Your criticism is equally applicable to any advocacy organization that distances themselves from an alleged situation that they morally oppose.
For example, would you say the same thing about EFF and ACLU speakers canceling their RSA conference talks, due to a "biased interpretation of unclear events" of RSA collaborating with the NSA?
Horvath alleges that illegal behavior took place. Github has said that their investigation has found no such thing, leaving things at an impasse until Horvath produces the evidence that she claims to have.
The NSA likewise says that no illegal behavior took place. Independent investigations by other arms of the government, including the Senate, have found otherwise. Furthermore, some of the behavior that the EFF and ACLU object to -- such as the collection of metadata -- the NSA do not deny that they are doing it. They only claim that such activity is legal and beneficial.
Until Github takes a stand or makes an assertion with which we can agree or disagree, the situations are not the same. Right now, Github is basically being asked "Have you stopped sexually harassing your female employees yet?" and its refusal to answer that question is apparently grounds to judge Github.
Thanks for your feedback, but please re-read my example more carefully.
In my example, I talked about organizations distancing themselves from RSA (the company), not the NSA (the US govt agency).
And as far as I know, no formal, independent investigation has found RSA guilty of allegations that they knowingly weakened their encryption after the NSA paid them to do so. So it doesn't meet the criteria you just mentioned.
But to your more specific scenario...we are still talking about a much different level of evidence. OK, let's agree that RSA has not been found "guilty" by any authority.
But the allegations do not come from just...well, whoever we might call the original accuser (Snowden? Greenwald?). Independent reports have alleged substantial claims and findings. For example, this is via Reuters, who is also sourcing reports to a group of academics:
> (Reuters) - Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, according to a team of academic researchers.
> Reuters reported in December that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw - or "back door" - that allowed the NSA to crack the encryption.
> A group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere now say they have discovered that a second NSA tool exacerbated the RSA software's vulnerability.
Even more importantly, RSA did not issue a denial (though I concede that they may have later on, I just haven't googled it yet)...they refused to comment even on the possibility that the NSA made a payment to them regarding the controversial issue.
> "We could have been more skeptical of NSA's intentions," RSA Chief Technologist Sam Curry told Reuters. "We trusted them because they are charged with security for the U.S. government and U.S. critical infrastructure."
> Curry declined to say if the government had paid RSA to incorporate Extended Random in its BSafe security kit, which also housed Dual Elliptic Curve.
This is quite different than Github. Github not only commented (and took the obvious stance that harassment is wrong) on the allegations a day or so after they were public, but they have launched an independent investigation, and they have asserted that the investigation did not uncover anything for them to cop to. Now you may say that their investigation was a farce...but this, again, is where things stand until more accusers/evidence come out. And it is at this state of uncertainty that Ada Initiative has decided to take a strong position.
> Even more importantly, RSA did not issue a denial (though I concede that they may have later on, I just haven't googled it yet):
Here is RSA's denial (emphasis added):
"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use."
Yes, this leaves leeway for "oh, we just didn't know that they were backdooring us". But do you have proof that RSA was actually aware of the consequences of implementing the NSA's "suggestions" (and did it anyway for the $$$), and not just really naïve about it?
The EFF, on its part, is not basing its stance just on the existence of intentional wrongdoing, but on what it regards as carelessness by RSA to not fix a protocol that was publicly questioned in 2007. That this protocol was questioned is not under debate. And that the protocol was flawed is also not under debate.
So again, you can say, "Well how was RSA supposed to know that those Microsoft researchers were onto something? And how do you expect RSA to figure it out after just five years?" But that's a different deal than we have with Github. The only evidence we have of Github's collective wrongdoings is that Horvath felt that she had to quit. We do have (implicit) evidence that the co-founder did something wrong, because he offered his resignation. But he has made it adamantly clear that what he screwed up in had nothing to do with gender-based discrimination. Which is purportedly the issue that Ada Initiative is most incensed about. What we have now, though, is that there were clearly bad management problems at Github. And if Ada Initiative wants to boycott a company for having such internal strife, then that's their right.
There's a whole lot more clarity in the actions of the NSA than there is with this situation. There isn't a single amount of proof that's been given to anyone outside of GitHub of the investigation that can say one way or the other who is in the wrong. It's a bunch of he said, she said.