Exclusive: Trump Administration Launches Probe Into Yale’s Use of Hacked EJMR Data
Oxford University Press set to publish study based on hacked data
Long-time Karlstack readers will recall my crusade against a team of Yale economists who hacked an economics forum (https://www.econjobrumors.com/), which I covered in a series of 10 articles, culminating in me giving a speech at Stanford University on free speech and anonymity.
![Yale University vows to 'geolocate' most EJMR users [PART 1]](https://substackcdn.com/image/fetch/w_140,h_140,c_fill,f_webp,q_auto:good,fl_progressive:steep,g_auto/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2921848-687a-4d6f-bdf8-d07ba7ea4be0_1343x647.png)
![Yale University vows to 'geolocate' most EJMR users [PART 2]](https://substackcdn.com/image/fetch/w_140,h_140,c_fill,f_webp,q_auto:good,fl_progressive:steep,g_auto/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc78f22d8-d4cc-4824-b42c-bbeb03e76224_760x441.png)
![Yale University vows to 'geolocate' most EJMR users [PART 6]](https://substackcdn.com/image/fetch/w_140,h_140,c_fill,f_webp,q_auto:good,fl_progressive:steep,g_auto/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F76691cdf-6718-4736-bdf0-0382832b77d8_540x304.gif)
What this entire saga boils down to — the key issue, if, and when, this case goes to court — is one straightforward question: whether brute-forcing a rainbow hash (a precomputed table of password hashes) to deanonymize usernames on a public website qualifies as ‘‘unauthorized access’’ i.e. illegal hacking.
The analogy I use is a bike lock.
Imagine you were walking down the street and saw a bike lock protecting a bike, and you stood outside in the rain for 10 days attempting several quadrillion combinations on that bike lock (‘‘guessing usernames’’) using hundreds of hours of compute time (cracking EJMR took approximately 240 hours of compute time using Nvidia A100 GPUs) costing many thousands of dollars in University resources, until you eventually cracked it and rode away with the bike.
The thief in this analogy, Yale, might argue that it was an imperfect, outdated lock— the owner of EJMR forgot to ‘‘salt the hashes’’, a cybersecurity practice, on his database — but the prosecutor could more convincingly argue that it is still criminally unreasonable for someone to spend 10 days of compute time trying to brute force their way through the imperfect lock.
I argue that Yale stealing this metaphorical bike violates the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030) on a federal level, and the Connecticut Computer Crime State (Connecticut General Statutes § 53a-251) on a state level, both of which make a crime to "obtain information" "without authorization" or "exceeding authorized access." Past cases, like United States v. Auernheimer (2012), show that even scraping public data can lead to CFAA charges if it’s deemed unauthorized.
My theory all along has been that these Yale authors (Florian Ederer, Paul Goldsmith-Pinkham, Kyle Jensen) were never prosecuted by law enforcement because they are elite Democrats with PhDs from MIT, MIT, and Harvard, and they were doing the hacking in the name of social justice/wokeness, in 2023, under the protection a sympathetic Biden/Kamala regime.
There’s a new president in town, though, and he’s on a rampage — targeting universities, especially Yale — and both civil and criminal liability in this case remain wide open. This hack is a juicy target for Trump to exploit.
Far from being ashamed of their crime, one of these hackers, Florian Ederer, spent the past 2 years (during which time he was denied tenure at Yale, which he appealed, and lost the appeal) parading this hacked data around in Vox, Bloomberg, NPR, Washington Post, Financial Times, CBS, NY Post, Fortune, etc.
If you click the first article at the top of that list, in Vox, Florian brags about the hack (‘‘we deanonymise a substantial portion of users even on a platform designed to preserve anonymity’’), and says it was justified because ‘‘sexism, and racism are deeply ingrained in the culture of the economics profession.’’ Sorry — but brute force hacking doesn’t suddenly become legal because you think you are doing it in the name of ‘‘sexism and racism.’’ It’s still a crime.
I read the other 16 articles on the list, and they all say the same thing: the economics profession is racist and sexist and therefore, the thinking goes, anti-woke economists should be stripped of anonymity.
Each article glosses over or ignores the legality and morality of the hack. NPR, for example, said the authors ‘‘discovered a flaw in the way the site gives anonymity to users’’ and never questioned if it is moral to exploit that flaw upon ‘‘discovering it.’’ If NPR had bothered to interview a penetration tester or computer science professor, they would have told them that the first principle of ‘‘ethical hacking’’ or ‘‘penetration testing’’ is that if you discover a flaw or exploit in a website, you don’t exploit it unless you explicitly have permission.
Several of the articles ominously boast/warn about how this hacked data can be weaponized via lawsuits to ruin the lives anti-woke econ professors.
“If we can subpoena the IP address and figure out who it is, we can hold them accountable,” says Anya Samek, an associate professor of economics at UC San Diego told Bloomberg.
“I thought maybe we should be trying to hold people accountable,’’ says Ian Ayres, a professor at Yale Law School, “I don’t think this is the end of the story.’’
Crime Pays: Yale Hackers Rewarded with 2 Top Pubs
The first major update today is that the Yale team has finally turned their hacked data into two academic papers, beginning with one titled Anonymous Attention and Abuse published in AEA Papers and Proceedings.
It actually makes sense to publish this in AER P&P—it's a non-peer-reviewed outlet, and this is a political fluff piece dressed up as research, it’s just a fun little word-cloud. Their wordcloud concludes that discussion on EJMR has moved increasingly towards Twitter threads…
…and ‘‘given the rise of importance of Twitter on EJMR it is natural to ask which Twitter accounts receive the most attention on EJMR.’’
Hilariously you can see that realChrisBrunet has the most threads about him, although I don’t have any statistical significance when it comes to valence. Their main result (those two bright red boxes in the image above) shows the profession is misogynistic towards Jennifer Doleac and Claudia Sahm, two insufferable woke activists.
The second publication derived from the hacked data is far more serious: a paper titled Anonymity and Identity Online has received a “Revise & Resubmit” at the Review of Economic Studies (RESTUD), one of the top five peer-reviewed journals in economics, published by Oxford University Press. A single publication in RESTUD is often enough to secure tenure at most universities.
This p-hacked R&R concludes that EJMR is more ‘‘toxic’’ than Reddit.
Groundbreaking stuff.
Literally just a cherry picked word cloud that they ran python text packages on.
Here is how EJMR reacted to this paper getting placed into a top 5 journal:
Department of Health and Human Services Opens Probe
While reporting this update, I heard unconfirmed rumors that Yale Police had opened an investigation into the hack. I reached out to Yale PD for comment — they declined. I then contacted Yale’s media relations office by phone and email — they ignored me. I believed I had a major update, but couldn’t verify it.
Then, unexpectedly, I was contacted by an EJMR user who had filed a formal complaint with the Department of Health and Human Services (HHS) Office of the Inspector General. The complaint alleged that his personal data was used without consent in the Yale study. To my surprise, HHS took the matter seriously, and on May 15th, assigned a Special Agent to investigate.
Now that federal authorities have a foothold, it’s time to escalate. Civil and criminal liability for Yale remains wide open. The Trump administration has shown it is willing to take action against elite institutions abusing power under the guise of social justice. This case is a perfect opportunity to do exactly that.
If you care about academic integrity, digital privacy, or free speech, share this article — and make sure the people in power see it. I’m sure Robert F. Kennedy and Linda McMahon will really love to hear about how elitist Democrats at Yale are threatening to doxx thousands of vulnerable people for using “racist speech” and “sexist speech” coming from a conservative source.
Yes, I voted for this.
Less than that was considered hacking in the case of Assange