LEIPZIG, Germany—Just before the 34th annual meeting of Europe’s largest hacker conference got under way on December 27, its organizers seemed quite mixed on how to respond to assault accusations among its participants.

According to emails obtained by The Parallax, the Chaos Communication Congress on December 19 banned Netherlands-based Finnish programmer Teemu Hukkanen from attending Chaos. His ex-girlfriend Dina Solveig-Jalkanen had accused him of assaulting her on December 31, 2016, just after last year’s conference. On December 24, it banned Solveig-Jalkanen too, following a counterclaim by Hukkanen. And then on December 26, it lifted both bans.

Hukkanen is a developer for Debian and FairPhone. Solveig-Jalkanen is involved in several European hacker communities under the pseudonym Thomas Covenant, including SHA 2017, Free Software Foundation Europe, and Amsterdam TechInc.

Solveig-Jalkanen chose to attend the conference; Hukkanen told The Parallax that he decided against going, after several of Solveig-Jalkanen’s Twitter followers threatened him with physical violence.

“She assaulted me after barricading herself in my apartment. It was self-defense. I am afraid of what her followers will do to me,” Hukkanen says. He refused to confirm that he made physical contact with her during the incident, citing the advice of his attorney.

Solveig-Jalkanen declined to comment. CCC representative Dirk Engling told The Parallax in an emailed statement that the conference organizers declined to issue a ban after following its internal “investigative process,” which included interviewing “all persons concerned.”

“The process in this case had several unfortunate delays that led to the decision taking way too long. This is an issue we are discussing internally and will address in the future,” Engling wrote.

One of the organizers for SHA2017, a hacker camp in the Netherlands that also banned and then unbanned Hukkanen, acknowledges that the conference “should have handled it better. How should you be handling this? If you look at the justice system, somebody is innocent until proven guilty. But without a criminal conviction, you’re putting yourself up as a judge,” the organizer says. “I don’t think that’s the correct way to go, but I don’t have a good solution.”

“[A] code of conduct is kind of like a New Year’s resolution. You can make one that doesn’t really mean anything.”—Caren Goldberg, management professor, Bowie State University

The organizer spoke to The Parallax on the condition of anonymity and without the approval of the conference leadership. Hukkanen says neither conference asked him for his side of the story before initially banning him.

People familiar with the situation, including current and former CCC staff members who spoke on the condition of anonymity because they weren’t authorized to publicly represent the organization, say conference organizers need clear procedural guidelines on how to handle such complaints.

“I think they didn’t have a process. That’s the problem,” says one CCC volunteer staffer who personally knows Solveig-Jalkanen and Hukkanen.

As public allegations of sexual harassment and assault proliferate across tech and cybersecurity, politics, sports, academia, entertainment, and the media, many organizations are learning the hard way that they need to do more than establish a code of conduct. They need to enforce it, says Caren Goldberg, a management professor at Bowie State University in Maryland, and a frequent expert witness on workplace discrimination and harassment cases.

CCC states on its printed map of the event and on its website that attendees should “be excellent to each other.” The Bill and Ted’s Excellent Adventure quote, while catchy, doesn’t exactly qualify as a thorough conflict resolution policy, she says. And a sentence introducing its code of conduct, published December 20, seems to acknowledge as much: “It appeals to morality rather than trying to instill it.”

Goldberg says “a code of conduct is kind of like a New Year’s resolution. You can make one that doesn’t really mean anything. It shouldn’t just say, ‘Be excellent to each other’; it should say what excellence means, and what happens when people aren’t excellent to each other.”

When organizations don’t provide multiple avenues for reporting a conflict, don’t differentiate between minor infractions and serious ones, and don’t specify what the various disciplinary consequences are for those infractions, they allow themselves to have wiggle room to not enforce the code of conduct at all, she says.

There needs to be a clear process that is followed regularly and that is available for people to review. That would help a lot.”—Dia Kayyali, tech and advocacy program manager, Witness

At least one tech titan in recent months has begun to implement organizational policy changes to address claims of sexual misconduct. Brad Smith, the top lawyer at Microsoft, which became the first Fortune 100 company to endorse bipartisan legislation inspired by the #metoo movement, explained last month that in efforts to make its workplace more fair and safe, the company has scrapped language in employee contracts requiring them to resolve sexual-harassment and assault claims in private arbitration. The move prevents Microsoft from hiding potential future settlements behind legally bound nondisclosure agreements.

“We concluded that if we were to advocate for legislation ending arbitration requirements for sexual harassment, we should not have a contractual requirement for our own employees that would obligate them to arbitrate sexual-harassment claims,” Smith said in a statement.

The incident between Solveig-Jalkanen and Hukkanen is only CCC’s most recent to go public. In June 2016, CCC banned cryptography engineer and privacy advocate Jacob Applebaum, following at least 11 accusations of sexual assault and rape.

Companies and organizations generally still haven’t taken the complaints seriously enough, says Dia Kayyali, a tech and advocacy program manager at human rights video nonprofit Witness.

“We all need to be talking about this as a problem that can be made better,” Kayyali says. “There needs to be a clear process that is followed regularly and that is available for people to review. That would help a lot.”

That process, beyond establishing a clearly defined and accessible code of conduct, should include a straightforward resolution process, Kayyali says.

“You have to have somebody who is designated to deal with this, and who has the authorization, when an emergency comes up, to take action,” Kayyali says. “It doesn’t have to be one person, but it has to be clear who is responsible.”

Updated at 4:03 a.m. PST with a statement from CCC.