Hacker Newsnew | past | comments | ask | show | jobs | submit | SigmaEpsilonChi's commentslogin

You nailed it.


If nobody reads the data it is not a breach.


So the junior engineer who couldn't secure an endpoint implemented thorough request logging and auditing? Impressive.


Hello! This is Chris from Hack Club staff (the one cited in the post)

I addressed the post itself in another comment (https://news.ycombinator.com/reply?id=45921428&), so I'll skip that part.

I would really like to know more about these incidents at HC events. We have a lot of very complex tradeoffs within hack club involving security/privacy/safety for exactly the reasons you identified (i.e., giving teenagers a very high level of agency/responsibility in running programs). However, staff try to be extremely conscious of these tradeoffs and highly attentive to the realistic risk vectors that come about in our operations.

No teenager will ever (ever!) have anything 'taken out' on them by myself or anyone else that works here. Any time things go wrong or almost go wrong, we just want to know so we can manage that risk in the future. If you are willing to share, please reach out at cwalker@hackclub.com


The incident has already been discussed with organizers at the time.


Hello, Chris here!

Nobody—certainly not any adult staff—at Hack Club relied on ChatGPT for legal advice. Nor do we employ teenagers to answer legal questions, we have actual legal counsel for that! Or in my personal case I ask my wife, who is a law professor, and then she asks ChatGPT (just kidding).

There is too much nonsense in this post to rebut line by line, and these conversations have all been had to death within Hack Club (we put a lot of time into transparently and publicly discussing our programs, problems, and decisions). Here's the short version of this saga:

- The author found a serious vuln in one of our programs introduced by a junior engineer

- We take vulns seriously—especially the serious ones! It was fixed immediately by a senior engineer upon report (within a day?)

- The author insisted that their test of the vuln to access their own address was a data breach, therefore obligating us to notify all 5,000 participants of this "breach" as per GDPR

- We judged this to be prima facie incorrect. A lawyer has since confirmed this judgment.

- It is, in fact, bad practice to notify users for every vulnerability. If this were the norm, you would be inundated with notices from practically every software product you interact with. Almost all of these notices would be virtually non-actionable by the user, and they would wash out the few notices of breaches which are actionable. There is a good reason why the GDPR does not demand notice for vulns; mass notices are reserved for incidents where there is a known exfiltration of a meaningful amount of user data!

- The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.

- They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.

Hack Club is an oddly-shaped organization with operations that often raise very real security concerns, but these are wrapped up in a complex web of tradeoffs that are very much still evolving as we refine and expand our core infrastructure. We are not Google, and it is a mistake to import reasoning from that kind of environment when analyzing our security/threat model. Nonetheless, privacy/security is something we think about and invest extensively in. In the past year we have started an organization-wide bounty system, moved all PII storage into a central "identity vault", and consulted extensively with a very fancy lawyer who specializes in corporate compliance with the growing raft of online privacy laws around the world. The good news is, according to that lawyer we already do almost everything we need to be compliant; we just need to publish a privacy policy! We are actively iterating on a mostly-finished draft of this document with our counsel, but it is taking time because, well, this stuff is very complicated. We serve or have served teenagers in almost every country, and GDPR is just the most prominent of many laws that are now on the books worldwide.


So was kids' data exposed or no?


Not exposed, but hackclub's security practices always seem to make it easy to access if you want to.


The short answer is no.


It most certainly was. You have someone outside your organization who accessed the data, and you know about it. Here's what you just wrote about the person who accessed this endpoint:

> - The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.

> — They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.

Someone who has been acting maliciously against your organization accessed that data. And you think it's fine? They're a teenager. An angry teenager, who is acting out. You honestly believe you can trust they didn't distribute this data or tell anyone else about the problem before you found out about it?

When I was a teenager, someone in my year level gained access to a lot of personal data about a bunch of people in our year level. This was a smart individual who at least somewhat understood the gravity of the situation. But they were also a kid, of course they distributed some of the data — bragging rights and what not.

What about the section titled "the surveillance infrastructure (orpheus engine)" where the teenager claims children's data was intentionally being sent out to third parties, specifically to profile kids? What's that all about?

Look, no-one read this article and thought "Wow, this is a well-written article by a super mature, well-adjusted individual. I'm taking this as gospel." The article is clearly written by an angry teenager. I feel far more invested in this now that I've seen your responses. The way you're handling this, and yourself, is just downright absurd. Stop.


By the way, orpheus engine is available publicly at https://github.com/hackclub/orpheus-engine.


I never said anything was fine. I said it was a serious vuln, and we took it seriously.

We patched the vulnerability, quickly. We addressed it with the engineer and made clear that this is no joke. We have extensive refactoring happening within our infrastructure to move to a model where this information is handled as much as possible through secure, audited, centralized systems. Is there something else we should be doing?

The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability. The two lawyers we have consulted on this have both said no. One of them specifically specializes in privacy compliance. It's not a complicated legal question, the answer is just no.


Look. This isn't on the front page of HN anymore. So I'm mostly writing this to you. You've work to do on your communication. This style of communication probably works just fine with teenagers, but it's not going to hold up to scrutiny with adults.

> The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability.

You are just not going to be able to control the narrative like this. Trying to tell someone else what the "crux of the issue is" will not allow you to shift the goal posts. The article described a pattern of issues, and in my previous comment I specifically raised one. No determined individual is going to just leave that thread dangling for you.

> Is there something else we should be doing?

Yes. Obviously. That's the point.

> The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability. The two lawyers we have consulted on this have both said no. One of them specifically specializes in privacy compliance.

It's not a great look for the leader of a children's organization to so blatantly flout that they lack a moral compass. You're currently interacting with the public, not the legal system. Sure, whether or not you're legally required to inform your kids is relevant. However, the law is quite literally the bare minimum of what you're obligated to do.

No-one's reading this thinking, "Oh great, they've done the bare minimum legally required of them." They're thinking, "Wait. Companies notify people of breaches all the time. You apologise, and explain what you're doing to rectify the situation. What have they got to hide? Are they worried they'll get an influx of outrage because this lack of care was something people in the community were already concerned about?" With the context given from the odd parent in this thread, it certainly comes across as the latter.

> It's not a complicated legal question, the answer is just no.

This detracts so much credibility from your communication. There is no lawyer on Earth that will describe this as "not a complicated legal question". No adult that's ever had any communication with a lawyer is going to believe this for a second. Lawyers are notorious for their non-committal attitude toward providing legal advice. Nothing is black and white — it's all grey. So this comes across as:

a. You've never interacted with a lawyer in your life. Or, b. You're telling porkies, or at the very least, are way too flippant with hyperbole.


> You've work to do on your communication. This style of communication probably works just fine with teenagers, but it's not going to hold up to scrutiny with adults.

> …

> It's not a great look for the leader of a children's organization to so blatantly flout that they lack a moral compass.

I'm not the leader of anything, that would be Zach Latta. He's a much better diplomat than I am, but I am doing my honest best to speak plainly and matter-of-factly to you about a complex situation that frankly requires a lot more context to properly understand than I think is possible to acquire from the information you have.

I'm also not trying to absolve our organization of all sins. We mess up all the time. We are working on many fronts to learn from these experiences and make imperfect systems a little better every day. We make mistakes, we apologize, we do our best to make amends, then we move on to the next mistake. It is the nature of doing new, hard things with real stakes.

> You're currently interacting with the public, not the legal system. Sure, whether or not you're legally required to inform your kids is relevant. However, the law is quite literally the bare minimum of what you're obligated to do.
>
> No-ones reading this thinking. "Oh great, they've done the bare minimum legally required of them." They're thinking, "Wait. Companies notify people of breaches all the time.

This is addressed in the top comment I left. Notifying 5k people about a patched vuln is not "more than the minimum", it's legitimately bad practice. That is not my opinion, it is industry standard practice! Absent any reason to believe there has been a data breach, absent any sort of actionable information, we are not going to send an email to thousands of people.

I call the GDPR thing the crux of the question because probably 80% of the thousands of Slack messages sent on this topic, a solid majority of them were about that question. That was the impasse. Staff considered the issue and concluded that from a moral, legal, and industry standard practice perspective, notifying every user was not the correct decision. Nothing was being hidden, that team logged and discussed the vulnerability publicly within the community from the start. They fixed, disclosed, discussed, learned, and moved on.

> This detracts so much credibility from your communication. There is no lawyer on Earth that will describe this as "not a complicated legal question". No adult that's ever had any communication with a lawyer is going to believe this for a second. Lawyers are notorious for their non-committal attitude toward providing legal advice. Nothing is black and white — it's all grey. So this comes across as:
>
> a. You've never interacted with a lawyer in your life. Or, b. You're telling porkies, or at the very least, are way too flippant with hyperbole.

I am married to a law professor for whom I lived through 3 years at Yale Law and 3 years of PhD/fellowship, I have about as much exposure to law as you can get without it actually being your job. I assure you, uncomplicated legal questions exist.


Glad to see you here, actually interacting. I've made this clear on the slack, and truthfully I'm disappointed in the fact that it took so long and external involvement from a parent on HN to get a response.

Another example: there was a relatively civil debate about a new hackathon y'all are putting out, funded by.... AMD, and the US government's fund to "teach AI literacy" or whatever the fuck that means. Due to this, _you region-locked an entire Hack Club event_. This is the kind of stunt Nintendo would pull, but an organization that thrives itself in "everyone is welcome".

When confronted, y'all decided to..... shut down any internal discussion, and avoid the thread at all costs, directly going against your other claims of "radical transparency" and "openness to feedback".

What long game are you playing here? The game of "make Hack Club suck for 5 years, and lose our motives, morals, and the trust of our community, for an extra few bucks on the 6th"?

It's complicated to handle the law. It's why lawyers cost, per your quote, $500 an hour. But it's not complicated to listen to people and genuinely try to turn back from the wrong turn you took somewhere during Juice.

The only reason we got an update from you in the first place is the opposite of what it should have been. Send this to Christina as well: https://mondaynote.com/united-broken-culture-6b35267c8a10

About the vuln, Ella is exaggerating and has very minimal basis if at all. She did some pentesting, vuln got patched, problem solved. Does HQ need to be more responsible here? Yes. Should critical infrastructure be written by AI? Absolutely not! But does Ella have the basis to start claiming legal superiority over here? Also no.

But, now that you absolutely insist you need to keep my passport indefinitely in order to ship me a sticker that says "summer of making" on it, I expect you to be a little more responsible in:

- Who you give access to
- How you give said access
- How long you give it for
- How strict you are about conduct when person is in possession of said access.

TL;DR: Ella's point sucks. Hack Club data handling, also sucks. Hack Club PR? Might be worse.


lies <- a hack clubber


What data was exposed, and to whom? Single records accessed by a white hat to test a vulnerability do not count.


As a longtime member of hackclub, I can confirm that while OP may have been banned, most of her points are completely valid and I can find most of the original sources for them. Point-by-point:

> - We take vulns seriously—especially the serious ones! It was fixed immediately by a senior engineer upon report (within a day?)

What? From the many, many #meta posts and other sources I cannot back this up.

> - The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.

OP did say some bad stuff, but it wasn't a spree and was an isolated incident. I don't agree with her actions, but I see where she was coming from: she didn't feel heard and just wanted to get back at people she saw as having wronged her. She definitely shouldn't have done what she did but it was an isolated incident or two.

> — They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.

You'll note that in the article that isn't what she portrays herself as and she explicitly bookends the article with paragraphs of text praising the mission and all of the good hackclub has done. Which is it, is she rightfully praising the organization but rightfully getting angry about it or is she wrongfully praising the organization and wrongfully getting angry?

> Nonetheless, privacy/security is something we think about and invest extensively in.

Based on HQ's HCB, #meta, posts in #hq, and more this is not true in the slightest.

> In the past year we have started an organization-wide bounty system, moved all PII storage into a central "identity vault"

Bounties were addressed in the article and last thing I heard PII is still massively distributed. If that isn't the case anymore, please actually make a post about it so the community is aware?

> consulted extensively with a very fancy lawyer who specializes in corporate compliance with the growing raft of online privacy laws around the world

That's good but again, make an announcement in hackclub?

> The good news is, according to that lawyer we already do almost everything we need to be compliant; we just need to publish a privacy policy!

The fuck?? No?? If this has happened in the last year, how angry has your lawyer been about the numerous vulnerabilities that were pushed, not notified, underpaid bounties, and more? Oh, and don't forget you TAKING DOWN THE GDPR EMAIL AND NOT DELETING DATA??

> We are actively iterating on a mostly-finished draft of this document with our counsel, but it is taking time because, well, this stuff is very complicated.

I can definitely understand that. I really love hackclub and think the mission is amazing but at the moment I don't feel safe with my data in its hands.


If possible, could you link any of those posts, or post them through Prox2 in Slack? I'd be interested in reading it, because that's not the vibe I've gotten.

> OP did say some bad stuff, but it wasn't a spree and was an isolated incident. I don't agree with her actions, but I see where she was coming from: she didn't feel heard and just wanted to get back at people she saw as having wronged her. She definitely shouldn't have done what she did but it was an isolated incident or two.

If I remember correctly, she admitted that her ban was justified. But also, she didn't just do "some bad stuff", she did a lot of it - there's even a recent #meta thread referencing this exact post.

> You'll note that in the article that isn't what she portrays herself as and she explicitly bookends the article with paragraphs of text praising the mission and all of the good hackclub has done. Which is it, is she rightfully praising the organization but rightfully getting angry about it or is she wrongfully praising the organization and wrongfully getting angry?

Nuance does exist.

> That's good but again, make an announcement in hackclub?

Zach did.

> The fuck?? No?? if this has happened in the last year, how angry has your lawyer about the numerous vulnerabilities that were pushed, not notified, underpaid bounties, and more? Oh, and don't forget you TAKING DOWN THE GDPR EMAIL AND NOT DELETING DATA??

I'm more inclined to trust Chris than an anon account that straight up denies that internal conversations happened. You also seem to be regurgitating posts from earlier without seeing Chris's context.


> If I remember correctly, she admitted that her ban was justified. But also, she didn't just do "some bad stuff", she did a lot of it - there's even a recent #meta thread referencing this exact post.

I think I've read through the #meta post you're referencing and commented in it and yeah, but it still wasn't a spree. It was not a lot of it? Cite your sources as well.

> > That's good but again, make an announcement in hackclub?
>
> Zach did.

Where?

> I'm more inclined to trust Chris than an anon account that straight up denies that internal conversations happened. You also seem to be regurgitating posts from earlier without seeing Chris's context.

Well yeah, I'm on a throwaway as I don't want to be deanon'd. If you really want to talk, contact https://hackclub.slack.com/team/U09Q734PGUU, it's an alt I have. Where did I deny internal conversations as well? And wdym regurgitating posts without Chris' context? I literally broke his reply down point-by-point?


It would have been stupid if that's what actually happened :)

I am the Chris cited in the piece. We have actual legal counsel that we go to for legal advice! However, that's not what was being sought here. In this conversation, the question on the table was "What is a data breach?" according to common convention (setting aside the more technical question of what it means specifically in the context of GDPR). The author contended that a single address record—her own record, IIRC—retrieved as a test of an unsecured endpoint counts as a data breach, and therefore that we are legally obligated under GDPR to email all 5,000 participants about it. My contention was/is that a data breach implies exfiltration of a meaningful amount of data. This was a vulnerability, which we patched within about a day, but we had no reason to believe there was a breach by any definition. I pointed to a few sources to demonstrate the consensus definition of "data breach", and one of them was Gemini (or "Omniscient Robot God", as I called it in the conversation).

There are real issues touched on in this post, but the author is not a reliable narrator and they are flattening a very complex issue into a narrative that centers themself as the hero. In reality, this user was banned from our community for a long string of conduct violations, culminating in repeated incidents of saying horribly abusive things to other teenagers. They have been pursuing a grudge against the organization ever since.


Oh hey, that's my game! I am so pleased you are enjoying it. This is a remake of a game I first published way back in 2014. This version was built by a team of 22 high-schoolers from around the world, recruited through Hack Club (https://hackclub.com), where I have worked since 2018.

For anyone who just wants a sense of what the game is like without the fuss of playing it, here is the launch trailer: https://www.youtube.com/watch?v=35nDYoIwiA8


Thanks for creating it. I love maths, and this was very pleasing to play. Have you published any other projects similar to this one? I mean, the ones that would be relevant for non-schoolers as well?


It doesn't seem to work, though, no matter how many times I click on 'click here' or in what browser.


Thanks for your great work! I like the drawing and music very much!


Hey, congratulations! Such a great concept, so much fun!


Thank you!! I recommend taking a look at the later levels, it goes beyond a middle-school level of complexity! I have seen everyone from graduate students to tenured math professors to Grant Sanderson get stumped by late-game SineRider. It doesn't really fit neatly into any specific age group or "grade level"

The map should zoom with scroll, is that not working?


Perhaps it's something to do with my touchpad scrolling that makes it not work


We'll let you know how we like Mattermost once we've had a chance to actually use it :')


The issue isn't really with being moved to a higher tier of billing. Slack doesn't owe us their service for cheap forever. The problem is that we signed a contract with them earlier this year for our current rate, then suddenly today we were told that we have to pay $50k immediately or all of our 11 years of data will be deleted. That's an absurd demand. It's a shakedown.


You need to send them a legal notice asserting that. At minimum it will get you another month or two to plan your exit.


Requiring a legal notice at any point should disqualify a chat software immediately. Good on them to make the move and other users of Slack should be wary.

Perhaps there is more to the story, but my surprise about the business culture of Salesforce isn't too pronounced, to be honest. Had to happen at some point, in my opinion.


I work for this foundation, I can guarantee that nothing has changed about our status or Slack's policies. We qualified before and we qualify today, which is why earlier this year when Slack took us off their free plan the rate they negotiated with us was so low. Slack was extremely reasonable during that process and we have no complaints about them.

The thing that changed is that we aren't dealing with Slack anymore, all of a sudden we're dealing with Salesforce. I can only assume they are shaking the money tree at all levels of the organization since their recent disappointing earnings report (I guess they've had a lot of those lately).

I appreciate the nuanced perspective you're bringing here but it really is as scummy as it's written in the post. They are asking us to pay $50k in the next 5 days, just for the privilege of not having our 11 years of history deleted. They don't owe us continued access to their platform on the cheap, but to demand this much money on that kind of time frame? I don't know what to call that other than extortion.


OK sure, but if you "qualified before and ... qualify today", then you have a contract that they're in breach of. Or something. I don't know. That's the point. It just seems like this post is missing some key details that would help readers to see the whole picture. I can at-once believe that they are acting in a scummy way but also that there is more information about their reasoning that would help readers to understand the whole scenario.


Unless there is something going on behind the scenes, like an astroturfing signal, this seems like a pretty weak justification for the heavy-handed moderation actions taken. It seems at face value like you might have killed an organic front page post attempted by a teenager trying to raise awareness and save his very cool grassroots distributed hackathon charity from an awful lot of unnecessary pain... because there "must be more to the story". I haven't ever seen anything like this on HN.


OK, message received, I've turned off the downweights and we'll keep it on the front page.

The intention wasn't to "kill" the story, but to try and get more details so it would address the questions that came up for me and that I assumed would come up for other readers (which indeed they have [1]). My words "must be more to the story" weren't intended to suggest Salesforce are likely to be in the right, but just that it would be helpful to know. I.e., does this affect all nonprofits/educational organizations? Is this change just targeted at this org? If so why? But I didn't know it was written by a student/teenager, who may not be on top of those details. And given it's late at night and there's such a short timeline for cutoff, we're happy to let the story stay on the front page now.

[1] https://news.ycombinator.com/item?id=45284260

