The MNHQ Moderation Team: Thread 2

[BarrackerBarmer]

Follow on thread regarding the data breach situation:
___

Dear MNHQ

I'm very grateful for the commitment to free speech you've publicly taken, and for Justine's courage this week.

A former disgruntled employee of MN is writing on Twitter about the 'transphobia' of MN staff, and calling you TERFs. She is showing a great deal of bias and intolerance towards women with feminist views, this may well be her honest opinion, which is no big deal I suppose, since she is no longer an employee.

At least, it isn't an issue until she calls a shout out to her
'friends who still work at MN' to report and take down posts by 'transphobic scum', by which she appears to be referring to any poster objecting to being called TERF by her friend.

Regardless of the personal views of the MNHQ staff, who should be as free to hold their own views as I am mine, I am disturbed that there may be a small contingent of employees who are invested in unfair moderation and will not be applying fair-handed principles, at least if the claims of this ex-employee are credible.

Can you please give posters some reassurance that the difficult job of fair-handed moderation isn't being abused by the 'friends' of ex-employees who are 'reporting it all' and taking down posts because any gender criticism means the poster is 'transphobic scum'?

Thank you.

I'm just more and more incredulous about this. If you welcome transactivists onto your staff, you really don't have the right to be surprised that they behave the way transactivists have always behaved

There are people with plenty of passionate views on subjects - how do you ensure that they keep people's data private even though they many be passionately against what someone believes.

There are very passionate gender critical feminists on here - should they be trusted with a position at MN because they could out transwomen who post?

Oh FGS Justine when something like this happens a jolly ‘she’s a very nice person and I’m sure she won’t do anything mean with the data she has, she’s just a silly billy airhead like us’ doesn’t cut it

This ^. I’m really shocked and surprised at Justine’s response.

It doesn't matter if she had access by accident. It doesn't matter if she's sorry.

We can't assume that the posted screenshots were all she took. We have no idea what data has been taken or shared, where and with whom.

We need reassurance that the proper procedures are being followed.

We need to be told exactly what data she had access to and if there is anything we can do to protect ourselves right now.

@MNHQ it's turning into a very long week!

I'm going nowhere.

What woman has been threatened as a result of this? There's a poster who said she's been called Terf offline and wonders if it is connected. I haven't seen anyone say they've been threatened as a result of this?

Currently we have no evidence at all to suggest that any personal information on MNetters has been passed to anyone or that the Tweeter even has any. 4 IP addresses were included on a screenshot on someones public Twitter page (stupid thing to do deliberatey, hardly seems like part of a campaig) and someone who used to work for MN has said it's possible to have done that accidentally.

That's all that's happened so far so yeah, keeping a level head and not calling it an act of terrorism seems about right currently.

I'm just catching up

If Mimmymum is still tweeting the IP addresses of some mumsnet gets, is she breaking data protection rules too??

DH says no, they haven't broken rules as its about how data is obtained not how it is spread.

Catching up

I think it was a genuine mistake that the posts had IP addresses on them.

Everyone knows what an IP address is. I know what an IP address is, and I don't have any tech knowledge whatsoever.

MNHQ response yesterday wasn't satisfactory. It's OK to try to reassure people, but they really had no basis for reassuring anyone, since they did't know then, and still don't know, what EH has taken.

I would have expected a website like MN, which has vulnerable people as members, to scan the online history of anyone who applies for work. Everything about her online history showed that she has no common sense, and has very strongly held views that could be viewed as anti-woman. Would MN hire someone whose online history showed they were militantly anti-abortion?

I have a pain in the hole from people saying "she's ruined her life, let's not make things worse for her". That's female socialisation talking. I don't believe she's ruined her life at all, and I don't think she gives two flying fucks. She's a writer, she doesn't think she'll need a career, so this won't matter. If anything, she probably thinks this will gain her notoriety, and that she'll get a job at Penis News.

Today 07:51 My post on the other thread

Indeed. Rather than just advice and assistance from IT specialists, MN need to seek advice from the women's sector to learn of the extra levels of security required when dealing with DV and the extraordinary protections needed for hiding women and families fleeing violent, obsessive, relentless, narcissistic men.

If MNs IT safety advisor only knows about data protection in relation to finance rather than serious matters like these, they are inadequate for MN and measures similar to hiding those needing police protection need to be sought.

This is the most serious case scenario
needs safeguarding against - and MRAs are already MNs enemy no1 - it is well known that they are also uniting with TRA to hurt women and break down women's protections so that women have no legal escape from men. They are open about it online.

Marking place in the hope of proper response from MNHQ.

What woman has been threatened as a result of this?

The bigger problem is data security and recruitment and training of staff. It’s ‘TERFs’ this time - what if it’s women planning to have an abortion next time?

I'm also really unhappy with MNHQs response. Don't minimise this! She's not a silly little girl, she's a grown ass adult who made a conscious decision to throw other women under the bus for the agenda. If you don't take this seriously MNHQS, you're also throwing us under the bus, and how many of us do you think will be happy about that?

I'm not deleting anything, but you need to get your act together here, an apology from someone who deliberately committed a criminal act will not wash.

Based on Emma's online history I wouldn't have hired her for a job with the ability to retaliate against people she doesn't approve of as the one she seems to have had, especially if the company I was hiring for was a target-rich environment in terms of providing access to the group of people that her sm profile already indicated that she was eager to strike out at. It was an incredibly boneheaded hiring decision, and MN need to be taking a close look at their hiring practices.

(also copied from other thread)

I agree. Unfortunately responses from MN so far seem focused on sweeping it under the carpet before even establishing the breadth of the data breach...all at the expense of users. Since, as previously posted, Emma has publicly included the phrase "Fuck MN" it's clear that MN have seriously misjudged her character once already.

Platitudes alone simply don't work in a situation of this nature and severity when it comes to user data. Hopefully the MN team will come up with a more concrete and appropriate course of action today.

Edited to add:

After catching up here is politely suggest MN should review their choice of legal advisor....as well as IT/data security advisors and Employment policies of course

We've been here before with Jeremy. Funny how someone supporting the TRA cause has adopted the tactic of the MRAs. It's a deliberate attempt to cause panic, to discredit MN as an organisation and as a purveyor of 'unacceptable' opinions. The misrepresentation of the Section 28 comment is laughable.
There will be a degree of information that MNHQ can share with us about their response and there will be other steps/comments that they shouldn't make in public at this time.
The TRAs are annoyed at Justine's article. They're annoyed at the Spectator article which made it clear we know TRAs pose as MNers to make deliberately inflammatory posts (so they can say then screenshot them). They're annoyed that we won't just shut up and be nice.
All they've achieved is a young woman sacrificing her career and MNHQ presumably looking again at their recruitment and data protection processes.

It's like Marie Stopes hiring someone whose entire sm profile is about attending anti-abortion protests, ffs. Someone made the decision to hire Emma, and that person did not do their job properly. That needs looking into, not to drag that person out to the stocks for a public shaming, but to ensure that future hiring decisions are made more intelligently.

Refuse makes an excellent point on the other thread about the fact that disclosure of data from MN potentially risks physical harm to individuals.

The assumption in commercial DPA is that ultimately the concerns are financial. If it goes wrong, the risks are (a) that customers/etc will sustain financial losses and have to be compensated financial and (b) the ICO will fine you, which is a bottom line loss. It's money. In medical DP, the risks are more diffuse but people are (in general) assumed not to be harmed by disclosure in a way that cannot be dealt with by compensation, apology and so on.

If MN are indeed holding data which identifies people at risk of serious physical harm possibly including death, which seems very likely (at the very least, MN hold a data set which is capable of being analysed to produce data which puts people at risk of physical harm) then, in the old world of HMG Infosec Standard No. 1 ("IS1") MN are holding data whose disclosure risks "Permanently incapacitating injury or illness to a group of individuals impacting work and leisure activities. The individuals will suffer with permanent disabilities. Loss of life to an individual. Health and Safety Executive review undertaken due to the scale and impact of the crisis".

That's IL5, SECRET. That's heavy shit. Massively complex handling and management rules, change-controlled and audited infrastructure, everyone with routine access cleared to SC. It's hard to see how you could run a public forum where the aggregated data and the underlying authentication data is IL5. And arguing data is "UNCLASSIFIED, SECRET in bulk" is going to be a big ask.

Indeed, Refuse might could argue it's data capable of "Permanently incapacitating injury or illness to a large group of individuals impacting work and leisure activities. Potential for a limited loss of life. Health and Safety Executive enforcement notice leading to prosecution due to the scale and impact of the crisis", which is IL6, TOP SECRET: everyone who goes near it DV cleared, etc, etc. But it doesn't meet any of the other tests for TOP SECRET, not remotely, so let's settle on IL5.

It would ambitious, to say the least, to attempt to assure a system in which millions of uncleared users have access to a large web platform where parts of that data are IL5. I'd go so far as to say it's impossible, in any meaningful sense.

This is, in 2018, new and uncharted territory. I suggest MN might like to talk to some academic and commercial IA people in an NDA's environment to discuss options. But having interns able to see identifying data and exfiltrate it in an uncontrolled way isn't a promising start...

(Added on this thread: yes, you need to also consider the capability and motivations of the threat actors. Based on yesterday's incident, and her friends, I think it can be assumed that both capability and motivation are proved).

I hope @MNHQ will publish a proper statement today laying out exactly what happened, where we as members stand, and what formal course of action they will be taking against this former employee.

A chat and a ‘she said sorry’ doesn’t cut it and makes MNHQ a laughing stock. Their reputation is on the line here, just as EH wanted.

For everyone changing details, please bear in mind anything you make up may well be (subconsciously) still related to you or your life.

For truly anonymous details - even a whole profile, you can generate something quite random at (for example, others exist): www.fakenamegenerator.com/

Changing accounts, emails, deleting posts now only affects the future.

What the ex intern might already have is all the details of what you posted, and the names and IP addresses of all the people who posted them. And as we know, there is no 'reasoned' approach...just posting on here is enough for the TRAs to assign us all as anti-trans.

So the question still remains, what data did she take with her? She is probably under pressure now to prove herself to TRAs and hand it over. Before they then throw her under the preverbial bus.

The problem for mumsnet on the whole self id issue is they can't win... Shut it down and upset women, or allow it to go on and get rage from the TRAs. A situation like this, handled in a way which means users lose confidence and stop discussing gender critical issues, will shut down debate without being officially mumsnets fault. It could be a blessing in disguise for Justine. Just saying.

Really it doesn't matter whether she was gathering posts on trans issues or posts by people discussing their mil.

The fact is that she stole identifying data. I imagine that we would all have a collective heart attack if our real names were revealed, no matter how innocuous the thread we were posting on or how bland our comments. Just saying "Oh, never mind," about an employee or ex employee doing this sends a message to anyone who could use data for nefarious purposes that it's no big deal.

I agree that there should be a review of hiring practices. Just like in many jobs you need a DBS check, those with access to personal data should have a full "activist" check.

Ah, the modern world...

I genuinely think it's possible that a non-compliant woman will be seriously hurt by a member of the extreme TRA fringe at some point. And who knows what will precipitate it? Emma's data breach could easily be the trigger.

This is just awful.