Open Letter to MAPS Canada, MAPS, and MAPS PBC on Data Privacy and Doxxing

We are writing in the interest of resolving an ongoing situation in which MAPS Canada Executive Director Scott Bernstein threatened to doxx a confidential Psymposia source who expressed concerns to Bernstein about MAPS Canada’s data breach/privacy issues. Bernstein subsequently published the source’s first name on Twitter and identified them as a Psymposia source on March 25, 2022. This is of direct relevance to MAPS and MAPS PBC because the anonymous source was also a MAPS clinical trial participant. It is unclear whether Bernstein knew about their participation in the clinical trial when he chose to publicly identify them as a Psymposia source. However, their participation in a MAPS clinical trial was on the public record.

In October of 2021, Psymposia reported on a MAPS Canada data breach, in which former Executive Director Mark Haden took the MAPS Canada email list to use in his new role at a for-profit corporation. This is illegal in Canada under the Canadian Anti-Spam Legislation and punishable with a fine of up to $1M for individuals and $10M for companies.

Following Psymposia’s reporting, we were made aware that MAPS Canada Executive Director Scott Bernstein threatened to doxx an anonymous source who provided Psymposia with information evidencing Bernstein’s downplaying of Haden’s privacy breach.

The source—who provided Psymposia with leaked emails between themselves and Bernstein—was concerned with the organization’s breaches of privacy for a number of reasons, including the fact that MAPS Canada was not taking the theft of personal information contained in the email list seriously. We were similarly concerned with the organization’s privacy breach. Given MAPS Canada’s proximity to both criminalized subcultures and clinical trial participants, we believed there was extra cause for concern about MAPS Canada’s digital privacy safeguards.

In a March 25, 2022 Twitter post, MAPS Canada Executive Director Scott Bernstein revealed the name of this source in a tweet stating, “Do doxxers ask the potential doxxee if they have any issues with releasing the information? In the end, [name redacted] didn’t want the info released and I didn’t release it. End of story.”

Bernstein’s characterization of his threat to doxx the source as an “ask” is demonstrably untrue. Bernstein emailed the source, stating, “I’m considering sharing the fact with the public that it was you who was the ‘third party’ and that you shared these personal emails with a reporter. Some important information that was missing from the story.” Bernstein did not elaborate as to why he felt the source’s identity was “important information,” nor did he explain why he characterized correspondence to and from his MAPS Canada email account as “personal emails.” The source responded that they found Bernstein’s “emails to be harassing and intimidating,” stating, “You do not have my permission to release my name or any other personal information about me to the public…. I’m alarmed that you think an additional privacy breach is an appropriate response to your organization’s recent data breach.”

Bernstein ultimately did release the source’s name without their permission. When asked to remove the tweet revealing this person’s name, Bernstein told Psymposia that “the alleged doxxee identified themselves in our public webinar.” As documented in screen recordings of the session, this is untrue. No commenter linked their identity to any of Psymposia’s reporting. Bernstein downplayed his action, claiming it was acceptable because he only released the source’s first name: “How does referencing a common first name doxx someone? Kindly write a story about this, this is great exposure and shows you assholes for who you really are.”

The source in question was a MAPS clinical trial participant. Our concerns about protecting our sources are relevant regardless of this fact. However, given this reality, we believe MAPS Canada, MAPS, and MAPS PBC have an additional responsibility to remedy the situation Bernstein has created. 

We have reached out to MAPS Canada’s board three times between November 2021 and March 2022, but have not received a response. We have requested Mr. Bernstein’s removal, as we believe this act of intimidation to be disqualifying from serving as an Executive Director working with vulnerable populations. Furthermore, Bernstein’s behavior is in direct conflict with MAPS Canada’s own “Respectful Communication Policy.” In the event MAPS Canada does not feel Bernstein’s behavior warrants his removal despite these lapses, we would like to know what reparative and preventative actions MAPS Canada plans to take to remedy this situation and prevent it from recurring. 

We believe that an organization responsible for private data, in such close proximity to criminalized subcultures, must take matters of privacy and security seriously. We await your response.

Psymposia