March 10th, 2005
beware, tech savvy folks!
Over at Volokh, Orin Kerr muses about the Harvard B-School hack, eventually concluding that what these students did wasn’t worth the punishment they received (rescinded offers of admission).
He bases his opinions on this post by Phillip Greenspun, which compares what the the B-students did to going up a level in the directory hierarchy and, voila!, finding their information. Now, I’ve seen a few other suggestions that indicate it wasn’t quite so simple as that—but it was certainly not beyond anyone familiar with using a browser, and certainly not a true hack. Some manipulation of some values might have been required to get to the desired location, but nothing more complex than that.
So, OK, it was a fairly easy backdoor that these people took advantage of, and they were punished for it.
Now, last night on NPR, the dean of admissions at MIT, which also had some students derailed by this mess, stated that they felt this act was ethically equivalent to breaking into the physical admissions office and finding their paperwork. Well, that’s called breaking and entering, and is a crime. According to Prof. Kerr, what these kids did would not be considered a crime—they essentially just visited a live-but-unpublished webpage.
So I’d say a better analogy is that this was more like wandering down a hall where you know admissions offices are and randomly trying for unlocked doors. And when you find one, you go in and start scrounging around on desks for the file folder with your name on it. Still ethically questionable—after all, you have to know you’re not really supposed to be in there—but certainly not illegal. The door was open! You just happened to come upon it! And look—my admissions decision is sitting on that desk right there!*
I don’t know the full extend of Harvard’s punishment for their 100-something admittees, but MIT apparently will let their group of 30-something reapply next year. That actually seems quite fair to me. They made a bad decision and got caught. That’s not to say the institutions themselves aren’t overreacting just a bit, but we should consider that, just like Heidi did, the finder of the original weakness could always have alerted the company first. Instead, that person spread the word.
*I’ve heard some rumors that Georgetown law school is considering similar punishments for students who access the admitted students’ site before receiving their actual letters of admission. I think this is hooey because how can they know how long it takes to get the letter in US Mail? If you have information to the contrary, I’d love to hear it; otherwise, if you’ve seen it on the boards, I think you can discount it.
comments
Yeah, I’m sympathetic to the students–the anxiety surrounding admissions can be gut wrenching. And they didn’t really “hack” anything.
But I heard Schmalensee on NPR yesterday as well, and I think he’s right that it did show poor judgment on the applicant’s part. And that’s whey they’re being rejected this year–but not barred from reapplying. I think that’s very fair, all things considered. (No pun intended…
I feel for those b-school applicants. Not because the anxiety of the process, but because I would have tried the URL just out of curiosity to see if it really worked. I may have decided that being a professional geek isn’t for me, but I’m still enough of one to think hacks like this are interesting and want to try them out for myself. Besides, they just saw their own info a little early; why is it a secret, anyway?
I would say even your analogy would require more effort than what these students did. It’s more like if someone said, “Psst, Kristine, I heard that if you call this number, you can get your admissions decision early! It’s not supposed to be set up for a few weeks, but they put it up early and didn’t publicize it, and it works!”
Wouldn’t you call? I would. And I wouldn’t think there was anything wrong about it.
It’s hard to say in retrospect, but I am not sure I would have tried the URL, mostly because I think I would not have been comfortable with the means of finding out the method—a message board. If I had figured it out on my own (or if a friend had told me about it), I probably would have tried and wouldn’t have worried too much. But with that many people knowing about it…it seems like that would invite scrutiny, and that might have made me think twice about whether I’d do it if I knew the school would find out.
So, yeah, I think the schools are overreacting a bit, but I also think the students were thinking more about, “What’s good for me?” than “What’s the right thing to do in this situation?” It’s very sticky, and I do feel for the students—they’re suffering the consequences of something that people do all the time without considering the ethics of it.
The biz-school hack that wasn’t?
Did MBA wanna-bes applying to Harvard and MIT really hack the system to find out how their applications were progressing? I wonder, now that I’ve read this post by The Volokh Conspiracy’s Orin Kerr, whether it’s a simple case of