Online harms are hard. Meet a woman who is harder.


Estimated reading time: 5 minutes
Musings / Professionalism / UK policy
"Aliens" movie scene: Ripley vs bitch

I only choose friends who are brilliant, badasses, or brilliant badasses. You may have reached the part in my book where I exalt the deeds of one of them. This week I’ve had cause to exalt her again, but not for any reason she would have chosen.

Meet Mika, whom I met in my days in the WordPress.org open source community. As she’s on the west coast of America, I’ve not seen Mika IRL since before *waves hands at the universe*, but hopefully we can sort that soon.

Three years ago, Mika confided in me that she was a year into the receiving end of an unusually deranged stalker’s campaign of threats and harassment.

She still is.

This week, after four years of doing everything humanly and inhumanly possible to deal with it, she decided that enough is enough. While she had previously gone public about the harassment, albeit in a self-censoring manner, in the form of a conference talk on burnout, this week she decided to name the individual in a 10k+ word blog post where she also chronicled his harassment year by year.

Disclaimer: I’ve known the chapter and verse of Mika’s ordeal for three years, so at this stage it all washes over me. Those of you just learning about this, however, should be aware that her blog post, and the documentation linked to within it, chronicles targeted stalking, harassment, and threats which have been carried out at a speed, volume, and force that simply beggars belief. In other words, it’s heavy stuff. Give yourself some headspace before, during, and after your read.

Her blog post is here.

As you read her post, you may come to understand how Mika’s ordeal has influenced my thinking on policy, both in my immediate UK Online Safety Bill context as well as the wider policy debates on online harms, content moderation, and trust and safety.

As should befall everyone reading her post and reflecting on what she’s been through. (And, yes, she told me it was OK to write this post and bring you into those lines of thought; after all, her ordeal has to count for something.)

Consider, for example, how the harassment against Mika has, essentially, been old school. The stalking has not been carried out on (yawn) “social media” “tech giant” platforms; while her stalker has done some of the side incursions against her and her family on household names, the fusillade of harassment has been entirely DIY on self-hosted email accounts, message boards and forums, Googling, and roll-your-own tools. Put another way, nearly all of the means and methods he is using are from the 1990s, unchanged from the 1990s.

I could almost giggle at the thought of the usual suspects in their ivory towers reading her blog post and ctrl-F’ing “Facebook” “Meta” “Mark Zuckerberg” “WhatsApp” “TikTok” and being baffled that they’re finding nothing. “What do you mean the online harms are not on social media? I don’t understand. How does that work? I wasn’t aware that’s a thing that a person could do!” Proof, as if it were needed, that playing the man and not the ball does not actually help the people on the receiving end of abuse.

Now, Mika fully acknowledges that were she not a development professional herself, meaning someone who is able to script her own defensive tools, blocklists, and early warning systems, she would not have stood a chance, and certainly not through four years of online and real-world hypervigilence. (Talk about picking the wrong adversary…)

Where online intermediaries have been involved – for example, he’s tried to bribe her and others via PayPal, started a petition on change.org to get her fired from her volunteer position, and so forth – those intermediaries have, by and large, acted quickly and efficiently. In fact, the creative rapaciousness of his harassment has perversely done some of these smaller platforms a favour, as he has given them institutional experience and pathways on how to deal with people like him who misuse their services in unconventional ways.

So how do we deal with an ordeal like hers, in a legislative environment which wants to regulate her open source community as if it was Facebook; a legislative environment which would respond to her harassment by threatening her own teams with arrest and prosecution under senior management liability provisions, as the harasser himself sits back on the other side of the planet laughing his sick head off?

As you read Mika’s post, you’ll learn how her stalker even ignored a cease-and-desist order issued by a US court. It’s clear from his conduct that even if that order had been issued in his own country, however, he would have ignored it just the same. So what is the solution here, when dealing with someone who is quite clearly beyond any sort of help, rationality, or willingness to cooperate?

And no, it’s not the job of Mika, her employers, her open source projects, or platforms and service providers to stop his harassment, “fix” his problems, or compensate for the obvious lack of a social safety net, mental health care, and societal guardrails in his own country which would otherwise have restrained him.

So why are politicians determined to legislate for online harms as if it is?

Outside the realm of policy, there’s also the rather sticky issue of her own open source community, which has no project-wide code of conduct, as that would spoil all the fun of the leadership team’s manufactured psychodramas. (There’s only a CoC for conferences.) There’s also no open or transparent governance for decision-making outside code. That means there’s no way for the project or community to ban this individual from the project, for life, as absolutely must be done when someone has knowingly exploited a community that badly (subtweet). Her project can’t do that because the structures aren’t in place to either make those decisions or define the criteria – the red lines, if you will – which would merit a lifetime ban. Without those guardrails and transparency, any process to ban him would turn into a process to shadowban anyone the leadership just doesn’t like personally, and yes I have some experience in this.

So that means that every volunteer conference organiser has to make sure he hasn’t bought a ticket, as he constantly threatens to show up in person. Likewise, the whole community has to mirror 5% of the structural and technical defences she’s had to build on forums, project sites, and community spaces just to stave him off for a few hours.

Codes of conduct are all politically correct bureaucracy until a psychopath making death threats enters the chat.

Online harms are hard nuts to crack, folks. They – and the people who commit them – don’t respond to common sense, compassion, patience, restorative justice, codes of conduct, terms of service, the rule of law, your rule of law, your distinguished academic CV, your titles and prestige, your exclusive op-eds, your proposed legislative solutions, or court orders. Mika’s ordeal should stand as an example of just how hard they can be;

of just how uncontrollable online harassment can truly be;

of just how technically complex the vectors can be;

of just how utterly pointless and counterproductive some proposed legislative solutions can be;

and of just how bloody strong that woman is.

Header image: Mika dealing with your shit

The Author

I’m a UK tech policy wonk based in Glasgow. I work for an open web built around international standards of human rights, privacy, accessibility, and freedom of expression. The content and opinions on this site are mine alone and do not reflect the opinions of any current or previous team.