Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
1451 lines (807 sloc) 425 KB

Jacob Appelbaum Leaves the Tor Project

Jacob Appelbaum

Disclaimer: This is a place for me to collect evidence and news on the story. I am currently not personally or professionally involved with anyone from the Tor Project, therefore do not send me inquiries asking for official comments from them other than what I have included here. I will source everything as thoroughly as possible; however, just because I include information or sources here does not mean I agree or disagree with it/ them. I will only include information that is publicly available; any information that is given to me in confidence will not be published without the expressed consent of the sender. I do not condone the harassment of any individuals (accuser, accused, etc.) on the basis of information that is presented here. This repository is not published or represented, such as through "vanity" accounts, anywhere else online - any individual or media organization who republishes, mentions, or promotes this investigation repository is not in any way affiliated with me unless expressly stated otherwise here. (CC-BY-4.0)

    1. Early Life
    2. Career
    1. Removal from Core Tor
    2. Patterson Denounces "Gross Diservice to Tor Community"
    3. Appelbaum Denounces Allegations
    4. Replacement of Tor Project Board Members
    5. Tor Project Concludes Investigation
    1. Leaked Tor-Internal Chat Logs
    1. Victims
    2. Witnesses
    1. Cult of the Dead Cow
    2. Freedom of the Press Foundation
    3. Purism
    4. Chaos Computer Club
    5. Noisebridge
    6. Friends and Colleagues
    7. Internet Freedom Festival
    8. Debian Project
    9. Linux Australia
    10. Electronic Frontier Foundation
    11. Telekommunisten
    12. The Intercept
    13. The Tor Project

Latest updates:

Appelbaum gives first press interview, subsequent Guardian interview; reason for living in Berlin; encryption used in Tor investigation; quotes from David Chasteen; quotes from Isaacson; de Valence, Bernstein, and Lange; Laura Poitras and Risk documentary; Electronic Frontier Foundation; Telekommunisten meetup; Chelsea Komlo

The History

Note: This section is for relevant events or statements leading up to Appelbaum's resignation.

Early Life

Highlight of today: Photoshoot at Noisebridge with the talented photographer Peter Yang for Rolling Stone; he's an absolutely awesome guy!

-- Jacob Appelbaum @ioerror (June 21st 2010)

Appelbaum, from Rolling Stone interview

The Rolling Stone interview from 2010 is one of the few publicly-available accounts of Jacob Appelbaum's early life (another more detailed personal interview was previously published on his old website). Despite taking issue with the "sensationalist" title post-publication, as far as I'm aware he has never disclaimed the content.

Appelbaum's obsession with privacy might be explained by the fact that, for his entire childhood, he had absolutely none of it. "I come from a family of lunatics," he says. "Actual, raving lunatics." His parents, who never married, began a 10-year custody battle before he was even born. He spent the first five years of his life with his mother, whom he says is a paranoid schizophrenic. She insisted that Jake had somehow been molested by his father while he was still in the womb. His aunt took custody of him when he was six; two years later she dropped him off at a Sonoma County children's home. It was there, at age eight, that he hacked his first security system. An older kid taught him how to lift the PIN code from a security keypad: You wipe it clean, and the next time a guard enters the code, you blow chalk on the pad and lift the fingerprints. One night, after everyone had gone to sleep, the boys disabled the system and broke out of the facility. They didn't do anything special — just walked around a softball field across the street for half an hour — but Appelbaum remembers the evening vividly: "It was really nice, for a single moment, to be completely free."

When he was 10, he was assigned by the courts to live with his father, with whom he had remained close. But his dad soon started using heroin, and Appelbaum spent his teens traveling with his father around Northern California on Greyhound buses, living in Christian group homes and homeless shelters. From time to time, his father would rent a house and turn it into a heroin den, subletting every room to fellow addicts. All the spoons in the kitchen had burn stains. One morning, when Appelbaum went to brush his teeth, he found a woman convulsing in the bathtub with a syringe hanging out of her arm. Another afternoon, when he came home from school, he found a suicide note signed by his father. (Appelbaum saved him from an overdose that day, but his father died several years later under mysterious circumstances.) It got so that he couldn't even sit on a couch for fear that he'd be pierced by a stray needle.

An outsider in his own home, Appelbaum embraced outsider culture. He haunted the Santa Rosa mall, begging for change. He dressed in drag and "I ♥ Satan" T-shirts, dyed his hair purple, picked fights with Christian fundamentalists and made out with boys in front of school. (Appelbaum identifies himself as "queer," though he refers to at least a dozen female lovers in nearly as many countries.) When a friend's father encouraged his interest in computers and taught him basic programming tools, something opened up for Appelbaum. Programming and hacking allowed him "to feel like the world was not a lost place. The Internet is the only reason I'm alive today."

At 20, he moved to Oakland and eventually began providing tech security for the Rainforest Action Network and Greenpeace. In 2005, a few months after his father died, he traveled alone to Iraq — crossing the border by foot — and set up satellite Internet connections in Kurdistan. In the aftermath of Hurricane Katrina, he drove to New Orleans, using falsified press documents to get past the National Guard, and set up wireless hot spots in one of the city's poorest neighborhoods to enable refugees to register for housing with FEMA.

Upon returning home, he started experimenting with the fare cards used by the Bay Area Rapid Transit system and discovered it was possible to rig a card with an unlimited fare. Instead of taking advantage, he alerted BART officials to their vulnerabilities. But during this conversation, Appelbaum learned that BART permanently stored the information encoded on every transit card — the credit-card number used, where and when they were swiped — on a private database. Appelbaum was outraged. "Keeping that information around is irresponsible," he says. "I'm a taxpayer, and I was given no choice how they store that data. It's not democratically decided — it's a bureaucratic directive."

Given his concerns about privacy, it's easy to see why Appelbaum gravitated toward the Tor Project. He volunteered as a programmer, but it soon became clear that his greatest ability lay in proselytizing: He projects the perfect mix of boosterism and dread. "Jake can do advocacy better than most," says Roger Dingledine, one of Tor's founders. "He says, 'If someone were looking for you, this is what they'd do,' and he shows them. It freaks people out."


In 2008 Appelbaum officially joined the The Tor Project, a research and development nonprofit based in Cambridge, Massachusetts, and Seattle, Washington. He was part of the translation team, improving documentation for non-technical users, and at the forefront of advocacy and public relations for the Tor network. He also ran "urras", one of Tor's directory authorities, which are special servers that maintain a list of all relay nodes (including exits) to help Tor clients find them. There were eight in 2012, ten in 2014, nine as of today. The hostname for the server was, with the IP address, which was a target of the NSA's XKeyscore (XKS) system as revealed through an investigation published by Das Erste.

Tor network diagram

Obwohl er keinen Hochschulabschluss vorweisen konnte, bekam er 2010 an der Universität Washington einen Job als Forscher und IT-Sicherheitsexperte. [Although he possessed no university degree, in 2010 he got a job at the University of Washington as a researcher and IT security expert.] Doch weil er nicht aufhörte, Julian Assange öffentlich zu unterstützen und vor Bespitzelung zu warnen, verlor er 2012 den Job. [But because he didn't stop publicly supporting Julian Assange and warning against spying, he lost the job in 2012.].

In June 2012, before losing his university position in Professor Yoshi Kohno's computer security and privacy lab, Appelbaum was among three guests in the eighth episode of Assange's televised discussion series "The World Tomorrow." At one point Appelbaum talks about U.S. Immigration and Customs Enforcement surveilling Dingledine ("my mentor") when he purchased a plane ticket for one of Appelbaum's speaking engagements:

I actually have the Freedom of Information Act data for my Immigration and Customs Enforcement records from a couple of years ago, because I thought someday maybe it would be interesting to look at the differences. And sure enough it has Roger Dingledine, who bought me a plane ticket for some work thing, his credit card, his address where he was when he bought it, the browser that he used and everything about that plane ticket was all put together.

... The commercial data was collected, sent to the government and they were tied together. And the thing that I find to be really crazy is that it's essentially the merging of these three things you're talking about. It was my right to travel freely, it was my ability to buy that plane ticket or for someone else to purchase that plane ticket, and it was the ability for me effectively to be able to speak — I was going to travel to speak somewhere, and in order to do that I had to make compromises in the other two spheres. And in fact it impacts my ability to speak, especially when I find out later what they have collected and that they've put it together.

A revised transcript was later published on November 26th as "Cypherpunks: Freedom and the Future of the Internet." A journalist from Der Spiegel, which Appelbaum had contributed to or been quoted in since 2005, reviewed the book as being filled with "Verschwörungstheorien" [conspiracy theories] by "Aluhüte" [tin-foil hats], even though many of the allegations would be vindicated a year later with the Snowden leaks (see 'The Snowden Leaks').

CryptoParty Controversy

On December 27th 2012, founder Asher Wolf (@Asher_Wolf) quit as an organizer of CryptoParty, a grassroots initiative to educate the general public on digital privacy-enhancing tools, which at the time was just four months old. She said "quitting wasn't easy" and cited a general lack of respect from several people in the movement who took advantage of CryptoParty's decentralized structure, which may have put attendees at risk. One day later she published a blog post with further explanation as to why she left. The 'final straw' was a series of interactions surrounding the Chaos Communication Congress in December 2012 (29c3), particularly involving former London CryptoParty organizer Samuel Carlisle (aka "Sam the Techie"), who allegedly failed to complete a contract of building a website for her after she paid him AUS$700. When he traveled to Hamburg on December 24th for his first Congress, as an Angel volunteer and Lightning Talk speaker, she encouraged others to confront him on her behalf. As a result of the attention on the dispute and the controversy over someone's retaliation for the "Creepercard" (Red/Yellow card) activity, Carlisle claims he was removed from the volunteer team. Wolf became a doxing target, which she implied was his fault. Web developer Daniel Sieradski (@selfagency) helped her get it back online and finished creating the website, free of charge. Despite Carlisle's public apology, Wolf's positive reference letter for his MIT application (as well as previous commendation of his work for CryptoParty), offers to refund via bank transfer, and supposedly more than one person willing to act as an intermediary, the dispute was never resolved.

Appelbaum was also mentioned in her blog post regarding a conversation they'd had on the Liberation Tech mailing list in early October, the topic of which was her technical abilities and willingness to learn. In response to her assertion that she didn't "have the right skill set," he encouraged her to not 'demoralize' herself, which she misinterpreted as criticism; he clarified that he believed in her willingness to learn. She also criticised his recommendation of PrivateGSM (software for making encrypted phone calls) at the first CryptoParty and how he backed out of teaching for the session. In the comments he explained that he'd had a new device and wasn't able to "hack it together" in time. The misunderstanding was resolved again and she said his response was "supportive and constructive." Following the end of the Congress, Appelbaum organized a crowdfund on ChipIn for Wolf to recover the AUS$700, half of which he supposedly donated himself.

I think we should raise $700 for @Asher_Wolf and then try to build consensus on future strategies for conflict resolutions. While raising money to remediate @Asher_Wolf's capital losses doesn't solve all problems, I hope it eases class division pressure. Lest anyone think otherwise - the cash for @Asher_Wolf is merely to offset her loses and not meant to interrupt the dialog about sexism.

-- Jacob Appelbaum @ioerror (January 1st - 2nd, 2013)

Within a day the fundraiser surpassed $500 and soon ended with a total of $885 from about thirty donors, at which point Appelbaum closed the campaign at Wolf's request. Responding to Carlisle's worry that the campaign insinuated his guilt, Appelbaum said it was not an "absolute condemnation" of him and made "no judgement" on the matter because he "didn't know the details," but hoped this would "make peace possible." Wolf voiced displeasure that Appelbaum hadn't consulted with her prior to launching the campaign, that there wasn't a "strategy," and she felt pressured to express gratitude. She was unable to refuse donations and claimed PayPal froze her account.

If by "screwed up" you mean someone decided to earnestly attempt to fix a problem without discussing it with me and now I can't access my PayPal account as a result and I can't issue refunds because the account is frozen, well yes. It was all very well-meaning 'tho, we all know that.

-- Asher Wolf @Asher_Wolf (January 3rd, 2013)

Appelbaum said his effort to reimburse Wolf "wasn't trying to make her whole. The goal was to return the amount of money she invested until the dispute can be solved."

During the OHM ("Observe. Make. Hack.") hacker camping festival in the Netherlands, Wolf personally confronted Carlisle and again told him to pay her back the AUS$700. On July 31st, the official start of the OHM festival, Carlisle tweeted for the last time to announce that he was quitting Twitter.

(Note: It has been alleged that at some point Meredith Patterson attacked Carlisle with a hammer; another anonymous pastebin claimed this happened at CCCamp in 2015, not OHM 2013. While they both were indeed at OHM, I have seen no further mention of this anywhere or how it is related to Appelbaum).

Len Sassaman and Plagiarism Allegations

Amidst the discussion about the crowdfund for Wolf, technology researcher and writer Meredith Patterson (@maradydd) surfaced allegations of plagiarism against Appelbaum. She hasn't publicly specified what research was plagiarized, only saying later in October 2014 that his talk for the 'Nothing to Hide' Chaos Communication Congress in 2008 (25c3) was stolen from her, her now deceased husband Len Sassaman, and American security researcher Dan Kaminsky (@dakami).

left to right: Benne, Arjen, Marc, Jake, David, Alex

The "research" allegedly stolen was oral discussions between the three during the previous Congress (24c3) in December 2007. Appelbaum's talks for 25c3 were 'Building An International Movement:', 'Advanced Memory Forensics: The Cold Boot Attacks' (solo), and 'MD5 Considered Harmful Today.' The alleged act of plagiarism involves the last one, a proof-of-concept execution based on the research of Marc Stevens, et al. regarding chosen-prefix collisions. Stevens, et al. were not only the original authors of the research but Appelbaum's co-speakers for the CCC talk. She has not yet accused them as a group of plagiarism, despite the fact that ostensibly they would also be implicated with Appelbaum in her claim. According to Subgraph Chief Technical Officer Bruce Leidl, there was a competition among security researchers to implement and present the attack of the original paper but "no person who actually worked on the project has any grievance with Jake."

If you compare names, you'll see these are the same people in both instances. The difference is that in the second instance, the attack from the paper is implemented and practically demonstrated. After the first paper was published, many security researchers, including myself had the idea of actually implementing the attack. Kaminsky and friends also thought about doing this it seems and had started working on it (when?) with the goal of presenting at a conference and being recognised for basically the work of these famous cryptographers.

... So Kaminsky claims that he told Jake that they were working on it at some conference, which Jake doesn't even remember. I believe this since I've always seen Jake demonstrate nothing but good faith in such situations and there isn't much.

-- Bruce Leidl @bleidl (October 6th, 2014)

Patterson said Appelbaum apologized to her about their "differences" during Sassaman's wake at the DNA Lounge and she not only acknowledged Appelbaum's apology but admitted that Sassaman forgave him and she unexpectedly backtracked on her acceptance due to unresolved anger; she also apologized for her "entirely passive-aggressive" attempt a resolving it by writing negatively about him in Hacker News. In addition to frequent friendly discussions on usability, security, and legal issues (including offering research help), Sassaman in fact had expressed support for Appelbaum in 2011 after he was repeatedly detained and interrogated by US CBP at the airport.

There might be short-term benefit through appeasement, by remaining silent, but it can only hurt overall. That said, having had to choose in the past btwn not poking the hornets nest, vs. shining light on it, I get that it's difficult. So, thank you, Jake, for speaking up. (January 12th, 2011)

CBP has all but dropped the pretense that they're detaining @ioerror for any reason other than harassment. How long will this continue? (January 19th, 2011)

Make no mistake: @ioerror is being punished. This, without trial or even a pronouncement of guilt or charge. For how long, and who is next?

-- Len Sassaman @lensassaman (June 14th, 2011)

The issue was raised again in February over mpOTR software, which was already being resolved. She said Appelbaum was "playing fast and loose with attribution" and that his apology to Sassaman had been dishonest and manipulative because Len's "forgiveness was contingent upon Jake keeping his nose squeaky clean with regards to attribution. He hasn't." She did not specify what the new allegations of plagiarism were.

I was enjoying my evening before @ioerror's kleptomania intruded on it. This game stopped being anything other than tedious a while ago. So fine. If that's how he wants it, here's the whole story, and then I'm going to enjoy the rest of LobbyCon.

At CCC in 2007, @lensassaman and @dakami and I were quietly discussing some research we were investigating, and @ioerror followed us around, begging to be let in on the secret. So we did. He promptly gathered another team, beat us to publication, and bragged to @lensassaman and me in our hotel room at CCC 2008 about taunting @dakami about the "top secret" research that he had stolen from us. I don't know why @ioerror decided to rip us off and the only reason I can think of why he would taunt Dan about it is base cruelty. But that's it, that's what happened, and I look forward to being shut of it.

-- Meredith Patterson @maradydd (February 14th, 2013)

She also accused Appelbaum of lying about the date of his apology to Sassaman: Appelbaum said they "made up" at Noisebridge, whereas Patterson said she was only aware of a reconciliation through IM weeks before his suicide on July 3rd after battling chronic depression and degenerative pain. Appelbaum apologized again even though he did not agree with her story. The issue has continued to briefly surface since. One of Patterson's most vocal supporters is her friend Andrew "Weev" Auernheimer of The Daily Stormer, an American 'black hat' hacker-troll. Appelbaum, like many of Auernheimer's targets, still supported him during his conviction under the Computer Fraud and Abuse Act (CFAA) in March 2013 (which was later reversed).

The conviction of @rabite is wrong. He is being persecuted by the State for unpopular and clearly protected speech with the Fourth Estate. AT&T and the State are persecuting @rabite rather than admitting their own respective incompetence. A neo-classic whistleblower crackdown. As @rabite is not a sympathetic defendant, it is easier for AT&T and the State to shoot the messenger. This is wrong; he should walk free. (November 21st, 2012)

I have had a very bad series of experiences with @rabite but being #CFAA railroaded doesn't bring justice to anyone. It shames our country.

-- Jacob Appelbaum @ioerror (March 18th, 2013)

The Snowden Leaks

On June 9th 2013, Edward Snowden became a public figure a few days after the first Guardian exclusive on leaked documents about previously undisclosed NSA surveillance programs. Details and speculation about his "quiet" life, work, and subtle activism in Hawaii were soon published in several news outlets.

On July 2nd, Appelbaum gave a talk on internet surveillance for the Digitale Gesellschaft's 14th "Netzpolitischer Abend" in Berlin. He expressed disappointment that Germany had just rejected Snowden's application for political asylum, considering what the leaks revealed about American spying in Germany. During the talk he also explained why he had left Seattle and moved to Berlin: due to a birthday diving trip to Hawaii in April, he was later suspected of being linked to Snowden and feared the Grand Jury investigation would intensify (see 'Freedom of Information Lawsuit').

I think it's important to understand this, right? I'm in Berlin right now because I had the really fucking awful, unfortunate mistake of (for my whole life) dreaming to go to Hawaii. To go swimming with manta rays and dolphins and all this other "unicorns and rainbows," all that stuff. We didn't find any unicorns and rainbows- well, we actually found two rainbows, but no unicorns. So I was in Hawaii for my 30th birthday in April, and twenty of my friends came. It was the most incredible thing I had ever experienced. If you want to feel loved, have twenty people fly for a really fucking long time to an island in the middle of an ocean, and to fly you there as a gift for your birthday. I felt really loved and I felt this was incredible; what a fantastic thing and what great friends. I'm so lucky to have friends like this in my life.

The problem with data retention is that it tells a story about you which is not necessarily true, and I've said this many times. It's made up of facts, individual facts which may be correct, but the story that they tell depends on who's telling the story. The narrator of a story -- let's say an analyst looking at your data trail because of a Grand Jury, let's say related to WikiLeaks or other things, let's say related to the largest national security leak in human history. Can you image what that analyst is thinking, now that I had the misfortune of finally living this childhood dream, only to have -- two months later -- a guy from Hawaii, being stationed in Hawaii, leaking these documents?

Here's a great dread: I don't actually trust that my country is a safe enough place, that I should wait around and see if justice still exists. So I came to Berlin, because I thought it would be a much better place to write about some of the things that are taking place now, to work with people that are interested in understanding the surveillance. Because for a decade I have worked on these issues and finally we have the information, as you've seen in Der Spiegel recently and as you've seen in the Guardian.

Online Harassment of the Tor Project

Over a span of several months prior to the Chaos Communication Congress (31c3) in December 2014, core Tor developer Andrea Shepard was the target of repeated online harassment. On Thanksgiving Day, she doxxed the alleged lead troll Jeremy Becker (aka 'JbJabroni10').

Finally, in retaliation, Shepard published a blog post that revealed JbJabroni’s real name: Jeremy Becker, a pharmacist who lives with his parents in New Jersey. Becker has since deleted all his accounts.

It’s unclear whether the doxxing will put a stop to Becker’s behavior. Shepard told Motherboard she hasn't been contacted by any of Becker's known accounts, but has no way of being sure if he’s not still harassing her under a new name as “he was part of a larger mob of deranged Pando followers.”

... In an email, Shepard admits doxxing to stop harassment is “not a reliable solution because a smarter harasser will always manage to conceal himself, but I'll take what I can get in the moment right now.”

While she is said to have received the brunt of the harassment, in the blog post identifying Becker she details several other people, including Appelbaum, connected to the Tor Project who were similarly harassed. A few months earlier, Appelbaum had been interviewed by Exberliner Magazine about offline harassment he had also experienced from the U.S. government. According to an unclassified 2013 cable from the U.S. State Department's SMART archive, the U.S. Embassy in Berlin was cataloguing this press coverage (the document was drafted and released by a "Fergerson, Cheveda J," who was the Embassy's Political Section Office Manager around that time; she had previously been Office Management Specialist for the U.S. Embassy in Warsaw).

Summary of Appelbaum's statements to press

On December 1st, she brought attention to tweets from someone who, like Becker, was criticising her support of Auernheimer. She responded by saying the person was "dangerously unhinged" and that the tweets demonstrated "her inability to comprehend that talking to someone doesn't imply agreement, while typical of her purge-happy political persuasion." When asked why she gave 'Weev' "the time of day" based on her experience with harassment, she said "he's never been an ass to me personally and I seriously dislike purge dynamics." Appelbaum, whom Auernheimer had repeatedly called a "plagiarizing snitch/ fraud/ degenerate" and "filthy Jew," asked whether it mattered to her that "he has done awful stuff directly to me... I see some people unwilling to feel for you because you don't feel for them about that issue." Auernheimer took the opportunity to bring up the allegations regarding Sassaman, a move which Patterson supported:

It is not “awful stuff” to call you out on plagiarizing @lensassaman and so driving him to his grave. Meredith’s forgiveness of you was predicated on you not reoffending. Then you did it to a host of others. I notice you are fucking silent about plagiarizing Len. There’s no blood on my hands, but yours are stained with Len Sassaman’s.

-- Andrew "Weev" Auernheimer @rabite (December 1st, 2014)

Shepard expressed a "wish he'd knock that crap off and grow up" but, despite acknowledging his anti-Semitism, repeated that "it scares me how okay some people seem to be with [ostracism]."

I object to social dynamics like this which replace making one's own assessment with pressure.

-- Andrea Shepard @puellavulnerata (December 1st, 2014)

A month earlier in November 2014, Appelbaum had also asked Eleanor Saitta (see 'Freedom of the Press Foundation') to "address the Nazi supporters in the community." Her response was that "there are none."

There are none. There's folks who're friends with specific humans, some of whom believe in things they disagree w/, like the occasional legitimacy of state violence, or eating meat. And yes, fucked race politics [too]. Because if you never talk to the other side, you lose. Left purity never won anything, Jake. We're all humans and we have to live together.

-- Eleanor Saitta @Dymaxion (November 5th, 2014)

Similar comments were made again several months later when Shepard and Patterson defended Curtis Yarvin (aka "Mencius Moldbug"), who is often compared to Auernheimer as a "race troll."

I do not think it is a good thing to warp one's mind in deference to popular unreason ...I don't want to live in the world bending the knee to popular tribalism and moral panic would make.

-- Andrea Shepard @puellavulnerata (June 5th, 2015)

Patterson also argued professional work should stand on its own and preemptive blocking was "nonsense."

My point is, if dude wants to talk about programming, by all means, have dude talk about programming. If dude subsequently gets up on stage and makes with the casual racism, by all means, end the talk early and boot him; the organisers have that power by virtue of being the organisers. But pre-acting to something that hasn't happened yet is nonsense.

-- Meredith Patterson @maradydd (June 5th, 2015)

Appelbaum and Dingledine on stage, source:

On December 30th 2014, Appelbaum and then Tor Project director Roger Dingledine presented the "State of the Onion" at the CCC, an annual update on developments at the Tor Project. Three minutes in, Appelbaum started speaking about the "sustained campaign of online harassment" which had been directed at Shepard "for the past several months."

APPELBAUM: It is the case that there's a person in our community, and many persons in our community, that have come under attack and have been deeply harassed. We think that sucks and we don't like that. Even though we promote anonymity without any question, that is no backdoors ever (and we'll get back to that in a minute), it is the case that we really want to promote being excellent to each other (in the spirit of Noisebridge). [...] It isn't the case that we're saying you shouldn't have the right to say things, but we are saying "get the fuck out of our community" if you're going to be abusive to women.

And you'll note that I used the word "fuck" to say it; I'm sorry about that because the point is we all make mistakes and we want to make sure that, while it's true that we have transgressions, we want to make sure that we can find a place of reconciliation and we can work towards conflict resolution. It's important at the same time to recognize that there are people whose real lives are harmed by harassment online. In this case, one of the people is in this audience and I hope that they won't mind be named, but we want to give her a shout-out and say that we stand behind her a hundred percent.

DINGLEDINE: One of our developers on core Tor, Andrea, has been harassed on Twitter and elsewhere, really a lot more than should happen to anybody.

[...] She's not just being attacked because she happens to be there, she's being attacked because they're trying to attack the Tor Project and all the other people in Tor; so yes, she may be the focus of some of the attacks but we, the rest of the Tor community, the rest of the security community, need to stand up and take on some of this burden of communicating, interacting and talk about these issues. We can't just leave it to her to defend herself.

As Appelbaum followed up with, the harassment seemed to center overall on the controversial topic of Tor's creation by the U.S. Naval Research Laboratory, their continued funding from the U.S. government, and use by the intelligence sector, a debate which has been raging since the software became more widely used by the public. Becker's supporters cited that debate as justification for his actions, that he "badgered high-status, key people" (in his view, Tor developers and spokespersons) "for answers to questions he considered important."

According to national security researcher and journalist Alexa O'Brien, who claims to have spoken with Appelbaum on the subject at the event, he was "sympathetic to [retribution] against the troll."

Do you all remember a troll named jbjabroni10? He got doxed, lost his job for trolling/harassing pv? ("pv" is Shepard, @puellavulnerata) I don't claim to speak for jb (he prob doesn't want me to anyway); but I remember what happened ...and I remember talking to @ioerror about the matter in *Hamburg, at CCC (it was a heated discussion). Ironically... in that discussion, (I'm not going to speak for Jake, maybe I am mistaken)... BUT, he appeared sympathetic to retribution against the troll, but supportive of measures that were taken. I took to mean. If one trolls insults/otherwise act inappropriate manner, social retribution justified. I hope that we all use this e.g. to explore important questions as applied to the least of us too. I don't have an answer, only active listening, thinking for myself about all that has transpired. I do, however, hope that this doesn't get played like some kind of battle of the cliques.

-- Alexa O'Brien @carwinb (June 11th, 2016)

Prior to the next Congress, in mid December 2015, it was reported by Motherboard that a small number of Twitter users, several of which were "connected to the Tor Project in some capacity" or "vaguely associated with the security community at large," were told that their accounts had been targeted by state-sponsored actors. Twitter did not respond to requests for more information or updates. Shepard was among those who were notified.

Suspension from the Tor Project

Based on a letter cited by, leaked through the anonymous blog site, Tor Project's then human relations manager Tom Leckrone (who still contributes to the mailing list) wrote to Appelbaum on March 18th 2015 that he was "expected to engage... on performance and conduct issues" as part of a Performance Improvement Plan following "an unpaid suspension for a period of ten business days" from March 20th to March 30th. The suspension was due to incidents which took place on March 3rd and 6th during a core Tor team company meeting in Valencia, Spain, during which one of the topics was reducing government funding. (This was also the week of the Circumvention Tech Festival, during which Appelbaum tweeted they needed help identifying a suspicious GPS tracking device found on an attendee's vehicle, and also when he claims he and Macrina had sexual relations for the first time.) The letter states:

As you know, a community member advanced a complaint that included two separate instances. One of the instances involved a provocative conversation on the afternoon of March 6th. The person to whom you were speaking was not offended, but the provocative conversation could be overheard by others and created an unwelcoming environment.

The other incident raises more serious concerns regarding Tor Project’s obligation to ensure a safe and comfortable work environment, especially as regards an environment that is unwelcoming or hostile to protected classes of community members. In this case, you made statements that implied that new community members were recruited in a sexually charged manner. This was made during the course of a Tor Project-sanctioned work session which you took part in leading. The very statement that the inception of a working relationship was in any way influenced by sexual conduct or even innuendo is offensive, especially in an environment where Tor Project is actively working to ensure that all community members are able to engage and advance themselves based on their skills and willingness to contribute rather than other attributes.

... In the repartee that followed, you expressly stated that the offensive sexualized recruitment “strategy” had “worked” with the complainant. This statement created an inappropriate and unwelcome environment for the complainant, and, indeed, any bystander who overheard this statement would be likely to perceive that the work environment at Tor Project was not welcoming and supportive of merit-based work. claims they have confirmed the authenticity of the letter ("... die Echtheit der Mail bestätigt"), though the submitter remains anonymous and the Tor Project has not confirmed it. Ars Technica Senior Business Editor and journalist Cyrus Farivar has also published a copy of the internal email, which he said was sent to him anonymously.

Leckrone also warned Appelbaum that he should resign if he didn't want to follow the terms of suspension or the Performance Improvement Plan; even if he did comply, he could have his employment terminated if "further performance or conduct issues ensue." It may be relevant that Appelbaum was told to contact then Executive Director Andrew Lewman, who had been with the Tor Project since 2009 and then chose to leave less than a month after this letter was sent (the position was filled by Dingledine in May of that year). The stated reason was that he left to work with "an Internet services company," which turned out to be two: Inman Technology and Norse Corporation. Both companies are information technology companies with ties to the intelligence sector, which was negatively regarded by Lewman's former co-workers. When Lewman was asked to comment on his alleged mishandling of the situation as Executive Director, he said he was "unable to comment on internal HR and legal matters during my time at The Tor Project, Inc."

Roger Dingledine, source:

According to Buzzfeed, a person who made a complaint around this time was then Development Director Karen Reilly.

She told [the board of the Tor Project] about Appelbaum’s public and false claims that he had sex with a specific member of the Tor community — something multiple sources have told BuzzFeed News Appelbaum has “done to too many people to count.” And she told them of darker allegations against him that had come up after a group of disgusted Tor community members gathered to share stories.

...According to sources, Appelbaum’s behavior had been the talk of the conference. Reilly had separately approached Lewman, Dingledine, Mathewson, and Seltzer in Valencia and told them of the harassment.

At dinner, the conversation turned to Appelbaum after Gardner, not yet a Tor employee, broached the subject. According to a source with knowledge of the dinner, Gardner said her friends had been asking her why she was working with an organization that employs a rapist. After that, Reilly “rehashed everything.”

... Following the dinner, according to sources, Tor conducted a human resources inquiry into the matter.

Like Appelbaum, Reilly was also given a ten-day suspension, but for "spreading rumors about the Tor Project." It is not stated what kind of rumours, about whom, or by what medium. Unlike Appelbaum, she didn't take the offer and left permanently; no mention was made of her departure in Tor Project blog announcements. She is oddly not listed under 'past contributors,' while Lewman is; the last time she appears on the Tor Project website is April 2015. As late as October 2014, Reilly had defended Tor for dealing effectively with these kinds of issues. A year later to the day, she wrote a blog post reflecting that she now thought otherwise:

If I had the power to remove the sexual harassers and misogynists from our midst, don’t you think I would have done so already? The problem is that I don’t have the power. If I worked for the sort of industry that removed awful men, I would have the power to remove awful men. If I say something, I’m the hysterical bitch who just wants to create drama. If I oppose an abuser openly, I become a target along with the people I care about.

In a Medium post published on July 4th 2017, she wrote in the second-person about a conflict with an HR person at a tech organisation that led to resignation and further employment issues. She may have been indicating that she has been under NDA with the Tor Project, hence the use of a detached grammatical person. On December 1st, in another Medium post, she wrote:

Because when women build whisper networks to protect other women from rape, it’s called “spreading rumors.” Let’s call these things what they really are: an activist response to human rights violations, something leaders would be praising from a high stage at a conference if it wasn’t a response to their failures.

Between the 17th and 18th of March 2015, when Leckrone sent the suspension email, Reilly tweeted what is possibly a reference to the "canary in the coal mine" allusion:

Canary status: dead. -- Karen Reilly @akareilly (March 17th, 2015)

Appelbaum also tweeted:

I wonder what the best defenses are for JTRIG-ish psyops? Just buckle in and move slow? Refuse to be split? Refuse to be atomized? (March 17th, 2015)

That feeling that manifests when it is time to move on. Intensely.

-- Jacob Appelbaum @ioerror (March 18th, 2015)

JTRIG chart

"JTRIG" is the acronym for a unit of GCHQ, the Joint Threat Research Intelligence Group, which uses psychological manipulation tactics to infiltrate and destroy activist groups by understanding, shaping, and controlling how discourse unfolds. The Human Science Operations Cell (HSOC) is a division of GCHQ which focuses on online human intelligence. Documents outlining their purpose and methods were among those leaked by Edward Snowden (with which Appelbaum was closely involved) and subsequently published through media outlets with access to the archives. In February 2014, co-founding journalist and constitutional lawyer Glenn Greenwald released a series of documents on JTRIG, including "The Art of Deception: Training for a New Generation of Online Covert Operations," in which they outline their goals to create "cyber magicians" who can manipulate targets at individual, group, and global levels using social psychology.

Among the core self-identified purposes of JTRIG are two tactics: (1) to inject all sorts of false material onto the internet in order to destroy the reputation of its targets; and (2) to use social sciences and other techniques to manipulate online discourse and activism to generate outcomes it considers desirable. To see how extremist these programs are, just consider the tactics they boast of using to achieve those ends: “false flag operations” (posting material to the internet and falsely attributing it to someone else), fake victim blog posts (pretending to be a victim of the individual whose reputation they want to destroy), and posting “negative information” on various forums.

In April 2015, Appelbaum and (now former) Facebook software engineer Alec Muffett submitted a draft to the Internet Engineering Task Force (IETF) for recognising and registering ".onion" as a special-use domain name, which was accepted later that year in October.

Freedom of Information (FOI) Lawsuit

In June 2015, The Intercept published court records sent to Appelbaum in May after the government had agreed to unseal them on April 1st. The documents detailed how the U.S. Justice Department forced Google to turn over "more than one year's worth of data from the Gmail account of Jacob Appelbaum" under 18 U.S. Code § 2703, including a gag to prevent Google "from notifying Appelbaum that his records had been provided to the government."

According to the unsealed documents, the Justice Department first sought details from Google about a Gmail account operated by Appelbaum in January 2011, triggering a three-month dispute between the government and the tech giant. Government investigators demanded metadata records from the account showing email addresses of those with whom Appelbaum had corresponded between the period of November 2009 and early 2011; they also wanted to obtain information showing the unique IP addresses of the computers he had used to log in to the account.

Google argued that providing such records not only violated Appelbaum's Fourth Amendment right but his First Amendment right as a journalist (see pgs 10-11 under "The Order May Raise Significant Free Speech and Other Privilege Issues" of Attachment A).

To the extent that the Gmail user [redacted] is a journalist or engaged in other constitutionally protected activities, the user may wish to assert First Amendment rights or any applicable journalist, academic or other privileges or defenses to which the user is entitled. Google is not properly positioned to do so on behalf of users.

The Justice Department argued that Appelbaum had “no reasonable expectation of privacy” over his email records, where the Order "simply requires disclosure of 'non-content' information" (see pg 8 under "The Order is Constitutional" of Attachment B), and also didn't acknowledge him as being a journalist. They considered the nondisclosure provision to be necessary because "unsealing and permitting disclosure of the Twitter Order has already seriously jeopardized the investigation" (see pgs 3-4 under "Argument" or pgs 11-16 of Attachment B), referring to the public controversy following their other Order to Twitter for the same data (see pgs 5-7 under "Procedural Posture" of Attachment A).

The Twitter Order was issued on December 14, 2010 and relates to the ongoing Wikileaks investigation, which is obviously an issue of great public interest. The Twitter Order demanded the production of subscriber information and certain records and other non-content information for a number of Twitter account holders from November 1, 2009 to the present, including an account with the user name [redacted]. It also contained a non-disclosure provision. The grand jury investigation underlying the Twitter Order was widely reported in the New York Times and other media outlets around the time the Twitter Order was issued. Indeed, prior to issuance of the order, the Attorney General had acknowledged that the government was actively investigating Wikileaks.

... On January 4, 2011, the day after the government agreed to unseal the Twitter Order, it procured from this Court the Order in this matter, which is substantially identical to the Twitter Order and compels Google to produce the idential information as the Twitter Order for the Google Gmail account [redacted]. The perpetual nondisclosure provision in the order is identical to the Twitter Order nondisclosure provision.

Artist rendering of Theresa Buchanan

Artist rendering of Judge Buchanan, who authorized the Order (here presiding on another case).

The redacted article which the government provided as evidence of the investigation having been "seriously jeopardized" (see "Government Exhibit 1" of Attachment B) was Greenwald's Salon piece: "DOJ Subpoenas Twitter Records of Several WikiLeaks Volunteers." The redactions from the article as presented by the government included the words "Wikileaks" and "Icelandic Parliament member," as well as the names of Birgitta Jónsdóttir, Appelbaum, Rop Gonggrijp, Assange, Bradley Manning (who now goes by 'Chelsea' Manning) and presiding federal Magistrate judge Theresa Buchanan. Greenwald, Jónsdóttir, Appelbaum, and Assange were among those targeted by three private intelligence firms, as revealed by a Palantir Technologies strategic plan document in February 2011.

(Note: Greenwald incorrectly describes the court order as a "subpoena" in the title and several times in his article; it is a "D" order, not a subpoena, since it was signed by Judge Buchanan.)

According to the final attachment, "on July 29th, 2011, Google provided notice of the Section 2703(d) Order to the subscriber following expiration of the non-disclosure period" of ninety days; however this authorization only pertained to its existence, as the contents remained sealed until April 2015 (see pgs 1-2 under "Background" of Attachment O).

Following the publication of the gag order, Appelbaum tweeted about the Tor Project's funding and how he had purposefully used Gmail to "draw out the DoJ's illegitimate practices."

I have long been critical of [government] funding - especially military - of NGOs. I find it interesting that people might suggest otherwise. When we have societies that fund infrastructure, I believe it should be for every person and it should come from general funds. ie: [non-military]. I have also long thought / said that NGOS need to find funding that is in line with a peer to peer spirit. Crowd funding? I'm not sure.

As more details about what the US Govt is doing to me - more personal attacks come to try to discredit my work and life. Why is that? It is a fact that the US Govt is targeting me as part of the @wikileaks Grand Jury. They do not appreciate my work with Tor or @wikileaks. I believe that it is precisely because we are doing good work that many reasonable people ask questions. Lots of bad actors pile on too. Reading about the history of COINTELPRO is informative as the tactics we experience are often identical. Unprovable rumors run rampant. I especially find it interesting that as a worker, who owns no capital, I am attacked by "workers" for having a job at a non-profit. Huh?

I wish that Tor had a more proactive stance on discussing a lot of these issues. Funding and the software dev are both important topics. The fact that I've been involved with @wikileaks and Tor is also used to try to harm either or both as a wedge issue. COINTELPRO2.0? Unsure. Perhaps the weirdest part of some recent attacks are those who deny the harassment from the US Govt has happened. What evidence do you need?

A few people have asked why I would use GMail; the purpose is simple: 0) free legal service from Google 1) expose the processes and results! For many years, I have used services specifically to trap the US Govt into picking fights that will become public. That the DoJ uses a "legal" process is not evidence that the NSA didn't also hack Google. Different attackers, same great target. It is important to note that many of us have worked tirelessly to expose both the DoJ's tactics and the NSA. Both need to be understood.

I've used many other services to draw out the DoJ's illegitimate practices. Very few have taken up a defense for me, @wikileaks or Tor. It is also possible that many other services were simply not allowed to have their fights unsealed - which is yet another legal travesty. , Google, Twitter are the three companies that actually fought, lost, and eventually notified me after it was over. I'm sad to say that Yahoo, Facebook and many other services must have been targeted but are so far totally silent. Did they fight? Win? That a provider has to spend a great deal of money for you to even have a chance of a day in court is already a lost battle at scale. My guess is that Yahoo went to court, they lost and the US govt has gagged them forever.

One easy test to learn if you're radioactive is to call the company lawyers and ask them to talk with you. Silence or refusal is telling.

-- Jacob Appelbaum @ioerror (June 22nd, 2015)

On June 24th 2015, O'Brien and VICE News Senior Investigative Reporter Jason Leopold jointly filed a FOIA lawsuit against nineteen US federal agencies for their documents on Appelbaum. The first amended complaint was filed on August 9th. It is not publicly known whether the request has been fulfilled but it may be nearing completion.

Visit to North Korea

If someone asked you on a date to go on a tour of North Korea, would you go? Asking for a friend.

-- Jacob Appelbaum @ioerror (January 21st, 2016)

In early April 2016, Appelbaum visited North Korea for seven days as part of a guided tour group of nine other Americans with the Korean International Travel Company, supposedly after receiving offers sometime in January. Though he never publicly announced he was going, he can be seen in the group pictures from a personal essay written by PBS Newshour producer Hannah Yi, as well as the tour video uploaded anonymously to Vimeo between the 26th and 27th of June (Vimeo later took it down, but I had saved an .mp4 copy). Other than Appelbaum making an appearance, what is shown in the video matches pictures shared by Yi in the essay, such as the soccer game at the Rungrado 1st of May stadium in Pyongyang and the bronze statues at the Mansudae Grand Monument. It has been alleged that this trip may have threatened the Tor Project's funding.

North Korea tour group (Appelbaum on the far left)

Denunciation of Establishment Media

On April 13th 2016, Appelbaum delivered a speech he self-described as "journalistic suicide" at the Logan Center for Investigative Journalism (CIJ) Symposium (where he is an advisor) in Berlin, Germany. During the speech he outlined how he and other investigative journalists had been betrayed by establishment journalists -- particularly at The Guardian, the "shittiest publication in the English language."

Some of you have written things in papers, for example, were you call me, or Julian Assange, or Sarah Harrison, 'internet activists'. To you that have done that, I think that you do not understand potentially what you do and, in that case, I have some forgiveness for you. But for those of you that do, I understand that you think me your political enemy and I take that up quite seriously, and I will win. So, with that in mind, I don't call you a 'grammar activist'.

But I would say that it is important that if we have 'disclosure activists' in the audience, I think it's important to consider, for example, that when we have bylines together in papers and later you call me an 'internet activist', it's important to remember you should probably have disclosed in your article where you called me an 'internet activist' that, actually, we were co-authors on, for example, the equivalent of the German Pulitzer Prize, or something similar to that.

To call me a 'political activist' is to consciously put me outside of the political tent of privilege and to say: go ahead, instead of being under journalism law, you're under terrorism law.

Appelbaum at CIJ event

Visit to Cuba

What is the best way to fly to Havana, Cuba from Germany for @cubaconference without touching FVEY countries? Asking for a friend.

-- Jacob Appelbaum @ioerror (December 12th, 2015)

At the end of April, Appelbaum and Bähring (see under 'Emerson Tan, Patterson, Shepard, and Hirsch') went on a two-week trip to attend the three-day Conferencia Internacional de Software Libre (International Free Software Conference) at the Colegio Universitario San Geronimo in Havana, Cuba. The purpose of the conference was to gather free software enthusiasts who "normally are prevented to participate not only by financial reasons but also by denying the entry visa," and discuss how free software can help those in developing countries. On the first day, Appelbaum gave a midday talk titled "Anonymity and You - A Discussion about the Tor Network."

Appelbaum at the Cuba conference, source:

Festival de Cannes

On May 19th 2016, Laura Poitras' Risk documentary on WikiLeaks premiered at the directors' fortnight of Festival de Cannes (Cannes International Film Festival). Appelbaum, who was featured in the documentary, has been friends with Poitras since at least April 2012, when they co-hosted a surveillance teach-in at the Whitney Museum of American Art in New York City. During the event, he handed out a list of addresses for "possible domestic NSA interception points," six of which were among those also confirmed in a 2018 investigation published by The Intercept. The St. Louis "Bridgeton room" had previously been reported on by cybersecurity journalist Kim Zetter in 2006.

On February 22nd 2015, Appelbaum had tweeted "I hope someday I'll be able to travel freely with Laura in the United States - as the Russians say: 'Hope dies last, but it still dies.'"

Laura Poitras, Jacob Appelbaum, Sarah Harrison at Cannes Festival

Poitras, Appelbaum, Harrison at Festival de Cannes, May 19th 2016. Photo credit: © Jean-François Lixon

The Resignation

On the 24th of May 2016, one day before Appelbaum would resign, Shepard tweeted a commitment hash (i.e. making a statement of secret value which can be authentically revealed in the future).

The Eindhoven Institute for the Protection of Systems and Information (Ei/PSI) published the schedule of speakers for their "Security in Times of Surveillance" event on May 26th. Sometime between the 24th and the 26th, Appelbaum's talk "Beyond End-to-End Encryption" was cancelled, the reason only noted as "sickness." Dingledine, who had a talk on Tor onion services, still participated in the event.

Shari Steele, source:

On May 27th, former Electronic Frontier Foundation Executive Director Shari Steele (who became Executive Director of the Tor Project in December 2015 to "solve their operational challenges") reportedly requested that Appelbaum sign a resignation agreement, whereby he would promise "mutual non-disparagement," including giving up the right to sue the Tor Project. According to the attached explanation by, Appelbaum refused to sign the agreement and it was never executed. In an interview with The Guardian, he said he had agreed to "undertake anti-harassment training, but left Tor before that could happen."

Steele's husband, Amazon Web Services vice president of engineering and former Sun Microsystems Federal president William "Bill" John Vass, worked with researcher Stephen Smalley at the NSA to "add the Flask architecture for flexible mandatory access control to OpenSolaris" in 2008. According to an anonymous pastebin (see 'Leaked Tor-Internal Chat Logs'), Vass also worked on the XKeyscore system used to target Appelbaum (see 'Career').

Removal from Core Tor

On June 2nd, 2016, Steele posted a "transition" update on the organization's blog:

Long time digital advocate, security researcher, and developer Jacob Appelbaum stepped down from his position at The Tor Project on May 25, 2016.

Within the same day that Steele announced Appelbaum's departure, Shepard revealed the hash:

Precommitment revealed: sha256("It seems one rapist is one rapist too many\n") (June 2nd, 2016)

(To verify this yourself using OpenSSL, input echo It seems one rapist is one rapist too many | openssl sha256, the output of which should be (stdin)= bfb9a7c833a5fc8f5a938d816b1bbc4acaa06519fdb1af4c8632719596807dac).

Shortly before the transition update was published, Dingledine allegedly sent out an email to the Tor-internal mailing list with more detail about Appelbaum's resignation (originally leaked on June 5th, it was later republished and mirrored by on June 27th). The email outlined who would be the points of contact, reassured them they were still working on drafting documents for company and community policy, that Tor-the-company would survive this, and urged them to "be mindful" about how they talked to the public or engaged in "twitterwar." No one from Tor has yet confirmed whether the email is authentic.

A few days later, Appelbaum's name was removed from the list of core Tor Project employees and volunteers, then added to 'past contributors.' Someone also quietly unpublished at least one blog post on Appelbaum, which was later restored.

However, he still appeared to have control over his Tor directory authority. On July 1st, Dingledine emailed a plan to drop 'urras', a process which requires at least five of the nine other directory authorities to agree in consensus, including at least one of three DAs which votes on recommended versions: 'moria1' controlled by Dingledine, 'gabelmoo' controlled by developer Sebastian Hahn (shown to be targeted by the NSA's XKeyscore program in 2014), and 'tor26' controlled by sysadmin and developer Peter Palfrader. On July 5th, the process for removing 'urras' was complete.

info on urras directory authority

Patterson Denounces "Gross Disservice to Tor Community"

As people responded to the news about Appelbaum as well as these mysterious tweets, it became clear that they were connected after Patterson tweeted about the lack of explanation in Steele's announcement. is a gross disservice to the Tor community. People deserve to know why Tor evicted its resident sociopath. You don't just kick sociopaths down the road and play like you've done the necessary. That's extending their social license to operate. Tor had the chance to nip this in the bud back when Jake was just a plagiarist. They ignored it, and he graduated to sexual assault... Jake finally raped enough people that Tor as an organisation couldn't ignore it anymore.

-- Meredith Patterson @maradydd (June 3rd, 2016)

As background to her assertion that he "graduated [from plagiarist] to sexual assault," it would be relevant to note that Patterson and Appelbaum have a history of being involved in plagiarism disputes since 2008 (see 'Len Sassaman and Plagiarism Allegations'). She tweeted her account of an interaction with Appelbaum which followed that alleged dispute, and then said that "Jake hasn't apologised to any of his assault/harassment victims that I know of either. And to everyone else trying to make hay out of that distinction, hairsplitting isn't a good look on you." Auernheimer replied to Patterson's thread, saying "plagiarism is a more serious allegation than rape to me personally... The bug Jake stole from Len was awesome. Once in a lifetime kind of stuff. Irreplaceable." These kinds of comments were neither new nor discouraged (see 'Online Harassment of the Tor Project').

American journalist Quinn Norton, former partner of Aaron Swartz, later also claimed involvement in plagiarism disputes with Appelbuam. They have yet to directly specify, or present evidence of, what work he plagiarised. In Patterson's case she probably won't ever do so, since she's already told Leidl (who challenged how she defined 'plagiarism') that "when research that gets stolen was only communicated about orally, there is no paper trail." Kaminsky was also unwilling to provide details. Cryptocat developer Nadim Kobeïssi has also argued with Appelbaum in the past with regards to attribution rights, but outside of one tweet on the subject has stayed out of the debate because he "thought a bit more about things and decided I had better things to emotionally invest myself in than an angry riot."

The majority of those who responded were shocked and/or asked for more information, both about the rape allegations and the circumstances of Appelbaum stepping down, which the Tor Project only said was a "personnel matter." According to Süddeutsche Zeitung, the Berlin Public Prosecution Office was not aware of any claims to date against Appelbaum ("Die Berliner Staatsanwaltschaft ermittelt nach eigenen Angaben bislang nicht gegen Jacob Appelbaum").

On June 4th, Steele released a longer public statement about the situation. Though it did confirm that the allegations led to Appelbaum stepping down, it did not reveal any more details, only that the matter was being investigated with the help of "a legal firm that specializes in employment issues including sexual misconduct."

Over the past several days, a number of people have made serious, public allegations of sexual mistreatment by former Tor Project employee Jacob Appelbaum. These types of allegations were not entirely new to everybody at Tor; they were consistent with rumors some of us had been hearing for some time. That said, the most recent allegations are much more serious and concrete than anything we had heard previously. We are deeply troubled by these accounts.

We do not know exactly what happened here. We don't have all the facts, and we are undertaking several actions to determine them as best as possible. We're also not an investigatory body, and we are uncomfortable making judgments about people's private behaviors.

That said, after we talked with some of the complainants, and after extensive internal deliberation and discussion, Jacob stepped down from his position as an employee of The Tor Project.

A screenshot of an email sent to Farivar, who published summaries of the allegations and Appelbaum's initial response, indicated that they were investigating the allegations.

screenshot of Tor email

Though the surname and email address were blacked out, 'Kate' is Kate Krauss, the former Director of Communications and Public Policy at the Tor Project (see under 'The Tor Project'). Her only personal public comment in response to the announcement of Appelbaum's resignation on June 2nd was "tears."

Appelbaum Denounces Allegations

Appelbaum's last message, prior to these allegations going public, was a tweet on the day he supposedly left the Tor Project: "Changing of the guards." He remained publicly silent until June 6th, when he issued a statement using TwitLonger, both to say that the allegations against him where "entirely false" and the "vicious and spurious" way they were delivered has made him "prepared to use legal channels, if necessary, to defend my reputation from these libelous accusations." The reputational damage from the allegations began to take effect in the following weeks as he was removed from participation, membership, and advisory positions in several organisations.

An international film publicist, Claudia Tomassini, told WIRED that Appelbaum's "legal team is working on an injunction against these monstrous and factually incorrect accusations." According to The Daily Dot she "walked back that statement," instead saying he “deserves as fair a hearing as anybody who comes forward with grievances against him.” She also clarified that Appelbaum was not her client; her involvement with him arose out of one of her media publicity projects, the 'Risk' documentary (see 'Festival de Cannes' and 'Laura Poitras').

DIE ZEIT Appelbaum story in printed paper, source:

On August 10th, reporter and author Christian Fuchs of the Hamburg-based German national newspaper DIE ZEIT published (in English and German) an excerpt of a weeks-long investigation, made available for purchase online and scheduled for print publication the next day. Data journalist Lars Weisbrod, of the Henri-Nannen-Schule for journalism, is also a co-author. It was based on interviews with Appelbaum and eight witnesses regarding the allegations by Chelsea Komlo, who was addressed by the pseudonym of "River." This was the first time Appelbaum had spoken to the press since his resignation.

He told ZEIT that as a person in a leadership role, he made many mistakes and hurt people, and he is willing to accept responsibility for this. Nevertheless, he said, the statements from "River" were completely fabricated. "At no point did I have sex with someone who was unconscious. Nor did I have sex with someone who was in any way intoxicated in order to obtain consent."

DIE ZEIT noted again that "there have been no reports of charges by victims or investigations by police or public prosecutors against Appelbaum," and Appelbaum hadn't gone to police either. Sebastian Mondial, a DIE ZEIT investigative researcher and data journalist, tweeted about his involvement in the investigation. Apparently addressing the claim that Appelbaum chose them first, he said:

No, it was the other way around. We talked to a number of people first. Then he agreed to talk to us, too. It took many weeks for that. Personal remark about the @ioerror story: Was on two panels with @ioerror in the past about whistle blower protection #full disclosure. Story started just covering the incidents and the community. We took our time, that's all. To sum it up: People who claim to create transparency by publishing stories anonymously use Github in an intransparent way. My guess: Habit.

-- Sebastian Mondial @kappuchino (August 10th, 2016)

On August 12th, the full four-page investigation was published online; an English translation was published the next day. Its main focus is the rape allegation by "River," but they also briefly cover the two incidents from the last Chaos Communication Congress which were refuted (see witnesses 'Emerson Tan, Patterson, Shepard, and Hirsch'), including Lovecruft's alleged fabrication and subsequent removal of the story behind "Alice", and then supposedly unmentioned crucial details regarding Macrina's allegation of sexual assault (see 'Alison Macrina').

(Note: The story describes Appelbaum as the former lead developer of Tor - "der führende Entwickler des Tor-Projekts." While he was considered a developer and the leading advocate / "icon" responsible for the public image of the Tor Project, he was not in a lead developer position.)

Anna Catherin Loll, a Berlin-based journalist writing for The Guardian, said Appelbaum's German lawyer described the allegations as "a hate campaign." She "also found some conflicting accounts in at least three of the allegations of sexual assault," though did not specify which allegations. Electronic Frontier Foundation co-founder and board member John Gilmore was quoted describing the publicising of the allegations as "trial-by-rumour."

“The numerous victims that this process creates are not helped at all; the innocent along with the allegedly guilty are savaged and rejected without ever getting a chance to defend themselves.”

In November 2017, the European Court of Human Rights (ECHR) decided in the case of EGILL EINARSSON v. ICELAND that "public persons... do not have to tolerate being publicly accused of violent criminal acts without such statements being supported by facts," on the basis that such statements would violate Article 8.

Replacement of Tor Project Board Members

On July 13th 2016, the Tor Project announced that it would be replacing all seven members on the board of directors "in keeping with its commitment to the best possible health of the organization." The statement was written by the outgoing board and posted as a press release by Krauss. Though Dingledine and Mathewson stepped down from the board, they will "continue in their roles as co-founders of the Tor Project, leading Tor's technical research and development."

In an interview, Ms. Steele said the board moves were intended to “bring in a strong, leadership-oriented board with more experience leading a strong and sustainable organization.” Recruiting new members, she said, had not been a challenge.

“All of them had been watching what was going on with Tor and were committed and enthusiastic about growing this into a stronger and sustainable organization,” she said.

The departing directors are Meredith Hoban Dunn, Ian Goldberg, Julius Mittenzwei, Rabbi Rob Thomas, Wendy Seltzer and two of Tor’s co-founders, Roger Dingledine and Nick Mathewson. Mr. Dingledine and Mr. Mathewson will remain as leaders of Tor’s technical research and development.

Six of the original seven positions were filled and some were renamed; Casper Bowden's position as an 'in memoriam' director was also removed. Computer scientist Matt Blaze has taken the position of Board Chair; EFF's Cindy Cohn as Board Treasurer; McGill University anthropologist Gabriella Coleman as Board Clerk; privacy advocate Linus Nordberg (a Tor developer who also runs the Swedish directory authority 'maatuska'), human rights data analyst Megan Price, and security technologist Bruce Schneier as directors.

Neither the old board of directors nor the new have publicly commented on the investigation outside of praising the Tor Project's response; Blaze had commented on the initial public statement and Coleman was the only board member to personally blog about the allegations, praising Steele for how "action was taken relatively swiftly." She has not disclosed whether she knew about her upcoming appointment to the Tor Project board of directors when the blog post was published on June 24th.

I have known Jacob for 10 + years and it was only when the woman came forward in the Tor project that I had ever heard these specific sexual assault accusations.

Tor Project Concludes Investigation

On July 25th 2016, the Tor Project announced via Gizmodo that their two-month "external investigation" had concluded. Steele did not give details on what the findings or conclusions were, only saying that they would "release the general findings of the investigation as well as new guidelines regarding sexual harassment" "exclusively to The New York Times later this week."

Steele told Gizmodo that the Tor Project has no plans to bring any of the sexual assault claims to law enforcement, but said that she can’t speak for the individual victims. The external probe, conducted by a lawyer who specializes in sexual assault investigations, interviewed more than six people who claimed to be victims of Appelbaum’s abuse or to have witnessed it. According to one woman interviewed as part of the probe, the investigator conducted multiple interviews over a period of two months.

“We were especially looking at the accusations against Jacob Appelbaum and also looking to see if there were any broader long term implications for the broader community,” Steele told Gizmodo. She said the investigation also looked at whether the Tor Project held any liability.

Gizmodo claims to have also interviewed an anonymous source "with knowledge of the investigation."

People inside the Tor Project are still deliberating what Tor’s statement regarding the report will say, though one source with knowledge of the investigation said that the report will not use the word “rape.”

On July 27th, Steele announced directly from the Tor blog that the investigation had concluded. Due to the "sensitive" nature of the information, she did not disclose who was involved in the investigation or clarify what "unwanted sexually aggressive behavior" was found to have occurred.

"... A number of people have come forward with first-person accounts and other information. The Tor Project hired a professional investigator, and she interviewed many individuals to determine the facts concerning the allegations. The investigator worked closely with me and our attorneys, helping us to understand the overall factual picture as it emerged.

... The investigation is now complete. Many people inside and outside the Tor Project have reported incidents of being humiliated, intimidated, bullied and frightened by Jacob, and several experienced unwanted sexually aggressive behavior from him. Some of those incidents have been shared publicly, and some have not.

Steele also claims that they found "two additional people as having engaged in inappropriate conduct, and they are no longer involved with the Tor Project." She did not identify these individuals or what their "inappropriate conduct" consisted of, only telling The New York Times that they "had also been involved in the incidents" and "we won’t tolerate this behavior anymore." Krauss was contacted directly on the subject by Ars Technica but she also refused to give their names. The Daily Dot claims to have spoken with anonymous sources who say the individuals, both male, left "more than a month ago" and were not accused of assault.

Sources with knowledge of the investigation told the Daily Dot that the project cut ties with the two men, only one of whom was an actual project member, more than a month ago. The two U.S.-based developers, unidentified by the Tor Project, are not accused of assault, the sources said.

According to BuzzFeed, the two men will be reintegrated into the Tor community by Tor Project's new Community Team and Council; Macrina, who leads the Community Team and is a member of the Community Council, has been recused from this effort after two core Tor members pointed out the conflict of interest (see 'Alison Macrina'). She claimed that because the Community Team is unpaid, they do not have access to the investigation results; to this day, the Tor Project has not shared the investigation procedures or results publicly.

In response to the news, Reilly referenced what Mathewson allegedly said to her at the Tor developer meeting in Valencia.

That feeling when the person who made you unemployed is now unemployable. For the rest of you who let this happen: I hope you "seek therapy to help you through this"

-- Karen Reilly @akareilly (July 27th, 2016)

Technology reporter Nicole Perlroth covered the conclusion of the investigation for The New York Times, which was also among the establishment media denounced by Appelbaum (see 'Denunciation of Establishment Media). Other than repeating what Steele said in the blog post, she claims to have also spoken with an anonymous source with regards to Appelbaum's absence in what turned out to be a one-sided investigation:

Mr. Appelbaum was preparing to address the results of the investigation after the release of Tor’s statement, said a person who spoke on the condition of anonymity.

... Mr. Appelbaum did not participate in the Tor investigation, citing concerns with the way the findings would be communicated and the security of the investigation, according to the person who spoke on the condition of anonymity. Mr. Appelbaum had asked that Tor’s investigators speak with him in person or through encrypted means and declined to take part when those requests were not met, this person said.

The Tor Project later tweeted about the use of encryption during the investigation. It is unclear if this is a refutation of Perlroth's article or if these options were only offered to alleged victims and witnesses, but not Appelbaum.

Tor offered multiple encrypted communication channels to people interviewed in the investigation into allegations of sexual assault. We use multiple encrypted channels at Tor every day -- makes sense, right?

-- The Tor Project @torproject (August 1st, 2016)

In a Twitter exchange, Shava Nerad, Tor Project's founding executive director who left for health reasons around the same time Appelbaum joined, said she confirmed with at least one Tor staff member that Appelbaum was not interviewed.

My understanding is that Jake asked to be interviewed on Signal and the private investigator refused to use private comms. I confirmed with Tor staff that he was not interviewed because they could not agree on a method of secure comms. ... All Shari has is the victim collective's testimony, no cross examination, nothing from Jake.

-- Shava Nerad @shava23 (August 22nd, 2016)

Steele uses euphemism for rape in interview

Following the publication of the article, Perlroth said Steele used "a euphemism for 'rape'" during the interview, but the tweet specifying the term was deleted from the thread. It is unclear why Steele is relunctant to use the word "rape" if those allegations were supposedly confirmed, which has been noted by several media outlets including ZEIT Online and Frankfurter Allgemeine Zeitung.

Von Vergewaltigung ist im aktuellen Statement von Steele nicht die Rede [There is no mention of rape in the current statement from Steele]. Offenbar gibt es auch weiterhin keine Strafanzeige gegen Appelbaum [Apparently there are still no criminal charges against Appelbaum]. -- ZEIT Online

Das ist alles, was Steele und das Tor-Projekt sagen wollen, und es bleibt weitgehend unklar, wer die Beschuldigenden sind und was genau Appelbaum vorgeworfen wird [That's all Steele and the Tor Project want to say, and it remains largely unclear who the accusers are and what Appelbaum is accused of exactly]. Dass es keinesfalls belanglos ist, zeigte ein fehlgeschlagener Angriff auf dem Höhepunkt der Empörungswelle [It showed, by no means insignificantly, a failed attack at the height of the storm of controversy]. -- Frankfurter Allgemeine Zeitung

When Komlo revealed herself as 'River' in December 2017, Steele told Gizmodo that Komlo's allegation "was finally the straw that broke the camel’s back" because the private investigator found it to be "credible."

The Website and Twitter Accounts

The website was created as a victim story bulletin board, with an attached git repository run by an account created on May 26th that uses his name and Twitter/ GitHub handle (with the only difference being an extra 'r', this is a form of cybersquatting). Contrary to some suspicions that he had been hacked, his official website is listed on his Twitter profile as According to the registration information, the website was created using PrivacyProtect on May 27th, two days after Appelbaum reportedly stepped down and the same day that the resignation agreement from Steele is dated. The domain is being hosted by GitHub in San Francisco using GitHub Pages. The OpenPGP key given as a contact method is named "Jacob Appelbaum's Victims Collective."

site registration

Six anonymous or pseudonymous Twitter accounts were created in the wake of Appelbaum's resignation. The first, previously going by the handle "@TimetoDieJake," was changed to "@VictimsOfJake" and promoted the victim website (you can tell it's the same account because all the tweets match prior to the former's deletion). The profile picture for both is a psychosurrealist piece called "Castrate Cure," portraying a small female figure using a guillotine to perform a penectomy on a giant man. No one has publicly claimed the Twitter account, though a few Tor Project employees have publicly indicated they were involved with the website. On June 7th an FAQ was added to the site, in which it denied any association with the Twitter accounts:

We have seen the accounts you're talking about and they aren't associated with us. We don't know who is running them, and some of us are disturbed by their incendiary statements and graphics. We don't condone calls for violence or for Jake to self-harm.

However, based on its first tweet, the @VictimsOfJake account had a very early awareness of the site and also has knowledge of Patterson blaming Appelbaum for Len Sassaman's suicide. It is unlikely that they are a native German. On June 3rd, they shared the site in its early stages (using a link that was no longer live), where it very explicitly claimed to be Appelbaum. The account was last active on June 27th, 2016.

first version of website -

Under the 'Victims' header of the original version of the website, it at first appeared to be filled with random speeches, though it was likely default filler text since it is used on at least two other websites: this blog and the 'Manifest' section of this site, with nearly identical theme code that the victims' website seems to have copied.

Shepard is one of the suspected creators of the site. She tweeted that it was not her "choice to keep the sources this vague, but frankly, people are afraid of retaliation." (I'm assuming she means retaliation from people other than Appelbaum; for any allegations which are true, the level of detail in the stories would enable him to identify the claimant from memory and thus defeat the attempt at anonymity. This implies Appelbaum himself is not able, or has no desire, to deanonymise them publicly). She told WIRED that the creator was a "longtime member of the Tor community” whom she knows and trusts. She has also speculated that Appelbaum created the @VictimsOfJake account to smear himself "for sympathy." Another likely candidate is Lovecruft (see 'Isis Lovecruft'), who said "I first started seeking out other victims, about six months ago," which would also explain their strange dating (see 'Victims'). Alison Macrina, like Shepard, has said the account is a "troll" and "should be reported. [T]hey do not represent any of the victims I've talked to." (The @VictimsOfJake account responded by calling her a "social manipulator," yet later appears to support her.) She told The Daily Dot that she "vouched for the authenticity of the anonymous victims’ statements" and, like Shepard and an unnamed Tor employee, knows who is behind the website. It is entirely possible that all three could be directly involved with the website's creation and updates, due to their open admissions of having knowledge of the allegations for at least a few months.

Besides the alleged victims' stories themselves, the most alarming aspect of the website was the lack of good faith displayed by the tweet button at the bottom which prompted people to share the website as if it was owned by Appelbaum:

I just read on @ioerror's homepage that he has sexually assaulted many people in #tech. #wtf

The site's FAQ now claims that they are "a small group of people of different genders" who "never meant to impersonate Jake or to trick anyone. With the official text, we have tried to make it clear that it isn't pretending to be made by Jake himself." However they are still linking to his real GitHub account at the bottom of the page, their contact email is, and the file for the website's header image is "me.jpg." The new tweet prompt text is:

I just read on that @ioerror has sexually assaulted many people in #tech.

The last part of the FAQ states: "We do not believe that Jake is likely to ever face criminal charges. We know that some people will say that proves that the stories here aren't true. But we know that many people understand we are telling the truth, and we believe people will be safer because we made this site."

The second account, "@Ioerror_info," was made several days later. On June 9th, its first tweet was an alternative version of a story published by Gizmodo and The Daily Dot (see 'Emerson Tan, Patterson, Shepard, and Hirsch'). Like the first account, it is not publicly known who is behind it.

On the same day, Australian podcaster Patrick Gray tweeted a Hitler meme captioned to represent Appelbaum reacting to the allegations. Gray said this meme had been "doing the rounds" in private conversation; Shepard and other Tor contributors, including developer Griffin Boyce and Kenneth Freeman, either liked or shared the tweet. Replies to the tweet were generally disapproving, though no one pointed out that it was in very poor taste particularly because Appelbaum comes from a Jewish background (see 'Online Harassment of the Tor Project').

The third account, "@JakeTheRaper," was made on June 14th. It mutually followed an account which has been amplifying anti-Appelbaum tweets, especially those with a mock-solidarity button which Shepard and Macrina also liked. It linked to a GitHub repository that was created on June 12th, run by Caleb James DeLisle (@cjdelisle), the lead developer of cjdns and project admin for XWiki, who told me that he does not support the message of that account and has added a disclaimer (as did I when it decided to link here instead, as the account violates my anti-harassment policy). On November 6th, the account changed to "Ban Jake Scott" after disappearing in September and deleting all of their tweets on Appelbaum.

On June 15th, a name-spoofed account (@chaosupdales) tweeted that "Jacob Appelbaum is barred from attending all CCC events." Many retweeted the message thinking it was the @chaosupdates account; when people realized it was fake, reactions were mixed. After the real CCC account announced that Appelbaum would not be welcome (see 'Chaos Computer Club'), it responded: "It seems, dreams can be achieved." The next day they tweeted that they were "a wishful account."

This is not a fake account. This is a wishful account, and sometimes wishes come true. We still wish, @ccc had a Code of Conduct.

On August 8th, another new Twitter account (@WatsRllyGoingOn) began tweeting very explicit dominatrix GIFs to portray Appelbaum as a sex slave of various women involved in the allegations, referencing the #FemdomDarknet hashtag in the Twitter profiles of Macrina and Shepard. Shepard responded to one of them by rating it "3/10 at best, too het" (heterosexual). When Lovecruft objected to the crass tweets, Shepard said to "think twice before blaming me."

Tweets responding to graphic gifs

The @WatsRllyGoingOn account has since been re-branded as "anti-fascist" and may belong to Esme Dudoit as all three accounts follow each other (see under 'Henry de Valence'). The current profile picture was taken from a 2014 Digital Journal article on 'Black Bloc' protestors in Brazil.

On August 15th, a sixth Twitter account was created called "@VictimsOfAndrea," parodying the handle @VictimsOfJake. Most of its tweets consisted of screenshots of Shepard's tweets or telling people to call Shepard a "witting US Govt agent", and its first tweet directly referenced Jeremy Becker (see 'Online Harassment of the Tor Project'). The account was last active sometime in December 2016.

Leaked Tor-Internal Chat Logs

During the night of June 25th, @VictimsOfJake tweeted a link to an encrypted pastebin on, which was set to expire within a day. The author claims to be someone in the security community who works on Tor, and they outline a list of nine points they consider important to "the campaign to destroy Jake." Among other allegations of complicated sexual relationships among various complainants and Appelbaum, it also accuses Nick Farr (see under 'Allegations') of being a "paid hacking consultant for the CIA." Farr has since asserted that family history and alcoholism disqualified him from intelligence work, but that he's worked for the Departments of Treasury and Labor as an accountant.

Screenshot of pastebin, source:

About three hours later, a new Reddit account called Tor-Internal shared that link after posting a second pastebin, supposedly a leaked chat log of the Tor-internal "watercooler" IRC channel from November 10th, 2014. The pastebin itself was dated August 29th, 2015 (i.e. it had been public for ten months prior to going viral). The preface oddly requests that it not be leaked. Cryptome, who was tipped by the Cypherpunks Mailing List, became the second person to share the pastebin file on Twitter and provided a list of the pseudonyms used in the chat matched to core Tor Project names.

David Chasteen

The subject of the chat log involved confronting a recently-hired project manager, Iraq War veteran David Chasteen ("DaveC1"), who had emailed Tor-internal to inform them that prior to signing on to a six-month contract with the Tor Project, he had not divulged he had just finished working for the CIA under a TSI/SCI (Top Secret/ Sensitive Compartmented Information, the highest tier of three) security clearance. Instead, he only told them he had worked for the State Department. He would not divulge what surveillance programs he had been involved with, but in the past he indicated he had experience in terrorism intelligence analysis.

During the conversation, Appelbaum asked Chasteen a series of questions about his career as a soldier and with the CIA, including "Have you ever killed someone?" Chasteen's response was "not directly." After Runa Sandvik asked for clarification on what Chasteen meant by 'not directly', Lovecruft told Appelbaum to stop "wantonly" attacking Chasteen and "causing a dramabomb," mocking the questions by equating it to asking someone if they had "ever indirectly killed someone via flushing shit down the toilet in the US with potable water."

Also, unlike you, some of us actually maintain software and enjoying clearing our minds through coding

-- Isis Agora Lovecruft @isislovecruft (November 10th 2014)

Chasteen frequently proposed that he was going to formally out himself through a Boing Boing article written by founder Xeni Jardin, which received a negative reaction. Sandvik urged him to work directly with them and various people wondered how to frame the story to the public. There was no evidence of such a story being published by Boing Boing and Jardin did not publicly comment on whether she worked with him, though it is clear they are known to each other. Appelbaum stated that Chasteen had threatened to sue the Tor Project for discrimination against veterans when questions about his prior work first arose; Chasteen apologized and said he was "probably more sensitive to it than most" due to starting "an organization that is focused on combatting veteran stereotypes and discrimination" (alluding to IAVA, Iraq & Afghanistan Veterans of America). However he then rudely told Nima Fatemi ("mrphs"), an Iranian exile who was worried about the impact of this on his family, to "check his entitlement." It was later revealed that Dingledine ("sekritarma") had been physically sitting with Chasteen during the chat. According to his email, Chasteen said he was also planning to meet with Reilly ("Karen"), Mathewson ("Nick"), David Goulet (@ev0ke42), and Lewman ("Andrew").

Dingledine talks about Operation Onymous, source:

Chasteen joined Twitter on November 7th, 2014, one day after he allegedly left the CIA according to a timeline anonymously sent to Cryptome (which is yet to be verified). The timeline indicates that Chasteen had shown an interest in joining the Tor Project as early as January 2011; without explanation as to its relation to Chasteen (though it appears to have been alluded to in the chat), it also notes Operation Onymous (the takedown of several dark web marketplaces on November 5th & 6th by Europol, FBI, and DHS, followed by the arrests of seventeen people) as a relevant event. His only tweet for that year was on December 12th, which he tweeted again almost a year later with small changes in wording.

It is unclear whether Reilly's ("puffin") involvement in keeping the secret and recommending Chasteen to Tor influenced her resignation four months later after the Valencia meeting (see 'Suspension from the Tor Project),' as well as to what extent WikiLeaks was informed about Chasteen. It is also unclear whether disclosing Chasteen's name would have legal consequences for the leaker, as was asserted by Appelbaum in the chat. The Intelligence Identities Protection Act is a federal law amendment to the National Security Act of 1947 which specifies that "criminal penalties for the intentional, unauthorized disclosure of information identifying a covert agent" only apply if the agent was in service within five years during or prior to the disclosure. If the timeline is correct and he worked with the CIA for a total of eight years (from 2006 to 2014), then the leak would fall within that sensitive 5-year time period. However, considering that Chasteen includes information about his CIA work on his bio page for IAVA, and no additional classified information about his work was revealed in the chat, it is quite unlikely charges would be justified.

Intelligence Identities Protection Act

Tor developer George Kadianakis ("asn") shared a link with former Tor Browser bundle signer Erinn Clark ("helix") to a etherpad first saved on November 30th, 2015 (shown via the timeslider), which doesn't appear to have been edited further until June 26th 2016; someone used the pad to allege that Lovecruft was an FBI informant between 14:36-14:49 on June 27th. Since anyone can edit anonymously and the date of the edit is so recent (within a day of the pastebins going viral), there is no reason to believe this etherpad document is authentic.

Riseup etherpad

There has been limited speculation about who the leaker(s) was. It has been suggested by some that it could be Appelbaum due to his insistence on publishing through WikiLeaks and his accepted offer to log the chat for the Tor-internal mailing thread. Since the leaker took steps to conceal the origin of the transcript, it could just as easily have come from anyone participating in the channel, including Chasteen, who repeatedly says that the story will be leaked. Joseph Cox of Motherboard claims they "confirmed the legitimacy of the transcript" but did not specify how that was done. York, who was called "highly promiscuous" in the first pastebin, believes that leaker could be a woman and someone else fed her the information.

The @VictimsOfJake account shared another link on the night of June 27th, which was a pastebin of their response to the first encrypted pastebin, which they told Cryptome was "bullshit." The response oddly begins with an assumption about the author's age, sex, and drug inexperience based on the "style" of the writing, even though basic textual analysis of vocabulary puts their own writing style at a lower level of quality than what they're criticising (they casually use words like "fishy," "shill," and include an emoji, which "a young person" is more prone to use).

On May 10th 2018, Jardin published a BoingBoing article responding to Gina Haspel's confirmation hearing, featuring comments from Chasteen as a "former rank-and-file CIA guy," who noted that his tweets had been "cleared for publication by @CIA 's Publication Review Board in less than 24 hours. Happy to see they're still clearing criticism in a timely fashion."

During CIA training in 2013, I was instructed that CIA officers are allowed to violate US law while conducting operations. I pushed back against this interpretation during class and was reprimanded for doing so. I have no reason to believe that that training has changed.

In the Army, I received training on not just my right but my responsibility to disobey unlawful or immoral orders. No such training was part of the CIA's curriculum for [Directorate of Operations] officers during my tenure from 2006 to 2014. This is not part of the culture.

All nations' intelligence agencies (and armies) break FOREIGN laws because espionage (and invasion) isn't legal. That's par for the course. But where soldiers have a rich tradition of moral philosophy, the CIA tends to respond with "we were just following orders." We hanged Nazis who used this defense. If the CIA is going to inculcate a tradition of respect for the rule of law, it's going to require a significant change in curriculum and some intelligence equivalent of courts martial empowered to actually enforce that law in the field.

-- David Chasteen @davidschasteen (May 10th, 2018)

Chasteen's comments somewhat conflict with those he made in 2014. According to the leaked email sent to Tor-internal, he initially claimed he was "never involved in or aware of operations against US persons. I was never involved in or aware of operations against NGOs and/or journalists or activists, American or otherwise," and further said that "thankfully I never saw anything that required blowing a whistle," even though he now claims to have been instructed to break both domestic and foreign laws, and was aware that such a "curriculum" pervaded the culture of the organisation.

I was in a meeting with [Director of the National Clandestine Service] where he asserted, angrily, that he was going to put a stop to Chiefs of Station violating the law (re: things like casual petty cash theft) and being promoted on time. ("They can't just keep paying it back and saying it's fixed.") He wasn't so naive as to think that he could sanction these officers, he just wanted to keep casual lawbreakers from being promoted as fast as their peers.

-- David Chasteen @davidschasteen (May 11th, 2018)

The Allegations

Warning: Many stories haven't been verified or vouched for! They are only here to document allegations.


The website profiles nine separate claims from people who were "harassed, plagiarized, humiliated, and abused — sexually, emotionally, and physically." Initially, half of them were marked as placeholders (Alice, Briar, Phoenix, and Sam), but the stories for "Sam" and "Phoenix" have since been added, along with more stories than the original eight (Kiwi, Nick, and FemCog). All, except for Nick's, were purposely under anonymised names. A few were not published via the website, but still referenced it. Although the repository creator's profile shows contribution activity on May 26-27th, those commits do not belong to the live repository but a previous copy which was removed; the current live copy was committed on June 4th. It has been alleged the original repository was removed to hide evidence that the woman intended for the "Alice" placeholder had a story about her written & submitted without her consent.

The GitHub copies of the entries are PNG images; the text appears blue in odd places due to GitHub's syntax highlighting. Initially, all the entries were marked with the same date of December 31st, 2015; since then, newer entries have not only been given different dates but the dates on earlier entries were changed (compare them from both archives). It is unclear what the date signifies. A list of the allegations submitted anonymously on the website (ordered by their dates):

Based on the details provided, this incident likely occurred around the Berlin Speakeasy organized by the Electronic Frontier Foundation (EFF) and the Freedom of the Press Foundation (FPF) on July 13th, 2014. Budington was indeed in Berlin as an attendee, along with Lee, Sandvik (who joined FPF a month before), and Robinson. Yan Zhu, who hosted a get-together the day prior, left before the incident occurred but has said she heard rumours of harassment for years. Considering it was a "workshop on whistleblowing platforms," it was probably the GlobaLeaks/ SecureDrop/ Aspiration Tech event, "Open Technology Whistleblowing Platform Roundtable," occurring sometime between the 12th and 16th of July. The topic was similar to what Budington and Zhu presented at HopeX in New York City, July 18-20th. Appelbaum was still in Berlin on the 15th and left for Amsterdam by the 16th, so it would've had to occur before then.

Though no specific allegation is made, there is also a general complaint about his name frequently being first on the list of authors for academic papers; however the practice of listing authorship alphabetically in research, especially within the U.S. and in the fields of math and computer science, is very common:

For this reason, mathematicians traditionally list authors on joint papers in alphabetical order. An analysis of journal articles with at least one U.S. based author shows that nearly half were jointly authored. Of these, more than 75% listed the authors in alphabetical order. In pure mathematics, nearly all joint papers (over 90%) list authors alphabetically.

These traditions differ from other areas of scholarship, especially those that frequently involve large numbers of researchers working on a single research project. In areas of mathematics that are more closely associated to such areas, the culture and traditions may blend together.

While these traditions are well-known to mathematicians, they are often misunderstood by other scholars whose traditions differ. Occasionally, this works against young mathematicians — especially those with names near the end of the alphabet.

Nick Farr

The first was Nick Farr, one of four individuals to eventually claim authorship of a story on the victims website. His entry is now dated January 25th, 2016. He alleges that he was verbally harassed during the Chaos Communication Congress event in 2013 (30c3), where he was an organizer of the Lightning Talks; Norton says she witnessed it. After approving a proposal for a talk which was going to argue that Appelbaum was a U.S. intelligence operative, he was chastised first via email and then in person multiple times by both Appelbaum and "important people in the CCC."

Jake demanded all the records I had received from this person. Jake also had the CCC edit the 30c3 wiki database to eliminate any trace of the offending talk.

Furthermore, he says a note was left every night on his hotel room pillow (though he does not know by whom):

"Don't make us use extreme measures. Hand it all over."

During the conference, Farr had not tweeted that he felt threatened or intimidated. On December 27th, he praised the work of the Chaos Mentors" for being "an excellent example of the larger DIY effort to make the #30C3 a safe space for all." On the 29th, he tweeted: "Pro Tipp: Don't let bullies win. #30C3," and did not respond to requests for elaboration. Two months later, he cryptically tweeted: "Note to self: Don't volunteer for any org where gratitude is not part of the culture. #saythankyounotfsckyouwhenyourvolunteersmoveon." He did not specify what organisation he was referring to, only indicating in replies that the ingratitude came from "fellow organizers."

In March 2014, Farr published "What I Miss Most About The 30c3" on his now defunct personal site. He wrote about his favorite aspects of the "amazing" Chaos Communication Congress but concluded that he wasn't planning to attend further Congresses due to family needs (with no mention of Appelbaum).

While it’s not a huge surprise to many of you, I think I’m going to let the 30c3 be the highlight of my Congress experience and a great feeling I’m going to hold onto for a few years. I couldn’t imagine a better note to take a rest on. I’m also incredibly grateful to the team that’s taking over the Lightning Talks, I am sure they will take my work and build immensely on it. While you’re all enjoying the 31/2/3c3s, I’ll hopefully be welcoming my own family into this wonderful world you’re all helping create.

On November 1st 2016, he published another Medium post claiming that his allegations had been dismissed by "my colleagues and friends... as I had dismissed others."

On November 19th, while preparing for the upcoming Congress, Farr tweeted that he had instructed "my refugees" to help "with the Team-Jake cardboard scarecrow now. Hopefully it will arrive in time." Shepard liked this tweet.

Computer and network security professional Ryan Lackey had asked for clarification regarding the alleged messages left on Farr's pillow at 30c3. Farr responded that "someone unauthorized entered my room," though it "wouldn't have been hard, necessarily, [if I remember correctly] folks had keys to my room for orga reasons."

On December 16th, Pepijn Le Heux, a Dutch attorney and Tor advocate based in Amsterdam, said he spent a lot of time with Appelbaum (who was scheduled to deliver three talks) during 30c3 and did not witness him harassing Farr:

Most [people] at 30c3 were pissed off by how @Nickf4rr handled this. People were mad at him, but [did] not send by Jake or so. I spent almost the entire 30c3 with @ioerror, we shared hotel room. He never gave much attention to @Nickf4rr & everybody else thought @Nickf4rr acted wrong, spoke about it with CCC, it was corrected & moved on. @ioerror had bigger issues to worry about. Just went into exile, Snowden revelations, had a few big 30c3 talks. We spent the days eating healthy, gym every day and working. 30c3 was really not about @Nickf4rr. He says: 'a deliberate campaign of abuse orchestrated by Jake Appelbaum at the 30c3' but also says he didn't really know at the time.

What @Nickf4rr really means: I was stupid & malicious, everybody got mad at me, but under current circumstances I can just blame Jake. Story of @Nickf4rr hardly needs to be challenged, bullshit is clear from the text. According to @Nickf4rr the whole CCC and his oldest friends are Jake 'proxies' or 'cronies' ...sure.

Since at least 2006, Farr is listed as being the Chair of the Social Engineering Department at Osric University, a "unique non-accredited degree-granting institution that conducts nearly all courses via the internet," which appears to have been inactive since Fall 2014. The university claimed to specialise in research on contrived languages and pathological lying, offering "Associates Degrees and Baccalaureate Degrees" in addition to "traditional course requirements at other colleges and universities." The website was registered in 1998 under "Osric Publishing" by Christopher Herdt (@cherdt). The overview for Farr's department is:

The Social Engineering Department is devoted to the study of controlling large groups or societies through the use of coercion and through the subtle changing of social mores and belief over time. The department is not only devoted to the study of social engineering in history, but also in the present day as a cultural study, and as a practical application.

On May 13th 2018, Farr retroactively changed the title of his original Medium post from June 5th 2016 to "Restoratice Justice > Mob Justice" and replaced the contents with a new message:

Bringing people together is my life’s work. The text that was originally here is not an example of bringing people together, in fact, it deepened rifts in a community that I’ve spent a large part of my life trying to nourish. I apologize for deepening those rifts and am working to help repair them.

There are powerful forces that are using personally traumatic disputes to keep people bickering instead of focusing on building community, solidarity and the tools and techniques with which we can resist and restore our freedoms.

On June 5th 2018, he tweeted a thread about his own misunderstandings about consent in relationships:

Before my first [long-term relationship], how many women had I pursued to the point of real fear? Who knew I had a lot of social capital or had reason to fear my "shady hacker friends" and thus very carefully managed me? How many women who sent strong signals of interest had I totally ignored?

Now I look back on my [long-term relationships]. How many times was I totally shocked to be dumped? All but one. How many exes did I hijack into managing me with a "take me back" cry for help? Most. The happily ever after fairy tale makes us do dumb things too.

-- Nick Farr @Nickf4rr (June 5th, 2018)

On August 7th, Farr said that "for as long as I remember, people have just always assumed I'm some kind of cop or spy or whatever." On August 11th, reverting on the sentiment expressed in the retroactively changed Medium post, Farr claimed he was still "fighting toxicity" regarding the allegations he had made and that "no good fight goes unpunished."

Alison Macrina

Sam: "His nonconsensual washing lasted about a minute or two before I leaped out of his bathtub and started crying in the corner of his bathroom" (February 3rd, 2016).

The second was Alison Macrina (@flexlibris), founder and director the Library Freedom Project. Four days after she claimed to be writing about community building to fix Appelbaum's "untold harm to this community," she published a Medium post on June 15th claiming that she submitted the "Sam" story, and that she was also friends with "River" in addition to "a number" of other alleged victims.

She tweeted that she had her "come to Jesus" moment months ago and that she was "ashamed it took me so long to figure out what was what." Both she and Shepard were still on friendly terms with Appelbaum as late as mid-February 2016, around the time Shepard claims to have first heard about the allegations, though Macrina's "Sam" story is dated February 3rd. Macrina may have visited Appelbaum in Berlin sometime at the end of 2014. She was also there as a Tor Project representative for the CIJ Symposium in March 2016. In between she was a fellow presenter with Appelbaum at the last "State of the Onion" talk for the 2015 Chaos Communication Congress in Hamburg, Germany; following the conference, she was in Berlin and said she was leaving Germany on January 3rd with ACLU library program director Kade Crockford (@onekade), who had also been there for the conference and New Year's Eve. Macrina shared several pictures of herself, Crockford, Slate journalist and Library Freedom Project activist and former Electronic Frontier Foundation staff activist April Glaser in squatting poses around Hamburg and Berlin. Performance artist and Families For Justice As Healing co-director "Madge of Honor" Mallory Hanora also tagged them with a picture of empty bottles on grass.

Her partner Franklin Bynum (@frabyn, then @bynumlaw), a Houston-based criminal defense attorney who she 'met' in July 2015, migrated his law firm out of Google Apps after her encouragement to do so. They have been together since at least mid-February. He wrote "Decoding Appelbaum" on June 6th, though neither disclosed Macrina's involvement with the allegations at the time. On June 8th, prior to coming out as "Sam," Macrina said she planned to organise a space at the CCC to "change the culture" by teaching "soft skills" through "some intentional spaces for learning about consent, abusive behaviors, transformative justice, supporting each other, and so on."

... I deeply want my "soft skills" to be treated the way technical skills are in this community.

-- Alison Macrina @flexlibris (June 9th, 2016)

In response to worries about how the Tor Project would handle the investigation, Macrina -- who was reportedly "deeply involved" -- said:

I am too. [For what it's worth], I trust Shari's leadership & action here. She took the situation seriously from day one. I'm fortunate to have an insider view, and I wouldn't be part of Tor during this if I didn't trust her.

-- Alison Macrina @flexlibris (June 9th, 2016)

According to DIE ZEIT, Macrina omitted crucial details from her story, including that she went to the apartment shortly after "River" left on January 3rd and had consensual sex with Appelbaum.

Ms. Macrina reacted angrily when asked about it. It’s "shameful and prurient" to even be asked about that at all, she said. "Finally, as a general principle, it is not okay to hold up other sexual encounters to assault victims as a way of suggesting that their assault is invalid."

The Guardian also confirmed that the alleged incident took place in January 2016. Macrina claimed to have met up with him again later in Berlin:

When she met Appelbaum again in Berlin he insisted that he was the real victim because other people were making “false claims” about him. “He put on such a show on this little bench we were sitting on. It wasn’t that cold but he ostensibly shivered, asking repeatedly why I didn’t want to come over for tea.” Hoping for an apology was futile, she realised. “It was all about him trying to get me into his thrall with stylizing himself as the victim,” she says.

Isis Lovecruft

Forest: "Sometime around 5 o'clock in the morning, I woke up very confused and startled because my pants were unzipped and Jake's arm was wrapped around me, his hands in my underwear" (February 1st, 2016).

The third was Isis Agora Lovecruft (@isislovecruft), a (now former) core Tor developer, who came out as "Forest" in a blog post on the same day that Macrina claimed to be "Sam." Like Macrina, Lovecruft did not specify the date of the incident beyond that it happened "two years" ago; Loll and Martin Kaul at (English) 'questioned dozens of people over several months' and identified that the approximate date would have been sometime in January 2014, which does not conflict with Lovecruft's timeline that it occurred after Appelbaum moved to Berlin in the summer of 2013.

At that time, Lovecruft had written about also wanting to move to Berlin at the end of August 2013 and felt depressed about living in the U.S. while working "with no pay." On January 1st 2014, after attending the same 30c3 where Farr alleged his own incident occurred, she shared an article about Appelbaum's recent talk for Chaos Communication Congress (30c3). On January 6th Lovecruft tweeted, "I'm thinking I'll stay in Germany for a while. And apply for C-base membership," a popular Berlin hackerspace which Appelbaum had been attending since at least 2008.

Their timelines may be in conflict, because he was went on vacation to Thailand for three weeks between January 4th to 24th. Between January 25th and 26th, he was attending the 'Einbruch der Dunkelheit' / 'As Darkness Falls' conference at the Volksbühne to run a workshop about anonymity networks and participate in an evening panel discussion about learning from Manning, Assange, and Snowden. On January 30th, he was part of a Transmediale keynote presentation called "Art as Evidence" at the 'Haus der Kulturen der Welt' (HKW) auditorium in Berlin, with Poitras and artist Trevor Paglen.

Lovecruft wrote less about the incident itself and more about when she claims to have tried to resolve the situation six months prior in Valencia...

Instead, I had planned to gather people for a secret meeting in Valencia, somewhere calm, neutral, and away from events, like on the beach, invite Jake, and have everyone willing who has ever been sexually assaulted, humiliated, harassed, or felt their boundaries disrespected, by him to take turns telling a few sentences about what he did to them and how it made them feel. Then we would tell Jake that, as his friends, we thought this needed to stop, and that we’d either deliver a list of the stories to The Tor Project and other organisations, or make all the stories public, if he refused to hold himself accountable for his actions or his behaviour did not appear to improve. In planning this secret meeting, I tried to determine what would cause Jake to perpetually disrespect other people like this, and if there were any positive things we could do to help him.

... as well as how she wanted to pursue "transformative justice" based on her experience dealing with a different man who was accused of rape.

There are some differences between how Jake is behaving to how the other anarchist I mentioned above was behaving. The other anarchist was willing to engage in the defined process, respectful of his victims’ needs, and eventually sincerely apologetic for his actions.

I cannot condone his actions; however, I cannot condone violence and threats against Jake. Full stop. That is not productive. If he is further harmed, we never see the end of the wretched abused-abuser cycle.

People who behave as Jake does are sick, and they need help. Often, it is because they were severely hurt at some point. As the activist adage goes, “We need to be gentle with one another, so that we can be dangerous together.”

Lovecruft said there was no forgiveness for the women who, according to Macrina, "weaponized their femininity" to sign a letter of solidarity (see under 'Friends and Colleagues'). She later amended that the next day by saying "pity is the primary response. Signers are probably shocked/ hurt right now, and I'm very sorry for them."

Brennan Novak, who was Lovecruft's roommate at the time, said he spoke both with her (sometime in mid-January) and later Appelbaum (in early February) on the subject of the intervention.

The evening of Feb 3rd I talked with Jake for five hours. Jake was open to the idea of a group discussion, just not in Valencia, as the previous year he had been traumatized with false allegations. Jake also said he first needed to clarify if anyone was pressing legal charges presently- the intervention was only one topic we discussed- the other was that Jake had heard rumors of being called a rapist. Both of Jake[']s concerns made sense to me. It was an intense conversation, but a respectful one. I was trying to be a peaceful mediator. I believed in the idea of transformative justice.

According to The Guardian, Lovecruft emailed the Tor Project about the allegations in February, which resulted in Appelbaum being banned from the upcoming developer meeting and the Internet Freedom Festival in Valencia (see 'Internet Freedom Festival'). confirmed this, specifying that she sent the email to the Tor Project on February 17th.

According to DIE ZEIT, Lovecruft had fabricated the victim story of "Alice," a young Russian activist and girlfriend of Appelbaum's, who upon finding the account published on the victims' website demanded it be taken down. Novak, who said he was also in a relationship with the woman, confirmed that she denied being a victim. According to, she stated that 'the text is false in almost every detail' ("der Text... ist falsch in fast jedem Detail“).

Sie sagt, wenn Appelbaum tatsächlich so schlimm wäre, wie er in der Geschichte geschildert wurde, „hätte es eine Gefahr für mich sein können, meinen Fall ohne meine Zustimmung zu veröffentlichen“ [She said that if Appelbaum was indeed as wicked as he was portrayed in the narrative, "it would have been dangerous for my case to be published without my consent"]. --

According to a Twitter exchange with Mondial, who has a cryptographically-verified copy of the deleted repository, the fabricated story was removed on May 27th. It brings into question how many of the other alleged victims were also not consulted.

The organizers of the website committed the same mistake. An earlier version included the case of "Alice." The text was posted only for a short time. Although the time and location had been changed, her story fits precisely with the events at the congress. Mr. Appelbaum kissed Alice so violently that her lips bled.

But when Mr. Appelbaum’s actual Russian girlfriend discovered the text on the web, she was shocked. She demanded those responsible for the website to remove it from the internet immediately. She says she doesn’t want to be used by a campaign that she rejects. "I am not a victim of Jake," she told Die Zeit. She says she told a friend about the intense kiss in confidence. This story was not merely used on the website without her permission – she says the story was also "heavily manipulated."

In September 2016, Lovecruft claimed to have begun her PhD in applied cryptography at Radboud Universiteit in Nijmegen, within 65 kilometers of Eindhoven. Six months prior, she had given a talk there on anonymous networks. On September 10th, she claimed that she hadn't been in Berlin since April, even though she interacted with at least one witness and was on a recorded panel discussion, "Hacking Society and Economies with Decentralized Networks," for BlueYard Capital's 'Decentralized and Encrypted' event on June 1st. An argument ensued regarding semantics and whether this was an unusual misremembrance or a lie to avoid culpability for the victims' website, especially considering that defamation ("üble Nachrede") and intentional defamation ("Verleumdung") are criminal offenses in Germany.

Lovecruft on a Berlin panel discussion in June, source:

Lovecruft, Steiner, Stark, Wilcox at BlueYard Capital's event in Berlin on June 1st, 2016

Zooko Wilcox, one of the other panelists, responded to the argument by saying, "I know @isislovecruft, and she often makes mistakes and misremembers things, like every other human that I know," adding that he had "never observed her deliberately lying." One month later in October, Wilcox still added Lovecruft to a "Berlin area" list on Twitter.

Lovecruft, having previously maintained a residence at her parents' Los Angelos home, left the U.S. to move to Berlin on December 7th 2015 after the FBI allegedly attempted to contact her in November several times, and again in April 2016.

The FBI has contacted my lawyer again. This time, they said, “She should meet with one of our agents in San Francisco to talk. Otherwise, are you the point of contact for serving a subpoena? She’s not the target of investigation, but, uh… we uh… need her to clear up her involvement or… uh… potential involvement in a matter.”

On December 12th, Kobeïssi tweeted to ask if "having delusions of persecution" was "a prerequisite for getting hired at the Tor Project? What a weird culture." He also said the "team has an unhealthy mental culture." Besides being a generalised criticism, it appears this was interpreted as a response to Lovecruft's situation with the FBI (which was not yet public). The next day, Kobeïssi said that he had been "ostracized, lost a handful of friends. Not a single difference from a cult."

Fact: every time a Tor developer claims they were "exiled" to Germany, a Syrian refugee facepalms themselves to death. Tor dev/crypto community so morally bankrupt, being surveilled is some sort of coveted status symbol, and being oppressed a competition.

-- Nadim Kobeïssi @kaepora (December 13th, 2015)

In the interim, lead developer Mike Perry published a Tor Project blog post on March 21st stating that they have "never received a legal demand to place a backdoor in its programs or source code, nor have we received any requests to hand over cryptographic signing material" and "several of our developers have already stated that they would rather resign than honor any request to introduce a backdoor or vulnerability."

One of her theories as to why they might be trying to make contact was "a Grand Jury subpoena for someone else," possibly referencing Appelbaum since it is publicly known he is one of the targets in a U.S. Grand Jury investigation against WikiLeaks (see 'Freedom of Information Lawsuit'). In February 2014 she shared an Al Jazeera article about how FBI investigations are "fraught with confirmation bias & false positives due to overwhelming surveillance data." However, despite saying she was "worried about what happens to me when I return," she later tweeted about travelling to New York and even San Francisco for a Cloudflare party protest with de Valence in early 2017.

In October 2016, Lovecruft claimed she had been "unexpectedly made homeless" and alleged that Appelbaum's advisors at Technische Universiteit Eindhoven were "actively covering up for other reports of abuse."

Last month, I was unexpectedly made homeless in retaliation for reporting that @ioerror sexually assaulted me & many others. Jacob Appelbaum has continued to harass and threaten me, my family, partner, colleagues, friends, and the other victims. He's threatened doxing, and gaslighted reporters and sent them towards me and the other victims on a weekly basis. His academic advisors have taken steps to punish and threaten reprisal — for myself & others within academia — for our actions.

Let's be clear: Jacob is a sociopathic narcisist, and his advisors are tenured academics actively covering up for other reports of abuse. Outside the sycophantic and nepotistic cesspits of academia, there are intelligent and amazing people, doing good work and helping others. The true academe is witness to violence, yet—for self-preservation—choses complacency and complicity. Cowards and villains, the lot of you. Systemic abuse in academia aside, I'm glaring specifically at academia in Netherlands and Germany. Specifically, I'm glaring at 2½ persons.

Daniel J. Bernstein, one of Appelbaum's advising professors for Technische Universiteit Eindhoven's PhD program (in which Lovecruft's partner Henry de Valence was formerly enrolled), reacted to Lovecruft's allegations by saying she was "severely misinformed or lying." Bernstein had previously written a blog post indirectly responding to the allegations against Appelbaum (see under 'Friends and Colleagues'), which resulted in Lovecruft and Macrina calling him and his fellow professors 'platformers' and 'rape apologists.' Lovecruft later described Technische Universiteit Eindhoven's scientific director Tanja Lange (Appelbaum's other advisor) as "a terrible excuse for a human being."

Since at least 2014, Lovecruft had looked up to Lange as an influential "female cypherpunk." In May 2015, a year before Appelbaum's resignation, Lovecruft tweeted "I hope that someday I can be so patient with others [as Bernstein and Lange are]." According to, the change in perspective may be driven by her rejection from Eindhoven.

Als Appelbaum im September 2015 an der Technischen Universität Eindhoven ein Doktorandenprogramm beginnt, ist auch sie interessiert [When Appelbaum starts a doctoral program at Technische Universiteit Eindhoven in September 2015, she is also interested]. Für Appelbaum ist die Universitätsstelle in Eindhoven auch eine existentielle Stütze, falls er, nach den Vorwürfen im März in Valencia, seine Arbeit beim Tor-Projekt nicht fortsetzen kann [For Appelbaum, the university office at Eindhoven is also existential support if, after the reproaches at the Valencia meeting in March, he cannot continue his work at the Tor Project]. Lovecruft versucht schließlich, bei den selben Professoren wie Appelbaum angenommen zu werden [Lovecruft ultimately attempts to be accepted by the same professors as Appelbaum]. Am Ende wird ihr das nicht gelingen [In the end, she will not succeed]. Ein anderer Mensch wird jedoch das Büro beziehen, das direkt neben Appelbaums liegt [However, another person will move into the office that is directly next to Appelbaum's]. Es ist der Lebenspartner von Isis Agora Lovecruft oder einer ihrer Lebenspartner, das ist nicht klar [It is the significant other of Isis Agora Lovecruft (or one of her significant others, this is not clear)]. Dieser Mann wird später Arbeiten von Appelbaum bewerten, deren Ergebnisse für dessen Vorankommen in der Universität wichtig sind [This man will later evaluate works by Appelbaum, the results of which are important for advancing in the university]. --

When Lange had asked for help acquiring tickets to 32c3 in December 2015, Lovecruft directed Appelbaum to assist her.

Im Januar 2016, kurz nachdem sie an der Universität in Eindhoven abgelehnt wird, beteiligt sich Isis Agora Lovecruft daran, Geschichten zu sammeln über Jacob Appelbaum [In January 2016, shortly after she was rejected by the university in Eindhoven, Isis Agora Lovecruft takes part in collecting stories about Jacob Appelbaum]. --

On October 18th 2016, a witness going by the pseudonym "Kit" published their account of events which occurred surrounding the publication of the victims' website and Appelbaum's resignation. Due to a tutoring arrangement, 'Kit' met with Appelbaum on May 27th after he cancelled his talk at Technische Universiteit Eindhoven due to "sickness" (see 'The Resignation') and confirmed that he "was looking horribly sick." At the time, they were not aware of Lovecruft's allegations or that he had been forced to resign from the Tor Project two days before. 'Kit' proceeded to attend the "Summer School of Real-World Crypto and Privacy," an education gathering for PhD students, postdoc researchers, and security experts, taking place during June 5th - 10th in Šibenik, Croatia. At the event they met up with Lovecruft and two of her partners (given pseudonyms to protect their privacy), who became "really upset" when 'Kit' inquired about Appelbaum's well-being. Still unaware of his situation, they went with Lovecruft and one of her partners back to the hotel.

Isis and John were having a discussion amongst themselves, so I strolled along behind them, preoccupied with my own thoughts. In the hotel, on the stairs to the rooms, I heard Isis saying that they want to see it (or him) burned totally to the ground. The “it” was too quiet for me to hear clearly, and might have been “him”. John answered that a small controlled burn should be sufficient enough to reach Isis’ goal on which Isis replied that they need assurance that it (or he) cannot rise again. Isis said that if an inferno is needed, an inferno needed to be used. At this point I had no clue what/who they were talking about. I did have a funny anecdote about fires from my past and told them this. After this I reached my floor and said goodnight.

That night 'Kit' claims they went online and learned of the allegations for the first time; after that the atmosphere during the rest of the summer school was "tense all the time." On June 10th, Lovecruft responded to a reply-tweet to say that she was busy in Croatia learning about secure pseudo-random permutations (PRP) for designing block ciphers, which had been the topic of Bristol University lecturer Martijn Stam's "Blockcipher Security Notions" talk on June 7th and Radboud Universiteit professor Joan Daemen's lectures on June 6th and June 9th that Lovecruft attended. On June 11th following the end of the event, 'Kit' was again in the presence of Lovecruft and 'John.'

On Saturday, the day after the last talks, Isis, John and a couple of others were sitting with me in the lobby of the hotel. I was asked to read, check and comment on a blog John was writing. At this moment, Isis had not yet told the world that the “Forest story” on the website was their story, but it was clear to me that Isis was at least one of the stories; I suspected Isis was “Forest”; John used “Forest” as an example, apparently confirming my suspicion. This has been confirmed by Isis themself on their blog by now.

While I was helping John with his blog post, Isis was looking up German law. Isis was reading laws out loud that suggested they was trying to find out what kind of punishment there is for someone that doesn’t testify or isn’t fully truthful in their testimony or even committed perjury. Isis even asked John if he knew what would happen to a foreigner living on a visa committing perjury. I was shocked that Isis would even think about taking this kind of action in a court of law. Isis stated that they was planning on pretending to be one of the other, less grave stories, instead of testifying as Forest, if it came to a trial in Germany. Since John was using “Forest” as an example in his blog, Isis stated that they was convinced that the blog would lead back to Isis and they would be called in for questioning. If this happened, Isis would testify as one of the stories that did not include rape, since they didn’t want to tell the rape story over and over again.

Isis also looked up what would happen to Jake if found guilty in a court of law. Isis found that he would be deported and would never be able to get a visa in any European country if he got convicted of a violent crime. Isis looked very smug and happy about this fact. John said that this implied facing the (red. WikiLeaks) Grand Jury in America for Jake and that he thought that this would be too grave. Isis said that they wanted Jake to leave all the countries they might ever want to live in and that Jake would get what he deserved.

'Kit' had previously announced the release of this story on October 12th, and claims they "still do not know what kind of consequences I can expect" from publishing their account of events. Their identity was vouched for, and Lovecruft publicly responded to them the next day, despite having previously blocked them:

Hi Kit, I'm very sorry that I've frightened you! Also shocked. I've never meant to do any such thing. But I'm confused: while working alone in my partner's office one day in August, you entered and talked to me for >1hr. You didn't seem frightened at all then. What has changed since, that suddenly I'm so terrifying? I understand you've been talking with Jake a lot. He gaslights, so please be careful.

Although now is perhaps inopportune to make corrections, there are mistakes in your story w/serious legal ramifications. I've never wondered what happens if I perjure. Rather, I've wondered if I'd be charged w/purjury for refusing to testify. (Or for claiming "I don't know/remember" in response, which is one tactic for not answering questions under US law.) This might seem strange to many, but, as an anarchist, I don't testify against others, ever, not even if they raped me. It doesn't make sense to me to claim that I don't believe a State, and then run to a State because someone harmed me. In essence, I'm confused why researching my right as an EU resident to not testify against my rapist is so shocking. [And for what it's worth], if I were to bring rape charges against Jake, I would do so in the US, which is within my legal rights. The "it" in "I don't understand why you don't burn it to the ground" was "institutionalised sexism". You apparently didn't find it worth mentioning that I was speaking with a Professor. And that our previous conversation that night had surrounded preventing these events from ever occurring again.

I'm sorry again my response that night made you feel unwelcome in the conversation. I was really emotionally upset. Just to make it clear: I'm not angry with you, or anyone else whose name is not Jacob Appelbaum, [Daniel J. Bernstein], or Tanja Lange. I find Dutch directness a virtue, so if I were angry with you I would have definitely said so very loudly and clearly. Lastly, are you really afraid that I (with relatively small power) would (or even could) "ruin your academic career"? Or are you actually afraid that your advisors and their pet sociopath might ruin your life if you don't toe their line? I'm sorry you're stuck in that toxic situation over there at TU/e, but I suggest you attack the source not the symptom.

Over the following winter break, 'Kit' tweeted:

Communities don't get safer by accepting rape claims without questions. More and detailed communication, listening and helping fairly is. (December 29th, 2016)

How curious that [people] stop responding as soon as you ask if they're up for mediation (NO charges!) to create a safe [community] @feminaecognosce (January 7th, 2017)

In October 2017, Room for Discussion was scheduled to host an event titled "Whistleblowers and WikiLeaks" at Universiteit van Amsterdam, interviewing Harrison and Appelbaum. On October 11th, they announced the event had been cancelled to allow for grieving over the unexpected death of their former chairman, Jeppe van Aubel. Additional events and interviews were also rescheduled for this reason. Nonetheless, Lovecruft tweeted both "condolences" and condemnation at the Room for Discussion and Universiteit van Amsterdam accounts for a couple of days, insinuating that "the actual cancellation reason" was Appelbaum's alleged behaviour.

Room for Discussion Facebook post, source:

On October 16th, Lovecruft tweeted about being verbally and physically assaulted after the Electronic Frontier Foundation's Pioneer Awards ceremony, alleging that John Gilmore -- who had been attending the event -- sent the attacker and that there was "several pounds of substances" at his house. Lovecruft then used the allegations to incite murder.

Anyway — post Jacob Appelbaum — I just wanna point out there's a lot of goddamned "famous" men for no reason who go round harming people nonstop. And these goddamned piece of shit rapist abuser men are only there because they're enabled by someone you know. KILL THEIR ENABLER

-- Isis Agora Lovecruft @isislovecruft (October 17th 2017)

Gilmore is a well-known drug policy reform advocate and has a dedicated section on his website for the cause. There is no public evidence that any of the claims were investigated, confirmed, or acted upon in any way. However Lovecruft referenced the allegation again in May 2018 amidst mailing-list discussions about whether the Tor Project website should display preferred pronouns, calling Gilmore "a fucking transphobic piece of shit."

On December 26th, Lovecruft released another blog post alleging researcher and hacker Will Scott participated in a "gang rape" of Komlo and accused the CCC of "privately working to undermine positive change and enable rapists." Steele was critical of the post:

Your blog post is not consistent with the Tor community process or your own stated desire for restorative justice. You've lumped someone who didn't commit rape, has shown remorse, and went through a process of rehabilitation with those who would continue to do harm.

-- Shari Steele @ssteele1234 (December 26th 2017)

The next day, Lovecruft replaced Scott's name with a truncated hash and reshared the blog post after "additional conversations with River," but did not remove the picture identifying his face in a crowd of attendees at the Advanced School of Cryptography (taken in September by computer science professor Francisco Rodríguez-Henríquez).

On February 5th 2018, Motherboard DE editor Theresa Locker interviewed people who had attended the recent Chaos Communication Congress and falsely reported that Scott had been involved in a "Gruppenvergewaltigung" (gang rape), citing Lovecruft's recent blog post instead of Komlo's.

On July 4th, board members of the CCC and Zwiebelfreunde simultaneously published statements regarding coordinated police raids that had occurred at their hackerspaces and personal homes two weeks prior. In response, Lovecruft tweeted:

Lovecruft tweet

On July 5th, Steele released a statement on the Tor Project blog offering support to Zwiebelfreunde and those who had been targeted. She also indicated that someone at their company had been disciplined for "public, verbal attacks on community members." Between the 6th and the 8th, the Tor Project was removed from Lovecruft's bio. The Tor Project also moved Lovecruft to their 'past contributors' page. More than a month later, on August 23rd, the raids were declared illegal by the regional court of Munich.

On July 19th, Lovecruft stated "I'm not attending HOPE and you shouldn't either! They are letting a known rapist speak," and linked to the speaker bio of Scott, who was scheduled for a panel discussion on internet censorship. Staff and community members of the Tor Project, including Blaze, Macrina, Goulet, Whited, Matthew Finkel (@mfinkel), Mike Tigas (@mtigas), Griffin Boyce (@abditum), Fatemi, Clark (@postessive), and Lee (@micahflee) still attended. Macrina claimed Loll "tried to approach" the Tor Project booth and that "telling her off did feel great though."

During a controversy over the presence of "fascist and white nationalist disruptors" at the conference, Lovecruft repeated that HOPE "is currently platforming another rapist" and attendees were "complicit through your silence and participation." These comments were made despite the fact that they still conflict with Komlo's most recent statements and Steele's assessment. Kobeïssi, who was also attending, described Lee's reaction as "utter stupidity." In a thread between him and Buddington, Komlo vaguely told Kobeïssi, "We know the bad things you've done."

On August 17th, Lovecruft and Komlo delivered a talk about "integrating Rust components directly into the core Tor code base" (which had been announced as part of the schedule in May) at the third annual RustConf in Portland, Oregon. During the introduction, Lovecruft said, "I worked for the Tor Project from 2010 to last month, in July 2018. I very proudly no longer work there; if you want to know more about that, you can talk to me after." A recording of their talk was released on September 6th.

Leigh Honeywell

The fourth was Leigh Honeywell, a computer and network security professional, who says she was in an open relationship with Appelbaum during 2006-2007 and he "ignored my use of a safeword."

In that time we spent together, he violated boundaries I set as though they were a game, particularly at times when I was intoxicated. There were a number of times I felt afraid and violated during interactions with Jacob. Being involved with him was a steady stream of humiliations small and large as he mistreated me in front of others and over-shared about our intimate interactions with friends who were often also professional colleagues.

For example, on several occasions in professional situations, he told other people that I was good at a particular sex act. On another occasion where my primary romantic partner at the time, Paul Wouters, was also present, Jacob ignored my use of a safeword when his sexual behavior turned into violent behavior that violated my limits. Paul and I both had to repeatedly tell Jacob to stop, and the experience was profoundly upsetting.

On June 21st, Honeywell, Valerie Aurora, and Mary Gardiner published a list of recommendations for communities on how to "prevent 'rock stars'." However there are concerns that based on Aurora's own behaviour, she belongs to the same 'rock star' mentality she is supposedly condemning.

More than a year later, Honeywell and Aurora co-authored a blog post outlining what they called "the Al Capone Theory of Sexual Harassment." They referenced the allegations against Appelbaum, citing that he had left the Tor Project due to "sexual misconduct and plagiarism," though no evidence of plagiarism has been presented and those allegations were not even acknowledged in Steele's blog post on the investigation.

On February 12th 2018, Honeywell published an ACLU blog post about "staying safe when speaking out about harassment," and described herself as a "sexual-misconduct whistleblower."

Ásta Guðrún Helgadóttir

The fifth was Ásta Guðrún Helgadóttir, an Icelandic politician and Pirate Party member, who tweeted allegations of sexual misconduct:

For me what did it when he jumped naked in my and my exes bed and asked for a three some. With a hard on. Because jumping naked in other couples bed begging for a three some is... normal? Some etiquette I wasn't aware of. It didn't feel nice. It didn't feel right. Beside groping and shit. That was worse somehow.

-- Ásta Helgadóttir @asta_fish (June 15th 2016)

Henry de Valence

On March 16th 2017, de Valence published his own account of events relating to Appelbaum, Lovecruft (see 'Isis Lovecruft'), and various members of staff at Technische Universiteit Eindhoven.

On August 31, 2015, I started a Ph.D. in cryptography at TU Eindhoven, working with Tanja Lange and Dan Bernstein. On December 2, 2016, I resigned, due to sexual harassment, bullying, blackmail, and physical harm as a result of their favorite student, Jacob Appelbaum, as well as Tanja and Dan’s total abdication of their responsibility to manage the workplace environment in their research group.

He claimed to have "first heard of Jacob’s inappropriate behaviour in December of 2015, while in Berlin after the CCC" when "a close friend contacted me, telling that Jacob had grabbed her." During a trip to Fukuoka, Japan, for the Seventh International Conference on Post-Quantum Cryptography (PQCrypto) from February 24-26 2016, he alleges that Appelbaum engaged him in sexually explicit conversations and convinced him to put an irritant eye drop in his right eye, which "has never really felt the same since then."

He also felt that Lange and Bernstein gave Appelbaum special treatment and didn't require him "to complete the homework for his required courses on time." According to emails from Bernstein (published by de Valence), "a committee at TU/e charged by law with ensuring proper grading... formally investigated and rejected" his claim of 'special treatment'. The latter situation was due to a pre-arranged "50-50 split between Tor and TU/e" (the same option given to Lovecruft at Radboud) over the course of five years, including a one-year extension to the university's standard four-year timespan of study to make up for lost time. Bernstein repeatedly wrote he was "puzzled" why de Valence never filed a written complaint after first speaking to him at the end of April, prior to contacting the Human Resources department in late-August. In contradiction to what is presented in the emails, de Valence argued that Bernstein had no actual interest in taking action.

While waiting for a follow-up with Human Resources, de Valence said he traveled to Belgium for a project meeting and then gave a talk for the CrySP research group at the University of Waterloo in Canada on October 14th (the day after Lovecruft's talk). According to Bernstein, de Valence hadn't finished his portion of the work for a team research project prior to the submission deadline and then presented the paper at Waterloo without permission from the rest of the team; de Valence responded that this story was "long, irrelevant, and inaccurate."

I informed HR that I was having panic attacks about my workplace and would be working on other research projects from home while they dealt with the situation. I would later learn that HR reported to Tanja that I was “ill” at this time. In mid-November, HR informed me that I needed to undergo a mandatory mental health evaluation with the “company doctor”. I found it deeply offensive to demand this after their failure to act on my complaint, and declined. I wrote a resignation letter addressed to the dean at the end of November, and sent it to HR.

He has since removed his position at Eindhoven from his blog.

Shortly after de Valence shared the Medium post, engineering grad student Esme Chloé Dudoit (also @EsmeChloeDudoit) re-shared the account of 'Kit' originally posted in October 2016, tagging de Valence to identify him as 'Doe' or 'John' (see under 'Isis Lovecruft'). In a series of tweets, Dudoit alleged that de Valence resigned after victimising a female PhD candidate she was "communicating daily" with. When asked whether she would write about what she knew, she said she was "going to have to." She has not tweeted or posted anything on the subject since.

On March 22nd, Lange posted a short response to de Valence's story. She countered that he "never revealed the eye drop story to me" or "any firsthand bad experience," only that "Lovecruft felt threatened." After they "had a long chat" at the summerschool in Croatia, "he was very happy that we talked."

To this date I have not seen the complaint email he says he sent to HR.

On March 23rd, Bernstein also posted a response to de Valence's "smear campaign", pointing out several inaccurancies between his summary and the formerly confidential emails in question that de Valence decided to publish. Throughout the post, Bernstein repeatedly questions why he never filed a written complaint prior to contacting Human Resources. According to the "Complaints and disputes" rules on the university website, students can contact student counselors before "instigating the formal procedures," and in the event of "work-related psychosocial stress" ("factors in the work situation that can cause stress") there is a procedure for contacting confidential advisors and a complaints committtee. Bernstein also describes several instances of what he thinks could be viewed as acts of favouritism towards de Valence (hosting him in their home, paying him for unworked hours, giving preference to his privacy, and protecting him from academic embarassment) instead of Appelbaum.

When the errors are stripped away, what we find from Mr. de Valence is a fundamental failure to focus on the facts. He's full of accusatory words and insinuations, and remarkably light on details. Does this really sound like someone "trying to blow the whistle"?

He later tweeted that de Valence's "discomfort seemed quite serious, and I don't think it was made up." He has since tweeted two commitment hashes but also claimed to have recused himself from any further investigation into the matter. Lange has also tweeted a commitment hash.

On July 10th 2018, de Valence tweeted that Bernstein should go through "Title IX training," referencing a U.S. federal civil rights statute which requires educational institutions to investigate and resolve complaints of sexual discrimination and harassment, or risk losing access to federal funds. While he is subject to Title IX as a research professor at the University of Illionis at Chicago (UIC), that process is not internationally applicable to his position or incidents at Eindhoven.

Chelsea Komlo

River: "I didn't know until very recently that nonconsensual sex, by a friend, is rape" (February 2nd, 2016).

Chelsea Komlo, a former ThoughtWorks software developer and current Tor Project engineer, revealed herself as 'River' on December 29th 2017.

Komlo communicated with Appelbaum for the first time on June 8th 2014, after attending ThoughtWorks' "North American Away Day" event in Atlanta, Georgia. He spoke about defending the free and open internet. Komlo, already a ThoughtWorks employee since October 2013, tweeted that his talk was "really inspiring and thought provoking." She repeated this sentiment in an interview with Gizmodo the day she publicly revealed her identity, saying he had "inspired her to become more involved with the security community."

On December 4th 2015, Komlo tweeted that she would be traveling from Quito (Ecuador) to attend the Chaos Communication Congress in Hamburg. On December 28th, she tweeted at Will Scott and Matthew Garrett to thank them for their "awesome" talks.

At some point during the conference, she claims she met (in person) with Appelbaum, "a powerful and high-profile leader of the security and privacy community," that he "propositioned her for group sex... and she declined." However, Komlo says she "engaged in consensual sexual relations with him during those three days" following the end of the conference. The alleged rape occurred on New Year's Day "while she was intoxicated." Her original pseudononymous story mentions that she "blacked out," though there was no mention of drugs; in her new statement, she initially says drugs were "involved" without specifying which ones or who had taken them.

According to DIE ZEIT's investigation from 2016, the alleged incident occurred during Appelbaum's New Year's Eve "orgy" party. None of the eight witnesses interviewed, who were among the twenty-some party guests and also present at the apartment for at least two days following the party, confirmed her story. Tor volunteer Christopher Sheats (@yawnbox) was the only witness to publicly come forward. Fuchs, who spoke with Appelbaum "in a hotel and over encrypted chat programs," said this included witnesses who were not friends with Appelbaum, and Appelbaum did not tell them who "River" was.

"A couple of people in the living room are prone on the floor, all of them fully dressed. They had turned up the music so the moaning and groaning of the others doesn’t bother them as much. A young journalist had made herself comfortable on [Appelbaum's] lap, and he is massaging her back. Sitting across from them is a young American woman. She had gotten to know the others just a couple of days before, but she appears to be uncomfortable at this party. She doesn’t talk much but listens in a friendly manner to what is being said.

... A little while later, he disappears with [the female journalist] into the bedroom. Already there in bed is the taciturn young American woman. The three had sex together.

... River was new to the scene. She had known Mr. Appelbaum and the others only for a couple of days, from the [Chaos Communication Congress.] Didn’t she know what she was getting herself into? Guests say Mr. Appelbaum made it explicitly clear that there would be a "sexy time party" at his place. An eyewitness claims to have seen how River had MDMA in her hands on New Year’s Eve. Mr. Appelbaum was also under the influence of drugs that night. The female journalist who left the apartment on New Year’s morning around 10 to go to the airport assures that River made a comparatively sober impression and was at no time unconscious in the night or in the morning. Everything that happened between the three, she says, happened with mutual consent.

Komlo has not mentioned any women (such as this journalist, Macrina, or Zhu) being present at the party, nor in any of the consensual or non-consensual sexual encounters she had during the trip. She specifically alleges that Appelbaum raped her when she "was alone with him and his male friends."

It wasn’t until around 5 in the afternoon of January 1 that the rest of Mr. Appelbaum’s guests, who hadn’t made it home, woke up. River was one of them. Those who encountered her that day remember a very quiet, friendly and balanced person. One person, who was afraid he had given away too many intimate details about his life New Year’s night, says River comforted him. In the early evening, he, along with River, Mr. Appelbaum and couple of friends, drove to the Vabali Spa in Berlin, near the main train station.

Similar to the case of the Russian, River’s story also conflates diverse evenings, situations, and people in the Alice account. Events have flowed in that must have taken place after returning from the spa and on the evening of January 2. River maintains they were all watching a movie and lying on the couch, and while they were, she had supposedly been touched against her will. On one evening, River and Mr. Appelbaum actually watch the Gaspar Noé film "Love" together with friends; on the other evening the U.S. espionage series "The Americans." Die Zeit was able to speak with three of the five guests who were present. One remembers that River actually could have said on the couch, "Not in front of everyone." But it was meant in a playful way and nothing more happened after that. No person there on that evening says they watched Mr. Appelbaum and River having sex. One of those present only remembers that somebody murmured "Can I join in?" when River and Mr. Appelbaum were cuddling naked under a blanket. Tor terminated working with two of those present in July; they were accused of "inappropriate behavior."

Several of Mr. Appelbaum’s friends say they had asked River themselves whether she was okay, one even waited for an undisturbed moment when Mr. Appelbaum had left the room to do it. Each time she answered yes. Also there seems to have been no drugs consumed, and hardly any alcohol, after the excesses of New Year’s Eve. At most a joint. Not one of the total of eight witnesses present during those three nights and two days in January remember River ever being unconscious. Also, no one says they saw her being forced to have sex against her will. River probably left Mr. Appelbaum’s apartment on the morning of January 3.

Vabali Spa in Berlin, source:

The Vabali Spa, which Appelbaum and guests visited, in the middle of Berlin near the central station.

There were no tweets from Komlo between December 29th 2015 and January 3rd 2016, the time period in which the alleged incident occurred. On January 4th, Komlo tweeted a New Year's resolution to "find better ways to communicate about bad security tradeoffs." On January 5th, she claimed to have slept twelve hours to "recover from travel, conferences" and indicated she was departing from Hamburg soon. This tweet was referenced in the DIE ZEIT investigation:

Days later, River posted that she was looking forward to another trip to repeat the fun she had – she meant in Hamburg and Berlin. On January 19, River wrote Mr. Appelbaum an email about cryptography. She closes with 'hugs.'

According to her new statement, she "notified several individuals at the Tor Project about this sexual assault" in April 2016. However, Lovecruft's account states that they were "introduced through a mutual friend" prior to reporting "everything to the rest of The Tor Project" on February 17th 2016 (see 'Isis Lovecruft'), so it is unclear when Komlo first reached out to anyone about her story.

I have worked with legal counsel throughout this entire process. I have strongly considered the idea of seeking criminal charges in Germany against Jacob, but initiating lengthy legal proceedings in another country which I am neither a citizen nor a resident is a significant barrier for me. That said, I would gladly discuss this with any interested German authority and would be willing to testify in any court of law about this crime without hesitation. However, my personal motivation has always been to inform our community.

In September 2016, she "considered publishing a statement about her experience in 2016, using her real name, but she ultimately decided not to." At the end of September, she attended the Tor Project's Summer Meeting in Seattle, Washington. In February 2017 she went on a "social media hiatus" and subsequently attended another Amsterdam meeting from March 22nd - 27th. She was officially recognised as a Tor Project member in mid-June after Lovecruft requested that an LDAP account be created for her.

Despite Lovecruft's post, Komlo says she has "forgiven" Scott, who briefly alluded to the controversy towards the end of his second #34c3 talk on supporting network infrastructure in Cuba:

And then on a more serious note: I think that message is one that also reflects, to some extent, on some of the tensions we've seen at Congress this year. I think we've had failures that we should be recognising. We need to think about 'how do we address this?' How do we build some place that is more welcoming, that is safe? For me, that's the spirit. How do we come together, how do we build what we want Congress to be, and think about this in the collaborative way of making this space that is good for us - and at the same time safe for victims?


Yan Zhu

Yan Zhu, senior software engineer for Brave, an Electronic Frontier Foundation Technology Fellow, and former admin at the Tor Project, published a Medium post about her "second-order" knowledge of the allegations on June 15th. She claimed to have "heard multiple stories from employees who had been sexually harassed and/or manipulated by Jake over the years," but "never anything as serious as assault." She previously "didn't really buy" that there would have been backlash from Appelbaum had anyone spoken up, and he "is/was a close and longtime friend of many of my ex-partners."

I’m left with the uncomfortable, dissonant realization that I am friends with people who have a higher tolerance for abusive community members than I think is safe for any community.

She also gives detail on a personal story which may establish her as a possible witness to the story of Komlo (aka "River"), though she did not mention anyone by name and has not done so since. After getting drunk at a Berlin party following the Chaos Communication Congress, she awoke in Appelbaum's bed, "feeling sick with no clear memory of how I got there."

I pulled myself out of the bed, stumbled into the dark living room, and found someone I knew. I asked them whose bed I was in, and they said Jake’s. I felt gross upon hearing that, but as far as I could tell, nothing bad had happened and I had a friend at the party who was looking out for me. Still, I was disturbed by the thought of being unconscious in his room at a party with a bunch of strangers and a 3-hour hole in my memory. I vowed not to drink that much alcohol ever again, and indeed I’ve barely drank at all in the last 6 months.

If people had spoken up earlier about Jake being a serial rapist, I wouldn’t have let down my guard and followed my friends to Jake’s apartment in an intoxicated state, regardless of whether he had been proven guilty in court or not. It’s just not a risk I could afford.

Based on a Twitter exchange with someone who "ran into you on the street and I wished you luck at orgyleaks," this was most likely the night of Appelbaum's New Year's Eve party. That morning, she tweeted:

glad i already fulfilled this year's quota for bad decision making! #ThanksBerlin

-- Yan Zhu @bcrypt (January 1st, 2016)

Violet Blue

Violet Blue, a San Francisco Bay Area freelance journalist, said she's known Appelbaum since 2005 and resisted his sexual advances, as well as physically intervened when he allegedly harassed another girl at a party. Regarding the plagiarism allegations, she claimed "all his work is a sham" but like Patterson and Norton did not specify details. She added that these experiences made her wary of "hero worship in 'hacktivism' circles'." On June 16th she published a Medium post with more detail on her history with Appelbaum and the incident with the girl, who she says was a friend of hers.

Outside of Kink, in 2007, Jake had sexually targeted a female friend of mine. Her and I were going to a large tech party in December; I think it was a Wikimedia party, and Jimmy Wales was there. My friend was feeling hunted by Jake, and early in the party she said he was trying to isolate her, and told me she was scared. She is not a big or strong girl, nor is she loud, and he was trying to convince her to go into a stairwell with him. The convincing turned into trying to pull her away physically, grabbing at her hands. I locked my arm with hers, and put myself in between her and Jake. All while he was trying to reach around me, while he was telling me to let go. I said No, she’s not going with you. I insisted a bit louder, No. He was livid.

Blue also claimed Appelbaum publicly humiliated her in front of his friends by saying she "gives great head." She responded that he had confused her "with a certain blond blogger," which may have been a reference to Jardin. In June 2008, Blue noticed that about seventy two Boing Boing posts mentioning or linking to her work had been "unpublished" from the blog's archives "for personal reasons," which Jardin chose not to elaborate on. Blue has publicly called her a "douche," agreed with a statement claiming Jardin had "an active and deceitful role" in building Appelbaum's fame, but denied she had been sexually involved with them.

(Note: Appelbaum has previously stated that he worked for; in fact, the statement was made in relation to his objection to Blue's sex talk being pulled from the BSides San Francisco conference in February 2013 due to complaints from Aurora of the Ada Initiative, despite Blue's clear history of sex-positivism. However she misidentifies Shepard as "Tor Project's director" even though the WIRED interview she links to clearly says Shepard is a core developer, not a director. Furthermore there appears to be some confusion in her summarization of the timeline of events surrounding the Valencia intervention; the incident with Reilly at the Tor dinner was at the beginning of March 2015, whereas Lovecruft said she began planning the intervention in early 2016. Blue is falsely conflating the two events.)

Randi Lee Harper, a San Francisco Bay Area activist for online abuse prevention, criticised the men who only now were coming forward to vouch for accounts of Appelbaum's behavior they had witnessed:

All these men are coming forward with stories of how they saw stuff. Good for you. Where the fuck were you? Why didn't you do something? You will not get a "good lil ally" badge for coming forward to confirm stories now. You waited for women to take the risk. Cowards.

-- Randi Lee Harper @randileeharper (June 16th, 2016)

Emerson Tan, Patterson, Shepard, and Hirsch

Emerson Tan, a London-based security professional, told both Gizmodo and The Daily Dot about an incident he claimed to have witnessed in the middle of the night (no date specified other than "it was the day we arrived at CCC") during the 2015 Chaos Communication Congress (32c3) in Hamburg, Germany.

"At about 2 or 3 a.m. in the morning I happen to be talking to [Patterson], [Shepard] and Jacob Appelbaum and a group of other people who have come out of the congress hall into the lobby of the Raddison Blu hotel in Hamburg,” Tan told Gizmodo. “Jake has his hands all over this girl, and she is very obviously not very happy. You know, she’s looking for her bag, they’re having a conversation and she’s looking for her bag she can’t find her bag and she appears to be really quite distressed and Appelbaum forcibly attempts to try and kiss her, grabs her arm and her backside and makes a move for her breasts.

... And the other males who we were with were basically just kind of joking amongst themselves and don’t really seem to see anything wrong with it, which is really quite distressing,” Tan said. “So I watched this for about two to three minutes and then I decide to go and do something and just mount a very very subtle intervention. Which is, I go over, I shake Jake’s hand I tell him what a great job he’s doing with the Tor project and the rest of it and that gives the girl roughly the 30 seconds she needs to find her bag without being in an undistracted fashion. She left, and I found her hiding out in the hotel bar later, after Jake had left. She was pretty composed but obviously upset."

In The Daily Dot interview he gave a more detailed account, including what the girl, who Patterson claimed was "obviously a little bit inebriated," did after the incident.

Tan said afterwards he spoke briefly with the woman. He asked if she wanted to file a police report, but she was unwilling. She left the hotel before any of the witnesses learned who she was. The incident was never reported to police or to the Tor Project.

Dan Hirsch (@thequux), who had married Patterson on June 11th, was also a witness but was not named in the Gizmodo interview.

“Most of Jake’s attention was focused on some girl who was somewhat shorter than he was,” Hirsch said. “She was cornered against the bar, looking around I presumed to try to find an escape route or for someone she could get the attention of.”

Tan posted the story on his Facebook page, saying that even though he didn't know who the girl was he had submitted it to Steele as part of the investigation. He also mentioned seeing Appelbaum "trying to take upskirt photos of women" and "making lewd comments and allegations of threesomes with various members of the privacy community." Shepard added that once when Appelbaum was "good drunk" in a Berlin bar in July of 2013, he "discussed how he would ‘use my ass’."

Tan's Facebook posts

However, Tan's story has since been contested. On June 9th, the first alternative story released by @Ioerror_info using TwitLonger claimed that Tan's interpretation of the incident, which occurred on the night of December 26th, was wrong. The "girl," a woman named Jill Bähring, had not been subjected to unwanted sexual advances by Appelbaum, and in fact has been "romantically involved" with him (see 'Visit to Cuba'). Her account was initially private but she made it public within a few hours of the statement being published to authenticate that it was from her. She admitted to having temporarily lost her bag and being "emotionally distressed" at the time, but it was not because of Appelbaum.

I did indeed look not very happy. I was emotionally distressed at that time and told Jake, one of my close confidants, about my situation. He did have his hands all over me, just as I had my hands all over him. At no point did Jake forcibly attempt to try and kiss me, nor did he grab me in any inappropriate manner.

While we were talking, I realized that I didn’t have my bag with me, and started looking for it. Anyone who has ever lost sight of their wallet and phone will look “quite distressed” as a consequence. According to Tan and Patterson, none of our friends seemed to see anything wrong with that situation: “And the other males who we were with were basically just kind of joking amongst themselves and don’t really seem to see anything wrong with it, which is really quite distressing”

This is true. There was nothing wrong with it. I was among several friends with whom I felt absolutely safe.

She also said that Tan's account of how he approached them wasn't accurate.

The next day, I wasn’t going to be at the conference, so I didn’t expect to see Jake for a couple of weeks. Jake and I said goodbye to each other in the hotel lobby, and we kissed. But since my friend was waiting for me to leave, I playfully pushed Jake away. At that time, I noticed Emerson Tan for the first time – since he was intervening at that point. He states: “So I watched this for about two to three minutes and then I decide to go and do something and just mount a very very subtle intervention. Which is, I go over, I shake Jake’s hand I tell him what a great job he’s doing with the Tor project and the rest of it and that gives the girl roughly the 30 seconds she needs to find her bag without being in an undistracted fashion.”

I recall Tan approaching me, asking me if Jacob was harassing me. I said he wasn't. Nevertheless, Tan dragged me away and immediately started talking intensely to Jake. At that point I decided to leave, since my friend was waiting for me. I walked him to his hotel, which was only a couple of blocks away.

She ended the statement by asking why "a highly distorted version of my experience" had been published in the first place. Le Heux retweeted the statement saying "I was at Raddison Blu that night, I know these people & as far as I know this story is accurate." In response to Isaacson arguing that third-party voices were damaging "in the current plublic climate," Le Heux said he (as well as Bähring) "should be allowed to speak my truth about events where I was present, although I am a bit scared to do so in the current 'safe space'." Zhu tweeted that she "was also around that night and didn't do anything because Jill seemed ok. Glad to hear that she was."

Gizmodo subsequently published a new story with Bähring's account, though they have yet to add an update to the original despite at least one request to do so; The Daily Dot both added an update to their original story and published a new one (though they have yet to correct the statement about Bähring's story being published by Appelbaum). Dell Cameron, one of three authors collaborating on coverage at The Daily Dot, tweeted screenshots of emails to show he was trying to contact Bähring through Tomassini, as she has so far not spoken directly to the press. Tan was also contacted to comment on the fact that his story had been refuted and denied approaching her to ask if she was being harassed:

“This is a situation open to misinterpretation because I do not know what she's thinking,” Tan said. “I'm fully willing to stand up and say that.”

Macrina described the Gizmodo and Daily Dot articles as "one misreported story," both of which are still live. Neither Patterson nor Shepard revoked their statements, though they both initially made brief comments on the fact that Bähring refuted their version of events. Replying to someone pointing out that she had yet to make any retraction, Patterson said that "there are some goddamn impatient people on the internet. Response forthcoming, but I have a life and a job." Shepard characterized the story as "a minor incident the press inflated" and said she was not a reliable judge of the situation.

Frankly, I can't read neurotypical human interactions well enough to reliably tell if someone's upset or not; I was relying entirely on @Emerson_T's interpretation of events that night, and also had the least clear view of anyone involved, since I was trying to avoid being spotted by him. This argument over what did or did not actually happen that night, though, is entirely orthogonal to the actual allegations against Jake which are the only reason the incident in question ever got any attention in the first place.

-- Andrea Shepard @puellavulnerata (June 19th, 2016)

On August 9th, Patterson published the first of three blog posts she wrote regarding the Appelbaum allegations, including a response to her witness account of the CCC incident being refuted by Bähring.

Bähring avers that her interactions with Appelbaum were entirely consensual, which I am relieved and pleased to hear. I’m not sure why anyone would expect any other reaction out of me, seeing as how I’ve sung the praises of making mistakes and owning them in public for so long that I’ve given invited talks on it. The interaction I observed took place within my line of sight but out of my earshot, and if I misinterpreted it, then I genuinely am sorry about that. Ultimately, Bähring makes her own decisions about what she consents to or doesn’t. If I was mistaken, well, good.

Patterson outlined several of Appelbaum's "decade-plus... sexual and professional misconduct" allegations, which she claimed were proof of narcissistic personality disorder and psychopathy (including the need to be adored and isolating victims). As references she cited David Chapman's essay on the 'invasion' of subcultures and chapters from an online book "The Psychopath Code - Cracking The Predators That Stalk Us" written by programmer and distributed computing expert Pieter Hintjens. "Appelbaum's siloing techniques" included what she refers to as the "infosec reductio ad absurdum" of "fedjacketing" and recruiting authority figures as a "force multiplier." She claims these factors led to an "abandonment of the community’s core values."

She repeated the allegation of plagiarism and their "fauxpology" reconciliation (see 'Len Sassaman and Plagiarism Allegations'), again without specifying what was stolen or even mentioning Appelbaum's co-speakers for the talk.

She referred to Tomassini as a "low-rent publicist" for not getting Appelbaum to "bang out an apology of the 'I’m sorry you feel that way' variety" to Honeywell, Reilly, Macrina, and Lovecruft. However she also criticised Honeywell's advocation for "private affinity groups for marginalized groups" regarding "members of marginalized groups whom the existing affinity group considers unpersons," since she, Shepard and others were apparently excluded from the 'underground whisper network.' She links a reply-comment from Honeywell to Shepard (commenter 'A') regarding their citation of PandoDaily, a San Francisco-based blogging platform whose members were involved in the online harassment of the Tor Project (see 'Online Harassment of the Tor Project'). She also alleged that during the biannual Tor developer meeting in Valencia from February 27th to March 6th, an organizer attempted to collect handwriting samples from attendees after someone wrote "Thanks for a sexual-assault-free Tor meeting!" on a poster for Appelbaum (who unbeknownst to most of the attendees had been quietly banned).

Patterson's next blog post mostly focused on sociological theories regarding the psychology of 'internet mobs', trying to justify why she became involved, and what should be done with abusers. She particularly draws from Bynum's interpretation of Appelbaum's statement, even though the highlighted quote in question was not said by Appelbaum.

Her third and final blog post again focuses on the psychology of 'information silos' and how sociopaths violate boundaries, including those of organisations and communities. Besides calling Appelbaum a "petty would-be tyrant," she makes only one comment specifically about him in the essay, regarding the necessity of flattening the organisational hierarchy:

Tor’s organizational hierarchy was already flat, but this didn’t help them until Shari Steele came on board. Jake had co-opted leadership so thoroughly that they retaliated against Karen Reilly for reporting his behavior.

In response to the Drupal controversy which began with the presumption that a "mentally handicapped" woman did not have the capacity for informed consent to a relationship, Patterson was "furious" the Drupal Association leadership had assumed she was being exploited without first asking her and used that misplaced judgement to demote a Drupal member:

How hard is it to talk to someone you're concerned about, rather than making assumptions about whether they can act independently at all?

-- Meredith Patterson @maradydd (July 14th, 2017)

After Norton was briefly hired and fired from the The New York Times editorial board on February 13th, Patterson commented that because the social media "mob" was in a "hot-take phase" lacking in context and consistency, they were "punching down" on her. On February 27th, after tweeting about engaging with racists, fascists, white supremacists, and sexists, Norton published an article in The Atlantic reflecting along similar lines:

When the backlash began, I got the call from the person who had sought me out and recruited me. The fear I heard in that shaky voice coming through my mobile phone was unmistakable. It was the fear of a mob, of the unknown, and of the idea that maybe they had gotten it wrong and done something terrible.

She claimed her pacifism justified continuing a "friendship" with Auernheimer (see 'Online Harassment of the Tor Project').

In my pacifism, I can’t reject a friendship, even when a friend has taken such a horrifying path. I am not the judge of who is capable of improving as a person.

On June 18th, Patterson published a Status451 piece about the end of her marriage to Hirsch and resolving an "epistemic crisis" which had been building up since Sassaman's death.

Len’s suicide plunged me into an emotional and ethical dilemma. On the one hand, I was unspeakably angry, but on the other, allowing any of that anger to settle on my memories of him brought on overwhelming waves of guilt over being unfair. I circled that Gordian knot for months, searching for a place to slice it that wouldn’t leave me hating either him or myself for the rest of my life.

Righteous indignation is a hell of a drug, and I imagine that for many people in bad breakups, such offers might be quite comforting. In a sense, reputation damage is just a new species in the “want me to fuck him up for you?” genus of reassurance memes.

Christopher Sheats

Christopher Sheats (@yawnbox), board chair of the Seattle Privacy Coalition and technology & library program intern for the American Civil Liberties Union of Washington, published a blog post on September 7th containing his witness account regarding the allegations by "River." He described his brief interaction with her at the Vabali Spa and the evening movie session at Appelbaum's apartment, where he saw "Jacob and River were cuddling throughout the entire movie."

If River was under the influence of drugs or alcohol, it was not apparent. At no point did she seem distressed or abused. Nobody did. Further, no one was having sex in the living room.

On January 13th 2016, Sheats had tweeted "goodbye Berlin" and tagged Macrina, Crockford, Glaser, Creative Commons director Paola Villarreal, Appelbaum, Ricochet developer John Brooks, Scott, Blockstream chief security officer Jonathan Wilkins, McGrath, and Gutbub.

Andy Isaacson

Andy Isaacson (@eqe), a software engineer, kernel hacker and early member of Noisebridge, said that Lovecruft's Valencia intervention and Appelbaum's response "match his statements to me at the time." Despite claiming he also "witnessed" the relationship between Appelbaum and another alleged victim 'FemCog,' he appeared to be on friendly terms with him as recently as late January 2016; in February 2015 he congratulated Appelbaum on his contribution to the Citizenfour documentary and in September he recommend that a friend "say hi to @ioerror" while visiting Berlin.

In a Medium post published on December 28th 2016, he claimed to remember verbal and visual details about his first interaction with Appelbaum in 2005, yet until recently did not recall a female friend telling him "years before" that she had been raped. He also said he enabled abuse and hurt people himself. In response to his post, Patterson said she was "glad that's changed"; Norton called it "remarkably brave" and 'FemCog' said "This is what solidarity looks like!" Others were hesistant, due to the fact that he had admitted "to behavior that could be described as coercive or even possible rape" without any indication that those wrongs were being amended.

McGrath pointed out other inconsistencies in his timeline. Isaacson claims he "spent two weeks in Berlin during August" and that "weeks" after his final day in Berlin, the DIE ZEIT story was published (it is the first and only story with details of Appelbaum allegedly "providing illegal drugs to party attendees"). However the DIE ZEIT investigation was published in print on August 10th and then uploaded online on August 12th (see under 'Appelbaum Denounces Allegations'); Isaacson did not arrive in Berlin via the Tegel Airport (TXL) until August 14th, and left two weeks later on August 27th. He has not amended or explained these inconsistencies.

When Bähring disputed the story about herself, Isaacson said this was "ill-advised in the current public climate" and that by simply wondering about the accuracy of other stories being promoted by the press, she was "victimblaming."

The Public Reaction

Cult of the Dead Cow

As a result of the allegations, Appelbaum was removed from the computer underground group Cult of the Dead Cow (cDc), where he had been a member since July 2008. Their official statement on June 6th said that "as we have become aware of the anonymous accusations of sexual assault, as well as the stories told by individuals we know and trust, we've decided to remove Jake from the herd effective immediately."

Oxblood Ruffian (pseudonym), a cDc member since April 1996, released their own individual statement on Appelbaum being removed from the group and how he "used our name to advance his career and gain entrance to circles that might have been closed to him." He also says "preying upon the vulnerable is an ungendered pathology" and defends the right of the victims to remain anonymous.

Lovecruft tweeted "I encourage other hacker groups/spaces who value member safety to do the same."

Freedom of the Press Foundation

On June 8th, Freedom of the Press Foundation's co-founder and executive director Trevor Timm announced that Appelbaum was also removed from his position on their volunteer technical advisory board.

In light of the allegations that have been made, Jacob Appelbaum is no longer a member of our outside volunteer technical advisory board. We hope that the serious accusations made against him, and his denial of them, are resolved as fairly and as expeditiously as possible.

Fellow board volunteer Eleanor Saitta (@Dymaxion) had vaguely accused Appelbaum of public "aggressive harassment" during a dispute about the Electronic Frontier Foundation's Secure Messaging Scorecard project in November 2014 (see 'Online Harrassment of the Tor Project').

Former systems administrator Kevin Gallagher, who announced he was leaving Freedom of the Press Foundation on June 24th, said the outside tech advisory board "is not the most active thing. Jake had not even communicated with them in several years." No clarification was made as to why he had still been listed.


Purism quietly removed him immediately after a potential customer, free software advocate Bjarni Rúnar Einarsson, objected to Appelbaum still being listed as their security advisor on June 8th. He had joined Purisim as an advisor less than a year ago.

Prior to June 6th, Einarsson had not publicly indicated that he knew about the allegations or had witnessed any negative behaviour himself. In June the previous year, he had thanked Appelbaum for his journalistic work regarding the U.S. Justice Department and NSA.

Chaos Computer Club

On June 9th, the Chaos Computer Club (CCC) released a "reminder" which did not directly mention Appelbaum or the allegations, but stated that anyone who violates the ethical principles of the Club is "not welcome."

In light of recent accusations against a regular visitor and speaker at our events, the Chaos Computer Club re-emphasizes the following: The CCC is, by its charter and by common consent, a galactic organization of all life forms. We are dedicated to providing a safe, comfortable, and supportive experience for everybody attending our events.

... As stated previously, we do not tolerate life forms who refuse to share this openness and respect towards others: Creatures that are not excellent to others are not welcome.

Based on the statement, it was not clear whether the CCC had determined that Appelbaum was henceforth not welcome, or whether they had investigated the reports of harassment at their events. On June 17th, the CCC clearly stated that Appelbaum is no longer welcome.

On November 18th, the Chaos Communication Congress announced that their content committee had chosen 150 talks from more than 500 submissions to be voted on for placement into the schedule of the coming conference. It was quickly observed that talks by the Tor Project, including annual presentations such as the "State of the Onion," were absent from the chosen list. In their mailing list, it was noted that they had submitted three talks but all had been rejected. On November 22nd, CCC revealed the theme for 33c3 would be 'Works for Me' to reflect how "mutual hate, envy, insensibility and exclusion have driven us apart" this year. According to, it was proposed that Appelbaum be allowed to defend himself at the event, but this was also rejected.

In a 2018 interview, Motherboard DE -- and several of the people quoted including York, Snieb, "recovering journalist" Arikia Millikan, Silke Holtmann, and technical consultant Lilith Wittmann -- argued that the Chaos Communication Congress should adopt a code of conduct, echoing the sentiments of a fake CCC account made in June 2016; a prior article from Gizmodo acknowledged the existence of a code of conduct, yet stated that it "does not explicitly prohibit sexual harassment or assault." On the contrary, the Chaos Computer Club has had an explicit policy against "Ideen von Rassismus, Ausgrenzung... und körperlicher Gewalt" (ideas of racism, exclusion... and physical violence) since 2005, then "sexism, harassment or racism" since 2012; an updated version of their code of conduct and statement against "sexism, group-focused enmity, violence or harassment" was released one month prior to the 2017 event. Both Locker and Millikan ignored or refused requests for correction.


On June 10th, the educational San Francisco hackerspace Noisebridge released a PGP-signed statement that Appelbaum was "no longer welcome in our community, either in its physical or online spaces." On June 21st, they officially banned him through community consensus after it was proposed by San Francisco Bay Area developer Torrie Fischer (@tdfischer_). Rubin Starset, a founding member of Noisebridge, also published a longer statement on how the community's inclusive culture had to be remedied to prevent such harassment and abuse in the future.

Noisebridge ban

Appelbaum co-founded Noisebridge with security expert Mitch Altman (Sassaman was also "mildly involved" despite being out of the country) within the summer and fall of 2007 as an extension of the Chaos Computer Club. Prior to banning Appelbaum from Noisebridge, Altman had said he did not know about the allegations.

I don't know what the allegations against @ioerror are. The one thing I've heard is: "Sexual misconduct". Sexual misconduct is not to be condoned. Does anyone know what the allegation against Jake is? Some on the internet are saying it means he raped someone. If that is true, that would be truly terrible. There is (obviously) no condoning it. Saying terrible things about someone based on allegations, is also terrible. I'd like to live in a world where neither happen.

-- Mitch Altman @maltman23 (June 5th, 2016)

Appelbaum is still listed as a user on their 'People' page, though it is not a membership list. He also remained the domain owner of until 2018.

Appelbaum wearing Noisebridge t-shirt

Friends and Colleagues

M.C. McGrath

M.C. McGrath, founder of the non-profit Transparency Toolkit, shared a picture of the side of a building which had been graffitied to say "A rapist lives here | ein Vergewaltiger wohnt hier!" with an arrow pointing to the middle window. This tactic and phrase is reminiscent of 1970s Manhattan feminists:

Lutz, Mary E. (1949 - ) became a member of The Feminists (1972) in NYC, a group that wrote and published tracts against marriage, for man-hating, and for re-establishing matriarchy. Members also conducted actions and gave speeches advocating political education and direct action. "Once I gave a talk at Dartmouth College in which I shocked students by proclaiming women should consider aborting male fetuses, a remark for which I paid dearly," she says. In 1973, TF targeted Manhattan rapists by identifying their workplaces and homes, and stenciling "A Rapist Lives Here" in red paint on buildings and sidewalks. -- Feminists Who Changed America, 1963-1975 by Barbara J. Love (2006)

McGrath said this was Appelbaum's house in Prenzlauer Berg, Berlin (where he's lived since 2013), but the unidentified defacer(s) had targeted the wrong apartment window. He later posted a second picture made in daylight.

This mob has gone too far. This is not justice. The mob going after @ioerror has done more to make me feel unsafe than people in the intelligence community threatening me about my work. The arrows in that graffiti actually point to the wrong apartment. People who don't even know @ioerror could get hurt from this. This is is not justice for anyone. Not for victims, not for @ioerror, not for any of the others who have been dragged into it.

-- M.C. McGrath @Shidash (June 10th, 2016)

Shepard remarked that Appelbaum "probably graffitied his own apartment for sympathy."

defaced building

Daniel Bernstein

Though he also did not directly mention Appelbaum by name or the allegations, Daniel J. Bernstein, professor of mathematics and computer science at the Technische Universiteit Eindhoven where Appelbaum is currently studying as a PhD student, published a blog post warning of the consequences of skirting due process.

Is it really so hard to recognize both of these directions of error? If I prejudge and punish alleged culprits who have not had their day in court, then I will inevitably punish some innocent people: the unfortunate reality is that many accusations of crimes are false. If I prejudge and punish accusers who have not had their day in court, then I will inevitably punish some innocent people: the unfortunate reality is that many accusations of crimes are true.

When I say "day in court", what I really mean is due process. Due process is a set of ethical principles that civilization has painstakingly developed over several centuries, recognizing that punishment is corrupted by many sources of error on both sides: communication is poor; memories are faulty; sometimes people don't tell the whole truth; sometimes people tell something other than the truth.

... It's really not that hard to stay calm and say something like this: "We weren't there. At this point we can't be sure what happened. Sometimes accusations are true, and sometimes they aren't. It's important for a neutral judge to hear testimony from the accuser and from the accused."

But not everyone stays calm. Angry people continue to join these mobs. They blog and tweet and report their ill-informed speculations in favor of the accuser or the accused, confident in their own righteousness and blithely unaware of the possibility of being wrong. Ultimately the accused and the accuser are both punished, truth be damned.

On May 1st 2016, Ei/PSI announced the speakers for the coming fourth "Security in Times of Surveillance" event on May 29th. While Appelbaum was not an invited speaker as he was the prior year (see 'The Resignation'), he was listed as one of the scientific organizers.

Further information can be found here.

"Our Response"

On June 11th, a group of women consisting of "friends, colleagues, co-workers or partners" of Appelbaum released a statement criticising the "coordinated and one-sided attack on his character and work."

We are not apologists for any genuine wrongdoing, and as women working in this community we know that there are struggles around sexism. However, simple punitivism is not how the human rights that we all defend should be enforced or framed.

We believe that an open and evidence-based discussion in this situation is necessary to allow our community to develop better processes to handle any allegations. Furiously targeting one person without allowing for proper fact analysis will never solve the bigger structural problem that has been highlighted. We should use this moment to grow and make things better, not destroy the movement and create divisions. We need to create a channel for discussions on how to make things better.

The initial twelve signatories of this statement are: Renata Avila, Human Rights Lawyer; Susan Benn, Artist; Cathleen Berger, Policy Advisor; Geraldine de Bastion, Policy Expert; Annegret Falter, Political Scientist; Marie Gutbub, Journalist; Sarah Harrison, Journalist; Christy Lange, Writer; Isik Mater, Infosec Specialist; Angela Richter, Theatre Director; Felicity Ruby, PhD Candidate; Joana Veron, Lawyer.

They also created a website with a copy of the statement, inviting others who agree with "the spirit of this letter," but may not be colleagues or personal friends of Appelbaum, to sign it by contacting this email: To date, there are fifty-one additional signatures and only two people later requested to have their names removed: Herzmut and Bailey Lamon.

We therefore invite all others to add their names to this list (using the below contact details) to show their agreement with the spirit of this letter - solidarity with Jake in how this is being handled, on the side of justice for all, and in belief of the need to develop a safe space for accessing the issues to enable building open and transparent guidelines to deal with sexism and gender issues within our infosec and digital rights communities.

A tweet prompt was added to the website:

In Solidarity with Jacob Appelbaum @ioerror and on the Side of Justice for All. We urge others to add their names to

Though Nerad was not one of the signatories, she expressed a similar sentiment very early on when the allegations were first being made, that she does not believe shaming him so soon is a "sustainable holding pattern."

Another non-signatory, whistleblower protections lawyer Jesselyn Radack, tweeted in June 2018 that she has "always supported @wikileaks. I’ve always supported @ioerror. If anyone tells you otherwise, pls ignore."

Shannon Cunningham

On August 19th, Shannon Cunningham shared her account of experiences with Appelbaum, Macrina, Lovecruft, and Budington. In late 2014, Appelbaum offered to cover her airfare and other living expenses so that she could attend that year's Chaos Communication Congress; he was simultaneously paying for half of Macrina's airfare and it was settled that the two would room together since they were previously acquainted and expressed a mutual interest in meeting. During a misunderstanding about Cunningham's sleeping arrangements in Berlin following the conference, Macrina allegedly tried to convince her that Appelbaum had "abandoned" her because they weren't sleeping together and proceeded to share sensitive information about him, at which point Cunningham stopped communicating with her. Their last public communication prior to Cunningham avoiding and blocking Macrina (until after the Appelbaum allegations were publicised) was January 6th, 2015. At some point, the misunderstanding with Appelbaum was resolved.

Given the volume of false characterizations of Jake floating around amidst the smears, I hope he will not mind me saying… These characterizations of him as a “rockstar,” as “aggressive,” as “selfish” — I don’t see how one could know Jake much at all while choosing these as their go-to descriptions of him, barring bad faith. Perhaps that we come from similar backgrounds has offered me some insight, but whenever I read these stories going around describing his personality, I’ve been unable to recognize him in them. While the those traits, when they do come out, might seem abrasive, when taken in context, the picture is very different. What I do recognize in them, however, is the characterization of him I long ago disputed with Alison, as I again had to push back against this recently, when she DM’d me again to tell me she could not believe I was defending Jake after he had “abandoned” me.

There have certainly been occasions during which he and I have butted heads, but one thing that struck me about our interaction versus that of others with him, is that if I felt he was over-assertive in some regard, I would push back. Perhaps this is because I was not trying to win his favor, but rather that I appreciate him and his personality, and respect his ideas, experiences, and values. Part of being a friend is arguing and contradicting someone when you believe they are wrong, and likewise part of being a friend is letting someone know they’re being difficult even while going out of your way to maximize their comfort.

Laura Poitras

On May 2nd 2017, three days before the official theatre début of 'Risk' (see 'Festival de Cannes') at the IFC Center in New York City, Poitras was interviewed by Newsweek's national politics correspondent Nina Burleigh about the documentary. When asked about her relationship with the IT community and Appelbaum, she said "the allegations against him were made two weeks after the film was screened at Cannes" and that they influenced her decision to remake the film, but she did not reframe it to focus entirely on the "gender war."

"I defend due process, everyone deserves due process."

At the same time, Burleigh published another article reviewing the film, with the title "Documentary Goes Inside Julian Assange's Paranoid World," despite Poitras' repeated assertions that she did not believe he was paranoid. Her review suggestively states that Poitras and Appelbaum were "romatically involved" years before the end of filming. Burleigh summarises the allegations against Appelbaum but neglects to mention that one of them had been disproven by the supposed victim herself (see 'Emerson Tan, Patterson, Shepard, and Hirsch').

On May 3rd, an interview between Poitras and Variety's Brent Lang was published. She said the allegations and the nature of her relationship with Appelbaum were included because "I had insights... about someone close to me that he’d been abusive towards." However, she described her inclusion of "issues of gender and power" as a sub-theme.

On May 4th, International Criminal Court (ICC) lawyer Melinda Taylor, who has served as Assange's legal counsel to the U.N., responded to Burleigh's articles in Newsweek. Taylor claims that "Poitras’ lawyers declined to permit any of us to view the reviewed version of the film." The previous day, Assange had tweeted "I havent seen it. I hear it was altered." She also argued that Burleigh's and Poitras' portrayals of women working with WikiLeaks were "minimizing" and "completely sexist" -- particulary of Harrison, who is described by Burleigh as the "pretty young... trusty Girl Friday" with no mention of her actual position as researcher and section editor at WikiLeaks, or her role in the Snowden leaks. The A.V. Club's Ignatiy Vishnevetsky reviewed Risk as "ethically muddled and "involuntarily insightful," especially when Poitras "admits to having had a sexual relationship with Appelbaum during filming," which contradicts her statement to Burleigh that "the relationship happened after we finished filming," though it is unclear whether she is referring to the filming of Risk or her prior documentary Citizenfour.

On May 5th, in an interview with The Nation's Jon Wiener, she says "you see in the film that he stepped down."

On May 8th, in an interview with The Daily Beast's senior entertainment editor Marlow Stern, Poitras clarified that the relationship began "when I was editing" Citizenfour. When asked about the alleged abuse she witnessed, she claimed to have "confronted him about when it happened" and refused to say if Appelbaum had been abusive to her.

On May 17th, WikiLeaks lawyers Margaret Kunstler, Deborah Hrbek, Avila, and Taylor published a review in Newsweek alleging that Poitras broke at least three contractual obligations by releasing Risk: the raw footage was edited in New York, instead of Berlin; subjects of the film, including Assange, were prevented from viewing the final version prior to release; it was released even when "seven of the participants submitted non-consent forms to the producers."

Poitras was criticized after Cannes for appearing to be overly sympathetic to WikiLeaks. Instead of providing us with a more objective portrayal of her subject matter, she has re-framed her story to turn Risk into a film by Laura Poitras about Laura Poitras; a rather late coming-of-age story about the filmmaker discovering that there is sexism in her social and professional circles.

Instead of a documentary about the abuse of state power and WikiLeaks' important role in exposing it, the emphasis of the film is now to highlight hotly disputed claims about an ex-boyfriend.

Though this was not stated in the review, the WikiLeaks account tweeted that their "legal team may sue Laura Poitras for breaking written promise to not edit footage in the U.S." Their concern about the editing location is likely due to the fact that she has been on the DHS watch list because of her war documentary work and often had "her laptop, camera, mobile phone, and reporter notebooks seized, and their contents copied" during detentions at the U.S. border.

On June 17th, Poitras and her producers responded in Newsweek to the allegations that they broke contractual obligations and infringed on the rights of people she filmed. They countered that "individuals who requested from the beginning not to appear in the film" were "respected," though they neglected to confirm whether anyone retracted their consent during or after filming. They also claim that the last time they screened the film for WikiLeaks staff and lawyers was "inside the Ecuadorian embassy in London on April 1, 2017," and that they had "known since 2015 that we were editing in the U.S."

In 2016, he signed an agreement to license WikiLeaks’ own footage to us and raised no objection to mailing a hard drive with footage directly to our editing room in New York City.

On June 29th, in an interview with Guardian feature writer Simon Hattenstone, Poitras said she "knew I was being followed by intelligence agencies" after making Citizenfour.

Ancilla van de Leest

On August 6th 2017, privacy advocate and former Dutch Pirate Party front-runner Ancilla van de Leest gave a talk at the SHA2017 conference in the Netherlands, titled "Smart, Safe & Happy: Ensuring Civil Rights in the Digital Era." Towards the end of the talk (36:43 - 38:14), she spoke up about how the allegations had been handled.

... Then community-building, taking care of each other, making sure that we're doing well, and also making sure that we have good guidelines on how to handle things that come on our path.

I'm going to say something that might be unpopular, but I'm going to do it anyway. I'm not so pleased with the way SHA has handled the Jacob Appelbaum story. I find it a little bit too easy to spread rumors without any factual evidence, and ban somebody completely from a community. I find that when these accusations take place, of sexual misconduct, it's a very serious conversation that needs to take place, but it shouldn't be one-sided. You shouldn't be able to point a finger at somebody and say, 'I don't like the way this person is behaving,' and then have them completely excluded from a community that they have contributed a lot to. I don't think this is the right way to move forward, because tomorrow it could be any one of us. So I'd really like to ask the SHA commission to re-examine and re-evaluate on their decisions in that part of community-building and trust.

Another speaker, security researcher Martin Schmiedecker, agreed with her.

Internet Freedom Festival

On June 15th, The Daily Dot published information from Tom Lowenthal, currently staff technologist for the Committee to Protect Journalists (CPJ) and a track lead for journalism & media at the Internet Freedom Festival, which in 2016 was held March 1-6th. Lowenthal says that the organizers of the Internet Freedom Festival were aware of the allegations prior to the event and "decided in advance that Appelbaum would not be allowed at the conference or inside the venue and had a contingency plan in place in case he tried to participate."

There's a major public vulnerability which is being exploited in the wild. You need to patch it. Appelbaum wasn't the problem, just a really bad symptom. Our communities are still vulnerable to the attack he used.

-- Tom Lowenthal @flamsmark (June 22nd, 2016)

It isn't stated how long Lowenthal has personally had knowledge of the allegations about Appelbaum's behavior, or how the Internet Freedom Festival became aware of them more than three months prior to the announcement of Appelbaum's resigation from the Tor Project. According to The Guardian, his ban was due to Lovecruft emailing the Tor Project about the allegations in February (see 'Isis Lovecruft'). Both Patterson and de Valence claimed to have been aware of the ban. The festival was advertised as the post-meeting destination for those attending the biannual Tor developer meeting, so word of the incident there may have spread, resulting in a mutual ban.

Debian Project

On June 18th, Appelbaum was removed as a developer at the Debian Project, a role which he had acquired in 2013 after ten years of involvement.

Linux Australia

Russell Coker, a Melbourne-based Debian developer, wrote to the Linux Australia mailing list requesting that Appelbaum be barred from attending the Australian National Linux Conference (LCA) and that the group release a public statement. On June 22nd Hugh Blemings, president of Linux Australia, released a statement from himself and the council on the mailing list saying that they were aware of the recent allegations made, but had not received any reports of misconduct during the 2012 conference when Appelbaum was a keynote speaker.

As facts in this matter become clear Linux Australia will consider what, if any, action is appropriate in relation to Mr Appelbaum’s potential involvement in future Linux Australia activities.

On July 1st, Blemings released a second statement officially banning Appelbaum from Linux Australia events.

Electronic Frontier Foundation

The Electronic Frontier Foundation, like the Intercept, did not publicly comment on the allegations or the general situation at the Tor Project, though several people with ties to the organisation have responded or been active in their own personal capacities. The last blog post in which they even mentioned Appelbaum was in a list of security researchers advocating for DRM reform in March 2016.

The Register, "bullying sex pest," source:

Electronic Frontier Foundation director Jillian York, who said it was "past time for our community to have an open, nonjudgmental conversation about sex," called out The Register's Kieren McCarthy for using the phrase "bullying sex pest" instead of "sexual assault," yet has not criticised Steele for her language choice of "unwanted sexually aggressive behavior."

On May 6th 2014, York was a co-speaker with Appelbaum in a talk titled "Let's Talk About Sex Baby, Let's Talk About PGP" for the re:publica internet and society conference; the focus was how to "make a stronger crypto movement," drawing comparisons between the use of encryption and the 'safer sex' movement. In April 2015, Lovecruft referenced his use of these sexual analogies regarding unencrypted web browsing or communication. On September 10th 2015, prior to attending the opening night of Appelbaum's photography exhibition "Evidence of Conspiracy" at the NOME Gallery, she sent him pictures of herself and her friends drinking. Their last public communication via Twitter was on December 12th 2015.

On August 28th 2018, senior staff technologist Cooper Quintin objected to Amnesty International screening a film that "glorifies two serial rapists," falsely implied that there were "rape charges... against Jake and Julian," and referred to one of them as "Ol' rapey J," when neither has ever been charged (see 'Appelbaum Denounces Allegations'). Lovecruft replied to compliment Quintin on "slaying it today." Reilly commented that Appelbaum had not "pissed off the US government enough for them to cut off your 100% government-funded, 6-figure salary." However, according to the Tor Project's own financial documents from 2007 to 2015 and other reports, their government funding flucuated between 68-93% of their yearly revenue. Also, Appelbaum always had a salary under $100,000: in fiscal year 2008, he was paid $66,000; in 2009, he was paid $96,000; in 2010, he was paid $98,880; between 2011 and 2014, his salary was not reported as he was not in the top five compensated persons and it was under $100,000; in 2015, he was paid $96,208. In that year and other years, Shepard was paid almost $30,000 more.

The Electronic Frontier Foundation has not publicly commented on whether they are still assisting with pro-bono legal counsel for Appelbaum related to the Grand Jury investigation (see 'The Snowden Leaks' and 'Freedom of Information (FOI) Lawsuit').


I used to recommend that my friends visit @telekommunisten when in Berlin, but no longer. Their refusal to eject abusers is inexcusable. You will never see me at another [Stammtisch] again. And [I'm] not the only one.

The German hacker and digital-rights movement is rotten to the core with abuse enablers and rape apologists. [It's] been sad watching it slowly drift off in to obsolescence and meaninglessness. Bye, have fun, and good riddance.

-- Casey Callendrello @squeed (May 10th, 2017)

On May 12th 2017, CoreOS software engineer and Berlin resident Casey Callendrello published a Medium post about Appelbaum joining the recent Telekommunisten Stammtisch at the Café Buchhandlung in Berlin, which he had attended for a number of years. According to Callendrello's statement, Appelbaum "reappeared" at the meetup on May 9th after over a year of absence and stayed for "several hours" after being "welcomed by some," despite Callendrello and "other long-time Stammtisch attendees" saying they were "personally uncomfortable with his presence." He claims Appelbaum refused to answer his questions because Callendrello "bumped in to my girlfriend without apologizing" earlier during the meetup. He didn't think this was "relevant" and cited it as a deflection technique "often employed by abusers." However Leidl twice alleged that Callendrello had indeed assaulted Bähring; she confirmed the allegation a few days later.

Patrick McCulley said he would "talk to everyone I know here and ensure he is prohibited from any groups I am involved with." Reilly, along with Nicolai von Neudeck (@vonneudeck), announced that she would be attending the next Stammtisch to "make clear that Jacob Appelbaum is not welcome," even though von Neudeck admitted he wasn't a Stammtisch attendee himself. She also insinuated that Appelbaum should go to the Botschaft der Demokratischen Volksrepublik Korea (the North Korean Embassy in Berlin) because "I hear his friends like embassies." She deleted the tweet at some later date.

On May 13th, Telekommunisten members Baruch Gottlieb, Dmytri Kleiner, and Franziska Kleiner posted a response to Callendrello. They began by stating that though they prefer for Appelbaum to "not visit Stammtisch until he has unequivocally demonstrated a commitment to address" the allegations, they "can not ban him from Stammtisch" due to having no authority over the premises where the meetup takes place. They also believe those boycotting and blaming them for the incident are acting "opportunistically," and people like Callendrello "are not welcome either" due to their sense of "entitlement" leading to other attendees feeling unsafe.

Telekommunisten have endured your toxic community long enough, you bring your self-importance and entitlement to us, flood our space with your dysfunctional community and then place expectations on us to police you. We owe you nothing. To be honest, we think you are a bunch of petty bourgeois assholes, who we only accommodate because we are polite.

Both Callendrello and Reilly thanked them for their response.

The Intercept

The Intercept as a media organisation largely refrained from reporting on Appelbaum or the allegations against him between mid 2016 and early 2018. Lee, a technologist for The Intercept, Freedom of the Press Foundation, and previously the Electronic Froniter Foundation, claimed he witnessed the allegations by 'Phoenix' (see 'Victims'). On July 16th 2014, around the time of that alleged incident, he thanked Appelbaum for finding an input sanitation bug in OnionShare, anonymous file-sharing software intended to particularly help future whistleblowers and journalists. Clark, lead security architect and former Tor build engineer (see 'Leaked Tor-Internal Chat Logs') has also been vocal in her own personal capacity (see 'The Tor Project').

Since their inception in 2014, there have been five articles featuring, mentioning, or tagging Appelbaum: a quote from George Packer's interview with Appelbaum in a Berlin sauna in comparison to a scene from a television drama (November 2014); a report on the U.S. Justice Department's effort to obtain Appelbaum's Gmail account data (June 2015), which they shared at least eight times on Twitter between June and December 2015; a summary of research into self-censorship under a surveillance state and Greenwald's early experience reporting on WikiLeaks (April 2016); a report on a poorly sourced financial blacklist called "World-Check," which includes Appelbaum and many of his associates (June 2017).

On February 14th 2018, Micah Lee and Cora Currier of The Intercept published the fifth article, which commented on messages from a "private Twitter direct message group" with "an assortment of WikiLeaks’ most loyal supporters." At one point, they incorrectly summarised the timeline of events relating to the allegations against Appelbaum, linking to an article from The Verge and listing the Tor Project's two-month "external investigation" (see 'Tor Project Concludes Investigation') as occurring and concluding prior to Appelbaum's resignation on May 25th 2016. Other media outlets had a similarly disordered timeline.

The Tor Project

On July 16th 2016, Tor directory authority operator 'Lucky Green' announced that they would be shutting down their Dutch-based bridge authority "Tonga" as well as "a number of fast Tor relays." Berlin-based writer Bethany Horne said this announcement has been "demoralizing" with regards to the Tor community.

Tonga DA shutting down

As a bridge authority, 'Tonga' had to be replaced immediately and it was feared that the process of removing it would "cause severe disruption for the bridge ecosystem," according to a leaked email allegedly sent by Hahn.

Hahn email on dir/bridge auth

Lovecruft announced via the mailing list that she was handling the replacement process (including bridges that had stopped working) and that the new bridge authority server would be in Greenhost's Amsterdam offices. 'Tonga' was officially decomissioned and replaced with Lovecruft's new bridge authority 'Bifröst' on August 26th. In a blog post summarising the transition, Lovecruft claims they are looking to "decentralise the Bridge Authority/BridgeDB systems without simply turning a single point-of-failure into multiple points-of-failure."

Bridge authority replacement, source:

On July 23rd, programmer Josef 'veloc1ty' Stautner announced that he had deactivated his Tor exit relay, which he has been running since at least December 2014 after learning about Tor through Snowden's NSA leaks. He said his withdrawal of support was due to how the community handled the allegations against Appelbaum:

Vor zwei bis drei Wochen habe ich mein Tor Exit Relay heruntergefahren [Two or three weeks ago, I shut down my Tor exit relay]. Der Grund hierfür ist der Umgang der Tor „Community“ über die Vorwürfe gegen ioerror [The reason for this is the handling by the Tor "community" of the allegations against ioerror]. Viele Threads gingen auf den Mailing Lists auf und alle spekulierten wild rum [Many threads went up on the mailing lists and all speculated around wildly]. Niemand lieferte Beweise und viele Opfer versteckten sich in der Anonymität [No one provided evidence and many victims hid in anonymity].

Das Verhalten der sogenannten Community hat mich zutiefst bestürzt [The behavior of the so-called community has shocked me deeply]. Danach habe ich beschlossen mein Relay abzuschalten und das Projekt nicht weiter zu unterstützen [After that I decided to shut down my relay and no longer support the project].

Der Daemon ist deinstalliert und die Keys wurde sicher gelöscht [The daemon is uninstalled and the keys have been safely deleted]. Ich habe mich von allen Mailinglisten abgemeldet [I have unsubscribed myself from all mailing lists]. Die negativen Seiten von Tor überwiegen damit für mich [Thus for me, the negative aspects of Tor outweigh].

On July 28th, Macrina announced the creation of the Tor Project Social Contract 1.0, meant to be "a set of promises to our community about what Tor stands for and why we create it," which was in the works since at least late February. The deadline for ratification requests was August 6th. The next day she also said they had a code of conduct "in the works" by the Community Team (of which she is the leader) but provided other documents regarding Tor Project company policy, including: conflicts of interest, internal complaint review process, harassment and discrimination prevention, and employee communications. These documents appear to be relatively new as Fatemi was not aware of them and they were not previously publicly available. People wrote in to say that the "free of cost" stipulation and the conflation of harassment and discrimination under the same policy may cause problems. The most controversial criticism came from Tor2Web developer Virgil Griffith, who argued that the Tor Project's public "human-rights branding" may put affiliated activists in authoritarian countries at risk. A few days later, he left the Tor Project over the issue and took down his blog page on his work with Tor. On September 4th, he published a Medium post, which he subsequently updated, to restate his objections and formally announce his resignation as a volunteer data scientist. Patterson responded that "Tor already ejected" him, repeating Lovecruft's allegation from a May discussion thread started by Tom Ritter on ethical guidelines for networked systems research and whether Tor2Web's explicit allowance for crawling of onion services was against Tor policy. Lovecruft claimed Griffith had harvested Tor hidden-service directory (HSDir) data and tried to sell it to INTERPOL and the Singaporean government, which qualified as "questionable research activity." Griffith replied to Patterson as well as Macrina saying "the chain of attributed behavior is untrue." He is cited as an author of a Tor tech report, though he hasn't been listed under core members or past contributors on the Tor Project website.

On July 31st, a ticket item was reported to the Tor Project requesting the historical and current versions of several corporate documents (including bylaws, voting members, and meeting minutes). Though a few of the documents are either already online or in the process of being drawn up, several have still not been made available.

On August 8th, Macrina announced that the final draft of the Social Contract was ready. She published it to the Tor Project's blog on August 10th. In a review from TechCrunch, editor and journalist Natasha Lomas said the contract had "warm-sounding words about transparency and honesty" but it "might be accused of lacking specific substance — if you were reading it with a critical eye and keeping count of qualifiers and caveats." BoingBoing co-editor, science fiction writer, and Electronic Frontier Foundation special advisor Cory Doctrow described it as "generally excellent," though he "balked at a bit of weasel-wording in the section on openness."

On August 15th, Macrina claimed to take issue with Mondial's (see under 'Appelbaum Denounces Allegations') attendance at a Tor community meeting hosted at The Eleventh HOPE in July, which he "didn't report" on. However, Mondial responded that it was made clear he was not allowed to record anything at the meeting:

Let me tell you a little nugget about that meeting of TOR at #hope11. I was there, never made a secret of it. We were asked to treat the meeting as “private”, NO “quotes”. Yet, there was filming the whole time - by a team working with [Laura] Poitras. Since I was there, listened for about two hours, I made one contribution of an opinion about a question that tor faces in the future. The contribution was this: In order to counter “rockstar” behaviour and attachment to power, tor should run key positions for limited time. The reactions - as to my recollection - were, well, very flat.

According to a review of Risk (see under 'Laura Poitras') by Motherboard's contributing editor Sarah Jeong, scenes show Clark discussing Appelbaum at HOPE during a private session later on the sixth floor, following the publicly-recorded 'Onion Report' (audio):

Clark, on the other hand, is heading up a panel at hacker conference HOPE towards the end of the film, discussing the damaging effects of Appelbaum on their community. One female developer, off-camera, describes how she has never contributed to the Tor Project because of the many stories she had heard about Appelbaum over the years. Clark's expression seems stricken.

Despite no longer being employed by the Tor Project, Clark remains an active member of the Tor community. Prior to the HOPE conference, she said "I believe & stand with Leigh and everyone else he has victimized." She later also apologised, saying "[we're] here for you now and [we're] so sorry it took this long." In November 2017, she commented that "group letters by women in support of harassers & abusers are a bad look at any time and they age even worse," likely referring to 'Our Response.'

Seattle, source:

On August 16th, journalist and Tor advocate Marie Gutbub announced through a public email to Tor-internal that she was leaving the Tor Project after being consistently shunned by both management and other Tor members since the allegations against Appelbaum were publicised in June. Her resignation as an advocate followed the day after Lovecruft publicly called her a "rape apologist." Gutbub, among at least two other people who hadn't declared their support for, was also deliberately excluded from the Seattle developer & board of directors' meeting and Open Hack Day scheduled for September 30th through October 2nd. Pointing to chat logs of recent conversations she'd had or witnessed with various people in the Tor Project, she said that the organisation had been demonstrating "a worrying lack of transparency."

It is really hard to talk about Tor's action because there is a lack of transparency. Why does everything have to be hidden, even from tor-internal? Isn't that contrary to the way Tor has worked in the past? While I understand that the people who claim they are victims need to be protected and I accept the fact that their names cannot be disclosed, I do not understand why all the info must be kept secret from people who dedicate a major part of their daily lives to the Tor project.

Why did Tor first take action (by making Jake quit) and only then started an investigation? Shouldn't that be the other way around? Did Tor do any fact-checking before acting based on the allegations? Why was Jake banned from TorDev in March, and why was his absence not addressed officially at any moment? Why did no discussion about this topic happen at that point?

I cannot even point all the details (from the blogposts to all the refusals to talk on tor-internal) where Tor showed a worrying lack of transparency. I am extremely worried about the direction taken by the organization. This is, to be clear, not a version of the Tor Project I want to be associated with.

Gutbub later responded to messages she had received following her departure:

In the last days, I have recieved a lot of support messages. Thank you everyone. But reading all these kind messages from people calling me "courageous", "brave", etc., made me really sad. I'm ready to take risks, but I wish I wouldn't have to be brave by taking actions against an organization I used to respect. I wish I would have taken risks speaking with/for Tor, not against them. We should be united in our fight against surveillance. I hope some day we will be able to fight together again. People need Tor. Let's not forget our common goals.

-- Marie Gutbub @shiromarieke (August 20th, 2016)

The Tor Project did not remove her from their website until January 2017.

Tor Berlin Open Hack Day Sept-Oct 2015 with Shepard, Gutbub, Matthewson, source:

Shepard, Gutbub, and Matthewson at Tor's Berlin developer meeting / Open Hack Day in September 2015

Following Gutbub's resignation, Seattle Privacy Coalition co-founder and Tor exit relay operator David Robinson announced he no longer planned to collaborate with, or financially support, the Tor Project. After his home was raided and thoroughly searched by Seattle police in the early morning of March 30th, he had previously "planned to discuss Tor’s response to the raid" with Steele, but recinded the offer due to Tor's ongoing management issues regarding the Appelbaum allegations.

In short, I have no confidence in Tor’s will or ability to ensure professionalism among its personnel or to execute an effective communications policy. As a Tor volunteer and contributor, I feel at risk not only from the Seattle Police Department, but now also from Tor Project members who are targeting a growing list of individuals for shunning and character assassination with no apparent push-back from management — indeed, with management’s collusion.

According to BuzzFeed's senior technology reporter Joseph Bernstein, Steele characterised their departures as "sad and unfortunate," but called Gutbub's account of being deliberately excluded from the Seattle developer meeting a "conspiracy" because "she hasn’t been working on Tor recently. She hasn’t been contributing." However, based on an excerpt of an email sent by Steele to Tor-internal that BuzzFeed claims to have obtained, Gutbub was disinvited due to the Appelbaum controversy:

Email from Shari Steele, source:

On August 18th, a Tor relay operator going by the handle "stderr" (short for "standard error stream") submitted a proposal to the Tor Project mailing list for a vote of "no confidence" in Steele. A plan for a general Tor strike was later published by another anonymous account that said they were not associated with 'stderr,' supposedly due to disagreeing with their claim about the identity of Tor's investigator.

Tor strike date & demands, source:

The 'stderr' operator claimed that Macrina's boyfriend Bynum was chosen by the Tor Project "as the 'outside counsel' to investigate the allegations sexual assault and sexual harassment against Jacob Appelbaum." Bynum, Dingledine, and the Tor Project account responded to say this was false. (A Redditor going by the handle "Investiga-Tor" claimed the outside counsel was actually Rebecca A. Speer of Speer Associates, which specialises in employment law. The Tor Project has not confirmed this, though Sheats named her in his witness account). Macrina also denied coordinating the investigation and countered the strike call by asking people to run relays "as an act of solidarity with victims of domestic and sexual violence," which became an opposition campaign to "hijack" the strike's hashtag. Bynum created a new Tor bridge nicknamed 'bifrost'.

Nerad responded to the demands of the Tor strike: "you can't build trust with a corpse."

Basically, this is a call to dissolve the project, it's a culture jamming monkey wrenching set of demands that is not a discussion, but simply adding heat to an already overheated conflict spiral. I'd encourage the author to contact me for a debate if he or she cares to actually learn something about the history of the project and how it got here.

I am not happy about what is going on at Tor either. I am not happy about the current administration. I am not happy about the grievance process, and I am not happy about how we got to that point. I am not happy that a CIA staffer got on staff without being vetted, either.

But this is not the way you deal with "building trust" -- you can't build trust with a corpse. It's just not useful.

Rotor Browser "sneak peek", source:

On the same day as the first strike announcement, Virginia-based security researcher Joshua Yabut (@jmprcx and @movrcx) declared that he had started "a non-SJW fork" of the Tor browser, aka "IndieOnion." On August 19th he launched the Rotor Browser website and proceeded to remove or black out Tor iconography from the forked browser. On August 26th Yabut issued "a declaration to the unnameable corporation," obviously directed at the Tor Project.

In the past year, prominent researchers have been expelled, shamed, and ridiculed without due cause and we stand in support of them. Following their expulsion, the unnameable board was completely replaced in the style of state sponsored regime change.

Our first move in solidarity with those silenced will be to implement advanced features into our own network design. This move marks the beginning of your journey into deprecation. We will implement advanced chaff countermeasures to make our network superior. We will tirelessly devote our efforts into building a high entropy global network.

On September 12th, Yabut tweeted he had "confirmed" the existence of a Tor browser vulnerability, threatening to not only share it with the FBI & NSA but sell it on the exploit market if he was "silenced." On September 13th, Yabut released a public disclosure of the remote code execution (RCE) vulnerability in the Tor browser's auto-update mechanism; he also noted that Appelbaum had raised a GitHub issue on certificate pinning back in February 2013. Former U.S. Cyber Command member Ryan Duff and computer science PhD student Erinn Atwater gave "third-party verification," saying in a write-up that the proposed "attack as described by @movrcx should work as advertised." (He later published a post mortem report describing the vulnerability in more detail.) Hahn advised Firefox and Tor browser users to disable automatic add-on updates for the time being. On September 16th, Mozilla reportedly said they would release a Firefox update on Tuesday (September 20th), while the Tor Project released their own browser update ahead of schedule in response to the disclosure, attributing credit for the Firefox bug discovery only to Duff's write-up.

That vulnerability allows an attacker who is able to obtain a valid certificate for to impersonate Mozilla's servers and to deliver a malicious extension update, e.g. for NoScript. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries (e.g. nation states).

Yabut continued to threaten to sell and disclose further discoveries to exploit markets and intelligence agencies ("IC" is short for 'intelligence community'), especially after Atwater criticised his theatrics.

The zero days will continue until @Torproject is utterly destroyed. Next time I'll be responsibly disclosing to the FBI, NSA, and GCHQ. If you are IC-affiliated and want my other bugs. DM me for PGP.

Just injected my other 0-day research into the IC. Tor Project is dead. DING DONG THE WITCH IS DEAD. OTHER TOR EXPLOITS HANDED OVER TO THE IC. BURN IN HELL.

-- Joshua Yabut @movrcx (September 16th, 2016)

On September 22nd, Tor Project developer and researcher Griffin Boyce noted in the mailing list that Yabut hadn't patched his own Rotor Browser.

Bug bounty, patching Rotor Browser, source:

According to the Tor Project, the counter-strike resulted in fifty two new relays joining the network. Yabut has since been arrested in mid 2018 for apparently premeditated, unauthorized use of a National Guard M577 command post vehicle while under the influence.

On the same day as the CCC's theme announcement (see 'Chaos Computer Club'), the Tor Project posted a job opening for Tor daemon core developer with C programming and Windows development experience; this position had belonged to Shepard since June 2012, and while there was no announcement that she left, she recently removed her position as a Tor core developer from her Twitter profile. Sometime between the 5th and 11th of January, Shepard's name was removed from the Tor Project website's core list and added to 'past contributors.'

On January 10th 2017, they also posted a job opening for Communications Director, the position held by Krauss since May 2015. Sometime between mid-January and February 14th, the bio of the Tor Project account changed, around the same time that the job opening for Communications Director was closed (though they did not list who filled the position). On May 2nd, they posted that they were still seeking a Communications Director. Though Krauss was still holding the position according to the Tor Project website, she listed her final month of employment as April. On June 6th, they announced that digital media coordinator Stephanie Whited had joined them as Communications Director. When their blog was redesigned, Perry was also quietly removed from the core contributors page without being added to 'past contributors.' Perry stopped publicly committing from his Tor-associated GitHub account on August 4th 2017 and restarted on January 17th 2018, though he has not been re-added to the current or past contributors pages.

On February 22nd 2018, the Tor Project announced that Steele would be resigning as Executive Director in order to finally "retire at the end of 2018." A job description and instructions for new candidates was added to their website. CyberScoop writer Patrick O'Neill wrote that Steele's tenure was defined by "dealing with the aftermath of the Appelbaum incidents." Komlo responded to the news by saying, "I’m very thankful for all the great work Shari had done at Tor; we are a better and healthier organization for it." On April 23rd, the Tor Project announced that project manager Isabela Bagueros (@Isa) would become the next Executive Director starting in January 2019. They also added that Steele would remain on the Board of Directors after resigning.

Like Shepard, Lovecruft was also moved to 'past contributors' in early July 2018 (see 'Isis Lovecruft').