by sulam 3374 days ago
You're talking about a crypto researcher here. Their behavior absolutely does include a much higher level of awareness around the handling of confidential information. He may well have a policy that all confidential communication is treated separately, including being automatically wiped after some period of time. This would need to be standard for his work as it relates to investigating 0day and other vulnerabilities that must be confidentially disclosed to third parties.

This does not make him a nice guy, and he would likely have been in violation of Title IX, which means any US govt funding for his lab is potentially at risk as a result of this case.

2 comments

What do you think crypto researchers are? It's not a cloak and dagger field. It's applied mathematics research. You've never seen a group of people less wrapped up in spycraft than the attendees of an academic crypto workshop. That's one of the things that made Appelbaum's admission to Dan and Tanja's research group so weird.

Think "math department", not Defcon.

I don't care who he is, or what his daily email routine is. It doesn't matter. At any level, if someone you're superior to in your organisation comes to you and reports abuse from another person in the org, you either follow up immediately, or you shouldn't be superior to them. Any kind of follow up should produce a report of that. If the person talking to you doesn't want you to report it further, then it's your business to have a record of that and never lose it. I know it from normal decency and numerous company trainings and I've never even been a manager.

His research topic, or even whether the report is true, doesn't matter. It's in his interest to follow up on his own and keep records. If not because it's right, at least to protect the university and himself from what's happening right now.

Sometimes your best protection is a policy that all electronic communications are automatically deleted after a retention period. Many companies have such policies, and they have them on advice of their legal counsel, specifically to avoid discovery issues in the event of a suit. You can argue this doesn't apply here from a moral perspective and I would agree with you, but IT and legal policies often do not follow an ethical code.

Crypto research exacerbates this because the likelihood of such suits is higher than with other kinds of research, sometimes rising to the level of nation states getting grumpy at you with all that could entail. Finally, while I can't make any excuse for the behavior, he would be far from the first graduate advisor to have less than stellar management training or skills.