A couple of years ago, I sat in a hotel suite in Napa Valley, California. The suite was one of 200 surrounding a golf corse in the Marin County highlands, and nearly the entire resort had been rented out for the Linux Foundation’s Open Source Leadership Summmit , as it was every other year, when the summit wasn’t being held in Aspen.
I’d ended up in Napa through a series of what I can only describe as coincidences: 2 years prior to that, I’d tweeted out that I was looking for work. A friend of mine in Berlin, had retweeted it to her timeline of mainly people in the cloud native community. She had been, until recently, Digital Ocean’s Director of DevRel. Before I knew it, I’d been hired as a technical writer supporting the CNCF’s many projects, which is probably how most people reading this today know me.
But back to Napa. While at CNCF, I started something called the Inclusive Language Initiative, and as a part of the work we were doing, it was requested that I come out to Napa that year.
Normally run of the mill Technical Writers don’t end up at the Napa event. The Open Source Leadership Summit is designed as a way for the open source executives the LF needs to keep in contact with to be in-person together. It’s a very high level networking event, with conference talks very nominally attached to it. (It’s a pity, because the conference talks are often electric and generally not recorded).
You’d be forgiven for not knowing what the Open Source Leadership Summit is. It’s not particularly well advertised, and that’s intentional. Up until very recently, it was entirely invite only, and even now, it’s more or less invite only.
I was sitting in this hotel room with a group of friends from the Kubernetes and open source communities. I’d met all of them before, but for the most part, these people’s titles and scopes of responsibility far outranked mine: Program managers at BigCo tech companies with large areas of responsibility, representatives to important organizations like the IEEE, people at the Director level in their careers and more.
I turned to my friend on the couch in the hotel room’s living area and expressed my discomfort. I didn’t belong here. I was uncomfortable with the idea that there were places in this world like this, where money and power moved in secret.
“But that’s the point,” they said. “It has to be like this. It has to be basically invite only, with only the right people here to have the right conversations with the cameras off, so that people can be open."
I didn’t have the tools to deal with this kind of space at the time, and (despite the urging of friends and mentors) elected to shrink into the background of the event, rather than make a fool of myself.
I didn’t know how to operate in a space that was intentionally not open. I’ve never been a particularly popular kid, despite being likeable - I didn’t know what to do with the invitation to the birthday party once I received it.
As I’ve progressed in my advocacy and inclusivity work as an individual, that conversation in Napa has haunted me with its trueness.
At the heart of any great social space where we might meet people we don’t know, the greatest act of safety-making that any community organizers can do is carefully vetting the people who enter the space.
The best of human interactions have some level of spontaneousness involved. It’s hard to be joyful without being open to the unexpected. It’s hard to open yourself to the unexpected without opening yourself to the potential for pain, too, however.
No social network, in-person event, or online community can ensure safety 100% of the time, but they can greatly reduce the risk individual people in the community are exposed to by carefully vetting who is a part of that community.
There are two common centrally-controlled social tools prevalent in social media today: opt-in tools, like codes of conduct and community guidelines, and opt-out tools, like invites.
Opt-in tools are essentially individual liability related. For example, as codes of conduct, community guidelines, and Terms of Service put the onus on good behavior on the individuals: “By participating in x, you agree to do/not do y.” They’re easy to implement with a quick glance-over from a lawyer, which is why they’re prevalent.
These tools put the onus of enforcement primarily on the individual, however: If I am the recipient of behavior that that is out of compliance with the guidelines, I am responsible for reporting it using the correct reporting tools, at which point I am entirely at the mercy of whatever body does something about the guidelines. Usually these bodies, if they exist, are inadequately trained, volunteers or people in the developing world exposing themselves to psychological trauma in our stead, or are people with too much power to be objective.
Opt-out tools are tools which deny access to the community by default until someone has proven themselves in some way: invites are the main means of doing this for social media services. Another example is probationary periods in the workplace.
These tools are unique in that they place the onus of responsibility for the community’s safety in the hands of people already in the community. That said, in most social media services that use invites, their capacity to be a tool for good is limited: we don’t know who invited someone else, for example. The days of being on probation in a new IRC server are also long gone and don’t scale well to a hyperscaled social media service either.
Bluesky is interesting in that, in their own words, their invitation system is designed on a Merkel tree: All user accounts are linked to the invite that created them, which is linked to the account that created the invite, which is linked to the invite that created their account, ad infinitum.
The Bluesky team has also stated that if a new user exhibits behavior that they don’t accept, in addition to levies against the new user they suspend up the tree and lock the inviter’s ability to invite new users for a set period of time.
This is brilliant. It adds a layer of social pressure to the act of inviting someone, and strengthens the weight of the invite in the process.
What would be better is making the Merkel tree public.
A panopticon is a prison concept in which all cells face each other in a circular structure. A guard tower is placed in the center, but the idea is that the inmates, given other inmates to stare at, will report on bad behavior and essentially multiply the number of eyes past what the guards have in their own heads.
Most social situations of any kind of an element of the panopticon about them: humans are well documented to bend their behavior to fit social pressure, and to actively shun and remove elements of their community in organized fashions even without a central guard tower.
Exposing the Merkel tree would do just this. It’s easy to ignore the bad behavior of one person, and it’s easy to shy away from association with them in public to remain a part of the group.
It’s far harder to ignore bad behavior when we think our own reputations might be tarnished by it.
Publicizing the Merkel tree would give the community the power to self-sequester its own bad elements far more effectively than removing the invites of individual users. Social pressure is the only pressure we really respond to.
Much has been made of Bluesky’s native content filtering and moderation features, but note that the underlying AT Protocol’s actual moderation spec is fairly rudimentary, as one might expect from a general-use spec. Unfortunately we can’t program our way out of this.
Looking at the spec also reveals that the content moderation Bluesky and other apps that implement the AT Protocol will have the same failings as… content moderation everywhere: ultimately, they need to land on someone’s desk to deal with them.
Content moderation and community safety work on the internet is ugly as hell, and genuinely psychologically damaging. It’s near impossible to automate for more than 6 months, meaning that dealing with content moderation in a truly useful way is a huge drain on company resources ($$$$/headcount) and most companies aren’t willing to invest in this kind of work when they can do things that directly make them money.
This isn’t to criticize Bluesky or the AT Protocol at all, it’s simply to point out that content moderation at the scale of many-millions is impossible to scale by the traditional means that most businesses scale things.
However, humans are gonna human: far better for us to take advantage of natural social behaviors and hope for the best.
There’s always a chance that exposing the Merkel tree could lead to angry mobs cancelling people for silly reasons, but revoking someone’s rights to invite temporarily is a pretty light punishment. For certain people, i.e. public figures, special exceptions in this flow would need to be made due to the sheer size of their audience, but that seems to happen on any social media network anyways.
It seems like Bluesky is in it’s “a republic, if you can keep it” era, and I’d like to see us keep it.
Community safety is hard. But an exclusive door policy is what’s kept Berghain running for 40 years, so something about it must work.