On Friday in “a FoHo exclusive,” the Fountain Hopper (FoHo) unleashed a full-fledged assault against the queer startup I co-founded, Queer Chart. It disseminated an email to Stanford students titled “FoHo #89: ‘STARTUP GARAGE’ PROJECT ‘QUEER CHART’ EXPOSES DATA ON 200+ STANFORD STUDENTS; TEAM ALLEGEDLY KNEW ABOUT VULNERABILITY, ACCORDING TO TIPSTERS.”
Queer Chart is a community-building social media platform for queer womxn, transgender and gender nonconforming folks. Users on the platform can connect with other queers on campus, find queer events and share pictures and thoughts. Queer Chart began when Maddie Wang ’21 shared her feelings of queer invisibility with me and Jenna Wang ’21 in a Seoul bar. As an international student who was not out to family and friends back home, I resonated with her sentiments. We felt that there was a need for community-building and queer friendship that was not being met by dating apps, and lamented the fact that close to zero LGBTQ+ platforms explicitly welcomed transgender and non-conforming (TGNC) folks. So we decided to do something about it. At the beginning of this quarter, we brought together a team of other queer Stanford students who were equally passionate about queer empowerment. Since then, a team of 10 or so undergraduates have been building the platform from scratch in our dorms. We talked to hundreds of queer folks about their needs and pooled our own money to throw gatherings for queer people, one of which included “The Second Coming” — a party attended by 300 queer womxn and TGNC folks.
When the FoHo approached us, we were in Beta 2.0 with slightly over 200 users on the platform. The FoHo alleged in their “special edition” email that 1) there was a security vulnerability on our platform, 2) we knew about it but did nothing and 3) we couldn’t fix it properly upon notification. This email, however, was filled with exaggerations and false information.
Here’s what actually happened.
On Wednesday, two FoHo reporters entered Maddie’s campus residence, notifying us of a security problem in the backend that we had previously been unaware of. User data — specifically profile information, which was already displayed to all users on the platform, as well as emails, anonymous user nicknames and dates of birth — were viewable through a request to server called ‘getEveryone.’ ‘getEveryone’ was only accessible to already existing users. There were only two ways to become a user. First, they could use a non-unique link sent to 200 people who received an email invite to the platform because they RSVP’d to “The Second Coming.” Second, they could sign up independently with a legitimate Stanford email.
Furthermore, within five hours of being notified of the vulnerability by the FoHo, we protected all private data and shut down the website for maintenance. We notified all of our users about this vulnerability and apologized through email. The email also listed the steps we are taking to protect user data, such as getting the site reviewed by security experts. As members of the queer community ourselves, we understand how important privacy is to our users. We made a mistake, and we are sincerely sorry for causing distress to our users. We also thanked the FoHo reporters in person for bringing our attention to this issue. We were hopeful that we could learn and improve from this.
That was Wednesday. On Friday, we were completely surprised by what the FoHo eventually published. Here’s how the FoHo, in turn, distorted the facts above to achieve its sensationalist narrative.
- FoHo claimed that “anyone in the world” could access members’ data because anyone could come across the invite link and become a user. Technically speaking, this is not untrue; realistically, though, this is a gross exaggeration. The invite link was emailed to individuals who signed up for a queer party promoted through primarily queer Stanford email lists. For any external exposure, a Stanford student (likely queer themselves) would have needed to deliberately share the link with a malicious outside user.
- FoHo wrote that “Queer Chart Tries to Take Service Down for Maintenance, Accidentally Leaves Data Exposed.” This is untrue. We successfully protected user data within five hours of being notified of security vulnerabilities. The website was shut down and the functionality of ‘getEveryone’ itself was changed so that only information intended to be publicly accessible to other users was displayed. Sensitive information (date of birth, anonymity identifiers and email) was no longer accessible. While FoHo reporters could still access ‘getEveryone’ because they had an existing account, it no longer contained private information. The FoHo erroneously implied in its email that accessibility to ‘getEveryone’ meant private data was still exposed.
- FoHo prominently featured the tipster’s allegation that we were aware of this vulnerability, implying that we were not only incompetent but also malicious. This allegation is blatantly false, and strikes us personally as the most disheartening. When they first told us about the vulnerability, Maddie promptly performed a five-minute fix on the spot which covered up most of the private information. Is this what FoHo meant when they wrote, “in a tense, multi-hour meeting, FoHo reporters worked with the team behind Queer Chart to take down the website for a full system redesign”? If, as the allegation goes, we had really known about the issue all along, we would have simply fixed it. FoHo reporters saw for themselves that the bug was easily fixable and we had the skills to do it. Plus, we had spent all of October pleading with our beta users to report bugs and give us feedback; this was obvious in our various publicity emails. The allegation that we, members of the queer community, deliberately overlooked issues that concerned the privacy of our users, a lot of whom are our good friends, is deeply upsetting.
There is a point to be made about FoHo’s questionable journalistic ethics. Even setting aside their misleading statements, the FoHo came looking for Maddie in her private residence without prior warning. In addition, shortly before publication, the FoHo editor-in-chief sent Maddie a long list of questions via text message with a deadline of 40 minutes later. (While Maddie did text back within the timeframe, she didn’t have access to her laptop, panicked and failed to explain to them the full context — that the vulnerability through the endpoint getEveryone was actually fixed despite the endpoint being technically accessible.) Most egregiously, during our interaction with the FoHo, they did not let us know that they would be naming the co-founders, including myself — I was still not out in certain circles — and Haart, whom they never interviewed. They also did not tell us that they were writing a special edition on Queer Chart, as opposed to including the story in a regular newsletter.
This is not surprising given the FoHo’s troubled history when it comes to practicing ethical journalism. In 2017, The Daily’s Editorial Board called FoHo unaccountable and dissected the various problems associated with a press that publishes sensationalist claims under a hood of anonymity, including not providing right of response through printed corrections and omitting facts to paint their desired narrative. In 2018, key facts were omitted from the FoHo’s coverage in which it alleged that law professor John Donohue used racial slurs. No eyewitnesses were named except for Donohue, who was not even given until the end of the work day to respond before the allegations were published. Andrew Lee ’21 argued in a May Daily op-ed that the FoHo published an article falsely accusing him of being a “conservative pawn” who the FoHo claimed was a “member of a[n] undercover conservative super-PAC.” In April, the FoHo apologized to Kimiko Hirota ’20 after not giving her the opportunity to respond to all allegations made against her and for the impact of their reporting on her.
When the FoHo stormed into Maddie’s residence, it seemed like they believed they were on the verge of exposing the misdeeds of an evil corporate entity hoping to capitalize on its users’ private data. In the email, the FoHo has repeatedly self-aggrandized to paint itself as a heroic detective investigating the Silicon Valley establishment. For instance, the FoHo claimed that Queer Chart is “currently under development through the Graduate School of Business class ‘Startup Garage,’” and blasted it as a “STARTUP GARAGE PROJECT” in the subject line of its email. But only one team member, Miriam Haart ’22, is enrolled in Startup Garage this quarter. When, during week 7, her project partner confirmed that they would not be showing up to class anymore, Haart asked the instructors if she could change her project to Queer Chart, which we had already independently been working on, and if members of the Queer Chart team could audit the class. So far this quarter, I have been to class a total of three times. When FoHo editors sat down with us and asked if we were involved with any startup classes, we explained this context very clearly. But no matter. The FoHo cut out all these nuances to write a dramatic, clickbait title that pretended to present a grand exposé of Stanford’s cozy relationship with socially irresponsible startups.
The decontextualized first three words of the email are just the precursor to an avalanche of misconstrued facts which FoHo conveniently spun to fit a pre-planned story arc — a narrative that required scapegoating us as a paradigmatic case of unethical and irresponsible tech.
When the FoHo met with us, they were unaware that Queer Chart was at beta, conveniently neglecting the glaring “beta” sign on our front page and all the emails we sent to users in which we were very explicit that we were still testing the product. Once we explained our beta status, they accused us of using it as an excuse. But the fact that we are beta matters a great deal. Beta versions of products are known to contain bugs as well as functionality and usability issues. Indeed, this is precisely why a developer does beta testing — to fix them with the users’ help. When users willingly sign up for a product that is in beta, there are different expectations than those for an established product.
It is naive for FoHo to think that they could capture Silicon Valley’s sins by harassing a fledgling queer startup. We don’t generate revenue and don’t collect data to sell to third parties. We are a group of queer, lesbian, bisexual, asexual and gender nonbinary Stanford students who built the platform because we cared about bringing the queer community together.
The FoHo ended the email it sent on Friday by declaring that “we can’t in good faith advise readers to sign up [to Queer Chart], given the team’s repeated failures to secure the privacy of the app’s user base.” Setting aside the fact that this was a flagrant lie — we fixed everything after we found out — the FoHo should have known that at our stage, defamation in the form of a special edition disseminated with our personal names was akin to sentencing the project to death. The FoHo’s unabashed willingness to use unethical journalistic practices against us shows that the FoHo never cared about whether we survived or became a better platform for queer users. And given the niche problem Queer Chart was solving, it is doubtful the FoHo cared about the issues we hoped to address in the queer community to begin with. There is a difference between investigative journalism and a sensationalist scandal sheet, and once again, FoHo has crossed the line.
— Sunwoo Lee ’20, Queer Chart co-founder
This op-ed has been corrected to reflect that no eyewitnesses were named except for Donohue, not that no eyewitnesses were contacted except for Donohue, in a FoHo report.