thursday, July 13. I am willing to give Mr. Buytaert, Ms. Sanicki, and others at the DA the benefit of the doubt that the post was not written before the conversations with Larry had concluded, until and unless proof beyond a reasonable doubt surfaces to the contrary. I don’t feel Larry’s accusation is necessarily out of line; it’s certainly plausible, but it’s pretty damned low even given the past conduct of the parties in the past.

Most of the rest of Larry’s post is a recap of events from February on, this time with (redacted) screenshots of emails. We see that this has morphed from an issue with Larry’s participation in the Gorean and BDSM communities. Specifically, somehow now it’s about Larry’s former housemate and an assumption that the relationship he had with her was non-consensual. The assumption, of course, winds up being proven false (the police report of the welfare check proves that). Quoting from later in Larry’s post:

So now, Dries and Megan are claiming that the issue was, and always was, entirely based on concern about the ability of my housemate to consent. To consent to what is unclear; usually that phrasing refers to sex, but my interactions with her in public (Drupal or otherwise) were always extremely G-rated. To the best of my knowledge, the only information about her they had was “Community Member A’s” single paragraph of being uneasy in-hindsight after she didn’t want to talk to him (being mute and shy) and wouldn’t make eye contact (being autistic).

Somehow, “she’s quiet and shy” turned into “we think there might be a consent issue here”.

For those not familiar with it, autism can have a very wide variety of symptoms […] My former housemate has extreme introversion and eye contact with anyone, even me, is extremely uncomfortable for her. She is still an intelligent woman with her own thoughts and feelings and moral stances. Every single bit of her atypical behavior in public was due to her autism, which is why she specifically instructed me to tell people that she was autistic as a way to explain her odd behavior. All of which could have been found out by Dries et al if they had simply spoken to me and asked before summarily dismissing me because of “beliefs”.

Excuse my French here, but I can’t believe that Larry actually has to say all this shit. And I certainly can’t believe I’m reading this shit.

The most troubling parts of Larry’s post are the things like this:

This information [that there was an issue with Larry’s autistic former housemate] was actively withheld from me for months during our conversations in February through April. Yet now my open and honest explanations to the Board on 16 March (after Dries and Megan decided in February to summarily remove me from Drupal) are being retroactively used to justify their actions against me.

Or, put another way, Larry was honest and had his honesty used against him in a retroactive justification for the actions taken against him. Which, of course, was different than the previous reasons given to him and others.

And then:

This is also completely at odds with Dries’ original statements to me — that the issue was avoiding anyone finding out that there were Goreans involved in Drupal — and in his original blog post — that the issue was entirely “beliefs” of which he did not approve — which made no mention of my former housemate at all. These statements cannot both be true.

Again, Mr. Buytaert has proven himself to be a complete two-faced liar, changing the story for his own convenience, with absolutely no integrity or respect for the truth. This is not how responsible leaders act.

Megan further states “The Drupal Association can not and should not investigate or adjudicate legal matters.”

At least on this point we 100% completely agree! And yet she is willing to take harmful action against someone anyway given nothing more than hearsay. That is, she is adjudicating legal matters.

So again, Ms. Sanicki is showing her dishonesty or at least flagrant inconsistency.

The most “damning” (and I use that word ironically) accusation they are even able to make is that I “allowed” my former housemate to contribute to Drupal, as though I was preventing her from doing so otherwise. Bollocks. Here’s the actual quote from my second blog post:

She is very intelligent and curious and was interested in programming, so after she took a free online coding course I allowed her to help me with some small Drupal core patches. Her shyness, however, prevented her from posting any issues in her own name, so we abandoned that endeavour. She still wanted to learn, though, so I brought her along to a number of Drupal and tech conferences in the Chicago area.

She took a free online programming class all on her own; I reviewed her assignments to give constructive feedback. She then helped me with some minor PSR-0 refactoring for Drupal 8, on a patch I submitted. Yes, I “allowed” her to help me directly with a patch, at her request. How terrible. She wanted to do more to help, but was too uncomfortable posting in her own name and I was not comfortable posting her work under my name as though I had done it.

It sounds like “tried to help someone who wanted to contribute to Drupal to contribute to Drupal” is the actual accusation against me. I certainly hope we’re all guilty of that.

If this is really the main reason Larry was stripped of his leadership roles, it’s nothing short of outrageous.

If it’s not, and it’s his participation in Gorean and BDSM communities, it’s still nothing short of outrageous. This is before even factoring in that that information got to the Community Working Group (CWG) and others in an unethical and possibly unlawful manner (from a website which forbids that type of sharing in its terms of service).

Even if it’s some combination of the two, it’s still nothing short of outrageous.

Dries further states:

Larry’s posts created material disruption to the project and the Association based on incomplete and inaccurate information.

And Megan continues:

Larry’s subsequent blog posts harmed the community and had a material impact on the Drupal Association, including membership cancellations from those who believed we doxed, bullied, and discriminated against Larry as well as significant staff disruption. Due to the harm caused, the Drupal Association is removing Larry Garfield from leadership roles that we are responsible for, effective today.

People canceled their DA memberships because they felt the DA was mistreating me. And somehow Megan is trying to make that seem my fault for stating facts. I reject that characterization outright.

I fail to see how it could possibly be harmful to the Drupal project for someone in Larry’s position to counter rumors, innuendo, gossip, and lies with the truth. Unless, of course, it’s because the truth is inconvenient to Mr. Buytaert, Ms. Sanicki, the CWG, and others, and they would prefer those rumors, innuendo, gossip, and lies to remain unchallenged and unanswered. If so, I’ve seen high schoolers act with more respect to their peers, and that’s saying a lot.

The “material disruption” came from Mr. Buytaert’s, Ms. Sanicki’s, and the CWG’s piss-poor handling of the situation. To attempt to pin that “material disruption” on Larry crosses outside the boundary line of conduct deemed acceptable in decent society and should be retracted without further undue delay, with the appropriate apology to Larry issued as part of that retraction. (Not that I’m holding my breath, mind you.)

Finally, the end of the post:

What have we learned

A number of things, unfortunately.

  • We’ve learned that a vocal significant minority of people in Drupal do not believe Dominant/submissive relationships can be consensual at all.
  • We’ve learned that Drupal’s senior-most leadership feels autistics cannot consent, at least if they’re mute, although consent to what is unclear.
  • We’ve learned that the penalty for bringing an autistic person to a DrupalCamp and making someone uncomfortable because she doesn’t talk is to be summarily dismissed from any and all positions of responsibility.
  • We’ve learned that the penalty for actively soliciting blackmail material and then trying to blackmail fellow members of the community is also to be removed from any positions of authority, as Klaus has been. (It seems odd that both of these warrant the same action.)
  • We’ve learned that collecting “dirt” on a fellow member of the senior team with intent to use it to force the person out warrants no penalty.

The first three of these things are absolutely fucking outrageous, excuse my French. The fourth one (referring to Klaus Purer) is reasonable, perhaps the only reasonable action taken by the Drupal community’s leadership related to this whole affair, and thus the faint silver lining on this cloud. Mr. Purer deserved to be held accountable for his egregious, despicable, and indecorous conduct.

The fifth of these (about “collecting ‘dirt’”)? I’m not even sure “absolutely fucking outrageous” does it justice. This/these jerk(s), unfortunately, got what he/she/they wanted. This person or group succeeded in splattering dirt on the reputation of a high-profile contributor to a high-profile free software project, resulting in his eventual removal from all leadership posts, and quite possibly irreversible damage to his career which took over a decade to build… and got away with it. This goes beyond even the most permissive bounds of anything that we as a society could possibly label as a standard of decency.

Worse, we don’t even have one or more names to associate with this act. That only speaks volumes about the egregious cowardice, flagrant indecency, and patently derelict character of this person or group of people. I don’t know who is more at fault: the person or group that collected the “dirt” that started this, or the people like Mr. Buytaert and Ms. Sanicki that helped this despicable person or group fulfill such despicable desires.

Before I get to the very last thing Larry reveals in his post, I’d like to suggest a sixth thing we learned from this, which is something I also feel “absolutely fucking outrageous” fails to justly describe: Attempting to protect one’s reputation in the Drupal community when someone involved wants you gone is enough reason to lose one’s leadership roles in and of itself. That’s part of what I read from this: that the real issue now is that Larry dared stand up for himself. That he dared defend his reputation instead of just taking it lying down could only legitimately piss off those who value their own completely fucking absurd lies which smack of a rookie flack’s first weeks on a new PR job. (Excuse my French, again.)

Larry says it himself that it was not easy coming out about the details of his personal life. As I see it, he made the brave move to do so to beat the blackmailers to the punch, and also to set the record straight instead of letting the gossip and rumors be what everyone based their decisions on.

And now, the truly sad conclusion, quoting Larry’s blog post one last time:

At this point, I cannot in good conscience continue to be an advocate for Drupal in the broader tech community. Though it pains me to say it after 12 years with this project, to be stabbed in the back by so many, even if they’re a minority, is unbearable. Doubly so when it’s by the project lead, a man whom I had considered a friend.

Up until this point, despite all that had happened, I had not canceled my Drupal Association membership, in the hopes that this matter could be resolved honestly. Unfortunately, I now see that honesty is not going to be forthcoming. I have now canceled my DA membership as I can no longer, in good conscience, financially support those who continue to discriminate against — and spread misinformation about — me and those in marginalized groups.

I can only imagine how many more DA membership cancellations have followed Larry’s. We know at least a few preceded it when Larry made his first couple of posts.

That Larry considered Mr. Buytaert a friend before all this shit hit the fan is quite telling. I have had plenty of experience with friends willing to throw me under the bus, so to speak. I have also had an experience where my honesty was used against me and it cost me quite a few potential friends. We are taught that being honest and transparent are qualities of good character­, and then there are situations like this where those same qualities are used against those that have them by people with character that can only be described as putrid.

So, there you have it. I’m not going to get into the comments, or go into the DA blog’s post in much detail beyond what Larry has quoted, though I will say both are worth reading for a more complete and rounded understanding of what’s going on.

Before I wrap up this post, I’d like to say that the fact Larry can’t comment now as much as he’d like to due to the confidentiality agreement, is the exact reason I’m extremely leery of these agreements.

Briefly, what this means for me personally:

  • I am removing Drupal from consideration for my future personal website projects indefinitely. (There was at least one prior to this post, which I’m going to try to either figure out how to do with WordPress, or explore other options.)
  • For the moment, I will accept client assignments which require me to maintain an existing Drupal site, but not assignments which require me to set up a new Drupal site. This also means I will be steering clients who want me to set up new websites away from Drupal to other platforms (not necessarily WordPress, but that remains a possibility).
  • Going forward, the main reason I learn any more about Drupal is for the purpose of migrating existing Drupal sites to other platforms, something I will happily do given what appears to be the final outcome of this situation.

I base these strictly on the handling of the situation by Dries Buytaert and Megan Sanicki. It has nothing to do with Larry’s alleged misdeeds at all; to sum it up, I really think Larry did nothing wrong that would warrant the sanctions dealt to him. As I see it, the damage to the Drupal brand can be traced back to its leadership and their poor handling of the situation. To me, it does not make sense to blame it on what Larry did (which was simply to protect his own interests and reputation).

I am, of course, open to re-evaluating my stance at a later date.

The witch-hunt against Larry Garfield, part 2: “I do not know which one is more damning.”

This entry is part 2 of 3 in the series The witch-hunt against Larry Garfield

Sorry for the delay in getting this up. I’m posting this sometime on either a Saturday or a Sunday, something that I almost never do for several reasons. But this can’t wait for the next nominal business day, which is Monday 2017 April 17 (ignoring that many businesses will be closed because it’s the Monday after Easter Sunday).

I had posted this immediately after Larry’s third post on the topic. I had hoped more would develop in the extra days I wound up giving this post, but little has. That said, it’s a relief that people are still talking about this. I got a link from Misha Verbitsky’s blog on a LiveJournal-based platform earlier this week, which I appreciate (the entry is in Russian, and I might add, doesn’t appear to be handled well by Google Translate without reformatting). Misha is one of many that have denounced the actions of Mr. Buytaert and Ms. Sanicki regarding this situation.

Anyway, the basic theme of Larry’s third post on the topic, with the title “Regarding the continued mystery” and with the all-too-appropriate slug “tmi-part-3”, is to list two alternative possibilities in response to several things that have been said or done, with the statement “I do not know which one is more damning.” after each set.

I’m going to quote at least some of those here with my own thoughts.

The [joint post from Mr. Buytaert and Ms. Sanicki on the Drupal Association blog] implies that the “information” considered included “some of Larry’s online interactions, both on and off Drupal.org”. In the information provided by the Community Working Group (CWG) to both me and the Board, however, there is no Drupal.org interaction listed at all. The only off-Drupal.org “interaction” mentioned that was not part of the CWG’s “mediation” process was from the original individual who reported my private life to the CWG, who now, in hindsight, was upset that I had brought my autistic housemate to Midcamp.

It’s also worth noting that on 3 February 2017 I asked the CWG for copies of what excerpts of my private posts they had as of then. I asked them again on 25 February, after my call with Dries. I was not provided with any such information until 27 February, a mere two hours before I received Megan’s email dismissing me from the track chair position and DrupalCon engagements. Even that information was incomplete, as it included only a screenshot and two non-Drupal links. The packet I received for the Board meeting (after action had already been taken against me) included the out-of-context excerpts Klaus had shared with me, an additional excerpt that Klaus had dug up after speaking with me (which I’d not seen before), and anonymized copies of emails to the CWG from three individuals (one of them being Klaus) which included the very first mention of my autistic housemate. At this point there still were no excerpts from anything from Drupal.org.

That leaves two possibilities:

  1. The CWG and/or the Board and/or Dries had/has damning evidence of actions I’ve taken in violation of the CoC, actively withheld that information from me over the course of several months, and issued a statement stating clearly that I had not violated the Code of Conduct, but is still committed to withholding the information as they won’t even tell me what supposed evidence they have or are accusing me of.
  2. Megan and Dries are making misleading and inaccurate statements now (which I list and go into below) to cover up the lack of justification for their actions.

I do not know which one is more damning.

Of the two, I would consider withholding evidence from Larry to be slightly more damning. But either possibility means that Drupal’s governance is pretty broken: either the leaders (Ms. Sanicki and Mr. Buytaert) are corrupt and dishonest (in the second case), or the CWG and Board had it in for Larry since the beginning (in the first case).

Next up:

Second, the post indicated that Dries decided to remove me because “Larry had indicated on several occasions that he was drawing down his involvement in the Drupal project, and that context helped inform Dries’ decision.”

It is true that I mentioned to the CWG, and to Dries, that it was ironic all of this was blowing up now as I was likely going to scale back my Drupal core involvement before too long anyway (something many people have done many times). However, I did not say I was going to leave Drupal entirely any time soon; I indicated that it might happen long-term, or not. I never said or implied that there was any imminent departure planned on my part. If that were my intent, why would I have submitted sessions for DrupalCon at the beginning of February, 3 months before the conference? That wouldn’t make any sense at all. Drupal is still a key part of my professional career, as is presenting at conferences, Drupal or otherwise.

That someone gives informal fair warning that they intend to “step down considerately” (as the Code of Conduct specifies one should do) from some positions in no way implies that it is appropriate to force them out of those or others, nor does it rise to the level of a complete and total removal from the project in all aspects.

Additionally, when Dries called me on 24 February he had already made up his mind to ask me to resign. That means he could not have known I was planning to scale back (but not leave) before that unless the CWG specifically told him. That means either:

  1. The CWG told Dries of my likely scaling back when they talked to him, despite CWG discussions supposedly being confidential, and Dries then not mentioning that to me until I told him that I had been planning to scale back late in the conversation on 24 February.
  2. Mentioning that in the post is purely a post-hoc justification for an action taken that did not have anything to do with it.

I do not know which one is more damning.

To me, clearly the first of the two is much more damning, as it means the CWG can’t be trusted to keep confidential conversations confidential. Obivously if Larry wanted to tell Mr. Buytaert that he was scaling back his involvement, he would have done so himself. To mention that there was a possibility in a confidential conversation, that gets twisted around when repeated to “oh, Larry’s going to be leaving the project soon anyway”, is a huge breach of trust.

Given what I’ve seen, I’d expect Drupal’s leadership to “cover its asses” with such justifications. That’s still very damning, don’t get me wrong, but doesn’t rise to the level of violating confidentiality.

Neither of the two possiblities Larry mentions in this stanza of the post should happen in a healthy free software project’s governance.

And then, the process by which Larry’s removal from his track chair and speaking position was decided:

Third, the post states that there was “a careful, and deliberate process that has been going on since October 2016.” Let’s consider the timeline implications of that.

  • October 2016: First report to the CWG, in which they find no Code of Conduct violation by me. They do not inform me of this fact.
  • 16 November 2016: First time the CWG contacts me about there being any reports, and tell me there is no CoC violation.
  • 16 January 2017: Klaus and I have a Google Hangout in which he threatens to blackmail me. I report said blackmail to the CWG the same day.
  • 3 February 2017: I have a “mediation” interview with a member of the CWG. Aside from that member sending me notes to validate, I receive no further communication from the CWG.
  • 24 February 2017: Dries calls me and tells me to resign. I have one brief call with a member of the CWG later the same day.
  • 27 February 2017: Megan emails me to tell me I’m out from DrupalCon.

At no point in this process was there any indication that I was “under investigation”. Aside from the single interview with the CWG there was no request for information from me at all. If the Board was even aware of the matter prior to my referring it to them, I did not know of it. However, when Dries spoke to me on the 24th he said quite clearly that he had not been part of any CWG conversations. That leaves two possible conclusions:

  1. The CWG, Dries, Megan, and the Board were having continual meetings to plan to kick me out of Drupal and actively kept it secret from both me and the DrupalCon track team (who, presumably, would have objected to me having a session picked in the first place if I were already in the process of being removed).
  2. The process was not “careful and deliberate”, but they must now claim that it was in order to protect the current structure and their ultimate decision on my fate.

I do not know which one is more damning.

This is a tough one, but a secret conspiracy to kick Larry out of a project that he has been a loyal contributor to strikes me as at least a bit more damning than simple lying for the sake of ass-covering. Of course, both are very damning for Drupal’s project governance and do not reflect well on those in charge at all.

Three months between the first CWG complaint and Larry being effectively fired from at least his positions at DrupalCon, if not within the entire Drupal project, with no notification to Larry that he’s under investigation, does not strike me as “careful and deliberate”. The half-assed “mediation” between Larry and Mr. Purer also comes across as just another form of CWG ass-covering, now that I think about it. While the amount of care and deliberation can be a very subjective matter, I feel I’m being fair when I call bullshit on the “careful and deliberate” bit.

Moving on, Larry then addresses the question on everyone’s mind: why was he removed from his roles, anyway? (A question, I might add, that has not been satisfactorily addressed by anyone in charge of the Drupal project, including the DA and CWG.)

This seems to be the million dollar question for many (myself included). The post from Megan and Dries implies it’s because of actions I took, or reports they have about me… but they can’t talk about what the actions were, or what kind of allegation they are, or when it happened, or why it was evidently never given to the CWG to resolve, or (if it is as bad as they make it out to be) why it was never given to law enforcement to have me charged with a crime. But don’t worry, just trust that they have this evidence, which they can never speak of. That this evidence totally justifies the decision they’ve already made. A decision which they felt they needed to justify with my supposed withdrawal from the project, despite claiming that regardless of anything else, this secret evidence would, alone, justify my removal.

While a viable plot for a late night comedy show, this is the argument they are using to attack my reputation and my career, so you’ll forgive me if I don’t simply take them at their word that such evidence exists. Especially as we have the original reason direct from the source (Dries’ original, unedited blog post).

Dries’ original blog post, before he edited it, stated quite clearly why he asked me to resign:

However, when a highly-visible community member’s private views become public, controversial, and disruptive for the project, I must consider the impact that his words and actions have on others and the project itself. In this case, Larry has entwined his private and professional online identities in such a way that it blurs the lines with the Drupal project. Ultimately, I can’t get past the fundamental misalignment of values.

First, collectively, we work hard to ensure that Drupal has a culture of diversity and inclusion. Our goal is not just to have a variety of different people within our community, but to foster an environment of connection, participation and respect. We have a lot of work to do on this and we can’t afford to ignore discrepancies between the espoused views of those in leadership roles and the values of our culture. It’s my opinion that any association with Larry’s belief system is inconsistent with our project’s goals.

Before I continue with the quote from Larry’s post, I want to address Mr. Buytaert’s post, as originally written, quoted here. The reason Larry self-outed and thus “entwined his private and professional online identities” is because someone was threatening to blackmail him, namely by making content from a private website public (again, lest we forget, in violation of a privacy-protecting AUP/TOS). And again, what Larry does behind closed doors should not affect his role as contributor to a community-based free software project, especially when that is his livelihood, whether that activity behind closed doors is Gorean role-play, BDSM, or whatever sexual practices or roleplay, no matter how bizarre or “Offensive™” others might find it. That Larry had to self-out to protect himself from blackmail is bad enough.

Again, as I read it, the whole Gorean thing is not even Larry’s “belief system” but simply roleplay. Today, it’s someone into Gorean roleplay and BDSM. Tomorrow, it could be… LGBTQ people? Muslims? Jews? Atheists? Microsoft stockholders? Duck Dynasty fans? The best way to avoid this potentially slippery slope is not to take the first step.

Continuing on:

Note the first line in particular: I’ve been active in Drupal for over a decade, and only now have my “private views” become “public, controversial, and disruptive to the project” despite no changes in the level of “entwining” I was supposedly doing. And they did so through no action of my own, but because of a whisper campaign behind my back which lead to the actions of others who chose to blackmail me. But now Dries needed to excommunicate me because my private life might be “disruptive”. He didn’t, however, go into any detail about what was so problematic about my beliefs other than talking about “equality” in the abstract, despite a decade of evidence that I actively support the same.

In his call with me, Dries said very explicitly there had been no Code of Conduct violation, as far as he knew I had done nothing illegal, and as far as he was concerned my private life was not his business even though he personally found it distasteful. Yet he was still asking me to resign because of the possible disruption to the project from someone else going public. In particular, he indicated that “someone” was threatening to go public in a matter of “days, not weeks”, unless I was removed from DrupalCon.

So I see two possible conclusions:

  1. Dries is so personally disgusted by my (not illegal, not CoC-violating, not his business) personal life he wants to remove me from Drupal because of it, but won’t just own up and say that.
  2. Dries was mostly afraid of my blackmailer making good on his threats to go public and what the bad PR would be, caved, and now refuses to admit that he was in the wrong.

I do not know which one is more damning.

It’s really tough for me to say which one is more damning, but I’m going to go with the first choice. If that really is the case, that Mr. Buytaert can’t just own up to the fact he finds Gorean roleplay and BDSM distasteful, even though they obviously do not affect Larry’s skills when it comes to contributing to the Drupal project, then it’s time for him to resign and let someone else take the reins.

Caving into a blackmail threat and not being able to own up to that being a mistake is also a grave error. But letting one’s personal views cloud the actions one takes against another, especially when the target of those actions suffers career-related damage as a result, is far worse.

This does not have two conclusions of which we are left to decide which is more damning:

With regards to the individual or individuals who “participated in gathering information about [my] private life”, the post claims “The Community Working Group is currently handling this situation through their standard process.” This seems odd given that, regardless of the CWG decision, Dries evidently has the authority to unilaterally remove the offender(s), but has not done so despite agreeing that what they did was a violation of the CoC and likely a crime.

Given that I reported the blackmail attempt to the CWG in mid-January and it is now April and I have heard nothing but a single “mediation” interview, in addition to the innumerable process fails listed above (which even the post from Dries and Megan admit), I must confess that I have little faith in the “standard process”, whatever that is.

This, in and of itself, is outrageous. Get “Offended™” and violate the privacy-protecting AUP/TOS of a private website to out someone whose activities are thusly “Offensive™”, and nothing happens. Even though such conduct is at least a civil tort if not a criminal act, and a clear violation of the CoC.

On the other hand, it’s Larry who’s having to fight to save his career and reputation after being thusly wronged. It’s no surprise that Larry has no faith in the “standard process” after that; I wouldn’t either, and I’d assume most sane people wouldn’t as well.

The post from Dries and Megan also implies that there were to be many more “discussions” between Dries and I, and that I somehow cut it short by going public about the fact that I was being blackmailed. That is a grossly disingenuous statement.

In the very first communication I had from Dries on 24 February, he made it very clear that he wanted me to resign and wouldn’t take no for an answer, yet “no” was the only answer I would give. There was no indication of plans for further discussion, other than him ending with “let’s talk again soon”.

In the only communication I received from Megan, on 27 February, she informed me of my removal from presenting at DrupalCon “given [my] recent discussions with Dries”, with no further explanation or even implication of more communications were to come.

That did not in any way indicate a potential for “a number of conversations to resolve any remaining concerns”. It was an ultimatum, and the end of a conversation. There was no further discussion to be had. Yet the post accuses me of “effectively ending the process in the middle of what we expected to be a series of constructive discussions” when I posted my initial self-outing post. However:

  • I had discussed self-outing with members of the CWG on multiple occasions since January
  • I had told Dries on 24 February that I was considering self-outing precisely as a way to undermine blackmail
  • In my written statement to the Board on 16 March (which Dries would have read) I made it explicitly clear that I intended to self-out as a way to minimize the public damage to my reputation, regardless of the board’s decision
  • Dries emailed me after the Board meeting (on 19 March) to encourage me to not self-out, but held firm on my prompt departure from Drupal
  • On 19 March, I invited the CWG to review my self-outing post before publishing in order to verify that it would not, itself, violate the Code of Conduct

That I was going to self-out was not a surprise to anyone, and at no point was it expressed that there were conversations to be had that didn’t begin and end with me leaving and giving in to blackmail.

I see two possible interpretations:

  1. Dries and Megan intended to have a series of conversations with me to try and convince me to leave quietly and give in to blackmail, but failed to actually tell me this, even after they were aware of the self-outing post I was going to publish, and instead opened with an ultimatum.
  2. They had no such intention and are ret-coning events.

I do not know which one is more damning.

On this one, surprisingly, I really don’t know which is more damning either. I’d lean towards saying revisionism (or as Larry says it, “ret-coning”) is the worse of the two, but the reality is it really doesn’t matter whether Mr. Buytaert and Ms. Sanicki have been caught in a big, huge lie, or are just such terrible communicators that they couldn’t have told Larry their intention was, over the long term, to try to talk this out. Again, both scenarios are dreadful.

The sum total of the actions of Dries Buytaert, Megan Sanicki, Klaus Purer, the CWG, and others invole clearly indicate a gross failure in leadership and culture within the Drupal community. That a gross violation of the standards by which decent people live has been deemed acceptable by no other than Mr. Buytaert himself is enough for me to declare the Drupal project as it stands today in danger of collapsing unless drastic changes are made.

Finally, the conclusion of Larry’s post:

So what does Larry want?

A few people have asked me what it is I want, and what I hoped to accomplish by going public. A fair question. My goal has been, and remains, to defend my name, reputation, and honor against blackmail and libel, from anyone.

There has been wild talk of a Drupal fork, of reorganizing the Drupal Association, of people resigning, and so forth. I have no interest in such discussion, nor interest in a Drupal fork. My goal is not to split or harm Drupal, nor anyone in it. My goal is entirely defending my reputation and putting a stop to blackmail and libel.

I admire Larry’s desire to keep the community unified. However, I just don’t see that happening with the current leadership.

Reorganizing the community leadership, including the DA, is necessary to keep problems like this from happening again. As I see it, as more or less an outsider who has not ever followed the Drupal community that closely (but who nevertheless wants the option to run a Drupal site without regrets in the future), is that there are systemic issues here that need to be fixed to restore confidence in the community’s leadership.

Before I conclude this post, I’d like to briefly address Larry’s hot-off-the-presses blog post “Don’t go low”. Apparently some people are outraged enough to engage in harassment and stalking-like activities, including “doxing”, of those involved such as Mr. Buytaert and even people like Angela Byron, who did not even get involved until after the decision had been made to remove Larry from his positions.

Larry condemns the activity and cites it as no better than what has been done to him:

Dries mentioned that he had received a great deal of private hate mail over this matter, and that it was impacting his approach to the situation. I’ve previously seen a (very small) number of people on Twitter suggesting gathering private information on Dries and others, including their families(!), to use as leverage. In a previous comment, Angie Byron (who was not even involved in matters surrounding me until after I went public) said that she’d received threats against both her and her daughter.

I want to speak directly to those presumably few who have sent such messages, and in the calmest and most restrained manner I can:

What the fuck were you even thinking???

No, seriously, how did you even think that was a good idea? Responding to cyberstalking, prejudice, and blackmail with… cyberstalking, threats, and blackmail? No. NO! Even if you’re trying to support me, NO! I do not want any such support. You are actively making it harder to resolve this situation.

Incidentally, Angela has made a blog post about what the CWG does since she was a former member, and can now speak a bit more freely. I may address this in more detail in a later post here, but did not want my readers to wait until I posted the next part to have a chance to look at it. I am not sure what others are seeing in this post of hers that is hostile to Larry; it appears to be a neutral attempt to get information out there and counteract FUD (fear, uncertainty, and doubt) being spread about Drupal’s CWG.

Finally, since I began this post, Mr. Buytaert has issued what he titles as an apology on his personal blog. In part three, I analyze this post as well as other happenings that have taken place related to the situation, as this post has gotten way too long to try to cover it here.

The witch-hunt against Larry Garfield, part 1

This entry is part 1 of 3 in the series The witch-hunt against Larry Garfield

This story has been out there for a while, but I haven’t posted until now because I was letting the story develop a bit more. (I have, in the past, posted too soon before parts of the story have developed and wound up looking, or at least feeling, like an idiot. More on this later.) Now that both sides have posted at least one statement, I feel the story has developed enough that I can go ahead and comment.

At present, I am not a Drupal user, but the issues that this situation presents could just as easily happen to anyone in any community-based free software project (WordPress, Joomla, Concrete 5, etc) and it’s entirely possible that I could wind up a Drupal user at some point in the future (I have set up a Drupal site before that I wound up never actually making a live website). In fact, I see parallels between this story and things that have happened to me in a couple of the various communities I have been involved in over the years. So I don’t see this as a Drupal issue, I see it as a community leadership and project governance issue, and a mighty big one at that.

A recent article on TechCrunch reports on the issues surrounding Larry Garfield and his continued participation in the Drupal project after over a decade of contributions. How the issues came to be is a chilling tale, which I will attempt to summarize in a timeline fashion, but I would like to invite readers to also read Larry’s blog post about the situation (titled appropriately enough “TMI About me”).

The timeline:

  • 2005 (April or later): Larry Garfield begins his involvement with the Drupal project.
  • 2016 October (approximate): Someone finds Larry’s profile on a private website for alternative lifestyles (in this case, it would appear, a BDSM community). This person was “Offended(tm)” (as Larry says it), screenshots a post, and passes it around, which is a direct violation of the site’s terms of service (TOS).
  • Some time later: This post makes it to Drupal’s Community Working Group (CWG), which finds no code of conduct violation that they can take action on. Despite this, a “gossip campaign” continues against Larry.
  • Some time after the above: The CWG informs Larry of the situation, who responds with an open offer for others to speak privately with him about his personal life if they so desire.
  • Late 2016 November (US Thanksgiving weekend) at Drupal Iron Camp in Prague, Czech Republic: Klaus Purer takes up Larry on his offer, though he doesn’t listen to much of what Larry had to say, ending the conversation with a statement that he was going to “distance himself from” Larry. Larry offers a handshake, which I would assume was declined by Mr. Purer.
  • Some time later: Mr. Purer signs up on the same private website, to go “spelunking” through Larry’s post history, sharing the “worst” posts with the CWG (again, in a flagrant violation of the TOS of that site).
  • 2017 January: Larry has a Google Hangouts conversation with Mr. Purer, during which the latter implies he is speaking not only for himself but for another group of anonymous individuals and attempts to blackmail Larry into resigning from his positions in the Drupal community, including his Drupal advocacy within the PHP community. Larry, in his post, states he “do[es] not suffer bullying and threats lightly” and as a result referred the matter back to the CWG, who mediates by having separate conversations between both Larry and Mr. Purer. They conclude again that no code of conduct violation has occurred.
  • Some time after the above: Mr. Purer continues his “spelunking” of the private website and sharing of content from that site with the CWG (still in violation of that website’s TOS).
  • 2017 February 24 (a Friday): Larry gets a phone call from Drupal project lead Dries Buytaert (roughly equivalent to a prominent WordPress user/contributor getting a call from Matt Mullenweg himself). Mr. Buytaert would reveal that he and the Drupal Association’s executive director Megan Sanicki had known about this situation for some time, but not once reached out to Larry until this phone call. Mr. Buytaert asks Larry “to step down from Drupal… in the best interest of the project”. Larry says this is impossible as it would directly impact his career (and due to Larry’s advocacy of Drupal in the PHP community, not necessarily in the best interests of the Drupal project either).
  • 2017 February 27 (the following Monday): Ms. Sanicki sends Larry an email dismissing him from his position as track chair and speaker at DrupalCon “per [his] conversation with Dries [Buytaert]”. From Larry’s blog post: “I do not know if ‘per my conversation with Dries’ means I’m unwelcome in Drupal because of my sex life, I’m unwelcome in Drupal because Dries was afraid Klaus would go public and embarrass the project otherwise, or something else. I have been given no further information than that and still have not been.”
  • After the preceding email: The Board of Directors (of the Drupal project) votes to affirm Ms. Sanicki’s “decision to revoke the session for DrupalCon Baltimore and end the track chair term”. They did this after Larry presented his case in writing when he was unable to present his case in person due to being scheduled to present at a conference.
  • 2017 March 22: Larry makes his blog post (linked below).
  • 2017 March 23: Ms. Sanicki makes a blog post on behalf of the Drupal Association addressing the situation (linked below).
  • 2017 March 26: Techcrunch publishes their article and it is shared to the Cypherpunks email list (and many other places, I’m sure) shortly thereafter.
  • 2017 March 27: Larry makes his second blog post (linked below).
  • 2017 March 29: Ms. Sanicki updates the DA blog post.
  • 2017 March 31: Another DA blog post from Ms. Sanicki (or at least posted from her author account) goes up (linked below).
  • 2017 April 5: Larry makes a third blog post, which I will comment on in more detail in the second part of this post (as this one has already grown to be rather long).

Larry goes on to quote from both the Drupal and DrupalCon Codes of Conduct. The first quote from the Drupal Code of Conduct:

We expect members of the Drupal community to be respectful when dealing with other contributors as well as with people outside the Drupal project and with users of Drupal.

It is obvious to me that at least Mr. Purer and the original as-yet-unnamed individual who found Larry’s profile have violated this rule by sharing information about Larry from a private site where such sharing is prohibited by the TOS. I would think that everyone, including Mr. Buytaert and Ms. Sanicki, who has acted on such information shared in violation of the TOS, should be considered as “having eaten from the fruit of the poisoned tree” as it would be said in US criminal law.

Larry hasn’t broken this rule just by having a different lifestyle and adopting quirks from a subculture. He mentions saying “be well” or “I wish you well” to end a conversation. The US pharmacy Walgreens had their cashiers say “be well” for quite a while, so it’s not like it’s all that weird. I certainly hope they didn’t quit because someone made a stink about it.

And Larry’s quote from the DrupalCon Code of Conduct:

Sponsors, volunteers, speakers, attendees, and other participants should strive to treat all people with dignity and respect, regardless of their culture, religion, physical appearance, disability, race, ethnicity, gender, or sexual orientation.

Larry goes on to refer to Gor as a culture and BDSM as a sexual orientation, both of which I would consider reasonable categorizations. And so the story sat for a few days, while both the Drupal Association made its statement about the issue and Larry made a second blog post about the topic.

I’m not going to go into detail on the second blog post (other than that I made a few edits to the part I wrote before it went up, based on that information). However, I am definitely going to call out Ms. Sanicki’s blatant lies and contradictions in her statement made on behalf of the Drupal Association. My commentary to each quoted section of their statement is directed at the Drupal Association and specifically at Ms. Sanicki:

We want to be clear that the decision to remove Larry’s DrupalCon session and track chair role was not because of his private life or personal beliefs. The Drupal Association stands by our values of inclusivity. Our decision was based on confidential information conveyed in private by many sources. Due to the confidential nature of the situation we cannot and will not disclose any information that may harm any members of our community, including Larry.

Okay, so this wasn’t about his private life. Yet you’re not saying exactly what it was. It’s funny how the reason is so confidential yet Larry has no problem putting out there exactly what parts of his private life people are apparently taking issue with. Even if the community doesn’t have a right to know why you, the Drupal Association, have a problem with Larry remaining a part of the project, Larry himself deserves to know. Larry refused to resign after Mr. Buytaert’s phone call to him, so the fact Larry was summarily removed from his track role and DrupalCon session after that call is a bit more puzzling.

What exact rule(s), in either the Drupal or DrupalCon Codes of Conduct, did Larry break? If there are none, why is he being treated like he did break a rule?

This decision followed our established process. As the Executive Director, charged with safekeeping the goodwill of the organization, I made this decision after considering input from various sources including the Community Working Group (CWG) and Drupal Project Lead, Dries Buytaert. Upon Larry’s request for an appeal, the full board reviewed the situation, all the evidence, and statements provided by Larry. After reviewing the entirety of the information available (including information not in the public view) the decision was upheld.

What you (Ms. Sanicki) did not tell us, is that the CWG is three people, all selected by Mr. Buytaert. Thankfully, the comment saying so was allowed, so the rest of us following this debacle know this. I am also reading between the lines here that the CWG could be seen as an extension of Mr. Buytaert’s ego and that he would be unlikely to pick people that would vote on matters like this against his wishes. The CWG should be picked by leaders in the community and not just the project lead. How can we possibly trust the CWG to make unbiased decisions otherwise?

In order to protect everyone involved we cannot comment more, and trust that the community will be understanding.

I read this as “we are above admitting we really screwed this up and so this dollop of bovine excrement is all we’re going to drop on the concerned members of the community.” Sorry, no sale.

We do see that there are many feelings and questions around this DrupalCon decision and we empathize with those community members. We will continue to monitor comments. We are listening.

Good, then I hope this blog post finds its way to you. I want to know at what point the two of you (Ms. Sanicki and Mr. Buytaert) are going to admit that you screwed this whole thing up and reverse it. Also, Klaus Purer and whoever originally sent the complaint about Larry to the CWG both need to face some serious consequences (though I suspect it was, in fact, Mr. Purer who sent in the original tip). Everything that has wound up being leaked from the private website (mentioned by Larry) and put in the hands of any non-member of that site was done so in violation of that site’s Terms of Service or Acceptable Use Policy (TOS/AUP). It’s all “fruit of the poisoned tree” and if everything stems from what was posted on a private website which was accessed on behalf of the CWG and DA in violation of the TOS/AUP, regardless of who did it, then the foundation of any action against Larry is flawed.

It looks like, per the March 31 blog post to the DA blog, that there may yet be action taken against Mr. Purer. However, Larry still needs to be made whole. If there’s a reason for removing him as speaker and track chair at DrupalCon, then we should know why. And not just vague terms like “holds views that are in opposition with the values of the Drupal project” (which in and of itself shouldn’t be an issue), “[people] suffered from varying degrees of shock and concern” (there’s a reason those kinds of websites are private), or “protect the shared values of the Drupal project” (when the action to remove Larry from community involvement is seen by many as a direct contradiction of those values and the first step down a very slippery slope). No, we the community have the right to know what rules Larry broke, chapter and verse.

I’ve seen these kinds of things unfold before–not to mention experiencing a similar situation myself. I would hope those in charge will do the right thing, and try to fix the damage they have caused to Larry’s career. The more likely outcome, unfortunately, is that they don’t give a tinker’s damn and let the (wrong) decision stand. If Drupal wasn’t Larry’s entire career at this point in his life, this would be much less of an outrage. But it is, and this is the most outrageous thing I’ve ever seen a software project’s leadership do to a contributor–many times more outrageous than what happened to Theo de Raadt as a NetBSD contributor back in 1994 (finding the details of which, I leave as an exercise to the reader).

Mr. Buytaert: If you really wish to “protect the shared values of the Drupal project” then you need to reinstate Larry Garfield as a contributor and issue a sincere and meaningful apology to both Larry and the Drupal community, without any further undue delay. You also need to understand the difference between fantasy roleplay and real-life conduct as a member of the community. It really isn’t any of your business if Larry’s into BDSM or Gorean fantasy role-play, and the fact that information was leaked to you from a private website in violation of its privacy-protecting AUP/TOS doesn’t change that. That Larry has had to make this public just to try and protect himself is outrageous and egregiously offensive not just to me, but to a lot of other people out there (judging by the comments I’ve seen on both your blog and the DA’s blog). You should also strongly consider resigning as project lead because instead of “protect[ing] the shared values of the Drupal project”, you have diminished and tarnished them.

Ms. Sanicki: Your role in wrecking Larry’s career by dismissing him as speaker and track chair at DrupalCon is also egregiously offensive. That you pretend it has nothing to do with leaked details of his private life, leaked to you in violation of a private website’s privacy-protecting AUP/TOS, is perhaps the most egregious lie I have ever seen told in my entire adult life. You have made the Drupal Association look just awful, and as I see it, the most certain way you can fix it is by resigning your position without any further undue delay.

Mr. Purer and the as-yet-unnamed person who, in the words of Larry, was “Offended(tm)” by what you found out about him: Your disrespect for privacy in the quest to ruin a man’s career is shameful. I don’t know how you can look yourselves in the mirror in the morning after doing what you have done. If you lack the integrity to remove yourselves from the Drupal community, I hope the leadership does. To violate the AUP/TOS of a private website, put in place to protect the privacy of its members (not just Larry, but all the other members as well), for the purpose of leaking information to destroy a man’s career because you don’t like what you saw, is saying a huge “fuck you” to how we operate in decent society. It may not be a crime in and of itself to do what you did, but it’s definitely unethical and immoral and probably a civil tort as well. Shame on you.

In part two, Larry’s third blog post (which I had skimmed, but not read in detail, before putting the finishing touches on this one).

Could you get spied on and ratted out by your computer repair shop?

This post was inspired by the recent widely publicized incident where a Best Buy customer in California was charged with child pornography-related crimes after he dropped his computer off at the local store and it was shipped to the Geek Squad center in Kentucky for the actual repairs. There’s also a tie-in with National Stalking Awareness Month related to privacy and security when it comes to electronic data which I will get to later in the post.

A representative sample of articles about the incident:

I’m not really going to go into quotes of any of the articles here, but simply restate what appear to be the facts in my own words. A Geek Squad staffer was running a data recovery (“file carving”) tool on this particular PC. Part of the assigned work was data recovery, so on its face it would appear to be a valid reason. However, the Geek Squad staffer’s job was just to get the PC running, not recover data. It turns out that he was a paid FBI informant who got $500 for each instance of apparent child porn he found.

To its credit, Best Buy issued this statement (quoted from the Network World article):

“Best Buy and Geek Squad have no relationship with the FBI. From time to time, our repair agents discover material that may be child pornography and we have a legal and moral obligation to turn that material over to law enforcement. We are proud of our policy and share it with our customers before we begin any repair.

“Any circumstances in which an employee received payment from the FBI is the result of extremely poor individual judgment, is not something we tolerate and is certainly not a part of our normal business behavior.

“To be clear, our agents unintentionally find child pornography as they try to make the repairs the customer is paying for. They are not looking for it. Our policies prohibit agents from doing anything other than what is necessary to solve the customer’s problem so that we can maintain their privacy and keep up with the volume of repairs.”

My first reaction to reading this was “looks like more spin than a Steve Mizerak massé”. I have a lot of respect for PR as a profession, but this smacks of trying to close the barn door after the horse has already bolted. Depending on the circumstances, I would even question that there is a moral obligation, even if a legal one is there. That they would be proud of this policy, especially if it goes over and above what the law actually requires (despite what they say), is a bit concerning from a privacy standpoint.

The law in Texas appears to have such a requirement. Without quoting the entire law here, the computer technician has to “view the image” “in the course and scope of employment or business” in order for the reporting requirement to kick in. There’s a criminal penalty of a class B misdemeanor ($4,000 fine and/or 180 days county jail as of this writing) as well as possible civil liability. For the terminally curious, it’s Section 110 of the Business and Commerce Code.

Anyway, whether your threat model is a Best Buy technician, or an intimate partner who may have turned to stalking you, the basic ways to protect yourself are pretty much the same. First, realize that without taking any other steps, “deleted” files aren’t really deleted. Whether one empties the Recycle Bin in Windows, or runs the rm command from a GNU/Linux command line, the only thing that is actually removed is the pointer to the data, not the data itself.

If the true intent is to erase a file, one needs to actually erase it, not just remove the pointer to it. BleachBit contains options for wiping the data in the free space of a hard drive (which I would recommend doing at least once per month, if not more often), as well as overwriting file contents or an entire directory’s contents prior to deletion. There is also the shred command for GNU and related systems if working from the command line. This mainly pertains to mechanical hard drives, as a properly configured solid state drive (SSD) should effectively do this for you: enable TRIM on Windows, or mount with the “discard” option on GNU/Linux (yes, it may affect performance but it’s a small price to pay for knowing that deleted files are actually gone and not just floating around). In fact, not only should one not need to overwrite files on have a solid state drive, doing so can shorten the drive’s lifespan.

Second, consider using encryption to keep your data private. There is a reason most websites (including this blog) use HTTPS (encrypted HTTP) now, and why it’s been recommended since the beginning of the World Wide Web to never submit credit card or banking information over unencrypted plain HTTP. Anyone can read plain HTTP while it’s in transit. It’s the electronic equivalent of writing information on a postcard and mailing it–something most people reserve for the most innocuous of communications. Similarly, data encrypted in storage won’t be readable without a decryption key, usually a passphrase (don’t just use a simple word).

Third, consider keeping particularly sensitive data on external storage devices such as USB hard drives, so that the data is not on the computer if it needs to be repaired. This would also reduce the chance of important data on the internal drive getting “accidentally” erased for whatever reason during a repair–though if it’s important, it should be backed up anyway (see below).

Fourth, don’t keep data that you don’t need. If you don’t need your web browsing history from some months ago, get rid of it. Firefox sorts history by calendar month and lumps sites visited over 6 months ago into their own list; unfortunately, this has to be done manually every so often (again, I would recommend monthly). For stuff that should never go into the history to begin with, Chrome has an “incognito” mode and Firefox has a “private browsing” mode. Firefox, at least, also lets one completely disable keeping browsing history if appropriate for one’s situation (Preferences / Privacy / History then select “Never remember history”) and also includes a “Forget” toolbar button for quickly “disappearing” the last 5 minutes, 2 hours, or day’s worth of history.

Finally, don’t forget to keep adequate backups. Remember, if the main copy of the data is encrypted, it only makes sense for the backups to be encrypted as well (and often the backup copies should be encrypted even if the originals are not). The more important something is, the more backup copies of it should exist (either onsite or offsite).

The Evernote two-step: a tale of caution regarding privacy and data ownership

This recent story from PCWorld about Evernote changing its privacy policy followed by this story covering a very abrupt about-face from Evernote say pretty much all there is to say about why it’s a bad idea to blindly trust companies like Evernote with the privacy of your data.

Basically, Evernote changed their privacy policy on a whim to allow employees to snoop on user notes ostensibly to assist efforts to train its algorithms. Originally, individual users could opt out of the algorithm training, but not out of the part of the privacy policy still allowing Evernote employees to snoop on their data; businesses could opt out but would not get the benefits of the new features if they did.

Evernote was quick to backpedal and change to an opt-in model following the fully justified outrage of its users. It’s quite possible some users no longer trust Evernote with their data after this two-step, and it would be hard to blame them. It is possible to store data locally with Evernote (by creating a local notebook instead of a “synchronized” notebook) and they intentionally make it easy to get all your data out of Evernote if you want to leave for what you believe are greener pastures. This gaffe might be the impetus for quite a few users to do just that.

The lesson here is a very powerful one: there’s very little stopping other companies from doing this tomorrow, and there’s no guarantee the CEO of that company will even give the appearance of giving a tinker’s damn about its users. This is a rather direct reminder to take a look at the companies you trust with your data, and how easy it would be to get your data out of those services/products should you decide you want to leave. Of course, it would be wise to remember the best time to find out how easy it is to get your data back out of a product/service is before you put your data in it.

I’ll add a personal angle to this. At various times over the past year and change, I have considered moving this blog to a static site updated with Pelican, among other possibilities. The hard part is not getting the data out of WordPress–that’s actually about as easy as they get. Even the free-of-charge wordpress.com platform makes this relatively easy, even if one is not moving to self-hosted WordPress (a.k.a. “wordpress.org” to differentiate it from shared-hosting wordpress.com).

No, the problem comes if I find out Pelican (in this case) doesn’t work out and I have to move entries back into the last backup of the site as a WordPress site. That might be easy if I make no more than about five posts before finding out it’s not going to work out. But what if that’s ten? Twenty? Fifty? One hundred? Two hundred? It’s a potentially painful process because I don’t see an easy way to automatically make even a WXR file with the new posts in it. Sure, I could ease any future transition by keeping a local install of WordPress and add the new posts manually as I make them, but that is an implied admission I have no confidence in the new platform–and that would be the case even if it was something besides Pelican.

Of course, ideally I want to change platforms only once. There’s always the chance the first change doesn’t work out. There’s also the chance I would want to later switch back to WordPress after making this change, or switch to a future WordPress fork or even to something like b2evolution (which forked from the same blogging software that WordPress was forked from).

Another great example of what not to do, unfortunately, is what the WordPress Foundation (at the time) did when they struck a deal with Meetup.com regarding the online presence of local WordPress groups. The thing to remember about Meetup.com is that they intentionally make it difficult to impossible to change platforms. Vendor lock-in, combined with the (justified) fear that organizers might lose some members (in fact, almost certainly will lose some members) when transitioning to another platform, is the business model of Meetup. It’s a huge departure from the Meetup that I used as an early adopter and that’s sad.

Anyway, it was and still is really disappointing to me that the WordPress Foundation (at the time) deciding to just pay a bunch of money to Meetup. The first reason is it’s been sort of an informal goal of the WordPress community to do everything with WordPress that can be done with WordPress. As an example of this, WordCamps aren’t ticketed with Eventbrite or other such sites; they use a WordPress plugin called CampTix written for the purpose. Thankfully the deal with Meetup.com is about the only time WordPress was intentionally eschewed for a function central to the local WordPress communities around the world.

Adding to it, of course, was the unfortunate experience we had with the Houston WordPress Meetup in most of 2012 going into the early months of 2013 and the response from Meetup (at the top of the post). Basically, Meetup’s standpoint was that the people (community) in the group didn’t matter as much compared to the organizer paying their dues on time. The only silver lining to this cloud is that the WordPress Foundation (the entity paying Meetup which is the nominal organizer of the actual group; maybe this, too, has changed to WordPress Community Support, the new PBC) has a bit more skin in the game and can replace inactive or unresponsive organizers. Then again, they would still be able to do that using a home-brewed WordPress-based solution, without paying Meetup one bloody cent.

Regarding the use of Meetup, it’s hard to see which is the chicken and which is the egg. A lot of groups were using Meetup.com prior to the WordPress Foundation deal. Still, the better move for the community would have been to start a WordPress multiuser site similar to wordcamp.org with a plugin to replicate the Meetup-like functionality in much the same way CampTix fills in for Eventbrite. Better yet would be a fully free software alternative (GPL, if need be Affero GPL) to Meetup.com; even if it is not built on top of WordPress, that would be a step in the right direction.

Examples are plentiful, but the lesson remains the same:

  1. Know how to get your data out of a platform before you need to. If unsure, ask questions. If you don’t like the answers, use a different product or service instead, after getting satisfactory answers to the same questions.
  2. Trust your gut. If a privacy policy change rubs you the wrong way, raise hell about it, and minimize the damage by taking your business and your data elsewhere (see #1).