After a brief chat about the latest shenanigans, I publicly replied to the CEO:

Here's a link to the full exchange

There was no reply forthcoming - although, as you can see, my message gathered a fair few positive reactions. As was inevitable, the next morning I found myself locked out of the Slack. I had been permabanned.

Then things got weird.

Someone claiming to be an employee of Automattic sent me a message saying that Matt had personally told people to ban me. I didn't know if they were telling the truth, but the GDPR gives me the right to see the data a company holds about me. That includes messages about me stored on their internal systems.

The WordPress.org Privacy Policy gave me an email address for their Data Protection Officer (DPO). So I sent a friendly(ish) message. After a little back-and-forth to clarify which data I wanted, I received this truly bizarre reply.

We are in receipt of your request, which you claim is justified by GDPR. Accordingly, we are processing your request pursuant to section 15(3) of GDPR, which requires us to provide personal information about the person that we are processing. You refer to messages sent about you on internal systems. To the extent those are outside the scope of GDPR, they are not covered by your request.

This betrays a fundamental misunderstanding of GDPR. There is not, as far as I know, an exemption for records held on internal systems. There are a list of GDPR exemptions - but they mostly relate to things like the detection of crime, academic and journalistic exemptions, health and social work data, etc.

Of course, there is an exemption for the purposes of self-incrimination. Perhaps that's what they're relying upon?

I replied with a (not so-friendly) email pointing out that I was entitled to a copy of any messages because they contain my personal data. I also pointed out that my request was neither manifestly unfounded nor manifestly excessive (another common get-out clause).

A week later, they replied:

I’ve followed up looking for any related records, and can confirm no records which use your likeness exist, other than the following: edent was deactivated by <<REDACTEDUSER>> No records exist where this was discussed beforehand.

I take this to mean that either Matt personally swung the ban-hammer, without discussing it with anyone else, or that a flunky wanted to protect their master's ego and took unilateral action.

They only provided me with messages from Slack that I had sent. They didn't provide any of the messages that mentioned me.

I pushed for further clarification - but their answer baffled me:

The Slack instance you are asking about is a communication tool used by the WordPress volunteer community to coordinate on the project to build and maintain the open source WordPress software. There is no business or data controller that owns or manages this Slack. If one or more of the volunteers had a private discussion about you in this Slack you would need to direct your request to those individuals and they would need to decide themselves how to handle your request.

(Emphasis added.)

This, to me, implies that they are not following Slack's term's and conditions which explicitly say the owner of the Slack has to comply with data requests.

As between [Slack] and the customer, you agree that it is solely the customer’s responsibility to […] respond to and resolve any dispute with you and any authorised user relating to or based on customer data

Is this Slack really owned by volunteers? According to https://wordpress.slack.com/account/workspace-settings#admins - the primary owner is WordPress.org itself. Although there are several other users listed as owners, including Matt himself.

I specifically asked WordPress.org for details of their GDPR registration. Their reply is hilarious:

WordPress.org is privately owned by a person, not by a registered or covered entity.

While the email address says “Data Protection Officer” this is merely to make it easy for Europeans to find and contact the privacy volunteers who, of course, want to do their best to assist persons with privacy related questions and requests. This does not indicate that WordPress.org is a GDPR covered website or owned by any entity which is subject to the GDPR.

So now we're at an impasse. I have no way of knowing if the anonymous tip-off I received was genuine and I can't prove if WordPress are concealing messages to me. I think it is fair to say that other people feel that WordPress.org doesn't really understand the GDPR - so we can add this example to the list.

To sum up:

• WordPress.org is personally owned by Matt Mullenweg
• The website processes millions of users' data, yet has no GDPR policy.
• Volunteers are apparently cosplaying as Data Protection Officers, without any real knowledge of how GDPR works.
• An official WordPress.org Slack is run by WordPress.org with Matt & others as admins.
• This Slack processes the data of over 50,000 users without any GDPR compliance.

In my opinion, this is no way to run a major piece of web infrastructure. The community deserves better.

My ideal job involves being employed by a millionaire tech-bro. Just before they get on stage, or moments before they file a lawsuit, or an instant before they publish their thought leadership - I will appear to them. I will be dressed in rags, body smeared with excrement, weeping sores blotching my face. I will sidle up to them, lean down, and whisper into their ear "Sic Transit Gloria Mundi!"

This used to be the way, of course. When a new Pope or Emperor was paraded through the streets, the people cheered and the acolytes coo'd. But someone would chant at them in Latin, "Thus passes all Earthly glory."

The sun sets on every empire. Each god-king was eventually proved to be mortal. The evil that men do lives after them and the good is oft interred within their bones. And so on. We know this. No one is perfect all the time. Every genius has a moment of idiocy.

For small projects, it makes sense to have only one gaffer. All the work passes through him. Too many cooks poison the well.

As projects get bigger, one person doesn't scale. It is functionally impossible to know everything, see everything, please everyone. Yet the sole arbiter remains. We (almost-jokingly) call this position BDFL. The Benevolent Dictator For Life.

But BDFL only works if the D is genuinely B. Otherwise the FL becomes FML.

It must be psychologically difficult being responsible for a mega-project. I certainly couldn't do it. If you're wasting time reading this blog post, you almost certainly couldn't do it. I like my friends to challenge my occasional missteps. I want people to be somewhat honest to my face. I can't imagine what it would do to my ego to receive endless praise. Of course I'd tune out the negative voices.

This isn't to excuse their excesses. Nor to fully demystify their demagoguery. I just want them to have good mental health so their public meltdowns don't reverberate through the æther, infecting us all with their psychic fallout.

*sigh* I'd rather not be blogging about blogging.