
When ‘he’ll be kept on payroll, somewhere’ is where you are - Tomte
https://medium.com/@hdevalence/when-hell-kept-on-payroll-somewhere-is-where-you-are-f419d3022d0#.3lr09533w
======
skystrife
If this had occurred in the US (and the mentioned confidential conversation
did in fact allege sexual misconduct), DJB would be in trouble:

> Within the University of Illinois System, ALL employees, unless specifically
> exempted, are “Responsible Employees” with the responsibility and authority
> to report sexual misconduct to their university's Title IX Coordinator. The
> only employees who are exempt from this reporting requirement are
> professional or pastoral counselors who provide work-related mental-health
> counseling, campus advocates who provide confidential victim assistance, and
> employees who are otherwise prohibited by law from disclosing information
> received in the course of providing professional care and treatment. Student
> and graduate employees are handled differently at each university. Please
> reference the Responsible Employee Resource Page under the "Portfolio" and
> Resources tabs. Please remember that all references to Responsible Employees
> are references to YOU and apply to you in your capacity as a university
> employee.

To me, this would mean that he is a mandatory reporter, and I am unaware of
any scenario where you are freed from that obligation because it was a
"confidential conversation".

The weird part comes in when you realize that (a) this is happening outside of
the US, but (b) DJB likely has NSF grants, which require adherence to Title IX
(this is what the author is referring to when he brings up Title IX training).
But how does one enforce Title IX outside of the country in which it was
passed?

~~~
belorn
While it's different in each country, I know that teachers and counselors can
be required by law to personally report such crimes to the police. If I
remember right, this is true for Sweden, which would in this case result in a
police report and then no further actions or communications from the
university (in order to allow the police to do a proper investigation without
interference). If it is a student that is accused, then the university might
not even be allowed to suspend the student, though the police can of course
put the accused in holding if the police suspect a continuation of crimes or
interference of the investigation.

Compared to the US system, I actually prefer this way since it puts the whole
process into its proper place as soon as possible, and puts a form of
common-sense approach when a university employee hears or witnesses a crime.

~~~
M_Grey
There's also a reasonable Tarasoff case here, given Jacob's extensive and
ongoing history.

~~~
belorn
I know that education institutes in Sweden sometimes move students if they
consider that the person is continuing to disrupt the education, though as
with all of this, there needs to be documentation that they tried multiple
methods to correct the situation and still failed. Moving students is seen as
a last-attempt.

In the case of Jacob, we don't see any of those actions. No police report or
investigation. No claim that he is continuing acting disruptive to the
university, nor that they have tried and failed to correct that behavior.
Basically no events or documented actions of Jacob after the point he left the
Tor Project.

------
syswsi
Is this a common thing in the infosec industry? Personally I have known two
people who were sexually harassed who work in security. I've also hung out
with some and they do seem to have an unrealistic view on the opposite sex.

Some examples I've found of documented cases:
[https://motherboard.vice.com/en_us/article/female-hackers-still-face-harassment-at-conferences](https://motherboard.vice.com/en_us/article/female-hackers-still-face-harassment-at-conferences)
[https://www.the-parallax.com/2015/10/26/how-myth-of-meritocracy-stymies-women-in-infosec/](https://www.the-parallax.com/2015/10/26/how-myth-of-meritocracy-stymies-women-in-infosec/)

~~~
sulam
Crypto absolutely attracts a strange group of people as compared to other
disciplines. That includes some people who are very liberal in their
definition of consent, almost by definition, which in turn can affect other
areas of their life.

[Note: I am not making excuses for their behavior, although I'd hope that
would not need saying.]

~~~
tptacek
Are you an academic cryptographer? I'm not, but I'm a practicing crypto
engineer, and I go to the occasional conference and workshop. What I've
noticed is that crypto is far better about stuff like this than CS and
certainly than infosec; I think it's a consequence of crypto being as much a
part of mathematics as about computer science.

------
pfarnsworth
Wow this blog post makes djb sound like such a scumbag. The idea that he would
ask people to consider the allegations "false" is absurd (there's a difference
between presuming innocence vs presuming the allegations are false).

I would love to hear his side of the story.

~~~
brl
> I would love to hear his side of the story.

Some of his side of the story has been told in the leaked emails:

[https://www.hdevalence.ca/etc/34de2f3c2a48f7da/EmAiLs.txt](https://www.hdevalence.ca/etc/34de2f3c2a48f7da/EmAiLs.txt)

~~~
hawkice
tl;dr DJB was approached with a complaint, and thought it was a situation
where he would give advice and his counterparty expected he would maintain his
confidence. After he heard about the frustration the complainant was
experiencing, asked the person to file a formal complaint, or at least send a
self-contained email (explicitly acknowledged as not confidential) that he
could use to move forward, in order to not break that confidence.

Seems that's where things broke down. There's another complaint related to
Tanja that seems separate (he says that she urged him to not file a complaint
immediately), but that's orthogonal to DJB's side of this, I think.

EDIT: It seems, from context, that the complainant wanted the confidence
revoked, and everything put on the record (not unreasonable). But DJB doesn't
_keep_ records of confidential things -- hence his insistence that they start
from the beginning.

EDIT2: I'm trying to summarize "What is DJB's side of this (as communicated in
the linked emails)?" not the whole scenario. I don't know anything about this
situation directly.

~~~
viraptor
> But DJB doesn't _keep_ records of confidential things -- hence his
> insistence that they start from the beginning.

I call BS on this, if we're talking about adults at university positions. The
reasonable response in that case is: "I do not have any archives. Please
resend everything you've got.", not starting from the beginning without
communicating that fact clearly. If someone fails to act properly in that
position, they shouldn't be overseeing other people.

He should not stop because of a technicality on his side in that situation.

(Edit: reasonable response == absolute minimum here, he could do much more)

~~~
sulam
You're talking about a crypto researcher here. Their behavior absolutely does
include a much higher level of awareness around the handling of confidential
information. He may well have a policy that all confidential communication is
treated separately, including being automatically wiped after some period of
time. This would need to be standard for his work as it relates to
investigating 0day and other vulnerabilities that must be confidentially
disclosed to third parties.

This does not make him a nice guy, and he would likely have been in violation
of Title IX, which means any US govt funding for his lab is potentially at
risk as a result of this case.

~~~
viraptor
I don't care who he is, or what his daily email routine is. It doesn't matter.
At any level, if someone you're superior to in your organisation comes to you
and reports abuse from another person in the org, you either follow up
immediately, or you shouldn't be superior to them. Any kind of follow up
should produce a report of that. If the person talking to you doesn't want you to
report it further, then it's your business to have a record of that and never
lose it. I know it from normal decency and numerous company trainings and I've
never even been a manager.

His research topic, or even whether the report is true don't matter. It's in
his interest to follow up on his own and keep records. If not because it's
right, at least to protect the university and himself from what's happening
right now.

~~~
sulam
Sometimes your best protection is a policy that all electronic communications
are automatically deleted after a retention period. Many companies have such
policies, and they have them on advice of their legal counsel, specifically to
avoid discovery issues in the event of a suit. You can argue this doesn't
apply here from a moral perspective and I would agree with you, but IT and
legal policies often do not follow an ethical code.

Crypto research exacerbates this because the likelihood of such suits is
higher than with other kinds of research, sometimes rising to the level of
nation states getting grumpy at you with all that could entail. Finally, while
I can't make any excuse for the behavior, he would be far from the first
graduate advisor to have less than stellar management training or skills.

------
lkrubner
I've also run into exactly this tactic:

"When I informed the project reviewer and the other fellows that, in fact, I
had resigned due to sexual harassment, Dan sent a response which opened with a
long, irrelevant, and inaccurate story about how my work was low-quality, my
research contribution was minor, etc. "

Myself and a business partner had a web startup that we ran from 2002 to 2008.
I was the CTO, he was the CEO -- at first the titles didn't mean anything
because the whole company was just the two of us. Later we had some money and
we hired some people. He was nominally in charge of sales and raising funds
from investors, but as the years went by, he struggled with the stress. He
started smoking way too much marijuana. I eventually lost all faith that I
could build anything with him. For years he had tried to win me over with
excessive praise (especially when we had no money) but when I told him I was
leaving, suddenly he complained that my work had always sucked, I wrote
terrible code, I aggravated everyone we'd worked with, I scared away all
potential investors, etc. It is curious the way that particular mentality
works. It's very much similar to what is described in the article. Once they
realize they can not win you back, they feel an urgent need to delegitimate
anything you might ever say.

~~~
engx
When things go bad, the tendency for people to lie is shocking.

I lived with a business partner, and decided to move out. Him and his
girlfriend begged me to stay but I wanted privacy (it was a big house with
other roommates).

Few months later we get into a dispute involving our third partner, everything
falls apart and suddenly they started telling people I was "evicted" from
their house and a terrible person.

------
empressplay
The "smoking gun" here is, I suppose, that the person in question was fired
from _another_ project in quite a public fashion for engaging in the very same
sort of harassment the OP reported to his supervisors and was rebuffed for.

There really doesn't look like there's much wiggle room here.

Now, that said, I think this is brilliant because this sort of thing happens
_all the time_ -- typically, if you report a Higher Value Person(tm) for
harassment (no matter what the field) you may as well just be shouting in the
wind. You'll get told "oh, you don't want to ruin their life, do you?" or
"I've spoken to him, he won't do it again, please won't you take one for the
team?" And if you persist, well, you're just disgruntled and unhappy and maybe
you should go somewhere else.

Nice to see someone held to account for once!

------
le_sign
I tried Jake's menthol eye drops once, he was offering them to lots of people
at the time. They burned for a few seconds but I felt no lasting effects.
They're something like this, possibly even this brand:
[http://www.rohtoeyedrops.com/product/rohto-ice/](http://www.rohtoeyedrops.com/product/rohto-ice/)
(the bottle was that shape, anyway).

------
KKKKkkkk1
WTF is a "strictly confidential conversation"? Do professors at TU/e have some
special status akin to doctors or lawyers? I've never heard of this sort of
thing anywhere else.

------
omgtehlion
I only did a quick skim of the story, not read it thoroughly.

Maybe someone knows, did anyone go to (real) court or complain to the
police about Appelbaum? Looks like this is the main concern of djb.

------
hartator
His Wikipedia page:
[https://en.wikipedia.org/wiki/Jacob_Appelbaum](https://en.wikipedia.org/wiki/Jacob_Appelbaum)
Doesn't seem to be the first time he has been accused publicly of sexual
abuses. Very far from that.

~~~
maraisednofool
Here, have something more serious and in depth.

[https://github.com/Enegnei/JacobAppelbaumLeavesTor/blob/master/JacobAppelbaumLeavesTor.md](https://github.com/Enegnei/JacobAppelbaumLeavesTor/blob/master/JacobAppelbaumLeavesTor.md)

I formed my own conclusions, including about those who take this lightly.

Who has called out journalists seriously since? That's the last he did before
the attack website and the carefully placed articles started, no? For all this
talk about how Appelbaum was this sociopath plagiarist just being charismatic
and summarizing the work of others, while others do the super serious work
(that doesn't include not partaking in witch hunts, but it's fine to be this
socially inept, and spout so much sophistry, because you see, _he_ is the
sociopath, that slot is taken so everybody else is in the clear), and all
those crickets chirping in response to questions about that, including on HN,
complete with downvote brigades, the flagged article by someone offering their
first-hand account in response to what third parties claimed about them, and
so on -- I haven't seen anyone pick up the mantle yet. Even assuming every
single accusation against him is completely true, that absolutely pales in
comparison to the "response" to it, and how transparent it is. HN is
completely scorched earth in that regard until downvotes are made public. That
would be interesting, until then take care.

------
donatj
The story would be a lot more powerful if it were vastly more concise and
meandered far less. This reads like an angsty teen's LiveJournal entry, which
doesn't do the serious nature of the matter justice.

~~~
tptacek
It wasn't written for your entertainment.

~~~
flukus
It was written to evoke an emotional response though, not to lay out a series
of events clearly and concisely.

------
spraak
It looks like this has disappeared from the front page?

------
sillysaurus3
Since this post casts djb in an unfavorable light, I feel it's important to
post some of his emails here, so that his words can stand alone, uncolored.

From
[https://www.hdevalence.ca/etc/34de2f3c2a48f7da/EmAiLs.txt](https://www.hdevalence.ca/etc/34de2f3c2a48f7da/EmAiLs.txt)

"Hi everybody,

As most of you know, we hired Jake for a 5-year PhD program, starting with a
50-50 split between Tor and TU/e, and increasing TU/e percentage assuming that
the first year goes well.

The Tor Project put up a blog post yesterday afternoon saying that Jake had
resigned from Tor. The blog post doesn't say "to concentrate on his PhD
studies" or any other explanation. If you look on Twitter you'll find a
shocking statement "Jake finally raped enough people that Tor as an
organisation couldn't ignore it anymore" from Meredith Patterson, and a
rapidly growing pile of comments.

If it's true that Jake raped someone then of course he should go to jail for
this heinous crime. If it's not true then the source of the false accusation
should be appropriately punished for slander. Clearly _someone_ has broken the
law.

But it's not my job to issue punishment, or to figure out who deserves
punishment. I'm going to presume _everyone_ innocent until proven guilty.
Everyone has a right to due process: being told exactly what the accusations
are, having adequate chance to respond, having hearings in front of a neutral
judge, etc.

Often people are falsely accused of crimes. I see it as part of my duty, as a
member of a civilized society, to avoid prejudging and punishing people who
are accused and who have not had their day in court. On the opposite side,
often people are correctly accused of crimes, and I also see it as part of my
duty to avoid prejudging and punishing accusers who have not had their day in
court.

As long as nobody goes to court claiming rape or slander, I would ask that you
join me in presuming that the accusations of rape are false, _and_ in
presuming that the accusations of slander are false. Assuming that someone
_does_ go to court, I would ask that you join me in waiting for judges and
juries to do their jobs---no matter how tempting it is to instead join a
poorly informed mob on one side or the other. I'm not saying that judges and
juries never make mistakes; I'm saying that the alternatives are much worse.

---Dan"

Furthermore, from the article:

"Isis told Tanja their story of being raped by Jacob, without identifying it as
theirs. Tanja’s response was to ask “Why were they in the same bed with
Jake?”, and when I asked Tanja whether, if someone she knew personally came to
her with this story, she would believe them. Tanja said no, not without
hearing Jake’s explanation. At this point myself and Isis left in tears,
ending the conversation."

From the emails file:

" Dear Harry,

A few weeks ago you initiated a strictly confidential, and ongoing,
conversation with me. During this conversation I have been listening carefully
to what you've been saying, frequently summarizing to confirm my
understanding, asking questions regarding various details, and providing my
advice as to the best procedures for you to follow.

I'm deeply concerned about this conversation, for two basic reasons.

First, I've now heard multiple rumors making me believe that you have been
summarizing the contents of this conversation to other people in a highly
inaccurate way. Perhaps you weren't paying close attention to what I said, or
perhaps you weren't careful in how you summarized it. There are other possible
explanations---perhaps the rumors I've heard do not reflect what you actually
said; perhaps I seriously miscommunicated something---but the bottom line is
that I'm not confident in the reliability of the communication channel.

Second, some of the things you've said sound more severe than simply wanting
advice. It seems to me that you're facing problems that you don't feel able to
resolve on your own: your goal is for other people, in particular me, to take
action. However, a strictly confidential conversation makes action impossible.
My role in such a conversation is purely as an advisor; complaints and other
requests for action require different procedures.

Given these concerns, I've decided that this message will be the end of our
strictly confidential conversation. I recommend that you send me a separate
message explaining in detail what problems you're facing--- without any
reference to the previous conversation; again, it's procedurally impossible
for me to take action that relies even slightly on any portion of a strictly
confidential conversation---and explaining what actions you would like me to
take.

I'm sorry if this sounds excessively formal, but following proper procedures
avoids errors and provides protection for everyone involved.

---Dan"

From a followup email sent by Dan:

" > In fact, I told both Dan and Tanja in June that I felt I had no option
> but to resign, due to sexual harassment, blackmail, and physical abuse
> by another of their students.

Mr. de Valence fails to mention that what he told me was part of a strictly
confidential conversation. I was not even at liberty to disclose to you the
existence of this conversation.

After careful consideration, given what I now see Mr. de Valence writing, I
have concluded that the following limited disclosure is proper: with all due
respect, Mr. de Valence is wildly exaggerating the contents of his
conversation with me. It is with the utmost care that I am choosing the words
"wildly exaggerating".

[...]

> That student, Jacob Appelbaum, was fired this summer from his other
> job, at The Tor Project,

The article cited by Mr. de Valence says that Mr. Appelbaum resigned from the
Tor Project. "Was fired" is not an accurate summary.

> on account of other abusive behaviour, as
> described in The New York Times:
> [https://www.nytimes.com/2016/07/28/technology/tor-project-jacob-appelbaum.html](https://www.nytimes.com/2016/07/28/technology/tor-project-jacob-appelbaum.html)

I am Mr. Appelbaum's first supervisor. I am aware that Mr. Appelbaum has been
accused online of rape. I am also aware of the following articles to the
contrary by investigative journalists:

[http://www.zeit.de/kultur/2016-08/jacob-appelbaum-rape-sexual-abuse-allegations](http://www.zeit.de/kultur/2016-08/jacob-appelbaum-rape-sexual-abuse-allegations)

[https://taz.de/Der-Fall-Jacob-Appelbaum/!5361578/](https://taz.de/Der-Fall-Jacob-Appelbaum/!5361578/)

I don't know which side is correct, and I'm certainly not in a position to
judge. Obviously it is important for criminals to be punished, and it is also
important for innocent people to be protected against false accusations; this
is why we have courts.

[...]

Six days before the deadline, Mr. de Valence said on the chat system that he
wouldn't get much done that day or the next day because he felt "quite burnt
out from last week and travel and some life crises", and that he would check
back in the next day. He then fell silent, with the status of his work far
from clear.

Three days later, after the lead student finally managed to track him down by
smartphone, Mr. de Valence sent one message saying

    
    
       Hi, sorry if I was unclear, I merged the WIP code I had into master
       so that other people could work on it, because I am burnt out and
       can't do both implementation work and the Tor meeting at the same
       time.
    

He then fell silent again. It turned out that the software was quite far from
a satisfactory state. The rest of the team had to stay up late nights writing
code and text to get the submission done on time.

Two weeks later, to my astonishment, Mr. de Valence gave a public talk at the
University of Waterloo on the results of the paper. He had never asked the
team for permission; he had never even notified anyone else on the team that
he was planning to give a public talk. (I first heard about the talk from a
Waterloo tweet two days before the talk.) The only part publicly announced
before that, a tweet in September, had clear consensus of the team; the
question of what to announce when had been an explicit discussion topic for
much longer. As for content, Mr. de Valence's previous slides for a private
ECRYPT-NET audience needed quite a few fixes, were missing cryptographic
context, and predated tons of work on the paper by the rest of the team. Even
today I don't know what his Waterloo slides said; he never replied to my email
asking for slides. "

I have to split up this comment in order to post it due to HN's length limit.
See my reply below.

~~~
sillysaurus3
From the article:

"Dan has written at some length about the importance of “due process”, both
internally to the research group and externally to the world. But it’s telling
to notice that in every such discussion, Dan carefully avoided any mention of
concrete processes: he did not define the “different procedures” suddenly
required for him to take action, nor what “proper procedures” should be
followed."

This is patently false. Dan sent a series of emails that clearly outlined both
the procedure to take to file a formal complaint, as well as Dan's reasoning
for insisting on these procedures.

I recommend reading
[https://www.hdevalence.ca/etc/34de2f3c2a48f7da/EmAiLs.txt](https://www.hdevalence.ca/etc/34de2f3c2a48f7da/EmAiLs.txt)
in its entirety. It isn't something that can be summarized. I've done my best,
but I have cherry-picked quotes here which both support and defend Dan. Why? I
feel it's important for someone to point out that insisting that someone file
a formal complaint is not the same thing as failing to take action.

Again, the length of
[https://www.hdevalence.ca/etc/34de2f3c2a48f7da/EmAiLs.txt](https://www.hdevalence.ca/etc/34de2f3c2a48f7da/EmAiLs.txt)
and the emotions that are invested in this situation will prevent most readers
from actually reading the full emails in their entirety before making a
judgement. But I strongly recommend taking the time to do this.

Note that in no way am I condoning or defending anything about Jacob's
behavior. There is enough anecdotal evidence to be extraordinarily suspicious
of him. But I am uncomfortable with the idea that Dan is getting thrown under
the bus solely because he insisted that Henry file a formal complaint, and
because Dan refused to take action based on off-the-record conversations.

~~~
wehere
I mean those e-mails by Dan you quoted are pretty incriminating themselves

~~~
tempestn
Incriminating in what way? They sounded pretty reasonable to me.

~~~
vacri
From the article, Dan and Tanja are superiors in a workplace, not unrelated
folks in a volunteer project. It's their responsibility to ensure a safe place
to work - telling people to take it to the courts is an unreasonable way to
start dealing with an internal HR problem.

~~~
watter
Exactly this. They clearly failed to follow university policies and they were
acting as superiors.

------
simplehuman
Is this the same Dan as the author of qmail? I feel I cannot use that software
anymore in good conscience

~~~
poikniok
Shouldn't we wait to hear Dan's side of the story before we get out the
pitchforks just yet?

~~~
clearly_a_shill
I have seen instances of Jake behaving inappropriately in front of DJB, and
I'm pretty sure he saw.

I've heard Jake bragging about his sexual exploits on numerous occasions,
including the sawzall story.

Not posting under my normal account for obvious reasons.

~~~
flukus
Any more detail? There is a big gap between inappropriate behavior and sexual
harassment and/or the assault allegations made.

~~~
knieveltech
Is there now? By all means describe what objectively differentiates
inappropriate from harassment.

~~~
flukus
Farting is inappropriate but not harassment (usually). There is a huge range
of behaviour that can be inappropriate but not harassment.

~~~
sethherr
That's a reasonable example, but doesn't answer the question: what
differentiates it?

I'd say it's something like "involving people without their consent" - e.g.
farting on them.

Which includes forcing people to listen to tales of your sexual exploits.

~~~
flukus
I'd disagree discussing your sexual exploits is harassment either, up to a
point. It's harassment when it's clearly unwelcome and directed at a specific
individual.

So if we sit next to each other and I keep farting even though you don't like
it, it's not harassment because it's not directed at you, but if I kept
walking over to your area just to fart, that's harassment.

I would have thought the distinction would be obvious considering the overlap
between HN readers and the socially awkward.

~~~
knieveltech
sethherr nails it with consent. Just about anything can be harassment if the
critical element of consent is missing.

------
nemo1618
After what happened to Assange, I can't help feeling skeptical of character-
assassination pieces on people associated with Wikileaks.

