Sexual harassment: Nicolas Dandrimont & Debian Account Managers collective gullibility on Jacob Appelbaum


I previously wrote a high level overview of how Debian falsified harassment statements against Jacob Appelbaum.

Now it is time to look at the detail. Here is an exchange between Mehdi Dogguy and Nicolas Dandrimont. Dogguy was Debian Project Leader, Dandrimont has become a member of the Debian Account Managers team.

The key thing to note here is they are simply cutting and pasting smears about harassment from the Tor Project. The smears they are cutting-and-pasting do not come from real police or a court.

The Tor Project claims they hired an independent investigator. What qualifies somebody to be an investigator?

When claims were made about Jeffrey Epstein visiting MIT, the MIT management hired the law firm Goodwin Proctor to conduct the investigation. They told everybody that Goodwin Proctor was doing this work. People could bypass MIT and give reports directly to the lawyers. At the end of this process, MIT published the full report and the names of those who worked on the investigation.

Every step taken at the Tor Project was the opposite of the process followed by MIT. Their statement does not give any link to the report itself. Their statement does not identify the name of the investigator, the name of their firm or their credentials. This comment from Sheri Steel, the Tor Project leader stands out:

The investigator worked closely with me and our attorneys

In other words, it appears that the investigator was not able to work independently. If the name of the investigator was never made public, how could volunteers go around Miss Steel and speak to the investigator directly?

The Tor Project is using an address in New Hampshire, US, a jurisdiction that is well known for its attitude to freedom and deregulation. Here is an article about the qualifications of private investigators in New Hampshire. Notice in particular that NH accepts the registration of investigators who have been dishonorably discharged from the military and other police forces. There are no checks on the financial credibility or mental health of licensed investigators. The investigator could be anybody from an ex-fireman to an undercover mall cop.

The report from Tor Project is therefore only as good as the person who wrote it and what they were paid. If the investigator was in a weak financial position, they may have felt immense pressure to write a report that tells their client what the paymaster wants to hear. That is almost always the path of least resistence.

Large professional law firms would not put their name on a report like this.

According to a detailed report in German magazine Die Zeit, the claims against Appelbaum concern incidents at his appartment in Berlin. Under German criminal law, if Miss Steele or any other person who attended the party visit a police station and sign a complaint, the police have a mandatory obligation to investigate the matter. An investigation by the police is impartial and you do not have to pay them to do it. According to German law, every crime reported to the prosecutor must be recorded in writing by the public officials. In other words, if any woman had a genuine complaint against Dr Appelbaum, the prosecutor can not refuse to open a case. The nature of German civil code (StPO) is absolutely clear, the prosecutor is obliged to listen to every woman and investigate every single complaint.

The prosecutor does not charge victims a fee for making an investigation. This raises another question, why would any victim choose to give payment to an anonymous New Hampshire mall cop when they can use an impartial German state prosecutor for free?

Due to the nature of abuse, many genuine victims have great difficulty in coming forward to report a crime. For childhood abuse victims, it takes an average of 30 years for victims to come forward. Yet once a victim has decided to speak, if they have the courage to speak to a private investigator, why would they not speak to the police?

In every case, a police report can be more thorough, more credible and they can use their powers to protect genuine victims from further abuse.

If any woman was really in danger, if Tor Project genuinely cared about protecting women in future, why would they not use the criminal procedure?

Many of us put our trust in free, open source software for a whole range of critical services from the banking industry to nuclear plants. Users of Tor Project include activists in dangerous parts of the world who may be subjected to severe punishments, even execution, if they are caught communicating on the Internet. These people are trusting Tor and other open source software with their lives. Yet if we can't trust the people who make Debian and Tor, how can we trust the software?

If you are submitting an article to a peer-reviewed academic journal, you need to identify your sources, their names and the papers they published. The Debian Account Managers do none of those things, they cut-and-paste words from a blog about an anonymous source and accepted it all as truth. Given their role in the Debian Project, it is scary how they could be so gullible to fall for something like this.

Notice how Mehdi Dogguy wrote a statement that did not include references to sexual activity, see the title of the message, it is simply "Jacob Appelbaum and harrassement". The original paragraph used the word "abuse" without any qualification. Nicolas Dandrimont strongly insists on inserting the word sexual as a prefix to both those words. Such statements are a hideous defamation and can not be used without evidence.

Subject: Re: Jacob Appelbaum and harrassement
Date: Wed, 15 Jun 2016 14:53:35 +0200
From: Nicolas Dandrimont 
To: Mehdi Dogguy 
CC: debian-private@lists.debian.org

[snip]

* Mehdi Dogguy  [2016-06-15 13:48:53 +0200]:

> In the meantime, we believe that the most urgent thing to do is to
> make sure that Debian as a community is safe for its contributors, and
> able to deal with people who abuse or manipulate, regardless of who
> they are, whether it happens online or at Debian events.

Agreed.

> Over time, Debian has published clear statements of what our
> contributors can expect from the community: the Diversity Statement
> [1], and the Code of Conduct [2], have been ratified in General
> Resolutions. DebConf events have an additional Code of Conduct that
> attendees are expected to uphold [3].
> 
> [1] https://www.debian.org/intro/diversity
> [2] https://www.debian.org/code_of_conduct
> [3] http://debconf.org/codeofconduct.shtml
> 
> Note that these documents alone can only set expectations, but do not
> help if somebody fails to meet them.

Apart from the DebConf code of conduct which has some provisions for actions, I
do agree that we're sorely lacking a process for "escalation".

> Abuse and manipulation do happen, sometimes even unconsciously, and are hard
> to detect. When a member of our community feels discomfort or worse, they
> need to be heard and understood. Not everyone is a good listener, especially
> with someone they do not know well. Make sure you and people around you have
> at least two people you can safely talk to when something goes wrong.

I had to do a double take on this paragraph, and I still can't believe what I'm
reading. Let's suppose I'm a newcomer in the project. Who should those two
people be? With my outreach team hat on, and in the context of having
encouraged around twenty newcomers coming to the next big Debian event, I feel
very uncomfortable with that response. Should the message we are sending be
that "yep, if you're talking to someone one on one, it's your fault"?

> People normally make mistakes, and they need to have a chance to
> realise what happened, own up to their mistakes, and take action to
> prevent them from happening in the future. Other people need to have a
> chance to take action if that does not happen.

You should make very sure that your public interventions on the matter are
worded more carefully. We're not talking about mere mistakes here, we're
talking about sexual assault, and harassment (sexual or otherwise). Those are
things that leave permanent scars on the victims, and can ruin their lives. Not
really something you can dismiss with "well, it happens".

If such events happen in our community, I do hope that some of us will have the
strength to make the attacker realize that what they did is wrong, help them to
make amends and, if that comes to it, help them heal themselves. But, first and
foremost, as a community, we need to make very sure that all the community is
safe, and that we stand by each other when we need each other. If that means
excluding some elements of our community to keep others safe, then we should
not be afraid to do it.

> If you want to report any issues, you can contact DAM
>  and the Anti-Harassment team [4]
> 
> 
> [4] https://wiki.debian.org/AntiHarassment

What is the current status of the anti-harassment team with DebConf being very
close and their attention being more than needed for that period?

Bye,
-- 
Nicolas Dandrimont

On a side note, Nicolas Dandrimont asked me to consider his girlfriend for an Outreachy internship. I have regularly made complaints about these conflicts of interest in Debian. Anybody who talks about these conflicts of interest is accused of sexual harassment. When I complain about Dandrimont's girlfriend, I'm doing it for all the other women who missed out on this opportunity.

Notice how Dandrimont asks to be removed from the selection process but he goes on to make comments about the projects and finishes with an offer to help rank the candidates anyway. This is not what it looks like when somebody honestly recuses themself from a decision.

The selection process described by Dandrimont would be no more credible than the investigation at the Tor Project.

Subject: Recusing myself from Outreachy applicant selection decisions, internships funding
Date: Fri, 14 Oct 2016 12:37:46 +0200
From: Nicolas Dandrimont 
To: leader@debian.org, outreach@debian.org
CC: mapreri@debian.org, pocock@debian.org

Hey all,

As of today, the person I'm involved with, Pauline Pommeret, is applying to an
Outreachy internship in Debian (on the GPG cleanroom environment project - I
don't see her mail on the list archive yet, so something must have gone wrong,
but it should arrive soon enough).

To avoid an obvious conflict of interest, I am recusing myself for any
decisions regarding applicant selections for this round.

I am of course still happy to serve as a liaison with the Outreachy program
administrators, and to forward our applicants to them for general funding when
selected, if the money allocated by Debian runs out.

This would especially be relevant, in my opinion, to RTC projects, as I'm not
sure at all that we should fund them from Debian money directly. Karen Sandler
also told me that one of the Outreachy sponsors was interested in funding
interns on Reproducible Builds. All in all, we should be able to have two or
three internship slots with Debian only disbursing one.

I'll stay on the outreach@d.o alias for now, but let me know if you need help
ranking applicants, and I'll ask DSA to remove me so you can discuss at ease.

Cheers,
-- 
Nicolas Dandrimont