March 09, 2005

Lesson Learned from the Harvard "Hacking"

By now I'm sure we've all read the account of Harvard denying admission to 119 prospective students who accessed information in their own Harvard Admission accounts because Harvard considers this behavior to be unethical.

Unfortunately, the lesson learned by the rejected students will not be the one intended. Rather, it'll be that, as an executive, when you're caught with your pants down around your ankles, you quickly shift the blame for the fuck-up onto someone else.

Harvard accuses these students of "hacking" into information that they had no right to access. What was the nature of the "hacking?" Simply backspacing on the URL within their account. There was no attempt to access restricted directories, there was no password generator used, there was no subterfuge in attempting to get information from secretaries.

The Harvard Administration placed the student acceptance letters into an open directory without password protection. Now, if they're smart enough in the ways of the internet to be able to read logfiles and determine who accessed which page, then they're damn well smart enough to know that they should be placing sensitive information into folders with some security attached, and that counting on people being ignorant of backspacing is not a form of security.
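An added example (not part of the original post, and not Harvard's code) contrasting the open-directory model described above with server-side checks that do not depend on a URL staying unknown. The letter IDs, release date and function names are hypothetical, constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data: IDs, letter text and release date are hypothetical.
LETTERS = {
    "applicant-1001": "Decision letter for applicant 1001",
    "applicant-1002": "Decision letter for applicant 1002",
}
RELEASE_AT = datetime(2030, 1, 1, tzinfo=timezone.utc)  # assumed release time


def serve_unprotected(letter_id):
    """'Open directory' model: whatever exists is served to whoever asks.

    The only thing keeping a letter private is that nobody has been
    told its URL yet, which is not an access control.
    """
    if letter_id in LETTERS:
        return 200, LETTERS[letter_id]
    return 404, ""


def serve_protected(letter_id, session_user, now):
    """Every request is checked on the server, regardless of how the
    requester came to know the URL."""
    if session_user is None:
        return 401, ""  # no authenticated session
    if letter_id not in LETTERS or letter_id != session_user:
        return 404, ""  # same answer for "missing" and "not yours"
    if now < RELEASE_AT:
        return 403, ""  # the owner, but the decision is not released yet
    return 200, LETTERS[letter_id]


if __name__ == "__main__":
    early = datetime(2029, 12, 1, tzinfo=timezone.utc)
    # The applicant's own letter, requested before the release time.
    print("unprotected:", serve_unprotected("applicant-1001")[0])
    print("protected:  ", serve_protected("applicant-1001", "applicant-1001", early)[0])
```

The release-time check is the one that matters for the situation in this post: the requester is authenticated and is asking for their own record, so only a server-side gate on publication keeps the letter closed until it is meant to be read.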

Here's a rundown on how you too can hack the Harvard system. I've participated in some discussions on this where it's been argued that the information that these students accessed was similar to a file folder left in a private office, or a medical chart on a nurse's desk, and that the rejected students didn't have any right to look at those files. These types of examples use situations where there is an expectation of privacy that has been violated.

I've countered that the more appropriate analogy is one where you are instructed to read page 67 of a magazine in a library, but on your own initiative you also read page 68, completely unaware that this is a punishable offense. Upon learning of your transgression of reading more than you've been directed, the instructor takes disciplinary action. In this scenario, the information is publicly available and while you're going beyond your instructions, you're not really reading anything that you shouldn't be reading. Or to put it more colorfully, as you're walking down the street you're told to look up into an office window to see a banner that's on display. When you purposefully glance at the window next to the one with the banner you see a naked person and upon learning of what you saw, your companion smacks you upside the head for your "unethical behavior" of seeing something on public display that he didn't instruct you to see.

Harvard's ass-covering is the result of their having a fundamental ignorance of the open nature of the internet. It is this very openness which allows Google and other search engines to crawl through a website's directory structure and to catalogue and index the entire site.

Further, if one really wants to get finicky about this issue, we can turn to the question of how to interpret the public/private aspect of information. Did the student's admission status become public once it was placed into an open directory, or only days or weeks later when the student was informed of the specific URL? The actions of the Harvard Administration are easily seen as supporting the contention that the information was public because it was placed in the open.

Cover your ass and shift the blame. Yep, an expensive lesson learned, indeed. In fact, these resourceful students, who know the lay of the land in which they operate, are precisely the types I like to hire. I suppose though, that it can be argued that these students erred in assessing which environment they really were operating within.

Posted by TangoMan at 06:38 PM