Ep. 244: “Inside Tracy Chou’s Block Party for Social Media”

“What the Hack?” is DeleteMe’s true cybercrime podcast hosted by Beau Friedlander

Beau: Al Gore never said he invented the internet, but not the internet you’re thinking about.

War Games Clip: You are really into computers, huh?

War Games Clip: Yeah…

War Games Clip: What are you doing?

War Games Clip: Dialing into the school’s computer.

Beau: War Games came out in 1983, the year TCP IP protocols were standardized. That’s why Lightman could hack into the school records and change his grade from an F to a C. The internet was pretty boring for the first 20 or 30 years. Then came social media.

The Social Network Trailer: People want to go on the internet and check out their friends, so why not build a website that offers that? Friends, pictures, profiles. I’m talking about taking the entire social experience of college and putting it online.

Beau: That’s from the trailer for The Social Network. I found it on YouTube, a social media platform. It’s been viewed more than 17 million times. If you scroll through the comments, you might find some new like-minded friends. That’s social media, and it made the internet sticky.

CBS Mornings: You may have heard there are multiple legal cases underway alleging social media platforms like Instagram, YouTube, TikTok, and Snap are designed to be addictive and can be harmful to minors.

Beau: But social media can also be really dangerous.

Tracy: Strava profiles are public by default. And so if I’m running from home, tracking my run, like when I leave and come back, I’m basically doxing myself. You can literally see where I live.

Beau: Turns out some people are watching very carefully. 

Tracy: He had flown to San Francisco and when I posted this, he then realized like he could show up where I was. Like, he wasn’t that far away. 

Beau: Today we’re talking to Tracy Chou, a prominent advocate for diversity data, an early employee at Facebook, Quora, and Pinterest, who was one of Time Magazine’s women of the year for building a tool to fight online abuse and harassment. I’m Beau Friedlander, and this is What the Hack, the podcast that asks, in a world where your data is everywhere, how do you stay safe online? Tracy Chou, champion of data diversity, mind behind the internet safety tool Block Party, welcome to What the Hack.

Tracy: Thank you. I’m excited to be here.

Beau: I’m super excited to have you here. Now, I’ll just say there’s a reason this conversation is happening right now that I think is going to be meaningful to a lot of people. But we’re gonna get to that at the end of this episode. First, I wanna know a little bit about you. Where are you right now?

Tracy: I am in San Francisco. I actually grew up in the Bay Area as well, so I’m like a very Bay area, Silicon Valley-native sort of person. Yeah.

Beau: So you went to school in the Bay Area. 

Tracy: Yes. The, you know, junior college down in Palo Alto.

Beau: Yeah, that’s, yeah. Okay. Go Trees. So you went to Stanford. I think you went there for undergraduate and graduate. Yep?

Tracy: That’s correct. Yes.

Beau: I only know that because we’re friends on LinkedIn and I’ll leave it at that. So you are Bay Area through and through, which means that startups in the tech sector are kind of just the air you breathe.

Tracy: That’s about right.

Beau: Have you been in tech your entire career?

Tracy: What’s sort of funny about this is when I started college, I did not think I wanted to do computer science or engineering per se, and I just kind of got sucked in. Partly ’cause I didn’t have a better plan and partly because my freshman year dorm mates were taking electrical engineering classes and my prime criteria for taking a class was having friends in the class. So I ended up taking electrical engineering classes with my dorm mates, which led me down the path towards computer science because I discovered that I hated electrical engineering, but computer science was close and I could kind of take advantage of what I’d been studying to do computer science. So I’ve now been in the tech industry for quite some time now, but it almost felt like it was against all of my instincts that I ended up here. I actually have a very core memory in my like, software developer existence from early on. When I interned at Facebook, back when it was still a startup, there were probably a hundred or so of us on the engineering team. And supporting a hundred million active users, like monthly active users. And I remember people commenting like, wow, like per engineer, we’re supporting a million people. And it’s just like the people in this building, like on this floor who are doing this, like we’re creating this product and supporting this many people connecting online and doing fun stuff. It was kind of mind-blowing to me that, you know, sitting at our computers just typing away in this like one room, the people like, I don’t know how many of us, like within these walls, we were responsible for making this thing exist that wouldn’t have existed otherwise.

Beau: I’m like whatever the opposite of numerate is. But you were responsible for like a million users. Is that right? 

Tracy: Well, it’s more like you divide it out, sort of like across all the… but yeah. Yeah.

Beau: Mind boggling.

Tracy: Yeah. But that still, like, you know, a hundred people in engineering at Facebook at the time that I was there, it was still quite large compared to the later experiences I had. So I worked at Quora and Pinterest quite early on those teams where I was a second engineer hired at Quora, the question/answer site. And then I joined Pinterest when it was about 10 people, like five of us on engineering. And those experiences even more so cemented for me this like, wow, we are making something exist that would not exist but for the efforts of the people in this room. Like, it’s kind of amazing that I’m sitting at my computer typing away and I’m creating something. And as some additional context, I’ll add that my mom is also a software engineer and she has a PhD in computer science.

Beau: Whoa. She was an engineer in the eighties.

Tracy: Yeah, that’s right.

Beau: That was really unusual back in the day.

Tracy: Yeah. I grew up hearing all of her stories of being a woman in engineering. In her class at National Taiwan University, there were eight women out of 200.

Beau: Okay. So 4%.

Tracy: Yep. Hey, you’re pretty numerate.

Beau: Yeah, I just realized that might be. Quora counts as social media?

Tracy: Yeah. We thought of ourselves in that category. Yeah. Like everybody has your own user account. You set your profile photo and like write stuff under your name and build your own credibility. Yeah. Another core memory I have from early in my software engineering days is sitting around a table with a few of my colleagues who are all male, talking about some, you know, product decisions we wanna make about how we’re building feed for Quora. And somebody turned to me and asked, “Tracy, what do women want?”

Beau: Oh goodness.

Tracy: I was maybe 22 years old at that time and thinking, I don’t feel equipped to answer on behalf of half, slightly more than half of the global population, but I guess I should try because I am the closest to being able to represent.

Beau: Such a bizarre point of view. What do women want? I don’t know. What do men want?

Tracy: Yeah.

Beau: Well, okay, so I don’t even feel the need to explain what’s wrong with the position that puts you in. Short version, a lot.

Tracy: Yeah. And it seems kind of obvious now to think about it, like the people who are building these products obviously are gonna influence what products are built and how they’re built. But it took that question to really make it sink in for me that all of us were encoding our biases and perspectives into what we were building. We were making the decisions of what would be in these platforms and how people would interact and what sorts of behaviors we would encourage and what guardrails we might put in for things going wrong. One of the things that was nice at Quora was I got to build the block button pretty early because somebody was harassing me and I was like, hey, guess what? I can make this stop by building the block functionality. And my teammates were like, sure, if you wanna build it, like go ahead and build it. So it felt very empowering to be able to step in there and say, I’m gonna make this happen. Like some safety and protections for myself. But I also think if I hadn’t been there on the receiving end of harassment from somebody on a platform that I was building, if I hadn’t been there, we wouldn’t have built a block button so early. I think this is true of many other platforms like-

Beau: Because a guy would’ve been like, bring it bro.

Tracy: Or he just wouldn’t have been targeted in the first place. 

Beau: So you built a block button. I have friends who probably wish they had a block button just walking down the street. I know I do.

Tracy: Yeah, yeah. It was actually really fun. As you know, one of my earliest projects when I worked at Quora, so I got to think about what are all the surface areas in which I want to be protected. I was like, ah, he shouldn’t be able to comment on my answers, shouldn’t be able to send me a message, shouldn’t be able to do anything on any of my content that would generate notifications. It’s actually a very fun exercise to think about, like, how am I gonna protect myself? And then I’m gonna make it happen.

Beau: Now, block buttons existed.

Tracy: Oh yeah. Yeah. I mean, the concept of blocking people existed. It was on other platforms.

Beau: That begs a question, you know, we want as much engagement as possible, but we need to define possible because some types of engagement are upsetting or harmful. They negatively impact quality of life, like productivity, a sense of wellbeing, all that. Where do we draw the line on what is acceptable behavior or what is okay online?

Tracy: First I would say just to talk about what engagement looks like from the perspective of engineers and product people building these platforms is it’s often just a bunch of numbers and not qualitative. So we were looking at things like how many clicks are happening, how many comments are happening, how many friends, follows are created. So there’s not a very good sense of the quality of these interactions and engagement at the surface level, and like the KPIs, the key performance indicators that companies are trying to drive up, they’re often not looking at these things. And in the short term, engagement may be higher, even if the nature of the engagement is not good, like it’s harassment, or, you know, fighting back and forth or whatever it is. It might generate a lot of activity that to somebody who’s not looking at the quality of it may think, oh, this is good. Like, there’s more stuff happening. But to your point, not all of this engagement is good. And maybe over time it’s actually bad because, for example, if you’re getting a lot of harassment, so maybe it looks like a lot of engagement from the platform level of like, oh, you’re getting tons of replies to all of your posts. Like maybe that seems like a good thing. But if it’s actually all abuse and harassment being directed your way, at some point you may just step aside and not wanna deal with it anymore. And that was an experience that I had particularly on Twitter where I was very active doing sort of like advocacy, activism work. I got a lot of sort of unpleasant things sent my way, whether through mentions or DMs, and sometimes it would spill over to other platforms. So I very personally experienced not all engagement is good engagement. And it ranged from more like garden variety sexism and racism and sort of like childish insults, to pretty sustained, targeted, coordinated attacks. It feels pretty bad. So I went through a period of grappling with all these like very negative emotions for myself and like, trying to understand the emotional impact it was having on me. It felt, I mean, it feels terrible to have people yelling negative things at you all day long. And I also had people who would tell me like, maybe you should just not be online anymore. Like, why don’t you just delete your account? Like that would solve the problem. Which offended me because it felt very unfair that I should not be able to participate online in spaces that can be very useful and interesting, and positive in my life because there’s like a few assholes out here who are harassing me. It felt analogous to telling somebody who’s getting street harassment, like, maybe you could just stay home all day long and never go out anymore. 

Beau: Or never go out in public. 

Tracy: Right? Like, it just, it felt like the complete wrong response. And I’d also dealt with like the more severe stalking questions of like people from the internet who would say they were gonna come find me; unclear if they were truly going to or not. But then I also did deal with some cases where people showed up, flew around the world and showed up where I was.

Beau: So Tracy, what was making these, I assume dudes, so angry? What was the work you were doing that was triggering? Triggering. I love that. I love that the trolls were triggered. It’s so funny. But- so, what was going on? What were you doing?

Tracy: So I was speaking about issues of diversity and inclusion in tech. To that point we were discussing earlier of how we should have more representative populations involved in building technology, because it would be better. I wrote a post that ended up going viral about the hypocrisy of the tech industry not having any data on diversity. So as a very data-driven industry, we measure everything. We A/B-test everything. Anything we roll out, we have to understand what the success metrics, are we hitting those. We try to learn from the data. But with regards to diversity, there was no data. Up until 2013, I wrote this blog post, wasn’t necessarily expecting anything to come of it, but after I put this out there, I think it hit a nerve. And a lot of people were like, yeah, you’re right. Like, why is there no data on diversity and what our demographics look like? If we think we want to improve this, why aren’t we measuring the baseline and then setting targets against it? So I became an accidental activist around this topic and my side hustle, I guess you would say, alongside being an engineer at these various tech companies was then talking about diversity in tech. So I built more of a platform on this topic, trying to get more of this like message out there that we should be building more inclusive workplaces, trying to build more pathways for different populations to enter the tech industry. And then it would benefit all of us, the people who are in the industry, and also everybody that we hope to serve with technology.

Beau: Just this week, 404 Media released video interviews of testimony given by the DOGE bros who were charged with taking away funding for DEI. I dunno if you saw them or not, but their responses were absurd.

CLIP – DOGE deposition: How do you interpret DEI?

CLIP – DOGE staffer: There was… the EO explicitly laid out the details. I don’t remember it off the top of my head.

CLIP – DOGE deposition: It’s okay. I’m asking for your understanding of it.

CLIP – DOGE staffer: Yeah. My understanding was exactly what was written in the EO.

CLIP – DOGE deposition: Okay, so can you-

CLIP – DOGE staffer: I don’t remember what was in the EO.

CLIP – DOGE deposition: So right now, do you have an understanding of what DEI is?

CLIP – DOGE staffer: Yeah.

CLIP – DOGE deposition: Okay. So what’s your understanding as you sit here today in this deposition?

CLIP – DOGE staffer: Well, it, it was exactly what was written in the EO.

Beau: Did you get a lot of hostility from tech bros? I mean, was that a thing?

Tracy: Yeah, so my DEI activism, although I’d say at that time it was not even called DEI yet, but my activism came from personal experience.

Beau: Okay.

Tracy: I didn’t realize that I was treated differently for being a woman. At first, maybe I was just sort of not very self-aware or not aware of my surroundings. 

Beau: Or focused on your work.

Tracy: Yeah, it took me a while to realize that the feelings of not belonging, feeling that I couldn’t hack it in the tech industry, might have more to do with the social factors than my own abilities. I realized I actually do like coding quite a bit and software engineering, and I’m pretty good at it, I think. So these feelings that I might not be able to make it in the industry did not have to do with my ability to do the job. It had to do with the social environment I was in, constantly being cut down or told that I didn’t understand what was going on, being dismissed, cut out of a-

Beau: Like the technical side of things, 

Tracy: Yes. Yes. Yeah.

Beau: And was it accurate?

Tracy: No, there are cases where I would identify a bug that was actually quite severe and try to tell people like, hey, we need to fix this bug. It’s corrupting memory. And people would at first say like, it’s not possible that there was that bug. ‘Cause that’s a bad bug. Like, if that actually existed, we’d have a lot of problems. And then a little bit later, somebody, a man looking at it and being like, oh, actually there is a bug here. And then people being like, wow, this is a very severe problem. Like, we must address it. I was like, yes, that’s what I was trying to tell you, but like, none of you would listen. And then the response being like, well, who’s gonna fix this bug? Like, who’s gonna… I was like, well, I mean, I volunteered to fix it since I was the one who had found it in the first place, like I know exactly what the condition is that would trigger it. I know how to fix it. And then the response would be like, well, are you sure you know how to do it? We need to make sure we get lots of other reviewers to confirm that you’ve done the right thing. Like, we’re not sure that you know how to fix this. I was like, look, I found it in the first place. I know exactly what to do. Sure, you can check my work. It’s gonna be correct. And like you probably should generally check people’s work. But it feels like it’s, you know, disproportionately focused on me as a woman that you don’t think I’m gonna do a good job. So very, very common stories. I’m not saying this is unique to me, and in fact, like, it’s a very common experience for women and minorities in the workplace. So that sort of frustration was sort of pervasive in my every day. I remember at some point thinking, I probably spend at least 30% of my brain power per day frustrated about being a woman and how I’m treated differently, and I still do a pretty good job with the remaining 70% to do all the technical tasks I’m supposed to do. But can you imagine if I could spend a hundred percent of my energy just kicking ass on the technical side instead of having to waste all this time worrying about the sexism or the racism that’s going on?

Beau: As a person who is, you know, conversant with math, I guess you figured out that you needed to do something about it. Now the response was Fast and Furious online. People did not like what you had to say about your experience.

Tracy: Yeah.

Beau: Did you put it as, this is my experience and this has to change, or…

Tracy: Yeah. There’s a whole bunch I put out. There’s some of it, it was like, here’s my personal experience. I do speak for a general class of people who feel this way. I’m not gonna say that everybody’s had the same experience as me, but there are many others who also have felt dismissed or condescended to or feel like they don’t have the same opportunities. But if we really wanna build for everybody, we need much better inclusion and representation in the teams that are building. It can’t be perfect, but we can do a lot better than having a hundred percent white male teams.

Beau: So you were being harassed, but you were also being stalked by somebody and that happened because you were advocating for diversity online, because of your opinion, because of what you had said online? What happened?

Tracy: It’s a little unclear to me what’s going through the minds of these people who form these sometimes parasocial attachments or sometimes like very antagonistic. It’s sort of, it’s an attachment, but in this weird way. Like they’re very angry about what you’re saying, but then also like want to make a connection with you. It runs the gamut. What was happening for me was just having additional exposure online, like having a little bit more of a platform meant that there were more people on the internet who were seeing me and seeing my profile and for whatever reason, whatever weird thing was happening in their brain, it caused them to want to do things to me. So I can’t characterize all of the stalking and the harassment in the same way.

Beau: Mm-hmm.

Tracy: But a common theme I’ve heard from friends who are quite online, other folks who are quite online is like at any threshold of fame, like more people get exposed to who you are, the higher the chances of somebody being a little crazy and who knows, like, why they do what they wanna do. But the more you’re out there, the more likely that one of these weirdos ends up being obsessed with you and wants to do something to you. But the threshold for women is much lower for men, where they end up having to deal with these problems. So a man who has a million followers is almost certainly dealing with some of these weirdos as well. But a woman with only a thousand followers might be dealing with similar.

Beau: You’re not just anybody, you’re somebody that’s visible. You were a Time woman of the year. There was only 12 of them. And you have over a hundred thousand followers on X. And to a subset of society, you are somebody who is intolerably visible because we live in a society that doesn’t tolerate certain kinds of success. Talk about that and how it played a role in what happened.

Tracy: There are people who are mad that I’m a good software engineer and I’m a woman. I think I triggered a lot of insecurities for people. And even if they can’t identify in themselves that that’s what’s upsetting them, I’ve seen that, phenomena enough times. I’m pretty sure that’s what’s happening. And the lashing out happens in different ways. Sometimes it’s very direct and other times it’s in these weird undercutting ways or sending harassment, or all the weird things that you’ve seen online I’ve experienced probably-.

Beau: So you’ve been stalked physically, like somebody has gone online to see where you live and figured that out and, and bothered you?

Tracy: Yes. I think I still came at being online with this naivete of, it’s all, this is all good stuff.

Beau: It’s all good.

Tracy: Like I don’t mind being like… who’s gonna do anything to me? And it felt rewarding to build a following, to put stuff out there and have people react to it. So I had not thought too hard about my physical safety because I didn’t think that there were threats. And, you know, I had dealt with some of these weirdos messaging me saying that they were gonna show up where I was. I figured like, this is not real. People can say whatever they want. And there were a couple of cases that probably were just like harmless people making threats online. So I ignored those as well until I realized actually that like one of these people was actually stalking me and showed up multiple times where I was in person.

Beau: Did you know?

Tracy: I didn’t realize at the time. And then I saw later, like he was posting photos from exactly where I was at the times that I was there. Yeah, that freaked me out. I realized like, oh, I need to actually be a lot more locked down than I am and think a lot harder about all of my OPSEC. So…

Beau: Okay. OPSEC, operational security.

Tracy: So then I had to think through, okay, what are all the things I need to lock down? Like, where is my information out there? My addresses, fortunately, ’cause I’ve moved a lot, were like less of a problem. I mean, you could probably still find out my address online, but because I had moved a lot there, a lot of like old addresses, so I was like, okay, at least I have like a little bit of deflection.

Beau: It would be a lot of work, yeah.

Tracy: But other things I would share. I was like, I think one time when my stalker showed up where I was, was because I had posted a photo from a museum that I was at basically in real time. And then he showed up there.

Beau: At the same time.

Tracy: Yeah, he showed up like, maybe like half an hour later. I was like, well that was dumb of me. I mean, I didn’t realize that that was a threat. He lived in a different country, but I guess he had flown to San Francisco and when I posted this, he then realized like he could show up where I was. Like, he wasn’t that far away. So I realized like, okay, this now very common advice to hear, common wisdom like, don’t post photos in real time, like wait until after you’ve left to post a photo. It’s like, okay, yes, I need to do that now. But also just thinking through other attack vectors like, didn’t want to share publicly who my close friends and family are, because if I’m linked to people who maybe share a lot online, then I can be exposed through them as well. So it’s not that I don’t like my friends and family and like don’t want to share them publicly, but I just for like safety reasons don’t want to have those relationships be very public. So it compromises my security and also their security potentially. I like to use Strava to track my runs outside. Somebody followed me once and then I realized like, Strava profiles are public by default. And so if I’m running from home, tracking my run, like when I leave and come back, I’m basically doxing myself. You can literally see where I live and you see my routines, and almost in real time you can know where I’m running, which is really, really dumb. So locking that down was important. So I had to go through, just think about all the places where my data might be out there. On the data broker side, obviously those folks are buying and selling that data. But then also like on all my own social media and like the accounts that I’m using, even things like reviews I’ve written, whether it’s like Google Reviews or Yelp.

Beau: Strava’s a great example, and you said it exactly right. You basically doxxed yourself, but social media, what you described was a systematic doxxing of self.

NYT – Strava Clip: By design, these secretive locations are supposed to be difficult to spot. But a heat map posted online by Strava, a company that tracks people’s exercise route, has inadvertently put these places on public display for all the world to see.

Tracy: Yeah, a lot of us got online early enough when there weren’t so many of these concerns back then and were just encouraged to share by the platforms and it felt good. Then it didn’t seem like there were downsides to being more open and connected, like add all these people to be your friends on Facebook, post photos from where you’re going, the parks you go to, the coffee shops you go to, like just share broadly, build a following. Lots of connections. Like, we didn’t really think about the potential dangers and now a lot of us have these extensive digital footprints that bad actors are getting very good at using against us. So I’ve dealt with some threats that are more unique to what my situation is, but now a lot of fraudsters will pull the information up and not necessarily because they’re trying to target you in particular, but just targeting a lot of people to try to scam you of your money, defraud you of your money. With the information that we put out there on social, it’s not too hard to figure out often like who’s close to you. There’s enough of our likenesses out there like image and video that it’s not so hard to create deepfake attacks like the voice-cloning scams or somebody calls you, sounds like somebody that’s very close to you and they’re in distress and they need your help urgently. Like when you hear those sorts of situations and it really sounds like them because these voice clones are really effective now. Then you fall for it. And so it’s not just people who are highly visible who are dealing with this. I think it’s increasingly all of us as scammers and fraudsters are getting more sophisticated. AI technology is making it easier and easier to personalize attacks with information that you may have put online.

Beau: I mean, this is a dopamine El Dorado, but a goldmine for data too. And one that puts us all at risk. So I posted this stuff back in 2008, whatever it was, it doesn’t matter. I didn’t look at the privacy policy and I didn’t really think about how it would impact me. Simple fact: if something is free, you’re the product. With social media that means data that can be used to sell you stuff, make you more findable, make it easier for a threat actor to target you. I used to answer the phone a- true story- and not say yes or hello because I was afraid that someone was gonna get my voice print and use it against me. And I make a podcast so you can kind of judge my intelligence based on that. But anyway, this is a data “own goal,” like footy style. We filled the swamp that the tech bros built, made possible by making what we shared permanent, packageable, and profitable. So you built something to remedy the situation. Which is super cool ’cause it takes 20 minutes at least per platform to go through the privacy settings and location sharing and everything else to create a situation where it’s not that easy to get hacked or targeted, whatever. And when I say 20 minutes, multiply that by quite a bit because policies change all the time. And with that, your exposure every single time.

Tracy: I would say 20 minutes is a very severe underestimate, like having now-

Beau: For me, for a real… I mean, I know all the… and every week I do an advice piece at the end of this show, so I know where all the stuff is because for a living I keep things private. So, but like for a normal human being to do it, forget it. I don’t think they’re gonna get it right. Unless it’s like kind of what you do, you’re not gonna get it right. So you created Block Party. What is it?

Tracy: Block Party was my attempt to make amends for having helped build some of these platforms. So I started Block Party with the mission of making the internet safe again and making it so that people can be online and partake in all the goodness of being online. So still seeing the optimistic view of what platforms can be used for, like democratization of information, of access, connection. There are a lot of really good things that can come with being online, but making it so that all the good doesn’t come with a bunch of bad

Beau: The bad being stalking and doxxing, and…

Tracy: And harassment and loss of your data, loss of control of like who you are online.

Beau: Account takeover, even.

Tracy: Yes, absolutely. And it was a way for me to exert agency as well in the situation. One of the pieces of advice I got when I was dealing with the worst of the stalking, when I had to go actually seek out some guidance from private security firms to figure out what I should do, was the worst thing that can happen for people who are the subjects of online harassment or abuse is a feeling of helplessness where you feel like you can’t do anything. Somebody has just turned their attention to you and now you are kind of screwed. And that mindset is potentially the worst thing because you just then kind of like sink into this morass of bad feeling and feel like you can’t do anything. But you can actually exert agency. You can think about what are the potential attack vectors, what are the potential compromise vectors, and you can go systematically go through and try to reduce your risk in all these ways.

Beau: You can’t though if you don’t know what those are. So that’s kind of where you come in.

Tracy: Yes, yes. I mean, if you’re very dedicated, you could go to all that effort to learn all these things. I took this advice of you have agency, you can exert agency to an extreme. And so instead of just securing my own accounts and locking things down for myself, I decided I want to build solutions to help everybody do this, people who don’t necessarily want to wade through all of these settings themselves and wade through all of the harassment and terrible things themselves. Coming from a background of engineering and having worked on platforms, I knew that it was possible to do much better, but potentially the incentives were not there for the platform companies to build these better tools for you. So I decided to go out and build these tools myself, and hopefully help not just myself, but many other people who might be dealing with the ills of being online.

Beau: If you have a phone or a computer, you’ve gotten a patch: a security update you need to keep your device safe. Everybody knows that patch. The reason those exist is because the internet, and everything that connects to it was built without privacy or security by design. Memory errors, zero-day vulnerabilities, bad stuff that happens putting profits in front of peoples’ safety. All kinds of things. This is why people like Tracy need to exist. If you’re not sure what we’re talking about, Tracy is the patch. She looked at the privacy-by-design flaw — and it is by design that things aren’t private — and said, I’m going to reverse-engineer this. Build a bolt-on fix. Just like a patch, but for humans. And what gets me is you created something that can go in and just say, Strava, don’t share that with people who don’t know me. And Google, we can share this for work but not that. Is that right?​​​​​​​​​​​​​​​​

Tracy: That’s right. That’s right.

Beau: Very cool. 

Tracy: Yeah, the platform companies all want you to share as much as possible because it’s more interesting when you go onto a platform and see lots of data there. I find it a little ridiculous that Venmo has a public feed of transactions, but it is kind of interesting when you go into Venmo and you see like, oh, my ex is going on sushi dates with a new person. So it’s interesting though, like when you log into Venmo, it’s more interesting than logging into, I don’t know, your Chase account. There’s no interesting social feed. So I could see why the companies have an incentive to build things to be public by default and encourage you to overshare.

Beau: Sure.

Tracy: But it’s not good for you as an individual to have all the information out there.

Beau: So now you built, you literally built… Now for folks listening, is it an app they can download? Is it an extension that goes on Chrome? What is it? Who can have it and how do they use it?

Tracy: Block Party is a browser extension that you can install to your Chrome, Firefox, Edge, et cetera. So it sits on top of your browser and it runs similarly to a virus scanner where you press a button to have it go scan. It will check your social account. So it will check all these ones that we’ve been talking about, Venmo, Strava, like Facebook, Instagram, LinkedIn, Twitter, also things that you wouldn’t necessarily consider social media, but there’s a lot of your personal data linked to them, like Google and YouTube. It’ll go through and scan-

Beau: So that like your image that you have is your Google account pops up where Apple does the same?

Tracy: Yeah. So it will scan all those things and flag potential risks to you that you may want to fix. So Google is an interesting one where most people don’t think of that as social media, but you have probably a profile photo associated with it. By default, that photo is public. So if somebody is trying to guess what your email account is and they type in your email account into like the Gmail auto-complete, if they’ve guessed correctly, it’ll bring up your profile photo. So somebody who’s just trying to-

Beau: That’s nasty. Really? That’s why my picture is of a red African daisy. It’s a Gerber daisy.

Tracy: So yeah, that’s great security. Good job. 

Beau: Now, you know. 

Tracy: But that sort of thing, we will flag that for you and say like, Hey, maybe you wanna make this not public. There’s a potential risk factor here. If you accept the recommendations, click a button, Block Party will go and fix all of those for you. If you want to go read through all of the changes in much more detail, you’re also welcome to do that. One thing that is more nuanced about what we’re building with Block Party is that the way we exist on social media with these different accounts, it is gonna be different for each person. On some platforms, maybe you wanna build a bigger following. Like maybe there is a platform for you, which is like the one where you’re building an audience. Maybe that’s Twitter for you, or maybe that’s LinkedIn. You wanna be more public, and maybe there’s another account where that’s where friends and family only it needs to be really locked down. Or you have different trade-offs you might wanna make. So there may be cases where you wanna go through and look at what these trade-offs are. But what Block Party does is suggest much better defaults across the board. And you can always still go and fix them. But the defaults that Block Party is giving you, and there’s like one-click fix, are much better than you get when you sign up for the platforms.

Beau: When I first heard of Block Party, I thought it was like another social media company trying to get me to be friendly with my neighbors, which I’m fine. I live in the woods. Anyway, then I learned what it actually was and I thought, oh my God, that’s genius because threat actors are really serious and they live off the insecurities built into social media. A hundred percent. They’ll create a deep fake, Hey, it’s me, I’m, I’m stuck in wherever. Danbury. I need money. And it sounds just like me. And because you know who to send it to, who knows me too, it might work.

Tracy: Yeah. 

Beau: What’s the response been to Block Party?

Tracy: Yeah. With enterprise customers that we’re talking to, increasingly there’s the realization that the security perimeter, it has to involve the people. It’s no longer sufficient to just lock down your computers and your devices and the network on the technical side.

Beau: You’re kidding.

Tracy: Yep. It turns out the people are the big compromise vector.

Beau: Humans? Fallible? Crazy.

Tracy: I know. Maybe when we’re all replaced with AI agents will be better, or actually not, they’re even worse for security, but-

Beau: I was gonna say, you can just make them hallucinate and be like, sure, come on in. Whatever.

Tracy: Yeah. But there’s increasing the realization that humans need to be protected as well. And this is a very important tool to help secure the humans who also like sit, as like one person, both professional and personal. So they have these accounts that represent their personal lives, but they’re using them in professional capacities, especially LinkedIn, Twitter for some folks, and some other platforms too, like where you are blending your professional brand with your personal identity, and there’s this very porous boundary between you as an individual and you as an employee who might get compromised and targeted. So the response on the security side is like, oh yes, like, this is very important. This used to be something that was difficult to try to guard against because it is quite awkward if you’re a security person to go to an employee at the company and say like, okay, let’s pull up all your personal social media so we can lock it down. That feels just a little awkward.

Beau: It feels like it might even be constitutionally problematic.

Tracy: Yes. But in this case where it can be a tool that runs and people can opt in… it’s like, oh, I’m just locking things down. It’s not somebody on IT or security who’s sitting with a human to look at all their personal accounts and lock things down. It feels much better. It’s also just much more effective. A number of the folks that we have sold our product to would previously be running workshops manually to get people into a room and say like, okay, we’re blocking three hours to go clean up your account so you don’t get attacked. And it becomes a problem for not just you, but like the company as well. So to be able to have a tool that automates all this stuff is pretty great. Saves everybody a lot of time and makes things a lot more effective.

Beau: So, true or false. Like a lot of scammers, threat actors, they’re going in through social media and going, I see who Tracy’s, maybe not mom is or friend or whatever. They went out for drinks. I know who that is and I have her voice print. You’re toast?

Tracy: Yeah, we actually have an example that hit pretty close to home with an intern who was with Block Party last summer, proudly posted on LinkedIn in her first couple of days that she was working at Block Party and got targeted with a scam. Somebody pretending to be me that texted her.

Beau: Whoa. 

Tracy: Messaging her to buy a bunch of gift cards, and then referencing people on the team and she fell for it. She thought it was me, telling her to go buy gift cards. When it all came out, she was like, I thought it was you because you were mentioning all these people. Like it seemed like they knew everybody. It just seemed like it was you. I was like, well, yes. So you remember how you posted on LinkedIn that you were joining Block Party and you’ve connected with everybody? It’s pretty easy to figure out who all your connections are, who’s on the team. Like all that information came literally from things that you had done very publicly. It was a good thing to-

Beau: LinkedIn, even just LinkedIn even allows you to see who someone’s connections are, like who you have in common. It’s bonkers.

Tracy: Yeah. Yeah. It’s by default very public. It’s very easy to see people’s connections if they have not gone to special effort to lock them down. And like, that gets used in these phishing attacks because messages from scammers seem very realistic when they cite real details of people that you work with, and they get all the context right because all that context is out there for them to scrape and use against you.

Beau: Context is everything and it always has been. Long before tech took over, it used to be an asset. Not anymore. It’s liability. So is Block Party a form of advocacy?

Tracy: It is. It is showing the world that we can have agency, we can have better. It doesn’t have to be that hard, and we can make things better for ourselves and we can have more choice about being online. We can get good things without the bad. We don’t have to just be victims of what greater powers have decided we should experience, and we can choose this experience that we have. Before I built Block Party, there were folks like, it’s just really hard to solve these problems. Like, we can’t keep people safe online. Like, it’s a hard problem. Like, they’re there. Like, you’re so cute. You think that it’s so easy to solve these problems, but it’s not. It’s just beyond what is possible. And then I built Block Party and people were like, wait, that’s actually not that hard to make things better. What do you know? So I think it’s advocacy in that way of showing what is possible when you care and put your energies towards doing better.

Beau: Tracy Chou, thank you so much for joining What the Hack today. It was a pleasure to talk to you.

Tracy: Thank you for letting me share some of my stories.

Beau: Okay, so here’s the part that we didn’t say in the beginning. Tracy Chou just joined DeleteMe in a way, and Block Party and DeleteMe are now working together. DeleteMe acquired Block Party. 

Tracy: I am terribly excited that DeleteMe has acquired Block Party because it means that we will be able to protect that many more people at so much more scale, and it’s really accelerating our mission to help keep people safe online. DeleteMe has been a big brand in the space. All of the customers that we talked to are DeleteMe customers, yeah, it’s pretty amazing. When we talk to these folks, they’re like, oh yeah, we roll out DeleteMe and Block Party together because you are different aspects of the same thing for removing your data online. Very complementary. This is great, that, you know, we can protect people in these different aspects of getting their data off data brokers and also off social media. So it’s such a natural fit.

Beau: I am honestly so stoked to have gotten to know you a little bit, Tracy. ‘Cause you know, everyone at DeleteMe is not gonna get that opportunity, as much as I… there’s 500 of us. Come on. But I really just, so I’m so glad to hear that you’re a part that we’re actually joining in, arms and going after, you know, the things that can be gotten.

Tracy: Go team. 

Beau: Alright, now it’s time for the Tinfoil Swan, our paranoid takeaway to keep you safe on and offline. This week, it’s really simple. You need to go and check your privacy settings on social media. If you already are a customer of DeleteMe, then it’s gonna become a lot easier for you real soon. But if you’re not, and most of us have a lot of accounts, right? I have at least four. I have four. And by the way, I’m not active on all of them. That doesn’t mean I’m not exposed. So go through all of them and check your privacy policy, your settings, not policy. See how and what you’re sharing. And if you’re not comfortable with what you’re sharing, shut it down. That’s it. I’m not gonna walk you through every one. You can do this. Make sure your privacy settings are not sharing stuff like where you are, who you’re with, and all the rest, and who you know. Be safe out there. See you next week. This episode of What the Hack is produced by me and Andrew Steven, who also did the editing. What the Hack is a production of DleteMe which was picked by the New York Times’ Wirecutter as the #1 personal information removal service. You should be using it already. If you’re not and you want to, well, you can. Here’s what to do. Go to joindeleteme.com/wth. That’s joindeleteme.com/wth and get 20% off. I kid you not, 20%. 20% off. That’s joindeleteme.com/wth. Now, stay safe out there. See you around.

Learn More:

• See where your data is exposed with our free scan.
• Learn more about data brokers and how they misuse your data.
• Read about Block Party and DeleteMe.