289

What are Stack Exchange, Inc.'s policies regarding whether and when private or sensitive information will be shared by the company with the public, and particularly with the press?

By "private information," I mean information from sources such as:

  • Non-public chatrooms, including mod-only rooms

  • Non-public Teams instances, including the one for Stack Exchange Moderators

  • Private communications between moderators and users

  • Private communications between SOI staff and moderators

  • Deleted content, which can only be seen by moderators or "trusted users"

  • Flag explanations, which can only be seen by moderators

  • Users' Personally Identifiable Information

By "sensitive information," I mean information such as:

  • Characterization of patterns of behavior of individual moderators or users

  • Characterization of on-site controversies

It would seem to me that it would be standard corporate practice to avoid sharing any of the above with the public, and especially the press, without significant exigent circumstances and the utmost of care. In particular, all of the "private" information listed above is shared on the Stack Exchange platform with explicit agreement or at least implicit mutual trust that what is transmitted in a private space stays in that space or in spaces at least as private.

However, following its removal of multi-community-moderator Monica Cellio, SE spoke to The Register, sharing information from non-public spaces and characterizing the behavior of a specific user. This behavior makes me wonder whether the privacy assumptions I describe above are in fact reflected in company policy and practice.

As the shared trust regarding private information staying private is the basis of countless communications that my moderator colleagues and I engage in with Stack Exchange users, with each other, and with SE staff, I believe it's important that SE clarify whether and how this shared trust extends to the company.

Improve this question
11
  • 6
    In this particular case, who went public first, SE or the Moderator?
    – dfhwze
    Commented Oct 16, 2019 at 16:34
  • 65
    @dfhwze I submit that that's irrelevant. The company's disclosure of information from private spaces to the press was surprising, in any case, and the point of this post is not to litigate that case and the complex nuances in it, but to ask what the actual policy is.
    – Isaac Moses
    Commented Oct 16, 2019 at 16:34
  • 2
    Perhaps it can be taken into account for the decision-making process of SE to go public.
    – dfhwze
    Commented Oct 16, 2019 at 16:35
  • 20
    I am assuming, based on recent events, that the answer is "whenever they decide to"
    – Richard
    Commented Oct 16, 2019 at 17:26
  • @Richard, I hope and expect that that's not correct. The development of the whole private-spaces and moderation-messages infrastructure is consistent with SOI taking information privacy very seriously, and SOI is sitting on too many megabytes of personal, private, and charged information to not have well-thought-out policies in place regarding its disposition.
    – Isaac Moses
    Commented Oct 16, 2019 at 17:31
  • 2
    Richard is pretty obviously correct. The most an "official" answer to your query could do is produce words on this specific URL that say whatever they say. The actual, implemented policy based on actions is not constrained by words said in other contexts.
    – Chris
    Commented Oct 16, 2019 at 18:00
  • 112
    @Peter SE violated their own privacy rules within seconds of pulling the trigger, by making an announcement of my firing to 600 people in TL (with false allegations, to boot). That completely removed the ability of the victim to control the public message, a courtesy that has been granted to all previously-fired moderators (so far as I know) and, by policy, all suspended users. None of that is about the press, but it's relevant background I think -- right from the start, they didn't consider privacy to be important.
    – Monica Cellio
    Commented Oct 16, 2019 at 18:43
  • 46
    An absolutely critical issue for all users when a manager can libel a respected moderator and not be fired for it herself. I for one do not trust SE at all, not that they care if they are trusted.
    – StephenG - Help Ukraine
    Commented Oct 16, 2019 at 18:57
  • 30
    Thank you for asking this. IMO this is the most important aspect of the situation. SE removing Monica's mod status, correctly or not, doesn't really have much impact outside of SE itself, but going to the press with it can (and it sounds like did) have real-world impacts on Monica outside of SE, and was completely inappropriate. The fact that SE has yet to apologize for their statement to the press, retract it, or promise to never do that again is a huge part of the reason so many people are still upset.
    – Nate S.
    Commented Oct 16, 2019 at 19:03
  • 2
    @SaraChipps, while y'all are formulating the official response to the situation, I'd ask that you please make sure this aspect of things does not get overlooked.
    – Nate S.
    Commented Oct 16, 2019 at 19:07
  • 2
    "Under what circumstances will Stack Exchange, Inc. share private/sensitive information with the press?" Hopefully never.
    – NoDataDumpNoContribution
    Commented Oct 17, 2019 at 8:57

6 Answers 6

Reset to default
44

We care about the concerns of the community, written about here and in other places, and are committed to ensuring that there are no deviations from this policy in the future. Though we had internal policies on talking to the press in place before the events that led to this question being asked, it became evident that those internal policies were in need of improvement.

There are clear processes in place for all staff to follow, instructing them to direct any press inquiries to the relevant staff. And for the staff (and agency representatives) who are authorized to talk to the press, there are now clear directives in place to not speak about individual Stack Exchange/Overflow network moderators or users without the express written permission of the user. There are no exceptions to this policy.

To quote our internal press policy:

Authorized Media Representatives should not speak to the press regarding network users or moderators without having received prior written authorization to do so from the subject of the inquiry…Aside from Authorized Media Representatives, no employees or staff should speak with members of the press (in any medium) regarding Stack Overflow customers, network users, or moderators, unless specifically delegated to do so in writing by an Authorized Media Representative. All queries from the media should be forwarded to [an internal email address], and no reply should be given other than "I am forwarding your inquiry to the appropriate contact."

Likewise, version 2 of the moderator agreement states:

[Stack Exchange, Inc. agrees that it will: …] Get your explicit written permission before commenting to any media (including media outlets controlled by Stack Exchange Inc.) or independent reporters about you or your moderator actions as per our Press Policy.

With regards to questions about remediation: We cannot talk about the specifics of any individual case, or how any specific case would be handled in the future. Nor can we offer any remediation here beyond what is discussed in our Terms of Service. The policy cited above is a core policy of the company, and any intentional violation of it will be addressed on a case-by-case basis.

Also relevant to this topic is our privacy policy, wherein we list general contact information for our privacy officers, and state:

Stack Overflow is committed to the safety and security of your personal data and the information that you share with us and with the public. We treat your personal data and safety from harassment as top organizational priorities.

We invest a good deal of time, effort, and money to safeguard the privacy of our users and their data. This is an ongoing concern of ours, one that we hold as sacrosanct, and that we are always working on improving.

7
  • 19
    Hey Teresa! Yaakov sent me this answer - that's a huge step forward! Thank you for dealing with the elephant in the room. There's still two minor concerns on my mind (both of which I'll probably put into words at some point), but as stated, they're minor concerns. If there's a clear "we won't feed people to the wolves" policy, that has me set.
    – Sébastien Renauld
    Commented Jun 16, 2020 at 18:47
  • 35
    This is good to see. I relayed the short message above from those responsible 8 months ago - it was necessary at the time, but really, "we won't shoot off the other foot" was pretty weak sauce. This is much better - unprompted and well thought out, it more strongly suggests such a policy might actually be heeded in the future. 👍
    – Shog9
    Commented Jun 16, 2020 at 19:22
  • 12
    You mention, "though we had internal polices...". Was the initial action in speaking to the press a violation of company policy, or was it permitted at the time but banned after the incident?
    – Robert Columbia
    Commented Jun 16, 2020 at 20:53
  • 16
    @RobertColumbia I'd be pretty uncomfortable with SE answering that question, because it would be doing to an employee exactly what has been done to a moderator that caused all this consternation in the first place. I don't think the community should be in the position of calling for heads or reckonings for individuals employed by the company.
    – Bryan Krause
    Commented Jun 16, 2020 at 21:10
  • 1
    Ms. Dietrich, your user page here links to teresadietrich(dot)com, which in turn tells us that you can be reached at teresadg(at)gmail(dot)com. Do you ever reply to such emails? It's been two months since I wrote to you there. I have been an almost daily poster here for about a decade, with a reputation of over 238,000.
    – Michael Hardy
    Commented Aug 6, 2020 at 5:14
  • wow, this post certainly aged like milk.
    – Esther
    Commented Jun 13, 2023 at 14:56
  • Worth noting, @Esther, that Teresa left the company shortly before the current ... Let's be nice and say "bad faith interpretation" ... Of this policy came into play. I believe she had every reason to believe it would be upheld in the spirit in which it was written, that of mending fences vs burning bridges.
    – Shog9
    Commented Jul 15, 2023 at 18:13
250

We didn't have a policy here; we do now: "no comment."

This is the first time that we've been asked to comment on a quote concerning a moderator, and reporters aren't always very forthcoming. So we've codified "no comment" as a policy and will operate using it going forward.

Moderators are free to talk about their circumstances to anyone they feel should know. But if we're ever in another situation where a reporter asks us to reply to a quote about moderators or other community members, we'll decline to comment and cite our policy instead.

Improve this answer
25
  • 54
    Thank you for the clear, straightforward answer. Might I recommend that you guys publish this somewhere conspicuous, e.g. stackoverflow.com/legal/privacy-policy ?
    – Nate S.
    Commented Oct 16, 2019 at 23:58
  • 123
    Thank you. Is any remediation being applied to the case that led to this policy being formalized? I mean, even without a formal policy it's kind of common sense, don't you think?
    – Monica Cellio
    Commented Oct 17, 2019 at 1:19
  • 5
    Updating the privacy policy is no small task, @Nate. We need to ensure this policy is in effect now; future updates may codify it in some such way, but that's not something I can readily speak to.
    – Shog9
    Commented Oct 17, 2019 at 1:21
  • 39
    I've realized over time that "common sense" is a term we use for things that are obvious to us but not others, @Monica. This would indeed have been obvious to certain people at certain times in the past; that it wasn't in this instance I attribute to a rather high turnover in recent years. There are things that are said that cannot be taken back, no matter how much harm they cause in retrospect; we've all seen this, in our own experience and in that of others. What can be done here… I do not know. I trust that those leading this endeavor will do their best, if not in the past then the future.
    – Shog9
    Commented Oct 17, 2019 at 1:25
  • 201
    Things can't be taken back completely; damage done can't be undone. But it is usually possible to stop the bleeding, to retract the wrongfully-said thing (and spread it to places it was repeated), to show regret and apologize, to ask the victim what might help make things right. These are all things that (in my limited experience) are usually done as soon as the problem is discovered. I realize that you yourself have no power to act here, but perhaps you can help press for, if not justice, at least some correction.
    – Monica Cellio
    Commented Oct 17, 2019 at 1:42
  • 10
    And just saying: no comment is a perfectly fine policy. I am working for a global player IT company, and "never publicly comment on issues" was stated like on my first day working there.
    – GhostCat
    Commented Oct 17, 2019 at 8:49
  • 10
    @MonicaCellio, I wholeheartedly believe you deserve an apology, but I doubt you will get one. AFAIK, if they apologise to you, it will equate to admitting liability and will leave them open to lawsuits. Ironically, if they'd just dealt with this properly with a quick reversal and apology, they could have avoided all of the backlash/escalations, nipped it in the bud, and everyone would have been happier. Fear will do funny things to people.
    – Doctor Jones
    Commented Oct 17, 2019 at 8:50
  • 33
    What is your legal authority for saying this ? The problem at the moment is rooted in individual managers being able to say what they like with no consequences. You state this is policy, but do your words have any authority over e.g. Sara Chipps or David Fullerton (or for that matter the CEO who likes to talk to Forbes but not us) ? So a clear statement from the CEO is really what is required.
    – StephenG - Help Ukraine
    Commented Oct 17, 2019 at 10:44
  • 17
    @Shog9 in this case things can be taken back, by issuing a retraction to the press that received the original comment. Ethical journalists would probably amend their original articles.
    – OrangeDog
    Commented Oct 17, 2019 at 10:49
  • 83
    @Shog9 - in any self respecting company other than 3-dude garage, the person responsible for such an egregious lapse of judgement (even assuming there was no formal policy violation) would be disciplined severely. Additionally, the person responsible for NOT having such a policy would be either disciplined or fired. And in true Monty Python fashion, the person responsible for hiring someone such a person for Director level position should be fired as well. This isn't some intern who did this.
    – DVK
    Commented Oct 17, 2019 at 12:19
  • 32
    First of all, thank you for this answer, Shog9! "What can be done here… I do not know." Nothing is easier than finding out what can be done, what needs to be done, for those responsible (not you). The apparently hard part is understanding why it's the right thing to do and actually do it. What to do: Reinstate Monica (the sooner the better), clear Monica's name on those platforms that were used to smear her (The Register, MSE itself, TL), actually and honestly apology to her publicly. It won't undo the past but it would be a great step forward. And it would be well-received.
    – Anne Daunted GoFundMonica
    Commented Oct 17, 2019 at 13:26
  • 20
    @DoctorJones that's the sort of thing that can be addressed in a contract, though, like when you leave a job and getting your severance pay is conditional on you agreeing not to badmouth the company (common practice here in the US). They could absolutely avert legal liability if they really want to make things right. They would just have to operate in good faith to reach that agreement.
    – Monica Cellio
    Commented Oct 17, 2019 at 13:38
  • 10
    @Shog9, I'm quite aware that it's no small thing to update the privacy policy, but the reason for that is the same reason I think it's important: it's legally binding. If it's just a not-officially-published internal policy, then I assume it can change without notice at any time, and next time this happens, y'all can just say you changed the policy or made an exception, and no one can do anything about that. I'm glad it's going into immediate effect (though retroactive effect would be even better) but making it official is important too.
    – Nate S.
    Commented Oct 17, 2019 at 16:09
  • 23
    @Shog9 I'm glad you now have a policy (as my answer suggested there needs to be) but the question still stands that why would someone in such a high position having dealt with press/public relations before even consider talking to a third party regarding an internal dispute? In what setting would that be appropriate?
    – Script47
    Commented Oct 18, 2019 at 9:30
  • 9
    @Shog9 Search engines have processes for slander victims to request that false/misleading information be de-ranked. An apology/retraction from SOI would give the victim the evidence needed to go through that process.
    – bta
    Commented Nov 5, 2019 at 20:46
121

No one can get the necessary individuals to answer this question, so I'll just leave this here.

Sara Chipps has damaged the trust of the community in Stack Exchange, Inc.

We as users cannot trust that she or another employee of Stack Exchange will follow any policy about what information they will give away or what they will say to the media when asked. She hasn't been transparent. She simultaneously maintains that her version of events, or at least her interpretation of Monica's stance, is perfectly valid to hand to the media, the network users, and the users of TL, and that any evidence or exact reasoning is too sensitive to share. Simultaneously.

Meanwhile, Monica's own words and version of events has been corroborated, and she has been entirely graceful and benevolent. It's great that Shog said there's a new policy of "No comment." but they didn't even follow the policy for the removal of modship. If we can't trust them to follow that policy, then how can we trust them to follow a non-codified, Meta post about a potential policy on what they will say to the media?

In any company that I've ever known, had an employee of that company went to the media and slandered an individual, they would be fired for it. They wouldn't just be fired for it. They would likely wind up in defamation litigation over it. However, it doesn't always end that way. Decent people don't double down on it, vanish, or say nothing. They apologize and issue retractions, and give said retractions to the relevant journalists.

We, as people, know when we hear damage control when the damage was blatant, negligent, and too difficult to clean. The words are sloppy, the evidence becomes private when privacy wasn't their original concern, and you can just feel that something is wrong. This is one of those times.

It's like when Blizzard took away the 10,000 dollar prize money from the boy who supported Hong Kong. They didn't return it until the sky collapsed on their head. Sure, they'll issue robotic-sounding public relations remarks, promise to do better, or say they're listening. This isn't enough.

For a policy to really matter, it has to be followed, and any Stack Exchange employee, mod, or Community Manager should follow it. And if they can't, they should be shown the door.

Oh yeah, and actually reinstate Monica, with an apology, and to issue a retraction to the relevant journalist. That's Step Number One to restoring faith.

Sara didn't go to the media. Someone spoke to the media and the media came to us for comment. – Catija♦

Based on the response received, I cannot in good conscience remain on this site. It is not the case that if the media comes to StackExchange first, that it would then be okay to act in a way that's diametrically opposed to the new proposed policy or basic human decency.

Improve this answer
5
  • 5
    The accepted answer is written by us... the staff. The people who work here. It's the official policy now based on discussions with our VP of Marketing and Communication. It doesn't get more answered than that. Sara didn't go to the media. Someone spoke to the media and the media came to us for comment.
    – Catija
    Commented Oct 19, 2019 at 6:16
  • 94
    @Catija I'm just tired to see so many BS "apologies" from SE employees. I'm also tired to see excuses for Sara's inexcusable behaviour. Please, don't hide behind "Sara technically didn't go to the media", it only deepens the gap between SE and the community.
    – Eric Duminil
    Commented Oct 19, 2019 at 7:11
  • 39
    @Catija It does not matter who went to the media. A company employee told the media something it does not matter if it started with a company or with the media.
    – mmmmmm
    Commented Oct 19, 2019 at 12:46
  • 92
    Sara violated SE's code of conduct multiple times (in the press, on main meta, on per-site metas), in addition to violating general standards of decent behavior. "We'll do better next time" without some serious correction of the damage done this time is pretty hollow.
    – Monica Cellio
    Commented Oct 20, 2019 at 1:26
  • 38
    "In any company that I've ever known, had an employee of that company went to the media and slandered an individual, they would be fired for it.". This is absolutely what should happen, she's committed a catalogue of actions that have bought SO into disrepute. Any normal company would have dealt with this quickly to prevent further damage. As no action has happened, and this saga is still ongoing, it signals a deeper problem at SO. The fact that this behaviour isn't considered unacceptable is deeply concerning. Don't expect it to change any time soon.
    – Doctor Jones
    Commented Oct 21, 2019 at 8:43
107

If Stack Overflow, Inc did this to an employee, they would be in violation of employment law and it would become a case of criminal wrongdoing. The company would face fines and punitive measures, as well as a thorough investigation into their employment practices.

Unfortunately, moderators are volunteers and have little to no federal or state protection.

A civil case can and should be pursued immediately and vigorously, but that is up to the two parties involved.

This is abuse, plain and simple, and the company must be held accountable for violations of privacy at minimum. It should be relatively easy to show that they've violated their own privacy policy: https://stackoverflow.com/legal/privacy-policy

Which all moderators have agreed to abide: https://stackoverflow.com/legal/moderator-agreement

Update:

Stack Overflow, Inc, representative Sara Chipps responded to a reporter for an EU publication asking about this situation.

This may constitute transfer of personal private information between the US and the EU, and should have followed Stack Overflow's internal processes for complying with the EU - US Privacy Shield Framework. Per their privacy policy,

Under certain circumstances, you may invoke binding arbitration to determine, for residual claims, whether Stack Overflow has violated its Privacy Shield obligations, and whether any such violation remains fully or partially unremedied. Stack Overflow has further committed to refer unresolved Privacy Shield complaints to the PrivacyTrust Shield Program, an alternative dispute resolution provider located in the United Kingdom. If you do not receive timely acknowledgement of your complaint from Stack Overflow, or if we have not addressed your concern to your satisfaction, please contact us: privacy (at) stackoverflow (dot) com or visit https://www.privacytrust.com/drs/stackexchange or at the contact information provided below.

Thus it's important for those who find themselves in a similar situation to immediately contact the privacy officer even if they are not interested in legal processes because the company needs to correct an internal fault to prevent it from happening again.

It is about correction and preventing future damage, not about blame and prosecution, so even those not interested in pursuing legal challenges have a duty to report possible violations they discover or are subject to.

CONTACT US

General Contact Information

Privacy Officer

Privacy Officer, 110 William Street, Floor 28, New York, NY 10038, privacy (at) stackoverflow (dot) com, phone: 212-232-8280 Privacy Shield

Privacy Trust, Communications House, 26 York Street, London, W1U 6PZ EU Representative

Privacy Officer, Bentima House, 168-172 Old Street, London EC1V 9BP, privacy (at) stackoverflow (dot) com, phone: +44 (0) 20 3349 1000

Note also that this may constitute a violation of GDPR. While its intent is to protect citizens of the EU, it's possible that the protections are broad enough that Stack Overflow is subject to them, and that it may shield moderators based elsewhere in the world. Either way it's worth investigating to make sure they are in full compliance with GDPR.

Improve this answer
5
  • Does anyone know which country Monica comes from? If Europe, does that contravene GDPR more than if she is non-EU?
    – marcellothearcane
    Commented Oct 16, 2019 at 19:06
  • 3
    @marcellothearcane Monicas own profile specifies an US city as location, so I fear the GDPR is irrelevant here (of course location is not citizenship etc., but still unlikely that it applies to her) ... and half offtopic, but apparently Brexit is close, and their privacy person is still someone in London...
    – deviantfan
    Commented Oct 16, 2019 at 19:09
  • 2
    Brexit may be close or years away, but the offense preceded it so Brexit doesn't block that particular case.
    – WBT
    Commented Oct 24, 2019 at 14:39
  • 2
    @deviantfan: No, GDPR can still apply to non-EU residents. And Brexit is irrelevant to this case.
    – smci
    Commented Oct 30, 2019 at 18:52
  • @smci The article links to a reason that is a recital, not the actual laws scope. See article 3 and 2 of the normative text itself. As natural person without any relation to the EU (citizenship and/or residence), it does not apply.. Monica says residence is US, and I assumed citizenship is the same (as written above)
    – deviantfan
    Commented Oct 30, 2019 at 20:26
85

I've followed several sites in the Stack Exchange family for a few years now, and this question encapsulates my extreme disappointment with SO through all of this. Although Shog9 has relayed some useful information here, the fact remains that we're 2+ weeks past The Register's harmful article with no hint of a retraction & public apology in sight.

Neither turnover nor inexperience are sufficient to explain this action. No HR or Legal Department that I know of would allow a Director-Level employee to make any such statement to the Press. The issues raised by such one-sided communication are an absolute minefield. There's a good reason why this is NEVER done. It is unprofessional in the extreme and reeks of a vindictive streak.

Until such time as I see a recognition of this and clear steps taken to mend the damage, I will have to assume that any activity on this site is subject to the same treatment if it rubs the wrong person the wrong way. My department will not consider adopting Teams, I will not recommend any sites to my colleagues or link to SO-hosted content in any form.

Improve this answer
0
29

The question mixes 2 different but related issues. While sharing protected/private information is bad, that allegedly isn't what happened.

If the accusations by stackexchange against Monica are untruthful slander/libel, then the actual private information - which would contradict the company's statements - was not released.

In such a scenario, privacy becomes a shield for the company to hide behind in an attempt to dodge legal liability.

While the company's new "no comment" privacy policy is commendable, it's also the policy their lawyer might ask them to implement in the above, hypothetical, scenario.

What I'm trying to express is that we do not just need the assurance that SE will act responsibly with private data, but also assurance that they won't fabricate false accusations. The first step of one possible way to get there would be to review the actual offending incidents, privately, with Monica.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .