David Heinemeier Hansson

December 2, 2021

Worrying yourself into excess

When we were developing this HEY World system in the beginning of the year, we ended up spending a very considerable amount of time worrying about and discussing all the ways it might be abused. This is the internet after all! Full of savage trolls! Surely we must fortify lest we be overrun?

But the trolls never came. Since we launched HEY World, every single one of the many thousands of posts made here have had a "report abuse" link at the bottom. Not once has it been used to report a posting that actually violated our use restrictions. Not. Once.

All that worry, all that consternation, all those arguments back and forth about policy and protocols, all for nothing.

Furthermore, HEY World is a pretty minimalist system. By design. The individual pages contain just five links: Link to the author, link to the RSS feed, link to HEY itself, and then a link to our use restrictions and a link to reporting abuse. So 2/5 of all the links on the page were reserved to deal with the phantom menace of abuse we worried ourselves into believing would arrive.

That's not proportionate outcome because it was not a proportionate process.

And these links weren't even the worst of it! We also discussed a convoluted regime by which even paying customers would have delayed access to HEY World, because what if a bunch of people would pay us, just to spout hate from these pages in massive numbers? That regime would only unlock access after you cleared certain heuristics of use of the main system.

In addition, we had serious conversations about whether it would even be reasonable to have our normal support process be in charge of these reports. Because what if the reports were filled with the worst the internet might offer. Could be pretty traumatic.

Really.

Now of course there's some degree of hindsight at play here. We would have been glad to have worried about these problems, and have built these defenses, if all the barbarians of the net had showed up.

But was that a reasonable risk, given the fundamentals? That, first of all, the internet is full of places to post nasty stuff, that HEY offered no amplification, and that the feature was already reserved to paying customers only? No, it was not.

It was not because the process was not proportionate. Given the initial risk assessment, we should have gone with a more reasonable path of "it's a problem when it's a problem", given the matter a brief but legitimate consideration, and then moved on. If the barbarians then suddenly did show up at the gates, it would hardly be a big imposition to erect these basic defenses.

For most small- and even medium-sized businesses, the main threat is not the few bad things that eventually happen. It's spending all your attention and energy on the ones that never do.