Open letter to the ACM regarding Codes of Conduct impersonating the Code of Ethics

Please help distribute the statement below.

You can write to the ethics board of the ACM and any other professional body to draw their attention to this issue.

Here is a sample letter:

I'm writing to ask you to consider the open letter on unsafe Codes of Conduct impersonating a Code of Ethics.

If somebody impersonated the president of our professional body, using his or her name when responding to a call for papers at a conference, everybody would find that completely unacceptable. Therefore, if some members of our profession impersonate the Code of Ethics with an inferior substitute, isn't it time to shine a light on these practices? Doing so can help focus attention on the real Code of Ethics and protect our members from straying into vigilantism.

Using a Code of Conduct to justify public shaming is like using the Quran to justify terrorism.

Please consider making a statement on the unsafe nature of these imitation Codes of Conduct. In particular, we ask that you warn the community that verdicts and punishments derived from these codes are not to be taken seriously and that members may face legal consequences attempting to enforce an unsafe Code.

Contact addresses:

We are writing to request the association's opinion on the phenomena of Codes of Conduct in the free, open source software domain.

The association operates a Code of Ethics with the stated aims of improving standards of professionalism in the industry at large.

The free, open source software domain is becoming increasingly prominent as a subset of the industry. In many cases it is the first point of contact for students in computing.

The largest and most well known employers in the industry have all engaged with the open source concept in some way. These employers and their management count among the members of the association governed by the official Code of Ethics.

We, the undersigned, charge that the Codes of Conduct presented by these organizations attempt to borrow from the authority of the Code of Ethics without honoring the principles and processes that are normally associated with such a code.

By way of example, we attach two Codes of Conduct, the Code of Conduct for the Fedora Project (IBM / Red Hat, Inc) and the GNOME Code of Conduct.

Anecdotal evidence

Anecdotally, we find many public references to decisions made under these foolish Codes of Conduct. Industry participants, journalists, search engines and the public at large appear to be unable to distinguish a genuine Code of Ethics matter from a vindictive, vexatious and unjust declaration made in the name of some Code of Conduct.

On 25 August 2020, a volunteer wrote to Red Hat using the Fedora council mailing list and asked about upgrading from a Code of Conduct to a Code of Ethics. In January 2022, Matthew Miller, employed by Red Hat, Inc as the Fedora Project Leader, declared that the volunteer's opinions were not valid because the volunteer had not submitted to a Code of Conduct. There was an insinuation that the volunteer was violating a Code of Conduct. In reprisal, Red Hat, Inc instructed a lawyer to begin proceedings under the Uniform Domain Name Dispute Resolution Protocol (UDRP) to seize a domain name from the volunteer. The legal panel appointed under the UDRP determined that Red Hat itself had been harassing the volunteer and engaging in an abuse of the administrative procedure. Yet Red Hat had claimed they were motivated to follow this hostile course of action by a Code of Conduct.

If these amateur-hour Codes of Conduct are enabling the largest entities in the industry to engage in harassment and publicly shaming people then it is now a compelling time to shine a light on these practices.

Summary of differences

We attempt to itemize the differences between the ACM code and the amateur-hour substitutes that have become prolific in open source.

The ACM Code of Ethics is split between two documents:

We are comparing with two Codes of Conduct

although we may refer to others.


The ACM Enforcement Procedures do not mention a jurisdiction for legal claims relating to enforcement. The ACM Bylaws are available on the website and identify the US state of Delaware as a jurisdiction.

Fedora's Code of Conduct does not identify a jurisdiction, nonetheless, the Code clearly states that Fedora is an initiative of Red Hat, Inc, a well known US company.

The GNOME Code of Conduct does not identify a jurisdiction, nonetheless, it is possible to follow links in the wiki to find the the Bylaws stating the GNOME Foundation is registered in the US state of California.

This information is not readily available for many other Codes of Conduct. For example, if we consider the Debian operating system, a recent email discussion has commenced about whether the developers should bother to incorporate.

"Did Debian survive for so long in part because there was no organization to sue?"

Email leaks from the 1990s reveal how the developers created this obfuscation deliberately. The implication is that the developers want to make arbitrary Code of Conduct verdicts and punishments while frustrating any attempt to moderate their abusive actions in a courtroom.

Basis for complaints

The ACM Enforcement Policy requires a complaint to involve a specific violation of the code and not simply a disagreement between two parties.

The Fedora Code of Conduct and GNOME Code of Conduct, like most of those in the open source world, have a very broad and unspecific scope, allowing somebody to launch a complaint for just about any issue that is inconvenient for them. A simple disagreement between two people can be used as the base for a Code of Conduct complaint.


The ACM Enforcement Policy (section 2) encourages voluntary remediation at an early stage.

The Fedora Code of Conduct and GNOME Code of Conduct do not entertain such an offer.


The ACM Enforcement Procedure, section 6, states that decisions about code violations may be recorded in public minutes of the meeting but the names of both the accuser and accused will be concealed.

The Fedora Code of Conduct states that "the identities of all involved parties will remain confidential" but in practice we have seen that this is not the case. The most prominent example is Red Hat's public statement about Dr Richard Stallman in March 2021. In other cases, Red Hat has deliberately revealed enough information for parties to a dispute to be easily uncovered by the press even if their names are not stated explicitly.

The GNOME reporting procedure includes the following text that deliberately omits the privacy of the accused:

In some cases we may determine that a public statement will need to be made. If that's the case, the identities of all people impacted by the behavior and the people who reported that behavior will remain confidential

Molly de Blanc, one of the GNOME Code of Conduct authors and enforcers, started an online petition asking people to endorse her personal grievances with a former employer, Dr Richard Stallman. Therefore, the process selected by de Blanc, a member of GNOME's conduct committee, obviously didn't contemplate the privacy of the accused, Dr Stallman.

In many jurisdictions an enforcer writing a public statement about a colleague or volunteer may themselves become subject to civil or criminal defamation proceedings.

Conflicts of Interest

Both ACM documents, the Code of Ethics and the Enforcement Procedures, prohibit people with a Conflict of Interest from acting (Code of Ethics s1.3 and Enforcement Procedure, part B)

The Fedora Code of Conduct does not mention conflicts of interest at all.

The GNOME Report Handling Procedure prohibits Conflicts of Interest. Nonetheless, it does not require the involvement of an independent or professional outsider for contentious cases, it simply recommends involving one of the executive. People have raised questions about conflicts of interest regarding one of the authors, Molly de Blanc. In each case, the executive have neither confirmed or denied the conflicts of interest, they only insist that she is competent for her duties.

In the aforementioned case involving Molly de Blanc and Dr Richard Stallman, de Blanc had conflicts of interest. Although she positioned herself as a victim, she did not recuse herself from her role in the GNOME Conduct committee and even if she had done so, her public profile induced other people to co-sign the complaint in the heat of the moment.

By using this petition to try and create a verdict, de Blanc was effectively asking for a jury of people who agree with her.

Copy-cat verdicts

The ACM Enforcement Procedure does not envisage absorbing and rubber stamping decisions made in external bodies. The final paragraph of the procedure suggests that if another body is running an investigation it may be better to let that investigation run its course before the ACM considers the same matter.

The Fedora Code of Conduct does not state that verdicts should be imported or exported with other organizations. Nonetheless, Matthew Miller, the Fedora project leader, has indicated that people have tried to use the reporting procedure to open tickets refering to complaints in other organizations.

Molly de Blanc, one of the authors of the GNOME Code of Conduct, has stated a desire for such decisions to be propagated to other organizations and this is written in the code, under the heading "Report Data", people preparing an incident report are encouraged to specify "Which online community and which part of the online community space it occurred in".

The target of a complaint who has to handle accusations, evidence and appeals submitted through multiple organizations in parallel may find it impractical and unhealthy to effectively respond to all of them concurrently.

Incestuous verdicts

As an extension of the concept of copy-cat verdicts, it is important to note that many of the organizations in the free and open source software domain have overlapping membership and common funding sources.

In other words, looking at Fedora and GNOME Foundation, both software products are supported by staff and funding from Red Hat, Inc. Fedora is almost exclusively reliant on staff and funding from Red Hat whereas GNOME Foundation has multiple funding sources but counts a non-trivial contribution from Red Hat, Inc.

If Fedora and GNOME Foundation both make an abusive verdict about a single volunteer, they could be considered proxies for Red Hat, Inc to simply spread a single abusive allegation through multiple concurrent channels.

Various social media posts have appeared recently giving lists of such incestuous organizations making identical decisions against a single volunteer. It appears the people behind this harassment have deliberately created abusive verdicts for the very purpose of saying that other organizations all agreed with them.

In some cases, we've seen organizations make abusive verdicts about people who never had any interaction with their organization whatsoever.

The appearance of multiple phony verdicts rubber stamped by puppet organizations is offered as a substitute for due process. Not one of the organizations will have followed due process in reaching their verdict.

Persons in scope

The ACM Enforcement Procedures, section A, first paragraph state that the policy is only applicable to members:

The privileges for the subject of a complaint that are described in this policy only apply when the subject of the complaint is a Member.

Open source software organizations typically have a smoke-and-mirrors approach to membership.

Intellectual property, trademarks and bank accounts are typically registered to a legal entity where only a small subset of the volunteers are legally recorded in the membership roll.

Words like "member" and "expulsion" are frequently used in open source organizations in reference to people who are not actually members.

Skipping Due Process

There appears to be no evidence of cases where ACM officials have skipped due process and simply declared somebody to be in violation of the Code of Ethics.

In the case of both Fedora and GNOME Foundation, there are cases where officials have simply written emails, blogs or other communications declaring that some person has violated a Code of Conduct. Sometimes these statements are made in the heat of the moment or when they are losing a debate. Sometimes they are repeated behind the scenes on an ongoing basis as a vendetta. In any case, the community is encouraged to trust these pronouncements of guilt simply because the person making them has some title in the organization, not because the finding was obtained through a credible inquiry.

Due process

The ACM Enforcement Procedures suggest that the subject of a complaint should be interviewed at an early stage to establish facts. The subject of a complaint must be given details of the complaint and copies of documents before a hearing. There must be at least 30 days from the moment when the subject is given the evidence until the actual hearing.

Regarding both the Fedora and GNOME Code of Conduct, neither of these codes requires the accused to be provided with copies of evidence. Neither of these codes specifies waiting periods for the accused to review the case against them and provide a response.

The GNOME reporting guide urges the committee to allow no more than one week for the entire process, this is clearly inadequate if the accused is on vacation, ill or anything else:

If the incident is less urgent, the committee members will meet within 1 week to determine an appropriate response.


The ACM Enforcement Procedures require a hearing where all parties are present before a panel or the full council.

Neither the Fedora nor GNOME Code of Conduct envisage such a hearing. The people making the decisions may do so from a bunker without ever looking other volunteers in the eye.

Appeals procedures

The ACM Enforcement Procedures offer the subject the opportunity to submit an appeal to the president. This appears to fall short of the standard in some other professional associations. For example, in some associations the appeal may involve a panel consisting of a previous president and a professional mediator, magistrate or another outsider who may bring a legal perspective to the case.

Neither the Fedora or GNOME codes mention an appeal procedure at all.

Immutable recording of decisions

As previously mentioned under the heading Confidentiality, the ACM process records the anonymized facts and verdict in the minutes of their meeting. These documents are dated and copies are circulated promptly to all parties. This makes it harder for any party to misrepresent the outcome in future.

The Fedora and GNOME Codes of Conduct do not include any specific requirements for minuting evidence and verdicts. Fedora appears to be using an issue tracking system, Pagure, to record correspondence. It has been observed that Red Hat / Fedora management have the ability to modify past conversations in some of these web-based tools. In 2020 they moved their Fedora Council discussions from an email list to a web forum (Discourse) where it is easier for them to modify discussions retrospectively.

In the case of another puppet organization, Debian, victims of the Code of Conduct experiments have shared correspondence from the enforcers where they typically conclude their inquiry, trial, verdict and sentencing in a single email that ends with some comment like this:

We are sending this email privately, leaving its disclosure as your decision (although traces in public databases are unavoidable).

The message is basically a veiled threat: if you do not accept our verdict as the truth, if you complain, then your name will be dragged through the mud like previous cases such as Appelbaum. Under such oppressive conditions, the victim of this verdict may feel apprehensive about exercising their rights and repudiating the abusive verdict.

As the evidence, verdict and sentence are all secret, the enforcers can retrospectively misrepresent the unsafe verdict for any reason whatsoever. In one case, 2018, they made a defamatory and abusive verdict about a volunteer and three years later, 2021, made a public statement retrospectively justifying their decision based on alleged events that could not have transpired until at least a year after the original abusive verdict.

Opportunity for blackmail

The ACM Procedure involves a sufficient number of independent steps and independent actors that it may be difficult for them to collude and conspire to threaten a member with a preordained finding of guilt. Even if this did eventuate, the member could simply resign during the 30 day waiting period before a hearing. The hearing would no longer proceed in this case.

In an open source organization, the organizations are much smaller or not incorporated at all, the conflicts of interest are more common and the waiting periods for a case are non-existant. Volunteers have complained of procedures where they received the accusation, verdict and punishment all in a single email, for example, the erasure of Ahmad Haghighi from Fedora and the multiple demotions of Dr Norbert Preining in Debian.

One software developer, Martin Krafft (madduck, Debian), has gifted us a public summary of his execution on Christmas Day in 2018:

Subject: Re: Censorship in Debian
From: martin f krafft 
Date: Tue, 25 Dec 2018 23:44:38 +0100

Hello project,

It's very sad to read about what's going on.

I know that there's been at least another case, in which DAM and AH
have acted outside their mandate, threatening with project
expulsion, and choosing very selectively with whom they communicate.
I know, because I was being targeted.

Neither DAM nor AH (the same people still active today) made
a single attempt to hear me. None of my e-mails to either DAM or AH
were ever answered.

Instead, DAM ruled a verdict, and influenced other people to the
point that "because DAM ruled" was given as a reason for other
measures. This was an unconstitutional abuse of DAM's powers, and in
the case of AH, the whole mess also bordered on libel. Among others,
the current DPL Chris Lamb promised a review in due time, but
nothing ever happened.

It's not going to be a constructive use of anyone's time to attempt
to establish transparency into issues of the past, and I've
disengaged anyway, as a result.

But we, as a project, need to ensure that there is more transparency
moving forward. And I think it would be wise to review the way that
DAM and AH operate. We need to ensure they stick to protocol, and
are held accountable for the use of their powers.

Thanks for your attention,

 .''`.   martin f. krafft <madduck@d.o> @martinkrafft
: :'  :  not-so-proud Debian developer
`. `'`
  `-  Debian - when you have better things to do than fixing systems

Self-deprecating forced confessions

One related phenomena is the self-deprecating forced confession. Given the imbalance between the volunteers and the ringleaders, the ringleaders can pressure a volunteer to make a public statement admitting their inferiority and swearing obedience to the group.

One of the prominent examples is the written confession of Dr Preining.

Similar practices of self-criticism exist in Scientology.

One key feature of these forced confessions is that we never see them coming from people in authority positions, as in Scientology, these statements are extracted from individual volunteers at lower ranks in the hierarchy.

PsyOps and Cybertorture

Prof Nils Melzer is the United Nations special rapporteur on torture and other cruel, inhumane or degrading treatment or punishment.

In February 2020 Prof Melzer presented a report to the UN human rights council about the risks of cybertorture.

Quoting the article:

An alarming development that Melzer contemplates is “cybertorture”. States, corporate actors and organised criminals, he says, “not only have the capacity to conduct cyber-operations inflicting severe suffering on countless individuals, but may well decide to do so for any of the purposes of torture.

“Cybertechnology can also be used to inflict, or contribute to, severe mental suffering while avoiding the conduit of the physical body, most notably through intimidation, harassment, surveillance, public shaming and defamation, as well as appropriation, deletion or manipulation of information.

“Already harassment in comparatively limited environments can expose targeted individuals to extremely elevated and prolonged levels of anxiety, stress, social isolation and depression, and significantly increases the risk of suicide.

Quoting de Blanc's enforcement of her Code of Conduct against Dr Stallman:

It is time for RMS to step back from the free software, tech ethics, digital rights, and tech communities

In other words, de Blanc proposes that Dr Stallman be completely ostracized. This appears comparable to Prof Melzer's concerns expressed 12 months prior.

In more low level cases, victims report receiving punishments on weekends, birthdays, even at Christmas.

Nobody wants to sound like that guy with the tin foil hat spreading conspiracy theories about these matters. Nonetheless, if the PsyOps risks anticipated by Prof Melzer did exist, they would be concealed in broad daylight under the guise of these unsafe Codes of Conduct.


The overall conclusion is that the cookie-cutter Codes of Conduct in open source software organizations are in no way comparable to the Code of Ethics of a professional organization like the ACM.

Verdicts are being made by taking a series of shortcuts that undermine every step of the ACM Enforcement Procedures. Nonetheless, from the perspective of outsiders, these deficiencies in the verdicts are not obvious.

Specifically, members of the ACM or similar organizations who are simultaneously promoting these alternative Codes of Conduct may be in violation of the ACM Code of Ethics. Consider, for example, the Ethics code s1.2 "Avoid Harm", s1.4 "Be Fair", s1.6 "Respect Privacy" and s1.7 "Honor confidentiality", the Codes of Conduct undermine all these points. s2.6 "Perform work only in areas of competence" suggests that writing your own code of conduct, if you have no training in law and human rights, is unprofessional. Fundamentally, section 4.1 compels ACM members to "Uphold, promote, and respect the principles of the Code". Any member promoting an inferior code of conduct that verges on vigilantism is in violation of s4.1.

Alarmingly, unjust decisions under these inferior codes may increase rather than decrease the risk of hostility and unhealthy behavior in these organizations and the industry at large.

Professionals attempting to enforce a micky-mouse Code of Conduct from an unregistered/unincorporated organization may face legal consequences against their personal assets or criminal consequences in jurisdictions where there are laws concerning defamation and harassment.

We could summarize the difference between an open source Code of Conduct and the ACM Code of Ethics as pre and post-Magna Carta. Before the Magna Carta was created in 1215, the king could imprison the barons on a whim, comparable to an open source Code of Conduct. After the Magna Carta, the relationship between the king and the barons was more balanced, as it is in the ACM Code. Other comparisons have placed Codes of Conduct and their system of shaming people in the context of the Taliban, Chinese thought reform programs, cults and Scientology. Working in the profession we love shouldn't require us to submit to these undignifying and often traumatizing systems of obedience.

Ultimately, trying to impersonate the ACM Code of Ethics with pop-up verdicts stamped with a title that looks similar to the ACM's Code appears to be the very anti-thesis of ethical behavior.