Crosspost: No more rock stars: how to stop abuse in tech communities

This post originally appeared on Leigh Honeywell’s blog on June 21, 2016. I’m cross-posting here it because I am a co-author and I think my readers will enjoy it.

Content note for discussion of abuse and sexual violence.

In the last couple of weeks, three respected members of the computer security and privacy tech communities have come forward under their own names to tell their harrowing stories of sexual misconduct, harassment, and abuse committed by Jacob Appelbaum. They acted in solidarity with the first anonymous reporters of Jacob’s abuse. Several organizations have taken steps to protect their members from Appelbaum, including the Tor Project, Debian, and the Noisebridge hackerspace, with other responses in progress.

But Appelbaum isn’t the last – or the only – abuser in any of these communities. Many people are calling for long-term solutions to stop and prevent similar abuse. The authors of this post have recommendations, based on our combined 40+ years of community management experience in the fields of computer security, hackerspaces, free and open source software, and non-profits. In four words, our recommendation is:

No more rock stars.

What do we mean when we say “rock stars?” We like this tweet by Molly Sauter:

Seriously, “rock stars” are arrogant narcissists. Plumbers keep us all from getting cholera. Build functional infrastructure. Be a plumber.

You can take concrete actions to stop rock stars from abusing and destroying your community. But first, here are a few signs that help you identify when you have a rock star instead of a plumber:

A rock star likes to be the center of attention. A rock star spends more time speaking at conferences than on their nominal work. A rock star appears in dozens of magazine profiles – and never, ever tells the journalist to talk to the people actually doing the practical everyday work. A rock star provokes a powerful organization over minor issues until they crack down on the rock star, giving them underdog status. A rock star never says, “I don’t deserve the credit for that, it was all the work of…” A rock star humble-brags about the starry-eyed groupies who want to fuck them. A rock star actually fucks their groupies, and brags about that too. A rock star throws temper tantrums until they get what they want. A rock star demands perfect loyalty from everyone around them, but will throw any “friend” under the bus for the slightest personal advantage. A rock star knows when to turn on the charm and vulnerability and share their deeply personal stories of trauma… and when it’s safe to threaten and intimidate. A rock star wrecks hotel rooms, social movements, and lives.

Why are rock stars so common and successful? There’s something deep inside the human psyche that loves rock stars and narcissists. We easily fall under their spell unless we carefully train ourselves to detect them. Narcissists are skilled at making good first impressions, at masking abusive behavior as merely eccentric or entertaining, at taking credit for others’ work, at fitting our (often inaccurate) stereotypes of leaders as self-centered, self-aggrandizing, and overly confident. We tend to confuse confidence with competence, and narcissists are skilled at acting confident.

Sometimes rock stars get confused with leaders, who are necessary and good. What’s the difference between a rock star and a leader? We like the term “servant-leader” as a reminder that the ultimate purpose of a good leader is to serve the mission of their organization (though this feminist critique of the language around servant-leadership is worth reading). Having personal name recognition and the trust and support of many people is part of being an effective leader. This is different from the kind of uncritical worship that a rock star seeks out and encourages. Leaders push back when the adoration gets too strong and disconnected from achieving the mission (here is a great example from Anil Dash, pushing back after being held up as an example of positive ally for women in tech). Rock stars aren’t happy unless they are surrounded by unthinking adoration.

How do we as a community prevent rock stars?

If rock stars are the problem, and humans are susceptible to rock stars, how do we prevent rock stars from taking over and hijacking our organizations and movements? It turns out that some fairly simple and basic community hygiene is poisonous to rock stars – and makes a more enjoyable, inclusive, and welcoming environment for plumbers.

Our recommendations can be summarized as: decentralizing points of failure, increasing transparency, improving accountability, supporting private and anonymous communication, reducing power differentials, and avoiding situations that make violating boundaries more likely. This is a long blog post, so here is a table of contents for the rest of this post:

Have explicit rules for conduct and enforce them for everyone

Create a strong, specific, enforceable code of conduct for your organization – and enforce it, swiftly and without regard for the status of the accused violator. Rock stars get a kick out of breaking the rules, but leaders know they are also role models, and scrupulously adhere to rules except when there’s no alternative way to achieve the right thing. Rock stars also know that when they publicly break the little rules and no one calls them out on it, they are sending a message that they can also break the big rules and get away with it.

One of the authors of this post believed every first-person allegation of abuse and assault by Jacob Appelbaum – including the anonymous ones – immediately. Why? Among many other signs, she saw him break different, smaller rules in a way that showed his complete and total disregard for other people’s time, work, and feelings – and everyone supported him doing so. For example, she once attended a series of five minute lightning talks at the Noisebridge hackerspace, where speakers sign up in advance. Jacob arrived unannounced and jumped in after the first couple of talks with a forty-five minute long boring rambling slideshow about a recent trip he took. The person running the talks – someone with considerable power and influence in the same community – rolled his eyes but let Jacob talk for nine times the length of other speakers. The message was clear: rules don’t apply to Jacob, and even powerful people were afraid to cross him.

This kind of blatant disregard for the rules and the value of people’s time was so common that people had a name for it: “story time with Jake,” as described in Phoenix’s pseudonymous allegation of sexual harassment. Besides the direct harm, dysfunction, and disrespect this kind of rule-breaking and rudeness causes, when you allow people to get away with it, you’re sending a message that they can get away with outright harassment and assault too.

To solve this, create and adopt a specific, enforceable code of conduct for your community. Select a small expert group of people to enforce it, with provisions for what to do if one of this group is accused of harassment. Set deadlines for responding to complaints. Conduct the majority of discussion about the report in private to avoid re-traumatizing victims. Don’t make exceptions for people who are “too valuable.” If people make the argument that some people are too valuable to censure for violating the code of conduct, remove them from decision-making positions. If you ever find yourself in a situation where you are asking yourself if someone’s benefits outweigh their liabilities, recognize that they’ve already cost the community more than they can ever give to it and get to work on ejecting them quickly.

Start with the assumption that harassment reports are true and investigate them thoroughly

Over more than a decade of studying reports of harassment and assault in tech communities, we’ve noticed a trend: if things have gotten to the point where you’ve heard about an incident, it’s almost always just the tip of the iceberg. People argue a lot about whether to take one person’s word (the alleged victim) over another’s (the alleged harasser), but surprisingly often, this was not the first time the harasser did something harmful and it’s more likely a “one person said, a dozen other people said” situation. Think about it: what are the chances that someone had a perfect record of behavior, right up till the instant they stuck their hand in someone else’s underwear without consent – and that person actually complained about it – AND you heard about it? It’s far more likely that this person has been gradually ramping up their bad behavior for years and you just haven’t heard about it till now.

The vast majority of cases we know about fit one of these two patterns:

  1. A clueless person makes a few innocent, low-level mistakes and actually gets called on one of them fairly quickly. Signs that this is the likely case: the actual incident is extremely easy to explain as a mistake, the accused quickly understands what they did wrong, they appear genuinely, intensely embarrassed, they apologize profusely, and they offer a bunch of ways to make up for their mistake: asking the video of their talk to be taken down, writing a public apology explaining why what they did was harmful, or proposing that they stop attending the event for some period of time.
  2. A person who enjoys trampling on the boundaries of others has been behaving badly for a long time in a variety of ways, but everyone has been too afraid to say anything about it or do anything about other reports. Signs that this is the likely case: the reporter is afraid of retaliation and may try to stay anonymous, other people are afraid to talk about the incident for the same reason, the reported incident may be fairly extreme (e.g., physical assault with no question that consent was violated), many people are not surprised when they hear about it, you quickly gather other reports of harassment or assault of varying levels, the accused has plagiarized or stolen credit or falsified expense reports or done other ethically questionable things, the accused has consolidated a lot of power and attacks anyone who seems to be a challenge to their power, the accused tries to change the subject to their own grievances or suffering, the accused admits they did it but minimizes the incident, or the accused personally attacks the reporter using respectability politics or tone-policing.

In either case, your job is to investigate the long-term behavior of the accused, looking for signs of narcissism and cruelty, big and small. Rock stars leave behind a long trail of nasty emails, stolen credit, rude behavior, and unethical acts big and small. Go look for them.

Make it easy for victims to find and coordinate with each other

Rock stars will often make it difficult for people to talk or communicate without being surveilled or tracked by the rock star or their assistants, because private or anonymous communication allows people to compare their experiences and build effective resistance movements. To fight this, encourage and support private affinity groups for marginalized groups (especially people who identify as women in a way that is significant to them), create formal systems that allow for anonymous or pseudonymous reporting such as an ombudsperson or third-party ethics hotline, support and promote people who are trusted contact points and/or advocates for marginalized groups, and reward people for raising difficult but necessary problems.

Watch for smaller signs of boundary pushing and react strongly

Sometimes rock stars don’t outright break the rules, they just push on boundaries repeatedly, trying to figure out exactly how far they can go and get away with it, or make it so exhausting to have boundaries that people stop defending them. For example, they might take a little too much credit for shared work or other people’s work, constantly bring up the most disturbing but socially acceptable topic of conversation, resist de-escalation of verbal conflict, subtly criticize people, make passive-aggressive comments on the mailing list, leave comments that are almost but not quite against the rules, stand just a little too close to people on purpose, lightly touch people and ignore non-verbal cues to stop (but obey explicit verbal requests… usually), make comments which subtly establish themselves as superior or judges of others, interrupt in meetings, make small verbal put-downs, or physically turn away from people while they are speaking. Rock stars feel entitled to other people’s time, work, and bodies – signs of entitlement to one of these are often signs of entitlement to the others.

Call people out for monopolizing attention and credit

Is there someone in your organization who jumps on every chance to talk to a reporter? Do they attend every conference they can and speak at many of them? Do they brag about their frequent flyer miles or other forms of status? Do they jump on every project that seems likely to be high visibility? Do they “cookie-lick” – claim ownership of projects but fail to do them and prevent others from doing them either? If you see this happening, speak up: say, “Hey, we need to spread out the public recognition for this work among more people. Let’s send Leslie to that conference instead.” Insist that this person credit other folks (by name or anonymously, as possible) prominently and up front in every blog post or magazine article or talk. Establish a rotation for speaking to reporters as a named source. Take away projects from people if they aren’t doing them, no matter how sad or upset it makes them. Insist on distributing high status projects more evenly.

A negative organizational pattern that superficially resembles this kind of call-out can sometimes happen, where people who are jealous of others’ accomplishments and successes may attack effective, non-rock star leaders. Signs of this situation: people who do good, concrete, specific work are being called out for accepting appropriate levels of public recognition and credit by people who themselves don’t follow through on promises, fail at tasks through haplessness or inattention, or communicate ineffectively. Complaints about effective leaders may take the form of “I deserve this award for reasons even though I’ve done relatively little work” instead of “For the good of the organization, we should encourage spreading out the credit among the people who are doing the work – let’s talk about who they are.” People complaining may occasionally make minor verbal slips that reveal their own sense of entitlement to rewards and praise based on potential rather than accomplishments – e.g., referring to “my project” instead of “our project.”

Insist on building a “deep bench” of talent at every level of your organization

Your organization should never have a single irreplaceable person – it should have a deep bench. Sometimes this happens through a misplaced sense of excessive responsibility on the part of a non-abusive leader, but often it happens through deliberate effort from a “rock star.” To prevent this, constantly develop and build up a significant number of leaders at every level of your organization, especially near the top. You can do this by looking for new, less established speakers (keynote speakers in particular) at your events, paying for leadership training, creating official deputies for key positions, encouraging leaders to take ample vacation and not check email (or chat) while they are gone, having at least two people talk to each journalist, conducting yearly succession planning meetings, choosing board members who have strong opinions about this topic and a track record of acting on them, having some level of change or turnover every few years in key leadership positions, documenting and automating key tasks as much as possible, sharing knowledge as much as possible, and creating support structures that allow people from marginalized groups to take on public roles knowing they will have support if they are harassed. And if you need one more reason to encourage vacation, it is often an effective way to uncover financial fraud (one reason why abusive leaders often resist taking vacation – they can’t keep an eye on potential exposure of their misdeeds).

Flatten the organizational hierarchy as much as possible

Total absence of hierarchy is neither possible nor desirable, since “abolishing” a hierarchy simply drives the hierarchy underground and makes it impossible to critique (but see also the anarchist critique of this concept). Keeping the hierarchy explicit and making it as flat and transparent as possible while still reflecting true power relationships is both achievable and desirable. Ways to implement this: have as small a difference as possible in “perks” between levels (e.g., base decisions on flying business class vs. economy on amount of travel and employee needs, rather than position in the organization), give people ways to blow the whistle on people who have power over them (including channels to do this anonymously if necessary), and have transparent criteria for responsibilities and compensation (if applicable) that go with particular positions.

Build in checks for “failing up”

Sometimes, someone gets into a position of power not because they are actually good at their job, but because they turned in a mediocre performance in a field where people tend to choose people with proven mediocre talent over people who haven’t had a chance to demonstrate their talent (or lack thereof). This is called “failing up” and can turn otherwise reasonable people into rock stars as they desperately try to conceal their lack of expertise by attacking any competition and hogging attention. Or sometimes no one wants to take the hit for firing someone who isn’t capable of doing a good job, and they end up getting promoted through sheer tenacity and persistence. The solution is to have concrete criteria for performance, and a process for fairly evaluating a person’s performance and getting them to leave that position if they aren’t doing a good job.

Enforce strict policies around sexual or romantic relationships within power structures

Rock stars love “dating” people they have power over because it makes it easier to abuse or assault them and get away with it. Whenever we hear about an organization that has lots of people dating people in their reporting chain, it raises an automatic red flag for increased likelihood of abuse in that organization. Overall, the approach that has the fewest downsides is to establish a policy that no one can date within their reporting chain or across major differences in power, that romantic relationships need to be disclosed, and that if anyone forms a relationship with someone in the same reporting chain, the participants need to move around the organization until they no longer share a reporting chain. Yes, this means that if the CEO or Executive Director of an organization starts a relationship with anyone else in the organization, at least one of them needs to leave the organization, or take on some form of detached duty for the duration of the CEO/ED’s tenure. When it comes to informal power relationships, such as students dating prominent professors in their fields, they also need to be forbidden or strongly discouraged. These kinds of policies are extremely unattractive to a rock star, because part of the attraction of power for them is wielding it over romantic or sexual prospects.

Avoid organizations becoming too central to people’s lives

Having a reasonable work-life balance isn’t just an ethical imperative for any organization that values social justice, it’s also a safety mechanism so that if someone is forced to leave, needs to leave, or needs to take a step back, they can do so without destroying their entire support system. Rock stars will often insist on subordinates giving 100% of their available energy and time to the “cause” because it isolates them from other support networks and makes them more dependent on the rock star.

Don’t set up your community so that if someone has a breach with your community (e.g., is targeted for sustained harassment that drives them out), they are likely to also lose more than one of: their job, their career, their romantic relationships, their circle of friends, or their political allies. Encouraging and enabling people to have social interaction and support outside your organization or cause will also make it easier to, when necessary, exclude people behaving abusively or not contributing because you won’t need to worry that you’re cutting them off from all meaningful work or human contact.

You should discourage things like: semi-compulsory after hours socialising with colleagues, long work hours, lots of travel, people spending almost all their “intimacy points” or emotional labour on fellow community members, lots of in-group romantic relationships, everyone employs each other, or everyone is on everyone else’s boards. Duplication of effort (e.g., multiple activist orgs in the same area, multiple mailing lists, or whatever) is often seen as a waste, but it can be a powerfully positive force for allowing people some choice of colleagues.

Distribute the “keys to the kingdom”

Signs of a rock star (or occasionally a covert narcissist) may include insisting on being the single point of failure for one or more of: your technical infrastructure (e.g., domain name registration or website), your communication channels, your relationship with your meeting host or landlord, your primary source of funding, your relationship with the cops, etc. This increases the rock star’s power and control over the organization.

To prevent this, identify core resources, make sure two or more people can access/administer all of them, and make sure you have a plan for friendly but sudden, unexplained, or hostile departures of those people. Where possible, spend money (or another resource that your group can collectively offer) rather than relying on a single person’s largesse, specialized skills, or complex network of favours owed. Do things legally where reasonably possible. Try to be independent of any one critical external source of funding or resources. If there’s a particularly strong relationship between one group member and an external funder, advisor, or key organization, institutionalize it: document it, and introduce others into the relationship.

One exception is that it’s normal for contact with the press to be filtered or approved by a single point of contact within the organization (who should have a deputy). However, it should be possible to talk to the press as an individual (i.e., not representing your organization) and anonymously in cases of internal organizational abuse. At the same time, your organization should have a strong whistleblower protection policy – and board members with a strong public commitment and/or a track record of supporting whistleblowers in their own organizations.

Don’t create environments that make boundary violations more likely

Some situations are attractive to rock stars looking to abuse people: sexualized situations, normalization of drinking or taking drugs to the point of being unable to consent or enforce boundaries, or other methods of breaking down or violating physical or emotional boundaries. This can look like: acceptance of sexual jokes at work, frequent sexual liaisons between organization members, mocking people for not being “cool” for objecting to talking about sex at work, framing objection to sexualized situations as being homophobic/anti-polyamorous/anti-kink, open bars with hard alcohol or no limit on drinks, making it acceptable to pressure people to drink more alcohol than they want or violate other personal boundaries (food restrictions, etc.), normalizing taking drugs in ways that make it difficult to stay conscious or defend boundaries, requiring attendance at physically isolated or remote events, having events where it is difficult to communicate with the outside world (no phone service or Internet access), having events where people wear significantly less or no clothing (e.g. pool parties, saunas, hot tubs), or activities that require physical touching (massage, trust falls, ropes courses). It’s a bad sign if anyone objecting to these kinds of activities is criticized for being too uptight, puritanical, from a particular cultural background, etc.

Your organization should completely steer away from group activities which pressure people, implicitly or explicitly, to drink alcohol, take drugs, take off more clothing than is usual for professional settings in the relevant cultures, or touch or be touched. Drunkenness to the point of marked clumsiness, slurred speech, or blacking out should be absolutely unacceptable at the level of organizational culture. Anyone who seems to be unable to care for themselves as the result of alcohol or drug use should be immediately cared for by pre-selected people whose are explicitly charged with preventing this person from being assaulted (especially since they may have been deliberately drugged by someone planning to assault them). For tips on serving alcohol in a way that greatly reduces the chance of assault or abuse, see Kara Sowles’ excellent article on inclusive events. You can also check out the article on inclusive offsites on the Geek Feminism Wiki.

Putting this to work in your community

We waited too long to do something about it.

Odds are, your community already has a “missing stair” or three – even if you’ve just kicked one out. They are harming and damaging your community right now. If you have power or influence or privilege, it’s your ethical responsibility to take personal action to limit the harm that they are causing. This may mean firing or demoting them; it may mean sanctioning or “managing them out.” But if you care about making the world a better place, you must act.

If you don’t have power or influence or privilege, think carefully before taking any action that could harm you more and seriously consider asking other folks with more protection to take action instead. Their response is a powerful litmus test of their values. If no one is willing to take this on for you, your only option may be leaving and finding a different organization or community to join. We have been in this position – of being powerless against rock stars – and it is heartbreaking and devastating to give up on a cause, community, or organization that you care about. We have all mourned the spaces that we have left when they have become unlivable because of abuse. But leaving is still often the right choice when those with power choose not to use it to keep others safe from abuse.


While we are not asking people to “cosign” this post, we want this to be part of a larger conversation on building abuse-resistant organizations and communities. We invite others to reflect on what we have written here, and to write their own reflections. If you would like us to list your reflection in this post, please leave a comment or email us a link, your name or pseudonym, and any affiliation you wish for us to include, and we will consider listing it. We particularly invite survivors of intimate partner violence in activist communities, survivors of workplace harassment and violence, and people facing intersectional oppressions to participate in the conversation.

2016-06-21: The “new girl” effect by Lex Gill, technology law researcher & activist

2016-06-21: Patching exploitable communities by Tom Lowenthal, security technologist and privacy activist

2016-06-22: Tyranny of Structurelessness? by Gabriella Coleman, anthropologist who has studied hacker communities

We would prefer that people not contact us to disclose their own stories of mistreatment. But know this: we believe you. If you need emotional support, please reach out to people close to you, a counselor in your area, or to the trained folks at RAINN or Crisis Text Line.


This post was written by Valerie Aurora (@vaurorapub), Mary Gardiner (@me_gardiner), and Leigh Honeywell (@hypatiadotca), with grateful thanks for comments and suggestions from many anonymous reviewers.