The Duality of EJMR
EconJobMarketRumors (EJMR) is a confounding website for the economics profession. On one hand, it has one of the highest concentrations of academic economists and economics grad students anywhere online, and gets millions of impressions per month. It hosts anonymous discussion boards where people share information about the economics job markets for regions and different disciplines of economics. It also hosts valuable conversations about economics topics - you can discuss research, ask for help on statistical methods, and more. Because the site is anonymous, there’s often frank discussion of which jobs are good and which departments are not, what people really think of research ideas, the unwritten rules of the profession, etc. The site clearly serves a useful purpose.
On the other hand, that anonymity also allows for some truly vile and bigoted content.
The site’s owner is anonymous and mostly unconcerned with this kind of behavior, so despite outrage from the community EJMR doesn’t appear to be going anywhere. For years it’s been a festering sore on the economics profession - it’s unsightly and gross, everyone would prefer it didn’t exist, and occasionally it leaks out into the real world… but ultimately it could be covered up and ignored most of the time.
Over the last two weeks, a new paper with the potential to de-anonymize EJMR posters has roiled the world of academic economics, upset the existing equilibrium, and caused fierce debate about the nature of doxxing.
Locating EJMR Posters
The paper in question is from Florian Ederer, Paul Goldsmith-Pinkham & Kyle Jensen and introductory slides can be found here. I don’t want to spend too much time on the technical details (they don’t matter that much), but gist of the situation is this:
EJMR usernames are a randomly generated string, which is generated from hashing the topic’s title and the user’s IP address.
Crucially, the site did not take the normal security step to ‘salt’ its hashes,1 allowing them to be reverse engineered by brute force. To oversimplify, you can try trillions of potential IP addresses and see which ones match. This takes hundreds of hours of specialized computing power, but it’s feasible.
The authors performed this brute force method and were able to pin down around 66% of EJMR posts to a specific IP address.
Some in the economics community applauded this move. They view EJMR as an embarrassment to their profession and would prefer the bigots who post there be exposed. They’re quite enthusiastic about EJMR posters being named and shamed.
Some even suggested that to be employed, economists should have to submit all social media comments for review during the job application.
Others took the opposite view. Tyler Cowen writes that the authors are behaving unethically and should retract and destroy their work. Itai Sher objected that some of those celebrating the paper were totalizing and draconian. Others objected to cases where posters may have shared mental health details, stories of abuse, relationships, or where posters live in authoritarian countries. It was also pointed out that anonymous posting on forums was key to uncovering several scandals.
(An important point - No one’s identity or specific IP address has been revealed to date. And it’s not clear that any individual’s identity will be revealed at any point. But it is clear that given the data set they have, the authors could identify some specific posters with their real world names if they wanted to.)
The economics profession has been fighting with itself over the past week about this paper. The central ethical question, once you strip away all the detail: When is it ok to doxx someone?
Nobody has a Consistent Ethical Theory for Doxxing
Doxxing (for those of you who are not terminally online) refers to revealing personal information about someone via the internet that they do not wish to be widely known. Abstracting away from our economics example, online communities have historically had a strong bias against doxxing. Especially during the early internet, anonymity was seen as a key feature of the web and a tool to allow truly free expression. These days, attitudes towards doxxing are more complicated (as can be seen from the split reaction above).
The reason this sort of discussion gets so heated and is so hard to resolve is that universal rules and principles almost all fall apart when you look at the details of how doxxing works in practice. Consider a continuum of bad behavior in an online forum:
Mildly rude but true comments
Very rude, questionably true comments
Edgy, politically incorrect jokes
Outright racism, sexism or other bigotry
Defamatory and false content
A dedicated campaign of harassment/threats
Swatting or maliciously doxxing another person
Planning acts of terrorism
Very few people would support a doxxing campaign against people simply making a few rude comments. And very few people would object to a doxxing campaign to reveal the identities of people planning acts of violence or terror.2 For virtually everyone, the answer to our dilemma seems to be ‘Doxxing is sometimes good and sometimes bad and it depends on how awful the people involved are’. This is an unsatisfying answer, but at least it’s kind of an answer. You can write your list of all the bad things, draw a line and say the ones above the line shouldn’t get doxxed and the ones below the line should. Easy, right?
Unfortunately, even this approach fails when considering how such things actually work. Consider the problems with just a few of the real world ways people would try to implement this:
“We’ll just draw a line at certain types of behavior and only doxx those people”
Who gets to decide where the line is, and judge which instances fall above or below the line? The world is usually gray, not black/white.
Is it even possible to only doxx certain users, or do you risk widely doxxing innocent parties as well?
“We’ll only reveal the identities of people who are doing illegal activities”
Does this mean you’ll reveal anonymous critics to authoritarian regimes who have rules against online criticism?
How will you judge what is illegal when the parties in question have not been found guilty by the legal system?
“We’ll have a central authority that makes these decisions with guiding principles from the entire profession”
Isn’t it in some ways worse for a large organization to doxx people rather than just a lone wolf individual doing it?
Doesn’t that risk entrenching bad norms? For instance, a central authority in generations past may have held women to different standards than men due to sexism in the profession.
“Fine, we’ll just say that nobody should ever doxx anyone, it’s too problematic”
If someone posts they are a tenured professor who purposefully fails all their Indian students because they hate Indian people, are you actually going to be upset if that person’s identity is revealed and they’re forced to resign? Really?
This is just a small slice of the thorny ethical questions at play here. If you are exposing a racist poster, do the ethics change if your methods are “hack their website and steal information” vs “visually notice them posting from their laptop in the classroom”? Does it matter to what degree you doxx them - revealing IP addresses vs names vs job and home address? What if someone who has made anonymous racist remarks is the same person as someone who exposed sexual harassment from a colleague?
I don’t have answers to these questions, but what I notice in the debate over doxxing is that nobody else does either. As best I can see, nobody taking any position in this debate has a consistent ethics of doxxing. To me this seems like the consequence of how recent this all is - doxxing is a new phenomenon and it takes time for us to figure out the right ethics for a new kind of harm. Contrast this with something like the morality of physical violence. When violence is ethical is a very well studied problem in moral philosophy, and a Google Scholar search provides more than 3 million hits on the topic. Not everyone agrees3 on the correct ethics of violence, but there are absolutely coherent models on the subject with serious intellectual consideration behind them.
Doxxing, as a new kind of harm, simply doesn’t have those well-developed ethical theories yet. I see a lot of discussion on the subject without much acknowledgement of that fact. Until we do have better theories of when to doxx, we’re going to be stuck with case-by-case fighting and interminable debates about whether or not specific instances are bad enough to justify doxxing.
To be clear, this is egregiously terrible security on EJMR’s part.
There may be a few lonely souls who insist on the ultimatums that doxxing is never or always good, but I’m not going to spend any time grappling with what seem to be obviously absurd positions.
Moral philosophers, famously known for agreeableness and non-pedantry
retvrn to r/be
I'd say that in the cyber security sense, the paper authors should have done a responsible disclosure to the ejmr security team or not. But to publish a "zero-day" is not ethical.