My email to Yale IRB, legal counsel, provost, president, and deans
Subject: Urgent Inquiry: Ethical and Legal Concerns Regarding Yale's Handling of the EJMR Hack
Dear Yale IRB, legal counsel, provost, president, and deans,
I am sure you are already aware that 3 professors from your institution, Dr. Paul Goldsmith-Pinkham, Dr. Florian Ederer, and Dr. Kyle Jensen (all cc'd on this email) recently hacked the website "www.econjobrumors.com" and stole millions of IP addresses. For full context, I have written 8 articles about this hack (1, 2, 3, 4, 5, 6, 7, 8). The analogy I use to describe this hack is with a bike lock -- imagine you were walking down the street one day and saw a bike lock protecting a bike, and you tried out several quadrillion combinations on that bike lock using thousands of hours of compute time costing many thousands of dollars in University resources, until you eventually cracked it and rode away with the bike.
This hack is especially egregious because there's a reasonable expectation of privacy for users of the site, since the ToS for this site stated that IPs were properly encrypted. So if there's a reasonable expectation of privacy, Yale is open to lawsuits. An ethical white-hat hacker should notify the site owner when they see a cybersecurity vulnerability, not exploit it to steal millions of IPs. These Yale hackers style themselves as "white hat hackers", but in reality they are grey-hat at the very least, and probably even black-hat. A black-hat hacker is a computer hacker who violates laws or typical ethical standards for nefarious purposes, such as cybercrime, cyberwarfare or malice.
The owner of EJMR agrees that this is a hack, according to an interview he gave to one mainstream outlet. He used ChatGPT as a neutral arbiter of truth: Asked for comment, EJMR's owner sent an email saying, “you may wish to consider what a neutral actor (ChatGPT) thinks about the study.” EJMR’s email then includes a question to that artificial intelligence program: “Would reverse engineering partial hash codes of thousands of website users to get their IPs with brute force be considered hacking?” ChatGPT, according to the email, replied “Yes, that activity would certainly be considered hacking, and more specifically, it would be illegal and unethical.”
Dr. Tyler Cowen, an economics professor at George Mason University, also agrees it was a hack. He wrote two blogposts (here and here) arguing as much. "So — and I do not say this lightly — I believe the authors of the paper under consideration are behaving unethically, and I hope they will retract their work and then destroy it," concludes Cowen.
The authors' defence of this hack, as per Goldsmith-Pinkham's tweet, is that by brute-forcing the website they were only using "math", so they didn't do anything wrong by exploiting it. Goldsmith-Pinkham says as much in a tweet: "There has been a lot of speculation about how we geolocated millions of EJMR posts. The truth is rather mundane—it's just public data and some math."
I would like to counter this "it's just innocent public data and math" argument by using an example of the hacker group known as "Goatse Security" that exposed a flaw in AT&T security in 2010 using the exact same brute-force methodology, which allowed the e-mail addresses of millions of iPad users to be revealed. The flaw was part of a publicly-accessible URL, which allowed the group to collect millions of e-mails. The FBI opened an investigation into the incident in 2011 under the Computer Fraud and Abuse Act, and charged the hacker with one count of conspiracy to access a computer without authorization and one count of fraud. The hacker was found guilty and sentenced to 41 months in federal prison. Before his sentencing hearing, the Goatse hacker told reporters, "I'm going to jail for doing arithmetic".
As such, I will be giving a 90-minute speech at Stanford University on October 26th about the hack, where I will issue a full-throated call for these 3 Yale professors to be arrested and criminally charged, just like the Goatse hacker was.
I will also be calling for lawsuits to be brought against Yale directly.
I am writing to you in advance to notify all parties of my call for charges and lawsuits, and to give you a chance to rebut it. Do you have a statement to offer?
I still don't understand why the Yale IRB is doing nothing, and in fact it seems like Yale is happily promoting, supporting, and funding this hack.
I would be remiss if I did not also point out that Goldsmith-Pinkham has a penchant for hoarding blackmail data -- this is a trend with him. While working on this story, I discovered that in addition to hacking EJMR, he also owns the "EconTwitter" Mastodon server, which is where leftist economists fled upon Elon Musk buying Twitter. He pays to operate that server straight from his Yale research funds, which effectively makes any economist who uses Mastodon his research subject, thus opening up Yale's Institutional Review Board to further legal liability. As part of owning that server, he owns the IP address of any economist who has ever posted there. So, he owns the EJMR IPs, and he owns the Mastodon IPs, and by linking them with like 2 simple lines of code, he can see who said what on EJMR, attached directly to their real name. He says that he will never link them, but I do not believe him, and nor should any rational economist who posted on Mastodon. All economists on Mastodon are now at risk.
I believe that notifying you of this hack is for your own best interest -- Yale is now open to significant legal liability, and it's worth pointing out that at least one person has publicly indicated that the doxxing threats resulting from the hack have already resulted in sufficient psychological distress to require medical attention. Matt Wimble, cc'd on this email, is an economist with a PhD from Michigan State University. I recently published a statement from Wimble on Substack, which I will re-print here for convenience:
"I’m Matt Wimble. I discussed suicide on EJMR. I was included in the study without my approval or knowledge. Florian Ederer, AEA, NBER, Yale IRB, Yale, and all signatories have refused to provide me the human subjects paperwork which I asked for weeks ago. This triggered an episode which landed me in the hospital and broke up my family. I am an Eagle Scout and a good guy. You people [on EJMR], in your weird way, helped me to recover from a tenure denial and subsequent suicide attempt. I count 5 violations of the Nuremberg Code in their “exempt” study. My PhD is from Michigan State. I stand up for suicidal people. Sue me. I live in north Brookline (next to Boston University, where Florian Ederer now works) and offered to meet Ederer to discuss the hack. He is a coward… I’m from Detroit. Not a coward. My email is firstname.lastname@example.org. I should be out of the hospital in a few days and needed the healing. Zero responses from the authors. I’m moving back to Michigan to be with family, hopefully save my 17 year marriage, and heal my 8yo daughter who has a tremor now. Douchebags. All of them. Excuse my language. I am from Detroit and pissed off. Nice use of my tax dollars, and I bet a few of the authors have national security clearances. This is bad."
Why did you not respond to Matt Wimble when he asked you for human subjects paperwork? Once alerted of non-compliance with IRB protocol, I believe your institution is now obligated to investigate.
There are question marks about whether this suicide attempt could easily have been avoided if the Yale IRB had followed its own policies for responding to complaints.
I know there are many people in Matt's position right now but they are too afraid to speak up.
What if the doxxing pushes yet another mentally fragile person to attempt suicide? Is Yale okay with that? It's a serious question.
In addition to mentally fragile people, I am also concerned about e.g. Chinese and Turkish dissidents who posted criticism of Xi Jinping and Recep Erdogan on EJMR. Many of them are worried they will now be arrested, or put to death, for what they wrote on EJMR, since Ederer, Goldsmith-Pinkham, and Jensen's methodology can easily be reverse-engineered (especially because Yale produced 3 YouTube videos explaining how to do it!) by these authoritarian regimes to identify and persecute dissidents.
Again: If harm comes to someone else and it turns out that it could have been prevented by the IRB, Yale is open to further legal liability.
I look forward to your response. The most important question is: Why did you not respond to Matt Wimble when he asked you for human subjects paperwork?
Contributing Editor, The American Conservative