tl;dr DJB was approached with a complaint, and thought it was a situation where he would give advice and his counterparty expected he would maintain his confidence. After he heard about the frustration the complainant was experiencing, he asked the person to file a formal complaint, or at least send a self-contained email (explicitly acknowledged as not confidential) that he could use to move forward, in order to not break that confidence.
Seems that's where things broke down. There's another complaint related to Tanja that seems separate (he says that she urged him to not file a complaint immediately), but that's orthogonal to DJB's side of this, I think.
EDIT: It seems, from context, that the complainant wanted the confidence revoked, and everything put on the record (not unreasonable). But DJB doesn't _keep_ records of confidential things -- hence his insistence that they start from the beginning.
EDIT2: I'm trying to summarize "What is DJB's side of this (as communicated in the linked emails)?" not the whole scenario. I don't know anything about this situation directly.
> But DJB doesn't _keep_ records of confidential things -- hence his insistence that they start from the beginning.
I call BS on this, if we're talking about adults at university positions. The reasonable response in that case is: "I do not have any archives. Please resend everything you've got.", not starting from the beginning without communicating that fact clearly. If someone fails to act properly in that position, they shouldn't be overseeing other people.
He should not stop because of a technicality on his side in that situation.
(Edit: reasonable response == absolute minimum here, he could do much more)
I don't disagree -- presumably some of their conversation happened verbally, so the claim 'I don't take notes or have records of confidential things' makes more sense? Seems likely, I frequently discuss things in person first.
I also agree with your characterization of the other side of this -- that it seems like he's using a technicality to excuse not doing something important. I'm not advocating anything, just trying to summarize a pretty long email chain.
You're talking about a crypto researcher here. Their behavior absolutely does include a much higher level of awareness around the handling of confidential information. He may well have a policy that all confidential communication is treated separately, including being automatically wiped after some period of time. This would need to be standard for his work as it relates to investigating 0day and other vulnerabilities that must be confidentially disclosed to third parties.
This does not make him a nice guy, and he would likely have been in violation of Title IX, which means any US govt funding for his lab is potentially at risk as a result of this case.
What do you think crypto researchers are? It's not a cloak and dagger field. It's applied mathematics research. You've never seen a group of people less wrapped up in spycraft than the attendees of an academic crypto workshop. That's one of the things that made Appelbaum's admission to Dan and Tanja's research group so weird.
I don't care who he is, or what his daily email routine is. It doesn't matter. At any level, if someone you're superior to in your organisation comes to you and reports abuse from another person in the org, you either follow up immediately, or you shouldn't be superior to them. Any kind of follow up should produce a report of that. If the person talking to you doesn't want you to report it further, then it's your business to have a record of that and never lose it. I know it from normal decency and numerous company trainings and I've never even been a manager.
His research topic, or even whether the report is true don't matter. It's in his interest to follow up on his own and keep records. If not because it's right, at least to protect the university and himself from what's happening right now.
Sometimes your best protection is a policy that all electronic communications are automatically deleted after a retention period. Many companies have such policies, and they have them on advice of their legal counsel, specifically to avoid discovery issues in the event of a suit. You can argue this doesn't apply here from a moral perspective and I would agree with you, but IT and legal policies often do not follow an ethical code.
Crypto research exacerbates this because the likelihood of such suits is higher than with other kinds of research, sometimes rising to the level of nation states getting grumpy at you with all that could entail. Finally, while I can't make any excuse for the behavior, he would be far from the first graduate advisor to have less than stellar management training or skills.
That's pretty disgusting, and the kind of "sneaky" you'd expect from an overly precocious child. Then again, it actually does match the combination of passive aggression and thwarted control-freak that I've come to expect from academia.
Some of his side of the story has been told in the leaked emails:
https://www.hdevalence.ca/etc/34de2f3c2a48f7da/EmAiLs.txt