So...
Did he get the job?
US-CERT has issued a warning that DomainKeys Identified Mail (DKIM) verifiers that use low-grade encryption are open to being spoofed and need to be upgraded to combat attackers wielding contemporary quantities of computing power. You might think this is no big deal – after all the value of strong cryptography has been …
quote: "It's not against the law to spoof an e-mail"
Arguably fraud? Also, I am unsure where the varous computer misuse type legislation stands regarding deliberately factoring Google's 512-bit key, when the content is "just" an email, but the intent is to enable spoofing of a "secured" email domain.
I can see an unlucky person facing criminal charges, given just how far-reaching some of the computer misuse legislation can be :(
Fraud subpoena maybe, court trial doubtful.
Given his field, his reasons, and his actions, I don't think it rises to the level of "meant to deceive" required by fraud. He does appear to have been wrong in his initial assumption that it was a creative recruiting technique, but given that assumption, his response seems reasonable if unorthodox. Of course his biggest protection is that he performed other research and reported it to CERT.
Absent those, yeah, subpoena and time in the pokey would likely be in order.
DCMA angle is a tough call. It would certainly be easy enough to file the charges. But in this case because of the way the fraud charges would work, I think there would be as much risk to DCMA as there is to him. Oh, the initial trial might be a slam dunk for the prosecution, but the inevitable appeal might get DCMA declared unconstitutional.
Fraud - in the US at least - is an intentional deception made for gain or to damage someone else. Self promotion could, on a stretch, be seen as an attempt for gain but that argument is, IMHO, a stretch. According to the Wikipedia definition I think this would be categorized as a hoax.
DMCA *should* be limited to DRM cryptography used to protect copyrighted material. I'm not sure I can see any copyright angle here, and I am not aware of any cases where DMCA has been used with no copyright angle whatsoever... which would make this, IMHO, also a stretch.
I do seem to recall a case of Facebook impersonation (person X logged in as person Y and did bad things) being pursued as ID Theft... and I'm not sure how it ended up. Maybe that one?