On August 30, Adam Heath Avitable woke up to find someone had created a profile on the dating site OkCupid using his e-mail address. Avitable clicked through one of the welcome e-mails from the service and found himself faced with a profile with the username gayassfuck, his photograph, and profile descriptions clearly meant to discredit him, such as “I’m not looking for love, just someone to live out my rape fantasies.”
Sites are not liable for what users post, but should they be doing more for us?
The most shocking aspect of the profile, perhaps, was the last bit, where under the section “You should message me if…”, the person who had created this profile had written: “You’re just looking for something physical and happen to be close by. I’m looking for someone to fulfill my rape fantasy. I want an aggressive man to just break into my house and go at it…” The profile then appended Avitable’s real home address.
Browsing further, Avitable discovered that the person who created the profile had also messaged some 24 men on the site. He contacted OkCupid immediately, concerned about the implications their ease of creation had for denizens of the web.
In this case, someone used his e-mail address and OkCupid doesn't require a password when you access the site from an e-mail, so Avitable was able to access the account and remove the information. But what if someone created an account with his personal information without using his e-mail address? Without those notifications alerting Avitable that a new account had been created, he might have never known that there was a profile on OkCupid with his home address inviting men to come over to his house and rape him.
Avitable wanted answers, but OkCupid did not respond to that first or a second e-mail, sent over their web contact form.
"OkCupid, I expect a response,” Avitable wrote in a blog post chronicling the incident. "I want the IP address of the person who did this. I would also like to know why you allow profiles to be published sharing private information such as someone’s address without any oversight, and what part of your business plan supports rape."
Finally, after Avitable’s tweets and post had received a substantial amount of views and shares, OkCupid reached out today:
My name is Alice, and I’m the customer service rep for OkCupid. I’m so sorry that you have not gotten a reply about your issue before now, and I hope I can help.
First -- the account in question, gayasssfuck, was completely removed today, and the IP it was created from has been blocked from OkCupid. We can’t give you the specific IP address, but if you do decide to file a police report, we would be happy to cooperate with law enforcement.
Second -- we absolutely do not condone sharing any private information on a profile, including addresses or email addresses. We do remove any profiles that share this information, as well as profiles that are obviously fakes as this one was, especially when they contain references to rape. That is absolutely unacceptable for OkCupid. However, our company is a lot smaller than you may realize, and we do not have the resources to hand-check every profile before it goes live. We rely on a flagging system, where users flag an inappropriate photo or profile, and then it gets reviewed by us for removal. It appears that this profile was not flagged by anyone, and we missed your emails, so it unfortunately flew under our radar. I sincerely apologize for this.
Again, I’m sorry we didn’t catch this sooner, and please let me know if you have any other questions or concerns.
The problems with OkCupid current mode of operations are numerous.
From a perspective of customer support, it is very unfortunate that OkCupid has not put sufficient resources into responding and dealing with incidents of abuse that users and non-users report. Maintaining the trust of users is essential to remaining relevant and competitive in the dating space, as OkCupid undoubtedly wants to remain.
Secondly, the fact that they do not perform e-mail verification is interesting, given how common this practice is. Another security concern arises when one considers that Avitable was able to access his profile directly from an e-mail without having to log in. In this case, this was fortunate, as it enables users who may have fake profiles created to remove damaging information from a profile while OkCupid takes their time addressing their concerns. However, from a security perspective, this is dangerous in that it enables anyone who acquires access to an e-mail account to take possession of an OkCupid profile without a password.
Lastly, and most importantly, OkCupid does not allow users to provide e-mail or physical addresses on profiles, but the only system they have in place to safeguard against this is a user-dependent flagging system. There is no user generated content filter to prevent or even flag profiles that may contain strings of text interpreted by the program as being in potential violation of OkCupid address terms. There’s nothing. You’re entirely dependent on other users letting OkCupid know that a profile may be questionable.
Most dating sites, big and small, apply a waiting period to enable profiles to be cleared. They’re particularly careful about the images they allow – but what about the user? Screening for inappropriate photos is a way for the site to safeguard itself, to maintain that it is age-appropriate and not pornographic. But what about the users? Don’t they deserve as much assistance when it comes to safeguarding their personal information? The instantaneous nature of profile creation is attractive, if one can count on all users to act in good faith. The problem is that we can't and abuses of this nature are incredibly serious.
OkCupid has expressed interest in working with the authorities, but this is contingent on victims filing a police report and being successfully assigned a detective to look into the case, which is not an easy task. The problem is complicated further by the erroneous belief that cyber threats are not as dangerous as real ones, a notion that continues to exist in law enforcement.
Law enforcement is estranged from the world of cyber-abuse and as a result, the compiling of digital evidence, tasked to people who rarely understand the technology, becomes the task of people who have little understanding of the law.
Erin Kotecki-Vest, a political blogger and active BlogHer community member is familiar to what it takes to get a cyber-abuse case through to law enforcement. Recently, she was subjected to threats on her life, her family, and her childrens’ school on the social network Twitter.
“I hate hearing there's nothing you can do,” Kotecki-Vest said when she spoke on a panel about cyber-bullying at BlogHer ’11 in San Diego, California. She goes on:
Before it escalated to death threats on my end from my attacker, it was just harassment, typical online trolling that was making me very uncomfortable. But you need to document everything, even if you don't think it crosses the line. Document it. Keep it in a folder and when you get really uncomfortable, you take it to your local authorities. They may not be able to do anything about it, but they need to start a file. You must start a file and you must have them at least document it.
And then when the day comes where they do cross a line in your state that is considered a threat, you already have this nice big documented folder at either your sheriff's station or local police station and on your computer with all of your screen shots and everything else. They are ready to move on it. The detective has a little less work to do because in a way you have done it for him or her. So make sure you document absolutely everything. Even if you don't think it crosses the line. If it's just that troll that comes to your blog all the time and you don't even let those comments go through, screen shot it. Keep them any way and keep them in a folder.
You would be surprised, you do need those screen shots. Those detectives may not be taking all those screen shots you think they are taking. You need them all. You have to back yourself up. Don't think the police are going to do all that work for you.
Kotecki-Vest filed a report, and despite continuously contacting her local sheriff’s department, it was three months before a detective was finally assigned to her case, and it took the detective several months on top of that to begin piecing things together.
“In all the cases I have seen unfold between people who were being harassed and law enforcement, the victims have had to follow up and press for their case to reach resolution, often doing much of the legwork themselves,” Kotecki-Vest said. “This is impossible to do without cooperation between sites and victims.”
Andrea Weckerle, founder of Civilination.org, has devoted her life to fostering an online culture where everyone can participate freely without fear of becoming the target of abuse, harassment and defamation. She thinks in cases of cyber-abuse, the best weapon is information.
“What you really want to do is go online and look at the language of your local statutes, even if they’re somewhat difficult to understand, to see if you have a case and move forward,” Weckerle said. “For example, in some jurisdictions you're going to find that intent matters -- did they intend to instill fear in you? In other jurisdictions, intent is not an element. Their actions as such have to be actionable. You really have to be well-versed in your statutes, to know what the facts are to be able to move forward. That's extremely, extremely important.”
Even if a case is not criminally actionable, there are civil remedies relating to defamation, intentional infliction of emotional distress, public disclosure of private facts, false light or appropriation of your identity. These options cost money, Weckerle says, but the option to pursue a civil case are there. But like Kotecki-Vest, she agrees that documentation begins long before that:
“Go ahead and start that file or see if you can open a file at your local sheriff's office or police department,” Weckerle said. “They may roll their eyes and say ‘here is someone overreacting.’ They deal with a lot of physical issues and they want to see extreme issues, so start by making them aware of the fact that you are fearful. You are not going in there to say ‘my feelings were hurt.’ You say ‘I am frightened, I am scared about this. These veiled threats are causing me severe emotional distress.’ The tendency people have is to wait too long to do it. We feel ashamed or silly and don't want to appear hysterical. We need to overcome that and start taking actions to legally protect ourselves.”
Kotecki-Vest paints a clear picture of what it is like to work with law enforcement on issues of cyber-abuse:
One of the first things I heard when I got the threats was: well, you asked for it. You're out there. You put yourself out there. You put your family out there. You talk about your illness. You talk about your politics. You talk about your life. Of course this is going to happen. This is just how it goes.
I absolutely refuse to accept that. That is not part of civil society. When we are all here face to face, you wouldn't be able to say to me that you are going to blow my brains out, not sitting right in front of me. Why is that acceptable online? Because it's coming from someone with an anonymous name? No, I refuse to accept that. I made my local sheriff's office refuse to accept that.
They didn't understand Twitter. They had no idea what I was talking about when I walked in with all of my screen shots and my iPhone. They had no idea, but I educated them and I made them learn. For a while I was at my sheriff's office every single morning for about eight days straight because every night, the night before I was getting attacked online and I was documenting all of it. They were going to take me seriously whether they wanted to or not. I just persisted. And I kept going in. Eventually they opened a case.
Autumn Sandeen, a transgender blogger who also formed part of the cyber-bullying panel at BlogHer ’11 also suggested finding an abuser’s IP address and contacting their internet provider.
“Before I contacted their provider, I looked at their terms and conditions of service as to what behavior they allow their system,” Sandeen said. “We had the same provider because this person happened to live in San Diego where I live, so contacted my provider, which was their provider, and said they are violating this rule, this rule, and this rule in your terms and conditions of service and gave them the link to their own terms and conditions of service. The person had their account suspended. So there are a number of different options.”
This approach is complicated when you have social networks and sites that have the necessary information but do not want to reveal it, as in Avitable’s case.
“The first thing I did was go to Twitter,” Kotecki-Vest recalls. She contacted the social network several times to help provide her with information about her abuser. “It was like talking to a bunch of school kids about a serious problem. I was getting form e mails in response from them. It was extremely frustrating.”
She goes on to detail how she finally got them to pay attention:
Getting Twitter's attention is not easy. You have to continuously file and show them stuff. You have to literally go over their TOS [terms of service], pull out the line that applies to the tweet that came to you, show them the tweet, show them exactly what the terms say send these in together. Every single time I would report something to Twitter, it was always an immediate rejection: “we don't like to get involved in disputes between two parties.” But this wasn't a dispute between two parties. This person was saying they are going to kill me tomorrow. That's a really big difference. Eventually with the help of the community, we got Twitter's attention.
Twitter flagged most of my incoming reports once they knew that there was an open case in the sheriff's department, but my sheriff's department had to contact them. My detective was attempting to get information from Twitter, and Twitter absolutely refused to give him anything without a court order. When my detective was putting in emergency court orders from judges, saying “this is an emergency threat of life, you need to hand over this information,” their response was: “Fax us.” They wouldn't give my detective a phone number to call them. It was: “fax us with your information.”
My detective's response was, “what happens if this is a kidnapping and she's tweeting from the trunk of a car? And I'm doing my best as law enforcement to get Twitter to give me information and your response is: We don't give a phone number. Fax us.” He couldn't talk to anyone in person. Here he was with emergency court orders and everything else and he couldn’t get anybody on the phone. It's difficult. But you have to pressure them. And you have to use your community to pressure them.
This essentially is what Avitable is doing, and this is the approach that skeptic bloggers recently took to bring justice to a troll who had been threatening the skeptic and scientific community for years.
I think we deserve more than that. Sites have a responsibility to users. They need to have a clear procedure in place for dealing with reports of serious abuse and offer contact information for law-enforcement in the event of a serious emergency. This isn’t just for dating sites like OkCupid, but social networking sites as well. If we’re going to ask the law to catch up with us technologically, we need to start by demanding that the services we use have a public policy in place and a procedure for dealing with these cases.