The web has always been a less safe space for women, trans and non-binary people, than for cisgender white men — although it may have taken a while for the rest of the world to wake up to this. Research in Australia in 2016 found that one in four women under 30 had received threats of physical violence online.
Despite the old claims that “on the Internet nobody knows if you are a dog”, it is often smoothest when you pretend you’re a man. A 2006 study showed “chatroom participants with female usernames are sent threatening and/or sexually explicit private messages 25 times more often than those with male or ambiguous usernames.”
The blog ‘not in the kitchen anymore’, which started in 2012 recorded the harsh reactions women get when they start to speak out loud in Call of Duty, and reveal their gender. The choices to hide, silence or disguise yourself with a “neutral” user-name or avatar in response are some of the earliest examples of a kind of security work that has not been recognised by the traditional tech community.
‘Emotional labour’, originally coined by sociologist Arlie Hochschild in her 1983 book The Managed Heart, is one category which has gained a lot of popular recognition in recent years. It refers to the extra work involved in taking care of the feelings of those around us in the workplace, from the assumption that a woman will organise leaving drinks, to smiling at aggressive customers. This all takes a toll, and negative consequences, accusations of “not fitting in”, arise if it isn’t done. Yet it is a part of workplace life that men rarely participate in or value.
I want to introduce the term ‘security labour’ to describe the extra invisible work that women, including trans women, non-binary people and other marginalised bodies, do to simply exist online.
I include the latter because (as with emotional labour) although the work is gendered, it is not just women who do it.
Security labour and emotional labour are interconnected: both simultaneously demanded and devalued by the patriarchy. They both function in the same way, as work that isn’t defined as work, but is still necessary to function in our day to day lives.
It is important to claim a name for this phenomenon to make it visible and show where the digital security community has got its priorities wrong.
Defining security labour
The moment I started thinking about this parallel phenomenon was listening to Nighat Dad speak at RightsCon 2018 in Toronto. She is the Executive Director at Digital Rights Foundation Pakistan, an organisation that, amongst many things, provides a helpline to people who are receiving online harassment. Her work puts her in a spotlight, which led to a torrent of that same abuse headed her way.
As a result she spent so much time reporting abuse to Facebook that they made her a “gold star moderator”. Their system recognised that she is receiving so much abuse it’s taking over her time, but rather than take steps to protect her, they streamlined the work slightly, encouraging her to flag more abuse, unpaid.
Nighat Dad is not the only person Internet companies ask to pick up the load; huge amounts of online moderation is done by volunteers flagging content. Even where it is paid, content moderation is seen as a new feminised, “care industry”. An article in ABC News described it this way, “in online communities, women are employed at the ‘moral’ coalface, facing down trolls and hardcore pornography.”
Yet evidence shows that professions more women enter are subsequently paid less. It is therefore not surprising that security labour is also de-valued, exactly because it is women, non-binary and trans individuals who do it — regardless of if it’s in a paid role, or as volunteering for ourselves.
As soon as I started looking for other examples of this gendered work to make the Internet safe, I saw it everywhere.
- Security labour is uploading your photos to Instagram a day late so potential stalkers can’t see where you are right now.
- Security labour is creating and sharing “block lists” on social media, so you can share warnings about who will send abuse and do the silencing of serial harrassers that the platforms should be doing for them.
- Security labour is going through steps to upload photos of yourself naked to Facebook because “those who wish to avoid being victims of revenge porn [are required] to act preemptively, before they become targets”.
- Security labour is when the first thing you do with a new app is check location sharing is off, but then sharing the license plate with friends when you get in an Uber.
- Security labour is having to ask your friends to untag you in locations because the app geo-locates automatically.
- Security labour is trying to cover yourself against the blame for not taking all these extra steps if you are harassed, just like being told to “cover up”, wear more clothes, to avoid assault. Even when it got as dangerous as SWATTING, (a practice of organising murder-by-cop, through calling in a false tip on a target) there is a response that she must have done something to make people hate her this much.
Internet companies force marginalised groups to go through all this extra work to protect themselves because they don’t consider them, and their lives, seriously enough when building tools and communities online.
Although this article is predominantly focused on the digital, it’s worth remembering that the offline equivalents also exist. For example, carrying pepper spray or setting aside an emergency ‘leave my partner’ fund. These behaviours are similarly not recognised by society as an additional cost of time and money spent to exist safely.
Security spaces don’t take women seriously
Another aspect of security labour is that it is work that sits outside of the dominant narrative of the infosec community. As mentioned above, online security as a profession, and as a political movement, is largely populated by a community of white men. According to research only 11% of information security professionals in the US are women.
It is not a coincidence that those who most need security tools for privacy on the web have been locked out of participating in creating them.
I’ve been to many security training events, crypto-parties, conferences, and the like. I have both given and received training. My experience is that men teach others to install a VPN, or use PGP to protect against government surveillance, but rarely even mention the risks closer to home. Domestic abuse and stalkers have not come up, even when the training is a drop-in-off-the-street set up.
Nor does it encourage men to discuss what can they do to invoke their privileges and support women, instead the guidance is on your responsibility to take care of yourself. The conversation is also rarely about the root cause of surveillance culture: patriarchy.
We then cannot be surprised when women’s security questions in other contexts are not taken seriously. The risks that feminised and marginalised bodies specifically face are simply not built into our social understanding of security.
Thankfully there are some great projects, such as Hack Blossom and Chayn, which are providing security advice online that is tailored to women’s experiences, but for a long time this has not been the norm.
Politicising our bodies
The community spaces meant to have security at their centre are often not willing to take practical steps to ensure that everyone can participate safely, or even think critically about these needs.
Bringing up topics of discussion such as gendered threats, abusive partners, online harassment and targeting, is often treated as an attempt to politicise what many people do not realise is an inherently political occupation.
Women I know have been told that they don’t belong in security spaces because they are only interested in them “for themselves”.
For example, consider how reporting abusers is not referred to as “whistle-blowing”, whilst male whistle-blowers are placed on a pedestal in the security community, something Leigh Honeywell spoke to us about in the Intersection of Things episode on Rockstars.
Consider the hostility towards Codes of Conduct and safe space policies by hackers and members of the ‘internet freedom’ community. Chaos Communication Congress, a conference on technology and securuty, despite instances of abuse at their event, still does not want a safe space policy at its event.
The gesture towards it on their website is this: “this is not a CoC in the anglo-american sense of the word. It appeals to morality rather than trying to instill it.” Satellite events in 2017 went one step further boasting that people attending “enter at your own risk”. They even rejected talks about harrassment.
On a mailing list relating to digital rights last year I witnessed its members similarly refer to Codes of Conduct as ‘American’ — attaching an accusation of being duped by foreigners to desiring to be safe. Then moments later the same people lamented that privacy is “an abstract concept” that most people won’t understand.
In some of these circles encryption use becomes a status symbol: the more secure you are, the better a person you are. The argument seems to be that because the threats I discuss above are personal and specific, they are less valid than those which are theoretical and “principled”. I’m referring to the people who say “I don’t have Facebook, and I only communicate via encryption,” to establish their credentials.
In contrast to these boasts: some people, particularly indigenous people, cannot use Facebook as they are locked out because their name doesn’t match its Western norms. In many cases even having an encrypted app installed can be a threat to their safety if others see it.
It should be obvious by now that women and marginalised people must protect themselves from very serious threat models, like non-consensual image sharing, and ignoring this reality has consequences beyond the individual. After all, an entire hate movement, gamergate, that channels power to the far-right, was started by one angry guy doxxing his ex-partner (publishing her info online, and successfully encouraging other people to attack her). In the case of another woman, writing about this movement for the InfoSec Institute led to them taking down all her articles.
Security labour exists.
It shouldn’t need to, but it does, and should be recognised and dealt with until it is no longer necessary.
Women protecting their online security are protecting their lives, and creating a safer Internet for everyone through their work.
The existence of ‘emotional labour’ as a term has allowed people to carry out research into the detrimental effects of emotional labour on workers, showing that it causes additional psychological stress. It enabled discussions on a broader range of skills that are actually used at work. It allows women an avenue to talk about it in the workplace, and discuss issues like being the one responsible for ‘team care’.
Likewise, in naming security labour we have an opportunity to draw attention to when we are being unfairly asked to do more work to be safe both online and off.
Those building websites and tools, running security training etc. need to be aware of the extra effort they require marginalised people to go through in order to be able to participate on an equal footing with their cis male peers.
In particular security professionals need to take a holistic view of security that sees codes of conduct and encryption and harassment-free social media as a whole package of security.
Thanks to Sema Karaman for incredibly helpful editing and advice. Also to Mathana Stender, Marianela Ramos Capelo, Milena Popova, and Becca Bunce especially for conversations and wisdom. Thank you to everyone who shared stories of sexism in InfoSec and digital rights that I talked to for this.
For thoughtful conversations on topics like this, check out the podcast I co-host on technology and feminism , The Intersection of Things.