This post hopes to address some claims made yesterday by Rahaeli on Twitter and her site, Dreamwidth, for purposes of clarification. After the illegal attack on OTW volunteers in May, 2022, the OTW took numerous steps to protect volunteers, including hiring an outside law firm with expertise in cybersecurity, working with contractors and firms that investigate and handle security incidents, and comprehensively revising our internal volunteer practices and updating our technological tools, including email systems, as well as making all necessary reports to NCMEC and others.
These actions, revisions and updates are ongoing. We also communicated with volunteers, both through personal and organization-wide communications, providing advice on actions to take if they had been sent CSEM, information regarding safety precautions they could take regarding personal information we believed could have been compromised, and identification of further resources that they could use.
The Legal Committee has always worked closely and cooperatively with the Policy & Abuse Committee, and continues to do so. This work includes organization-wide policy and technological measures to reduce stress and strain on our Policy & Abuse volunteers, and these measures are ongoing and continuing. We, and everyone else at the OTW, have always taken CSEM very seriously and the OTW reports (and has always reported) as required to NCMEC and others. Our Abuse processes are not limited to what appears in the Archive code, as we have internal measures in place (including some which are intentionally confidential), and we are always seeking to improve them. People who try to abuse the Archive are, unfortunately, flexible and evolving — therefore, we are too.
We are confident that we are compliant with the laws, including U.S. and EU laws regarding privacy, data protection, and data retention, that apply to the AO3. (It is relevant to the legal analysis that the AO3 does not host images other than 100×100 pixel user icons, which cannot be “orphaned” within our system). As Rahaeli noted at the end of her thread, these laws do not include COPPA, the Children’s Online Privacy Protection Act, as it does not apply to nonprofits like the OTW, but as a matter of policy we do not allow children under 13 to make accounts, as noted in our Terms of Service.
Rahaeli is an expert in running an important social media/content hosting site, but not necessarily an expert about the facts in this instance, or about the OTW. We respect and have often listened to her expertise in the past; had she contacted us directly, we could have addressed her questions and concerns. We did not ignore her advice in 2022 and would not do so now.