By Troy Hunt

I originally wrote this post earlier on in the year. I honestly can’t remember what the abuse was that led to it and frankly, that’s probably for the best as it’s allowed me to re-read this and ensure it comes across as general advice rather than a knee-jerk reaction to a specific unpleasant experience. Whilst the simple process of writing it helped me get the episode off my chest at the time, I’ve decided to post it now because I think it’s important, both for others who encounter nasty behaviour online and for myself when I next do.

Unfortunately, if you spend enough time online and especially if you’re public enough, this is something you’re going to have to deal with sooner or later. Here’s how I handle it.


I’m writing this outside the context of any recent events for reasons that will become clearer as you read on, but after the last abuse incident I thought I’d finally jot some things down. Mostly this serves as a reference point – something I may direct people to in the future – but I also write many of my blog posts as a way of forcing me to think clearly about a topic and articulate it in a cohesive fashion.

It may not be something that many of you would have expected, but I’ve often found myself at the receiving end of online abuse. As time goes by and I get more exposure or profile or whatever you want to call it that puts me in front of more people, I get more vitriol from online antagonists. Let me explain what I mean by that, the types of abuse I get and how I’ve elected to handle these incidents.

What I think constitutes abuse

Let me clear this up first because I appreciate there’s a degree of subjectivity to all this. The sorts of online abuse I get range from minor name-calling to slurs about my competence or professionalism to serious threats related to my personal life (I’ve come close to contacting the police in the past). I’m not going to detail what any of these actually were here as I simply don’t want to give the trolls the airtime (more on that later), but I do want to describe some of the broader behaviours.

What I don’t consider abuse is vehement disagreement with my points of view, finding factual faults with things I’ve written or said that are incorrect or any other sort of constructive argument that I may not agree with, but is aired without malice or spite. It’s the stuff that’s said first and foremost to insult or cause harm that I put in the abuse bucket. This is particularly true when it’s done from behind the veil of anonymity.

Very frequently, this is aired publicly via Twitter, in blog comments or via other online channels. Only very occasionally does it come via private means and it has never come verbally, either face to face or via the phone. At times where I have actually engaged with the other party and offered to talk to them, the opportunity has never been taken up.

I should also be very clear that this is nothing like the abuse you hear of some people copping online; repeated threats to safety or family, prolonged “campaigns” of torment, racial or sexual abuse – all of that is a world apart from what I’m describing here. What I cop is merely nasty vitriol in comparison. In fact, very often it’s the sort of thing I’m teaching my six-year-old is just inappropriate, nasty behaviour and I’m teaching him this because it’s the sort of thing you expect from kids, not grown adults.

Let me explain some of the grievances that have come up multiple times before and I’m going to address them here once and for all.

I’m “profiting from security”

The very first blog post I wrote was in 2009. The first dollar of any significance I recall making out of security was when my first Pluralsight course went live four years later. There may have been some other inconsequential amounts but what I can say for sure is that until Pluralsight kicked in, 90% plus of my income came from working my arse off in a very corporatey role at Pfizer.

One thing that many people don’t realise is that almost every time I talk at an event – including when I travel to the other side of the world to do it – I don’t earn a cent (there are a small handful of rare exceptions). Actually, I make negative money because a huge amount of time goes into not just the travel, but the preparation as well. Between conferences, podcasts and interviews, I’ve done hundreds of talks and almost never made a cent directly from them. These events are about meeting people and increasing my exposure, not just in terms of me putting my name out there, but me getting exposed to other really smart people. My experience has been that the best way to ultimately be personally successful in this area is to do as much as you can for free!

In more recent years, the work I’ve done has begun to pay well, almost entirely off the back of Pluralsight and the workshops I run. It pays well because it’s in demand; there’s a dearth of good security content targeted at developers and evidently the approach I take to explaining it is popular, something I make no apologies for. Which actually brings me to my next point: who my content is for.

I’m not explaining things “the right way”

Let me give you a perfect example of this: I’ve often seen disparaging comments about the use of the Wifi Pineapple to demonstrate security concepts. I’ll see comments about how it’s trivial or a “script kiddy” tool or how real men build their own devices and so on and so forth. What a lot of people seem to miss – and this predominantly comes from security professionals – is who I’m talking to.

The material I create, whether that be on blogs or at talks or in workshops, is very heavily biased towards software developers. Not only is that my background, but I believe that’s where I can make the most difference to security; at the point where software is being written. In a case like the risks the Pineapple demonstrates, the vast majority of developers are unaware of how easily traffic can be hijacked or the risks behind practices such as loading login forms over HTTP. My goal is to make these concepts easily consumable to them and the most impactful possible way I’ve found to do that is by showing how you can order a $100 device off the web, pull it out of the box and 5 minutes later be hijacking traffic. That resonates more with that audience than rolling your own MitM tools ever will.

I fully appreciate that the way I’m explaining security to developers is not the way some security professionals would like to consume it themselves; it’s not meant to be and the very fact that developers often get exposed to security in ways they have trouble consuming goes a long way to explaining why so many of them have such a poor grasp on it. In fact, that’s the very reason I started getting involved in security many years ago – because of the friction I saw between developers and security teams.

There are people who understand many of the concepts I talk about at a greater depth than I do. Some of them are specialists in various niches, others have simply been focusing on specific things for longer. What I’ve found my strength to be is in explaining concepts in a way that’s consumable by the people I speak to. I hope that makes sense and whilst not everyone will agree with the way I present some of these concepts, they can at least appreciate why I put them forward in that fashion.

“Tall poppy syndrome”

This is a term we hear a lot in Australia and whilst there might be different descriptions for it overseas, it generally means the same thing:

The tall poppy syndrome is a pejorative term primarily used in the United Kingdom, Australia, New Zealand, and other Anglosphere nations to describe a social phenomenon in which people of genuine merit are resented, attacked, cut down, or criticised because their talents or achievements elevate them above or distinguish them from their peers. This is similar to begrudgery, the resentment or envy of the success of a peer.

In other words, people being pissed because you’ve done well. I remember learning this term as a kid when you’d see someone getting cranky because someone else has just driven past in a nice car. I’m not sure if tall poppy syndrome is actually jealousy or just the view that someone else shouldn’t be successful in what they’re doing, but frequently this seems to be the undertone of abusive messages I receive.

Sometimes, the underlying resentment when a positive event occurs is particularly raw. I’ve seen cases where I’ve announced something or had some level of success or positive coverage and amongst the outpouring of absolutely awesome feedback, is one lone dissenting voice. Not a subtle disagreement, but outright vitriol. It’s happened enough times in the past to be something I now expect, yet it never ceases to amaze me just how opposite that voice is to all the other ones.

Abuse like this doesn’t have to be cogent or well-articulated and indeed the position of “I don’t like you because you’ve achieved some level of success” is neither of these things. Yet somehow, antagonists taking this position seem to find time to commit to explaining how little attention others should be paying!

I’m a Microsoft / Lenovo / [anything else] shill

I’m certainly not alone in copping flak for affiliations and I can understand the assumption of me being incentivised to say positive things about companies that give me things, but there’s a fundamental misunderstanding of the order in which these things occur. I’m a Microsoft Regional Director and MVP because I spent years writing about their technologies while receiving nothing from them. I’m a Lenovo Insider because I spent decades buying their gear and sharing my experiences publicly before they gave me a thing.

The irony of some of the abuse I get (and certainly some people do get very angry about my affiliations) is that I’ll be reading about how I’m a Microsoft fanboy whilst using my iPhone (I don’t want a Windows phone) or am beholden to Lenovo while reading that on the W540 I bought with my own hard-earned cash a couple of years ago. Independence and trustworthiness are massively important to me, to the point where I push back on anything which has even an inkling of a chance of not being consistent with that. If it’s not something that’s an accurate reflection of my own independent views, I outright refuse and that’s the end of it. It’s that simple.

Funnily enough, I’ve often copped flak (I’ll stop short of calling these incidents “abuse”) about my ongoing promotion of tools like Freedome VPN and 1Password. I’ve never received a cent from either of them and I’ve bought every single version of their respective products at retail prices out of my own wallet! I have no financial incentive, yet I influence people to purchase them simply because they’re very good!

I recently spoke to someone in another position of influence with a similar affiliation to another large tech company and was very surprised at the pressure they had to not be seen with competitors’ equipment. That’s never the case with Microsoft or Lenovo and frankly, we’re all that much better off that the opinions of those of us involved in their programs genuinely are independent, regardless of what those who like to hurl insults from the sidelines may think.

Actions I take when receiving abuse

I’ve changed my approach over the years as I’ve gone through various nasty experiences. Earlier on, I’d be tempted to confront antagonisers and challenge their negative perceptions – reason with them, if you like. Other times I’ve allowed followers to argue with them via channels such as Twitter and blog comments, sometimes I’ve even RT’d their ridiculous comments purely to invite a torrent of defensive comments. These days, I’m trying to be much more passive.

One common thing among these individuals is that they want a fight. They’re out there to argue and debate and do whatever they can to piss you off and consume your time. I now mute them at the first sign of the behaviours I described above. Twitter is easy because there’s literally a mute feature and for anyone else who finds themselves in the same position, I highly recommend this. It’s different to “blocking” them in that they can still see my timeline and as far as they know, I just haven’t seen their message or I’m ignoring it – the joy of muting is that they don’t know. Blocking is more “passive aggressive” and it’s implicit engagement; IMHO, simply ignoring them from the outset is less confrontational. If it’s comments on other blogs or social sites, I self-mute or in other words, I simply don’t go back to that discussion. I make a conscious decision that doing so would be counterproductive and I simply tune out and go do something constructive.

Comments on my own blog are different, simply because that’s my place and like others who run a blog, I get to decide what stays and what goes. After a nasty incident some years back, I created a page titled Comments which I link to just next to the comments section on each blog post. The bottom line is that if someone is abusive then I’ll delete the comment and likely ban them. I’ve already clarified what I mean by abuse and in blog comments it’s often insults or cheap shots without even an attempt to add something constructive to the discussion. I don’t have any moderation before a comment goes live because I want people to come to my blog and discuss the content there, but when the goal of the comment is purely to antagonise without adding value to the content then that’s it – it’s gone.

When I look back at how I’ve handled previous incidents of online abuse, there are times where I wish I hadn’t engaged. Perhaps the person was literally having the worst day of their life or had gone through a few too many glasses of the merlot or maybe they were just proverbially kicking the dog. There were occasions where my engaging with them didn’t work out well for either of us; for me because I wasted time debating with them when I could have been doing useful things, for them in various other ways which they likely now regret.

By pure coincidence, after writing this but before publishing, I read this about Robert Scoble:

[Image: Nasty comment about Robert Scoble]

This is just nasty. I’d stop short of calling it abusive, but it’s the sort of behaviour that makes the guy look like a dick. No qualification of what it is about Robert he doesn’t like, nothing constructive or insightful, just a nasty comment that many people would find hurtful. That’s not out of the ordinary, but it’s Robert’s response that really resonated:

[Image: Robert Scoble responding like a pro - and a gentleman]

And this is precisely the point: there will be whingers who for no apparent reason just want to rant. No matter how well-regarded you become at what you do (or perhaps because of it), this stupid behaviour will appear and you can’t help but feel a little bit sorry for the individual who resorts to it. I’m secure enough that I can happily ignore it and I’m not going to devote emotional energy to them which could be used to actually do good things.

Also, read both the cranky guy’s comments and Robert’s response – you actually come away from that with a greater respect for Scoble despite the original negative comment. In fact, for the vast majority of us, cranky guy has caused precisely the opposite effect to what he set out to achieve; he looks like a dick and his target comes out looking level-headed and having earned a new degree of respect from a bunch of people, myself included.

Here’s a question to ask yourself if you recognise your own behaviour in any of this: would you willingly approach me face to face at a conference and say the same thing? Would you look me in the eye and repeat the abuse with the same conviction as you do – often anonymously – from behind the keyboard? If the answer is “no” then think about how invested you really are in your views and if perhaps it’s something you shouldn’t be saying in the first place.

Often these individuals are just exercising bravado that deserts them once they’re away from either anonymity or the perceived invisibility that being on the other end of an internet connection gives them. Their better judgement and common decency is put aside in ways it simply wouldn’t be were they not behind those veneers. But whilst they’re behind the “protection” of an IP address and feeling as though they have no accountability, there’s very little point in debating things; rational conversation is the last thing they’re interested in.

It’s literally a small fraction of 1% of people I interact with who decide to behave in this way and that’s likely representative of most people at the receiving end of this sort of behaviour. So for me – and this is my advice to others as well – the right approach is this: unless it becomes an issue you simply can’t avoid confronting, do your utmost to ignore it and move on. Angry or antagonistic people like an audience; better you don’t give them one and they go elsewhere to find it.

The best defence: go and do awesome things!

There will always be cranky people who just want to get under your skin. We’ve no doubt all had that in the school yard before and many of us have had it in the workplace too. Online is a different story though and one of the best possible things you can do is drown out the negative noise with positive things.

I can’t recall who I heard originally say it, but I distinctly recall a quote very similar to this:

You can’t remove all negative things about you from the internet, the best thing you can do is to flood the web with positive things

And that’s precisely what I intend to keep doing. In fact the abuse is motivation to go out and do great things that people love and want to share positive feedback about; more talks, more courses, more support for data breach victims via Have I been pwned – all of this makes the 99.x% of people I interact with on the web happy and that remaining fraction of a percent will simply need to accept that their abuse is being drowned out to the point where very often, I simply never even know it’s occurred.

