Policies and procedures for individuals banned from community events

Brainstorming here..

• Have an admin-level flag on d.o user accounts indicating if someone is banned from events but their d.o account is still otherwise still usable.
• Provide an SSO option for community event organizers to subscribe to that would require all registrants to have a d.o account.
• Use the SSO solution to block people from registering for the event if their account has the flag created above.

Obviously there are several steps to the above.

I applaud the CWG for attempting to provide community organizers support! This appears to be very well thought out and the questions asked seem to be the right ones which are extremely difficult.

Here is my only concern. Once something is posted on the internet, it is forever. Outside of horrible situations that I can't name them all (sexual or physical assault), ruining someones reputation and in this case their ability to make a living is something that we need to be really really really careful about.

Suggestion:

Maybe there is a way add Drupal.org usernames on the back-end that are banned and then us as organizers can upload a user names separated by commas and then it tells us the severity of the ban (low, moderate, critical), and when their ban expires.

This way it keeps the users names behind a password protected site which is not searchable by the net. And organizers must sign up to view submit their usernames. This keeps it in the need to know and removes the digital footprint.

As an organizer for Drupal Camp Asheville, I am interested in receiving guidance and complying with ongoing and resolved investigations of Code of Conduct violations that result in banning individuals from participating in Drupal events. All of our events are extensions of the Drupal community operating within the same Code of Conduct, so I believe we should be expected to comply. I do feel that it is important to protect the privacy of individuals in ongoing investigations that may be temporarily banned.

I'm not sure the best way to communicate this to our network of events, but whatever the mechanism, it would probably be good to have at least two members of each organizing team have access to this information. It might be a good idea that these representatives sign an agreement to keep private information private and a regular effort to ensure the representatives are still associated with their event.

In general, I think Drupal events and organizers should be more connected, so maybe this can be a consideration when discussing the mechanism of communication. I also hope that the mechanism for sharing will not be to duplicative of current documentation, so it will be not require a lot of extra effort to keep this information current and risk outdated information.

I would be happy to participate in further discussions regarding this issue and I appreciate that it is being addressed.

I support making this information available to organizers of Drupal events. And there should also be a clearly defined method for event organizers to bring issues to the CWG for potentially new Code of Conduct offenders.

Though if we make this information technically challenging to obtain, then there is a good chance that some camps will not go through the effort. As an organizer, I can say that running camp is difficult enough without adding technical barriers to the site or additional steps to verify attendees.

I understand that this information negatively impacts a person's career, but then again, why are we concerned about protecting bad actors in our community? By publicizing this information, there is a chance that if someone has done harm to one person, others may also be empowered to speak up if they have also been harmed by that person. And we should absolutely not publish the names of those that were harmed.

My biggest concern actually is whether the community will welcome back a former, yet no longer listed, offender. We absolutely should, but I fear that will not happen, which would be a bigger problem and further negative impact of this information being public.

@kclarkson: If someone has been banned from d.o then they've already actively taken steps to ruin their own career, so they'd have nobody else to blame for further consequences only themselves. If they want to make up for past offenses they'd have to START by fixing their stance in the greater d.o community before then trying to continue at local events.

To clarify, while I don't think there is anyone who is banned from drupal.org who is not also banned from attending DrupalCon and/or other Drupal events, there are people who have been banned from attending events who have *not* been banned from drupal.org.

It seems important to keep the focus on how to keep camp attendees safe and having a reasonable way for camp organizers to have access to information that allows them to do so.

Should there be a way for people who are banned to re-enter the community? Frankly I think there should be an extraordinarily high bar to do so, and that figuring out how to do that should not be a top priority. I am far less concerned about the careers of those who have actively harmed our community than I am for the people who have been excluded from our community by those bad actors' actions. I also think the excessive concern for the privacy of bad actors continues to harm and exclude people from marginalized groups from fully participating in our community. A number of the bad actors have been celebrities in our community who have a considerable number of supporters. By never saying what has happened or why somebody has been banned, there continues to be an army of people touting why a bad actor is great and then gaslighting anybody who has concerns.

I'm guessing the privacy is primarily a way to avoid liability and libel suits. I don't think it ends up serving our community well.

Well my suggestion would be very similar to @DamienMcKenna's #3001953-2: Policies and procedures for individuals banned from community events.
Have 3-4 new fields on d.o users:
ban_rating: 0 - 3?
ban_expire: date
ban_location: ie just DrupalCon? specific place? is this field necessary?
ban_reason: short text - like something like: "inappropriate advertising" or "assault" - Inappropriate advertising is relatively easy to work with and monitor for as well as low risk of harm, so camp organizers could make some degree of informed decisions too.
SSO can expose this AND users with (a new permission for event organizers) can view that.
Only DA/CWG would be able to edit those field.
Full details would continue being stored however the DA/CWG are currently storing them.

The user fields are hidden by default but if that data is leaked it should be sufficiently non identifying in that format I think.
If liability/libel concerns are at issue, changing it to "reports of ...." as the short ban reason might resolve that? (Not a lawyer)

Alternatives: Make the ban fields visible.

I really like @DamienMcKenna's suggestions in the first comment for camps and cons, but that assumes all Drupal events have their own website, or are using some system that can use SSO. Most meet-ups, for example, are organized on meetup.com. Other informal events like sprints, bar-nights, game-nights, etc, are often organized via google forms + spreadsheets, or even over email.

It would be nice if the drupal community could also provide some kind of service (human or automated) where an event organizer could provide a list of the email addresses of their attendees (assuming they have consent from each of those people to do so) and be told "Yes, everyone here is okay."

I'm not sure if there's a way to export email addresses (or any data?) from meetup.com, but it would be nice if there were a way we could cover our user groups as well as camps & cons.

Yeah, to @jenlampton's point, a lot of camps use Eventbrite and others to manage registration. That would have to change (it could change). That solution also requires a bit of work from the DA.

I really like @weekbeforenext's idea about having camp organizers check against a list. The organizers should have to sign an NDA to do so, and should only be allowed to check their roster (as opposed to seeing the entire list and then cross referencing it). I think this is the easiest solution to implement.

to @DamienMcKenna's point about ruining one's career: I see your point, but that could lead the Drupal Association into tricky legal territory. For example, a person could sue to get off the list. I ***really*** think whatever solution we implement, we should run it by a legal team.

There are a number of things to consider here:

1) Who is responsible and accountable for the list
2) How people can recommend changes to the list, and why
3) How we can be sure that we give access to the list to those who will ensure it is not misused.
4) What is the actual requirement?

With regard to 1), I highly suggest that the list is owned by an entity with legal cover. If somebody finds themselves prevented from executing their work because they are on the list, they may well sue. Frankly, I’m amazed it has not happened already.

As far as 3) is concerned, I would want to know that those I passed information to would respect it. I would, at the very least, want an NDA between me and the person requesting information. To be honest, I would like to see a lot more. Basically, if you want access to information like this, I would want you to prove your camp met certain standards, such as CoC, documented reporting procedures, speaker agreements, the whole shebang. Camps would need “cerifying” to have access to the list.

I do wonder about 4). The list is short. Like, really short. How many times do “banned individuals” actually attend camps that would want to consult this list? I think, before implementing a system, we really need to know if it actually achieves much.

Folks are quick to ban folks that don't line up with their ideologies. As a global community, how can one group force its views on another? I think this dangerous ground we are stepping into and we should not be so quick to give tools to those who would wield it purely due to political differences.

Also, I would prefer CWG not be involved with deciding who is on/not on the list. I think it should solely lie at the feet of the Drupal Association who has a board who can be held accountable.

I have organized many camps, and just my two cents here about who this list should be shared with: the camps (hopefully every camp, but it's hard to supervise) have a CoC, and there is an individual (again, hopefully everywhere) who is the contact person if anything happens. That position usually goes to those who are trusted in the community and can help in potentially problematic situations. How about appointing this person to be the supervisor of the attendee list as well?

Of course usually nothing happens, which is the good case, but if they are so trusted with this, I believe they could handle the list as well.

This is a very hard topic, especially if there is noone with the responsibility of having a good knowledge of what's happening at DrupalCamps (e.g. not sure if a CoC is a must, or only a recommendation).

I agree with some of the suggestions mentioned above, but I feel like this issue is conflating a few things:
1. should the CWG have a policy on banned individuals?
2. what should go into that policy (for example, does it include a master list of banned individuals)?
3. what bureaucratic infrastructure is needed to support the policy? (for example, guidelines on who counts as a camp organizer)
4. what technical infrastructure is needed to support #3 (SSO, admin flag on drupal.org).

Before we jump to how we might implement, I wonder if folks can come to an agreement on #1 as a first step.

My vote is for yes - the CWG absolutely should have a policy on banned individuals.

What is the scope of this? Does this apply for attendance, session submission, social events, and/or volunteering in any aspect of an event? This should be explicitly defined.

I like the basic premise of the idea, as it helps promote safety for members of the community attending events. This information should be extremely sensitive to respect the privacy of those involved. I don't think NDAs are enough (as Rachel said).

I want to echo my support for the previous comments around SSO and a technology-driven process.

It is my understanding that banned individuals have their drupal.org accounts locked or outright removed. In lieu of sharing information, could we establish some shared tools that would verify someone has an active drupal.org account? This would require registration, session submission, etc to go through drupal.org's federated login.

I don't want to restrict events or be too prescriptive, but having a set of tools that can be used that support this approach would be advantageous. As others have said, it should cover the scope we define (social events, registration, session submission, etc). This may mean asking camps to use a specific set of tools that can support SSO. We could look to engage the DA in this process and establish some partnerships with promising platforms.

Such an approach would mitigate sharing sensitive information between individuals by handling vetting during registration or if an individual tried to submit sessions, so camp organizers wouldn't necessarily need to do this.

I still think it is imperative there is a process in which camp organizers share incidents with the CWG. This should go beyond just individuals banned from events, as the same individual could have incidents across several events and the CWG could consider taking action even if a person is not banned from one specific event.

The DA is currently implementing oAuth, FYI.

I’m really glad to see the CWG are talking about how to handle banned individuals. They have clearly thought about it a bit, which I appreciate. I completely agree with @mdrummond's point above:

I am far less concerned about the careers of those who have actively harmed our community than I am for the people who have been excluded from our community by those bad actors' actions. I also think the excessive concern for the privacy of bad actors continues to harm and exclude people from marginalized groups from fully participating in our community.

I don't always agree with them (in fact I have many frustrations) but the CWG is extremely deliberate in their work and they give people many, many chances to work with them and to correct any problematic behavior. You can see this if you read their minutes. If they reach the point where they are permanently banning someone from Drupal, then that person is being willfully destructive to the community. If I worked with that person in any other tech community, I would want to know this. I’m OK with there being real, meaningful consequences for things like sexual assault, unapologetic hostility to other contributors, repeated or sustained harassment, etc.

In fact, I think having a public list of people permanently banned from Drupal would be a good incentive for people to work with the CWG and try to do better, which it seems some Drupal celebrities can’t be bothered to do.

People who are only temporarily banned are in a different category, IMO. They either haven’t messed up as badly and/or they are working with the CWG to correct it. Part of their penalty could be to voluntarily not attend events for whatever period of time they are banned. That’s a great way for them to show that they value the community more than their personal ego. And it's a lot simpler to implement. 😉

I agree with @drnikki and others that the policy component of this needs to be discussed and decided, not the technical implementation. We cannot rely on event organizers using a unified toolset.

@damien,

@kclarkson: If someone has been banned from d.o then they've already actively taken steps to ruin their own career, so they'd have nobody else to blame for further consequences only themselves. If they want to make up for past offenses they'd have to START by fixing their stance in the greater d.o community before then trying to continue at local events.

I respectively disagree with your point. All cases are not created equal and when posting to the public can ruin families.

I don't want to rehash any issues but there are two people that were very well respected in our community that were banned. PLEASE NO NAMES. My point is that the reason this was such a huge issue and made national news was because so many people were split regarding the ban. There will always be cases that are borderline and for those cases I do not believe it is fair to post publicly as the internet is forever. I just don't think its the Drupal Communities responsibility to publicly convict someone.

I also agree with @jenlampton in that we can't use Drupal.org as means to block people from registering events as we all do our own thing. I know we use Eventbrite. And some events use google forms etc...

But echoing what @nerdstein said, if we could fund Conference Organization Distribution (COD), and really have a solid platform for all conferences to use. We could easily start requiring sign in from from Drupal.org. But this would have to be a Major Initiative that the Association pushed and all us organizers participated in. COD just never gets enough support to make it a product that everyone wants to use.

In fact, I think having a public list of people permanently banned from Drupal would be a good incentive for people to work with the CWG and try to do better, which it seems some Drupal celebrities can’t be bothered to do.

I feel this could set the DA up for lawsuits. Something like this would need to be ran by a lawyer.

I just don't think its the Drupal Communities responsibility to publicly convict someone.

Absolutely +1 for this.

I think there must be some misunderstanding here. I do not believe that the CWG are even considering a list of individuals that would be visible to the public, at least I hope they are not. I cannot imagine any circumstance in which the Association would maintain or even contribute to a public list of banned individuals. Indeed, I can only imagine a very tightly managed system for avoiding such a list becoming public.

To @rachel_norfolk's point above - from the initial post, it's not clear exactly what the CWG is considering, so I'd love to get that clear before we rush to figure out toolsets, funding camp distros, or NDAs.

My read of the initial post (and based on the title) is that the CWG is at last considering an official policy on how to handle both temporarily and permanently banned individuals. This policy may include:
- clear guidelines for what banned individuals can and cannot do (post on d.o, attend camp events, blog about Drupal, run a Drupal meetup)
- clear workflows for how an individual becomes un-banned
- clear documentation for how an individual becomes banned (this already exists, to my knowledge, but might be linked here)

As a result of this policy, there may subsequently be conversations about
- how to enforce what banned folks can and cannot do and this enforcement may include how to notify camp organizers if a banned individual wants to attend a local event
- who should know if one person is banned
- who should know the complete list of banned individuals

CWG folks - is this correct? Do we know yet what would go into the initial policy document?

I have to say, the idea of putting a group that's outside of our local communities in charge of "banning" local members seems fraught with many risks. It does seem like an appeal or mediation process would need to be clearly articulated, and it also seems that the group is heading in the right direction. It would be great to have some sorts of guidelines, espescially for meetups. We've had all sorts of weirdness, from the creepy to the stupid to the just plain weird (like putting multiple slices of pizza and other snacks into their pockets), so when is banishment ok? Just when someone feels threatened?

I'm actually more interested in understanding what the expectations are for the local meetups and camps vis-a-vis reporting incidents to the CWG. We had to ban one meetup member many years back, for inappropriate behavior towards a female developer, but this was prior to the days of the CWG, and I don't think this meetup member is even on Drupal.org, and doesn't attend national events. If this were to happen today, should the CWG be alerted? I just banned the individual from our offices, as we were the regular meetup hosts at the time, and he was asked to leave during the only other time he tried to attend. But now that we're no longer hosting, I don't think anyone would even remember what happened, and it was definitely creepy, so it would have been great to keep that memory alive somehow. But then again- is there a time limit to banning?

I would like to recommend that everyone take some time to read through some of the public minutes of CWG meetings. In the rare cases where they take action against someone, it's only after extensive discussion and attempts at mediation. They seem to give the subjects of their complaints every opportunity to be heard and understood. (And please understand that I am not a big fan of the CWG. I have a lot of frustrations with them, but being hasty or careless isn't one of them.)

If there is no public record of people they ban, I don't see how there is any accountability. Again, it takes A LOT to get permanently banned from the Drupal community. This isn't just something that happens because you have bad social skills or someone doesn't like you. When the CWG feels strongly enough to ban someone, it's only because they have very seriously screwed up and shown no interest in changing their behavior.

I just want to point out that this is not some abstract discussion for a lot of people. A lot of the most prominent situations involving banning people have involved harassment and assault and demeaning of women and other marginalized groups. Here in the US we're having a national conversation about whether terrible actions towards others will have long term consequences on people's careers and ambitions, and there's certainly a large faction of people that think the worst thing that can happen is for somebody—particularly a man—have those ambitions thwarted. Meanwhile people from marginalized groups often have their careers and lives shut down for far more minor issues. And it's hard not to see that very same thing playing out in these discussions as well. And for a lot of people, this is not some theoretical discussion, they have had personal experiences of terrible things happening and then the people who have done those things get to walk around as if nothing has happened. And that ends up putting more people at risk of having their lives indelibly changed too. So I think it's really critical that folks think about what sort of community we want to have, and whose lives we want to prioritize. Do we want to minimize the legal risk that somebody gets upset that they have to face consequences for their actions? Does preventing the risk of that blowback outweigh keeping people safe? Are we okay with people feeling traumatized because celebrities who've done awful things are allowed to walk around freely at our events?

That's what's at stake here.

Building on @ultimike's points above, one piece of consistent feedback that the CWG has heard over the last year and a half is that there needs to be more clarity around our processes and procedures, particularly when it comes to banned individuals.

To be clear, the question of whether or not the CWG should be able to recommend or implement bans is not up for debate in this issue; the primary question here is how our processes around banning are documented and shared with others, particularly when it comes to those individuals who have either been asked not to attend events or prohibited from doing so. We have heard from multiple camp and event organizers who are looking for clear guidance to make sure they aren't inadvertently providing a platform to those who have been banned or asked not to attend other events.

I also want to be clear that for the purposes of this discussion, the CWG is not concerned about questions of legal liability; any eventual policy that might result would likely be run past an attorney to flag any potential issues prior to implementation.

One question/concern I have thinking through @rubyj's suggestion that only those with permanent bans be added to a list is that due to the length of our process, a temporary ban may be in place for several months following a reported incident before any decision is made about a permanent ban. During that time, we wouldn't necessarily be able to provide assurance to people who are aware of (but not involved with) the incident in question that they will not run into that individual at an event.

I also think the question @Alex UA raises is a good one. We have had various event organizers reach out to us either to inform us about people who have banned from their events and/or ask for our advice; however there is no clear guidance for how or when to do so. One of the situations we want to avoid is where someone engages in abusive behavior at one event, gets banned, and then goes and engages in the same behavior at a different event run by different people.

I do understand the concern and wishes for organiseres to have a global list of banned people from events of the Drupal community.
I approach privacy, inclusivity and interactions with other humans on a basis of "be tolerant of everyone, except those that are intolerant towards others" it is the paradox of tolerance, please go there and read more about it if you are uncertain what I mean by this.

Translated I would put this in a way of:
We should be tolerant of differences in all shapes & sizes, as long as those difference do not present a danger to the healthiness of the community.

I do get a feeling that some off what is being proposed here is starting to get a bit over the top and would not reflect well on the community as a whole. It is when things like this really gets put into order that abusers of such a system also appear, both from a professional perspective as this information being used to screen candidates for jobs or reject someone from participating in an event by another community.
I personally would never support an effort to put this into a structure as proposed in this issue.
On the other hand I do believe that the CWG and DA could assist event organisers with guidelines & example policies of how to handle this better per event.

Taking a look at this from the privacy & GDPR point of view I would question the legitimacy of both the CWG and DA of making this information public, I have never accepted the terms of the CoC here on Drupal.org for the user I have, every update to it (big or small) requires an explicit consent from each user, implied consent do not apply (even if the implied consent was assumed prior to GDPR taking effect).
This would to my knowledge also mean that at any given time if a user requests to be deleted/anonymised the DA would have no other option than do as requested within 24 days (the reasonable timeframe set down is 3 weeks e.g. 24 days).

Sharing the data of users without specific consent from each user on the list is against GDPR, so unless this was part of the original agreement signed, I do not see how data can be made public.

What I do see that DA & CWG can do with the list of banned people is keep it internal, get consent from each and everyone on that list that it can be shared – and specifically define who it can be shared with – and open-ended sharing of personal information is not allowed either.

Just to clarify one point: by using your Drupal.org account, you accept the Terms of Service and these require that you abide by the Drupal Code of Conduct.

Updates to either the Terms of Service or Drupal Code of Conduct do not require explicit consent, only that you are notified that the changes have been made. Continued use of the service as a logged in user signifies consent.

As it happens, I’ll be updating a section of the Terms of Service today so you will be able to see how that alert is done. We could easily do the same in future for COC updates, if you like.

@nerdstein

It is my understanding that banned individuals have their drupal.org accounts locked or outright removed

This has been discussed earlier in the issue, but to reiterate: it isn't the case. And to @kclarkson's point part of the massive public response to high profile cases was a lack of definition of what 'banned' meant in the first place.

A non-exhaustive list of possible situations:

1. Banned from speaking at events, but not from attending events or d.o
2. Banned from attending events, but not from d.o
3. Banned from both attending events and d.o
4. Temporary and voluntary self-exclusion from events and/or d.o and/or the issue queue of a particular project/ and/or irc/slack as a sort of time-out.

The CWG deals with everything from people's whose attendance at events poses a safety risk to other attendees, to technical disputes between developers that become loud (online or in person) interpersonal arguments impacting observers. So 1-4 are reasonable responses to those situations depending on what the situation is. The question then is which ones need to be communicated outside the CWG and people directly involved. This has been extremely inconsistent so far, so it's good to see this issue to trash it out, but there doesn't appear to be a common understanding of the issues in the first place.

fwiw, I think #4 should not be communicated at all since it's a sign of good faith engagement with the process, but one case where this happened was announced very publicly and non-anonymously in the past, whereas cases in the 1-3 range have not.

Here in the US we're having a national conversation about whether terrible actions towards others will have long term consequences on people's careers and ambitions, and there's certainly a large faction of people that think the worst thing that can happen is for somebody—particularly a man—have those ambitions thwarted. Meanwhile people from marginalized groups often have their careers and lives shut down for far more minor issues.

@mdrummond,

I commend your commitment and passion to diversity and inclusion. But one of the issues I have with the national conversation, is that many people are not taking into consideration an individuals personal interpretation of terrible acts nor is the national conversation acknowledging that every case is not the same.

For Example: This is a ridiculous example on purpose so don't judge me :)

I am a member of a marginalized group. This older white man calls me Black but I prefer to be called African American. I tell the person to please do not call me or any other person black but they continue to do so. I explain to the CWG that I prefer to be called African American vs Black and give them the reasons why and how many times I asked this person to stop. The CWG bans this person and puts them on the list for being racially insensitive. But what the CWG doesn't know is that this older white male who was calling me black is married to another African American man who prefers to be called black.

This is a prime example of how my personal interpretation of a terrible act is not treated equal and every case is different.

Yes: the person should respect someone else's wishes.
Yes: I know the CWG wouldn't probably ban this person
Yes: I get that this is not a sexual assault or harassment case. But those phrases are used very frequently although there can be a huge range of the severity of the incident.

All this to say. I am not thinking about the person who physically abuses someone because to me that case is very very very easy. You are banned, simple as that. But when drafting policies I always try think about the cases that are not so clear. The cases that could ruin someones life on a personal interpretation. Another example are the U.S. Marijuana laws. They are ruining peoples lives and putting them jail for what most people see as not an issue.

To @catch's point above, one additional factor to keep in mind is that there have been multiple occasions when someone has publicly or privately claimed to have been "banned" by the CWG (or allowed others to make that claim on their behalf) when in fact they have not.

It's difficult for us to correct the record in many of these cases, as commenting publicly might undermine the confidentiality of others involved in what is often an ongoing matter. Because we're not able to do so, this can sometime leads to confusion about the CWG's process and/or a skewed impression of how frequently individuals are banned.

The technical solutions so far proposed that rely on a valid D.O account or checking against an email list would be easily circumvented by creating a new account or registering with an alternate email, at least for someone who only wishes to attend an event without having the event organizers being able to discover their ban. Someone not very well known could even submit a session under an alternate account and still avoid raising suspicion.
The one case were I think the technical solutions would have an effect is denying the ability to submit sessions from a moderately well known person who has been banned from events, because them submitting under an alternate account would be more likely to be discovered by an event organizer and seen as suspicious. But in this case, the visibility of them presenting at an event could mean a person who knows they are banned is able to report they are ignoring the ban, and might be enough of a deterrent to keep them from attempting to submit anyways.

@cmcintosh: People aren't banned for political differences, please read more into what the CWG does and how their processes work.

@kclarkson: Your scenario is a strawman argument as the CWG wouldn't ban someone over a minor disagreement like this. People have been banned for serious harassment and/or assault after usually quite lengthy processes where there is a lot of communication with the CWG. People aren't banned over personal disagreements, if these can't be worked out amicably they instead generally seem to end with a request to both parties to simply avoid further interactions.

This discussion is about preventing further incidents after someone has been shown to behave inappropriately and unwilling to make amends. It's about preventing serial harassers and abusers from being able to continue to harass and abuse more people after their behavior becomes known.

Also, just to mention it, this is not about hypothetical scenarios. If you follow the CWG public minute reports you'll see that there have been a small number of scenarios where people were banned for physically threatening or assaulting people. Some of the people who were banned are still employed by companies in the wider Drupal community. Members of the community would like to ensure that if they attend local events that they won't then receive the same threats or be assaulted by folks that have been known to exhibit unwanted behavior. We're not talking about hypothetical scenarios - this is about actual people, actual events that have already happened and that we want to help prevent from reoccurring. So lets drop the hypotheticals, lets deal with the reality we're already facing.

The fact that people are actively lying about their status with the CWG seems to be a pretty good example for why shielding everything in privacy has consequences.

I think there's a lot of discussion where it's taken as a given that there definitely needs to be privacy. And I think it's worth not taking that as something that has already been decided.

If somebody comes forward with a concern, and they want to have privacy for themselves in doing so, they absolutely should be able to expect and receive that privacy. And there is research that should be considered in terms of whether something is private or public and how that affects people's willingness to come forward with reports of problems.

My understanding is that the Community Work Group was originally formed with the intent of assisting with mediation, particularly when difficult discussions came up in the issue queues, often between people who have at least some level of parity in power.

And that's just very, very different from the types of issues that have been coming up more and more lately where there is a large power disparity between somebody reporting an issue and the person whose actions are being reported. Issues of harassment, intimidation and abuse where these disparities exist are just very, very different, and I'm not entirely sure that the procedures that initially worked when dealing with mediations are working well when dealing with this different set of problems.

We can look at the CWG minutes and see the back and forth that tends to go on for long periods of time in addressing a report, and often that process is drawn out because the person whose actions are being reported does not want to engage.

How do we keep people safe while that is going on? And how long do we give somebody to respond and for action to be taken before a plan is put in place to keep people safe? And how does that get communicated? Because so very often it doesn't get communicated publicly, and the person who has been reported is able to publicly lie, publicly build an army of supporters, and those who want to stick up for keeping others safe get attacked by that army.

And of course there can be instances where there are reports that are not done in good faith and where something doesn't rise to the level of there being a necessity for public consequences. We've seen that in the last year too, where the CWG has been weaponized as a way to attack those arguing for diversity and inclusion efforts within the Drupal community. And thankfully at times the CWG has been willing to step up and make clear that they won't allow themselves to be used like that. There still are times where they do carry out investigations because the people whose actions are harming others feel hurt that they're being called out. And that's really unfortunate.

None of this is easy. But again, I would urge people to keep the focus where this should be, on keeping our community safe. We should absolutely be cognizant of not creating processes that get weaponized to be used against people from marginalized groups. But the fact that there are bad actors out there shouldn't deter us from putting in place strong measures that can be used with discretion and discernment to create a better, more inclusive environment for Drupal.

@damien,

Again I highly highly disagree with not thinking about scenarios when developing a policy. A policy is literally developed around scenarios our else you wouldn't have a policy. The situation I presented, which I stated was purposefully ridiculous in order to demonstrate how incidents have different interpretations of severity although they are all lumped in to one term "sexual assault" for example.

In addition, (2) years ago Drupal did have a situation that was in the gray area and had no guidance or policy to lean back on. Not thinking through scenarios is EXACTLY the reason we made National news for silencing someones free speech.

So to reiterate my point(s).

1. Yes: I agree there should be some sort of list that people are put on so us as organizers can cross reference our speakers and participants
2. No: I disagree that this list should be available to the world or just any person on Drupal.org

And the reason I say NO is because the Drupal Community should not be publicly convicting people that may have long lasting impacts on families. So for me convicting ONE wrong person and their families is bad. So yes I think scenarios should be the main driver of the policy.

We are talking about people being banned because their actions have demonstrably harmed someone (usually someone with less power or privilege, as Marc pointed out). They have already negatively impacted someone else's personal life, family, and/or career, through no fault of that person.

I don't see why harassers should have some protection from professional or personal consequences for their actions. Hypotheticals are fine, but people don't get banned from the Drupal community just for not using someone's preferred language. We are talking about people who have HURT other human beings, on purpose, and after repeated warnings.

I don't think it is in the best interest of the Drupal community to be responsible for notifying the world about the actions that have banned an individual from our community. If someone's actions in our community constitute the involvement of law enforcement, the public records of those actions can be the responsibility of the law enforcement agency.

Information about who is banned from Drupal community activities should only be used to enforce the ban within our community, by people who are given the responsibility to enforce bans.

I agree that before we can go too far down the road of any technical implementations, we need to start with the policy. We need to define (and make publicly available) exactly what is meant by “banned” (from drupal.org, events, etc…), how someone can be banned, how someone can be unbanned, the relationship between banned individuals and local Drupal community events, etc…

Maybe we should redirect our conversation back to the development of the policy as @ultimike suggested.

I've not yet processed what I think would constitute a ban from community activities. I do however want to share some thoughts that I hope are helpful in some way.

• I believe Code of Conduct violation occurs through actions. The Drupal community should be a welcoming environment for all, including religion (or lack thereof), political alignment, or personal lifestyle. A person can be whoever or believe whatever they want, but when harmful actions are performed during Drupal community engagements, they are in violation.
• Positions of power in the community should be clearly defined and require higher standards than general members. These positions of power should also be revokable due to harmful actions inside or outside of the Drupal community. Positions of power are a privilege and harmful actions outside of the Drupal community could negatively impact our community by association.
• Anyone reported in an incident report should be given due process.

We are talking about people being banned because their actions have demonstrably harmed someone (usually someone with less power or privilege, as Marc pointed out). They have already negatively impacted someone else's personal life, family, and/or career, through no fault of that person.

I don't see why harassers should have some protection from professional or personal consequences for their actions.

The difference is that publicly identifying the harassers will most certainly subject them to more consequences outside of the CWG, including affecting their employability. This might sound fine on the surface, but keep in mind this is a lot of pressure to put on the CWG (potentially affecting the ability for the person to make a living). Not to mention, I believe this would open up the DA to lawsuits. This list could easily be interpreted as a blacklist (and I would agree with that). According to this article, "At least 29 out of the 50 states have blacklisting statutes." The DA does not want to go down this route.

In my opinion, we should not publicly identify people on the list, even if it was not legally questionable. I personally believe people can change. And if they appear on the list once, it will affect them forever.

@ultimike, what tools are currently in place to measure the impact of incidents and determine responses? If we already have some tools in place, it might be good to review those as a starting point.

I'm really struggling with the 'leave things to law enforcement' view that has been expressed multiple times on this thread.

1. Police departments, especially in the US but also elsewhere, regularly post photos of arrestees and also random suspects who haven't been apprehended, often with detailed personal information - before there's been any trial or anyone's been proven guilty. I have no idea why people would think the police would be more responsible about this than the CWG.

2. Criminal records also hurt employment prospects, shouldn't need to be said, but still.

3. The police have an extremely bad record for dealing with cases such as domestic violence, sexual assault, and rape, and victims of these often do not want to go to the police for good reason. I'll spare posting those reasons on the thread and assume people know how to use google. Similarly there are well documented cases of the police being called to deal with mental health emergencies and shooting or fatally restraining the person they were called to help.

4. Drupal events have international participants, and for either party in a CWG dispute, dealing with the criminal justice system in a country they're only supposed to be visiting for 3-5 days would be impossible. This could obviously be especially bad if the person reported to the police is not from the country the event is held in - restrictions on leaving the country for example.

So there are many reasons why actions which are theoretically serious enough to involve the police (from assault and battery to sexual assault), in practice should not imply a requirement for the victim to involve the police if they don't want to.

For more reading on this, there's a reading list of alternatives to the criminal justice system here: https://icopa2018.files.wordpress.com/2018/01/icopa18_abolition_reading_...

#48 I would classify myself as a Camp organizer / Local community manager – and it might not have been clear from my previous post here, but I strongly object to there being a system for categorizing or looking up people that is "on the list".

It would break all maner of trust regarding privacy, if this information gets opened up to "trusted" people, because the next step here is to ask who are those "trusted" people and how do I get on the list of "trusted" people.

I do fully understand the wish for this information to be shared to local event organisers but based on current privacy laws in Europe I do not see this as something that could possible to archived without breaking those laws or making the list open for GDPR Art. 17 requests (the right to be forgotten).

I simply cannot imagine a situation where we would pass information such as "After the mastic asphalt incident, Neville Sponge is banned from attending all Drupal events" to people that might make that information public. I just cannot see how that could possibly happen - the litigation risk is just too high.

The thing with the current environment for Drupal events is simple - anyone can decide to hold an event and run it in any way they seem fit. Indeed, there are no real controls stopping a "banned individual" from hosting and event!

That we have such a free environment has been a great benefit to the project. Events happen all around the World, many of which (probably the majority) don't even feature on things like Drupical. It does mean, however, that we have no way at all of knowing how any host may use information passed to them.

Unless there was control over the organisation of events so that those holding a "banned list" could be absolutely sure how the list was used and kept private, this whole conversation seems somewhat moot.

@ultimike

I recently completed an Introduction to Code of Conduct Enforcement course, in which I asked questions regarding some of the things we are discussing here.

I asked about public vs. private banned list. The recommendation from the instructor is to have no list at all. Any list can be grounds for a law suit. Since we are not upholding or enforcing law, we will be held legally liable for any list we create, regardless of how well protected it may be. Even if someone hears that a list might exist, we are liable if we indeed have a list.

The instructor did mention one exception to her recommendation of no list, based on an experience in her community. If someone has repeatedly acted in a way that threatens public safety at multiple events and law enforcement is involved, the information about that individual is shared among community events. This information is posted at events with a list of when previous incidents occurred with contact information for the law enforcement officer that handled the case.

In lieu of a list, she recommends a way to hand off information in person, phone or video call. As far as sharing information with event organizers, I don't know if this could be a quarterly group call or if it should be individual conversations with specific event organizers regarding potential issues on an as needed basis. The latter might be the way to go. We would likely need to identify a reliable list of events and how to contact organizers.

It would probably be a good idea to train more organizers in Code of Conduct Enforcement, so that we all know how to take incident reports and how to respond to them.

One more thing I wanted to mention was a tool or approach to incident assessment. Attached is a screen grab from my notes that includes a grid for visualizing the risk and impact of an incident to aide in deciding an appropriate response. I don't know if the CWG has something like this, but I thought it might be helpful.

FYI, the DrupalCon CoC Master Incident Log has a very similar method of calculating the severity of an incident...

@rachel_norfolk

That's nice. Is that document available for event organizers to copy and use?

@weekbeforenext - of course, here you go! https://docs.google.com/spreadsheets/d/1UH3bEH1_mcIJYh3W-8KwjQ_uQSjoiVGL...

(really, really, really, hopes that she has definitely not copied across any actual data...)

Closing out this old issue. To summarize, the CWG does not maintain a list of individuals who have been banned from events, instead situations involving banned individuals are handled on a case-by-case basis. If you are an event organizer and are concerned that someone who is scheduled to attend or speak at your event might be doing so in violation of a ban, you are welcome to reach out to the CWG for guidance.