A follow-on to my "Nazi Sucker-punch Problem" post, to address the most common argument I get, which boils down to:
"""
Moderated registration won't stop Nazis, because they'll just pretend to be human to fool moderators, but it will stop normal people, who won't spend the effort to answer the application question or want to wait for approval.
"""
Okay, I'm going to try to use points that I hope are pretty acceptable to anyone arguing in good faith, and I'm going to expand the definition of Nazis to "attackers" and lump in bigots, trolls, scammers, spammers, etc. who use similar tactics.
Attackers: we can group attackers into two main types: dedicated and opportunistic. Dedicated attackers have a target picked and a personal motive—they hunt. Opportunistic attackers have an inclination and will attack if a target presents itself—they're scavengers. In my years of experience as an admin on multiple Fedi servers, most attackers are opportunistic.
Victims: when someone is attacked, they (and people like them) will be less likely to return to the place they were attacked.
In general: without a motive to expend more effort, humans will typically make decisions that offer the best perceived effort-to-reward ratio in the short-term (the same is true of risk-to-reward).
Why does any of this matter?
Because it all comes down to a fairly simple equation for the attackers: effort > reward. If this is true, then the opportunistic attackers will go elsewhere. If it isn't true, then their victims will go elsewhere.
How can we tip that scale out of the attackers' favor?
By making sure moderation efforts scale faster against attackers' behaviors than against normal users' behaviors.
- A normal user only has to register once, while an attacker has to re-register every time they get suspended.
- A normal user proves their normality with each action they take, while every action an attacker takes risks exposing them to moderation.
- A new user / attacker likely spends a minute or two signing up, while a moderator can review most applications in a matter of seconds. Yes, attackers can automate signups to reduce that effort (and some do, and we have tools to address some of that, but again, most attackers aren't dedicated).
- Reviewing an application is lower effort than trying to fix the damage from an attack. As someone who gets targeted regularly by attackers from open-registration servers, I'd personally rather skim and reject a page-long AI-generated application, than spend another therapy session exploring the trauma of being sent execution videos.
I believe this points to moderated registration being the lowest effort remedy for the problem of the Nazi Sucker-punch. So before we "engineer a new solution" that doesn't yet exist, we should exhaust the tools that are already available on the platform today. Yes, we could implement rate limits, or shadow bans, or trust networks, or quarantine servers, but we don't have those today, and even if we did, there's no evidence that those would be a better solution for Fedi than moderated signups.
Will it stop *all* the attackers? No. But it will stop most opportunistic attackers.
Will it deter *some* potential new users? Yes. But communities are defined by who stays, not by how many come through the door.
🅰🅻🅸🅲🅴 (🌈🦄) (@alice@lgbtqia.space)
Why reactive moderation isn't going to cut it, aka, "The Sucker-punch Problem". Imagine you invite your friend—let's call him Mark—to a club with you. It's open-door, which is cool, because you like when a lot of folx show up. Sure, it might get a little rowdy, but they have a bouncer, and you've never seen things getting out of hand. So, you're busy dancing when a new guy walks in wearing a "I Hate Mark" shirt and promptly sucker-punches Mark. You didn't see it happen, but Mark is upset and tells the bouncer, who kicks the guy out. A few minutes later, the same guy walks back in and sucker-punches Mark again. Same result. Some people in the club say they'll tell the bouncer if they see him come in again. Mark wants to leave, but you tell him it's not that bad—after all, you've never been punched, and you didn't see Mark get punched, so maybe he's just being sensitive. A different guy walks in wearing a "I Plan On Punching Mark" shirt. No one tells the bouncer, because they've never seen *this* guy punch Mark. He sucker-punches Mark. At this point, Mark is pissed and yelling about being punched. The club members talk about putting up a "No Punching Mark" sign, but the owner is worried it'll hurt his club's growth. Another Mark in the club proposes they turn away anyone wearing an anti-Mark shirt or espousing anti-Mark rhetoric at the door, but this gets shot down for the same reason as the sign idea—then someone sucker-punches him. By the end of the night, your friend Mark is beat to fuck and says he'll never come to this club again. In fact, he's going to tell anyone named Mark to stay clear of this place. The next time you go to the club, half the folx there are wearing "I Kill Marks" shirts, but there aren't any Marks there, so it doesn't come up. I've been sucker-punched every day, for the last three days in a row by some of the most vile hate-speech and imagery. 
The accounts are using open registration servers and signing up with variations on the username "heilhitler1488". I fully expect it'll continue as long as we have open registration servers. And no, username pattern blocking alone won't fix this, it'll help a little, but mostly it'll just make them wear a different shirt while they sucker-punch us. #OpenRegistrationHurts
LGBTQIA.Space (lgbtqia.space)
@alice an excellent analysis
I'd add one addendum for those in the audience who want a low effort policy that's more aggressive
There is another option much more heavy-handed -- toward "innocent" and "guilty" alike. One common to servers including mine:
By referral, after referrer has been registered X months
The number who accidentally invite someone who doesn't share culture and values of the place is very low
And if fedi shows anything imo, it's that this scales better than many think
-
@jhwgh1968 @alice This sort of sounds like that "web of trust" thing I heard about years ago
-
@geolaw It's what torrent sites have been doing for decades with good results
-
@kimlockhartga I've been tempted to start collecting the attacks I get and publishing them (with content warnings!) because a thing I hear over and over is:
"Really? I never see stuff like that here."
And these (mostly) white (mostly) guys were saying the same thing when #BlackMastodon talks about #Racism.
Or when #FemmeFedi talks about #Sexism.
It's like, dude, you don't see it because you're not the target.

@alice Although you shouldn't have to publish such attacks—and for that matter you shouldn't have to receive them—I think that if you do choose to publish some of them, that might indeed be a helpful service.
-
@jhwgh1968 @alice i wouldn't likely be here if referrals were in place - the number of people I know on fedi that I knew before joining is tiny, and the number of them that I'd have offline conversations with about social media is zero.
Which, fine, I recognize my presence isn't crucial to the success of fedi but still I don't like the idea of a policy that would have kept me locked out.
-
@dragonfrog indeed, which is why I phrased it the way I did: "for those in the audience who want a low effort policy that's more aggressive"
I personally think that we need a diversity of admin opinion as to what level and type of litmus test is acceptable, in order to create communities for different types of users with different threat models
If there's any flaw, it's that instance migration to a new home is too difficult. Hopefully that will be worked on
-
@jhwgh1968 @alice I can't speak for how it is now cause I closed my accounts a few years ago, but on most of my posts on Facebook and Twitter I'd get some conversation. When I mentioned Mastodon to try to get people to move over, crickets.
I'm pretty sure those platforms were just never showing people those posts. Requiring referrals risks letting Facebook et al decide who gets to join fedi.
-
@dragonfrog I would also add as an optimistic take, don't be so sure you "wouldn't be here"
When I wanted to join fedi, I asked a "veteran" friend if I could join their instance. They were not accepting new members, but asked their network and found someone who got me an invite link to where I landed. To this day, I don't know who actually invited me
As another reply put it, it's more the Web of Trust model. Which requires adjustment, but I think scales better than many think
-
@jhwgh1968 @alice that's true it's a sound approach for individual servers to take. If half the servers here used referral and half used moderated application, I'd be here, just on a server that used moderated application. And no shade on the servers using referrals or the folks who'd be on those servers instead.
-
This might be perhaps not the best time to ask, but what would be some neat instances to set up shop at that are not the big two open instances?
-
@zanagb well, I happen to know the admins of LGBTQIA.space and infosec.exchange, both of which are cool instances

-
@zanagb @alice I’m over here on wandering shop bc it was started by a friend of mine. The overall vibe is meant to be something like “coffee shop lined with bookshelves full of sci-fi and fantasy,” as there are many genre writers and readers present on the server.
Registration requires that someone on the server share the monthly invite code with you.
-
@maco I'll take note of that! It's good to know though!
-
@alice One of those "yeah one possible answer is literally in front of you" moments isn't it? hahaha.
Noted. Account migration is certainly one of these things that seem incredibly cumbersome so we'll work towards that in the near future