A Sense of Proportion

by John Adams

That’s what’s missing in the brouhaha about college applicants who took advantage of poor security to peek at confidential information.

In one corner, we have overwrought commentary, like this gem from Patricia Keefe, editor of Information Week:

> Hacking isn't just wrong, it's a crime. As noted by MIT dean Richard Schmalensee, the students who peeked made a conscious decision to do so and invested the necessary time. Their self-interest trumped their personal ethics. And that's what this incident really turns on. The last thing we need in this country is more unethical people coming out of business schools. Haven't we learned anything from the last two years of corporate debauchery and scandal?...
>
> If these schools don't take a stand now, to what standard will they later hold these students? If these schools really believe ethics is a serious matter, then they need to reject the students who hacked.


If what those students unwisely did was criminal, then the universities should be prosecuting them. They aren’t.

It’s even a stretch to call what the students did hacking, but that’s to be expected from a business publication. Most corporations are actively distrustful of, if not hostile toward, their IT departments. It’s a not entirely rational idea which, for instance, drives much of the fervor for outsourcing. The business computing press, which should know better, expresses this point of corporate ideology by confusing cracking with hacking. Post-dot-com-boom, management believes that hackers in the original sense of the word are bad, so why not conflate them with crackers? They’re bad, too.

The off-with-their-heads brigade is balanced, if that’s the word, by the unlocked-doors-are-an-invitation-to-enter crowd. Here’s brian d foy, writing here in his weblog:

> ...They weren't being sneaky or trying to get information on anyone else other than themselves.
>
> The information each student needed to get to the application status was gladly given to them by the web pages they were already allowed to view. I don't see any "hacking" here.
>
> Harvard Business School calls this "unethical". Most businesses would call it "resourceful", but that's just another way schools and reality diverge...


How can you say someone isn’t being sneaky who is trying to get information before it’s been officially released? Who is using a hack (not much of one, granted) to peek at information they aren’t supposed to have?

The anthropomorphism of “gladly given to them by the web pages” (web pages aren’t glad--that’s human) hides the underlying issue that the people in charge of admissions information--which is information about both the student and the university, so the students were not just looking for information about themselves--intended for the students not to have that information at that time. The university personnel involved weren’t a bit glad.

As for businesses calling this “resourceful”, I’m thinking about what would happen at, say, a telecom company where a “resourceful” employee took deliberately separated data and reporting about, say, local service and long distance service, and then aggregated them to get sales leads. That would be resourceful as long as no one knew about it, but once the FCC realized that information which, by law, is not supposed to be aggregated had been, the consequences could be substantial. We’re talking millions of dollars in penalties here.

So, back to that sense of proportion. What these applicants did was wrong. It’s just not so wrong as to be a disqualification.

What they did wasn’t that different from what I do when I get a malformed URL to a news site--if I feel it’s justified, I poke around by altering the URL and seeing whether I can find what I’m looking for. What’s accessible on a public server is probably intended for public viewing, and trying to find that isn’t unreasonable--I’d even call it resourceful. In this case, though, the applicants who peeked were consciously trying to find out information they knew (or should have known) was intended not to be public.

What would be proportionate?

Well, what are the universities doing internally to the people responsible for the information leak? Are they firing directors of admission? Are they terminating contracts with ApplyYourself, or suing them for exposing private information? If so, then perhaps rejecting otherwise qualified applicants is fair. Are they doing so? If they are, I haven’t heard about it.

Are there “lessons learned” sessions for university employees who contributed to this screwup? There should be--and perhaps the applicants who peeked should be a part of those sessions. Maybe they should have to show up for school a few days early and spend some time living in the real world (ha!) of meetings and get their head cheese processed. That’s more reasonable, more fair than outright rejection.

The admissions departments might learn something about proportion from this process, as well. At prestigious schools, the admissions process has been turned into a circus. (Again, this comes down to corporate ideology, this time intruding itself into academia.) The process of admissions is deliberately and unnecessarily mystified, and some brave university that hasn’t yet been stampeded into Fudd-like “Kill the wabbit hacker student!” reaction should take this as a wake-up call to make admissions more transparent.

If Empire State decides in January that it might be best not to admit both Reed Richards and Victor von Doom, and that, as von Doom is a legacy student, Richards needs to make do with MIT, then what is the point of making Richards wait until April to hear about it? Mystique, hoopla, and branding--that’s all. There’s no educational purpose served by stretching things out--it’s inter-university corporate gamesmanship, the educational equivalent of what I saw succinctly described on Slashdot as “marketecture”.

Universities should also examine whether the corporate ideology that drives much outsourcing in business is affecting their decisions about outsourcing, say, parts of the admissions process. Is it really necessary to have a company handle your admissions for you? Is it an appropriate way to deal with sensitive information? Mightn’t that be better handled in-house? Or through a cooperative effort among universities? Perhaps an open-source system for handling admissions, peer-reviewed with security and privacy in mind, might be in the interest of both the universities and the applicants.

What the applicants who peeked did was wrong--no security model doesn’t mean no obligation to act ethically--but the greater wrong was committed and the greater harm done by those who allowed confidential information to be exposed, and there’s where the primary obligation to act, to repent, to reform lies.

Did you peek at my draft of this weblog before it was published? If you could have, would you have done so? If you had, should I have been offended?


19 Comments

brian_d_foy
2005-03-12 17:53:08
And I respond...
I say that the web pages "gladly given to them" because the web server didn't do anything to get in the way of the access. Given the URL, it displayed the results. The applicants didn't have to go through any tricky schemes to fool the web server into doing anything.


I can say they aren't being sneaky because they used their own accounts to get the information about themselves. That's how Harvard knows who they are, after all. To get the information, they had to log in to their previously established account.


I don't think that unlocked doors are an invitation, and I think that's a bit unfair in this case. People are used to fooling with URLs to get to information they need. Every day I paste, type, or modify a URL in my location bar. Most days, I don't enter unfamiliar private buildings or structures through unlocked doors without a clear invitation. The analogy doesn't hold because people have different patterns of behavior in the tangible and web browser worlds. In the web browser world, the information is out there and you just have to find it, and people do all sorts of things to get to it (often because site navigation is a disaster).


Your example about the telecom's employee is irrelevant too: he's broken the law. As you say yourself, no one is claiming the applicants in this case did anything illegal. I'm not encouraging people to do anything illegal, and it's unfair of you to characterize my statements to mean that. Illegal is illegal, and it's pretty clear what that is because it's defined by laws. I don't see any laws covering the ApplyYourself though, and I don't see any law enforcement involvement. Breaking the law is clearly a problem, but I don't see anyone talking about broken laws in this story.


Still, the reaction is all out of proportion, and my post reacts to that. Despite our disagreement about the bits in the middle, I think our conclusions on responsibility are the same. :)

aristotle
2005-03-13 02:07:24
Proportion, indeed.
MIT should be prosecuting for gross criminal negligence the incompetent dilettantes who took a boatload of money for writing an application that neglects to make even the most basic security checks whatsoever.


MIT should also announce all other admissions and rejections already decided to level the playing field. The students who peeked by following the posted instructions should have no repercussions at all. Blake Ross opines that the number of students who helped themselves was probably bounded by how quickly word could get out, and there is little doubt in my mind that he is correct. Whoever posted this trick publicly should be dinged by whatever measure is deemed appropriate, not for peeking, but for disclosing this information without due notice to those responsible for the application's security. Of course it's wishful thinking to believe that the administration would have thanked him for the lead rather than shooting the messenger, so he didn't have much incentive to handle this correctly anyway.


Very few people outside IT seem to understand IT security (or even security in general) and can take a more meaningful stance to it than reactionism. That's not to say that understanding of IT security is all peachy keen among those who find themselves in IT (or compound fiascos like the one we're talking about wouldn't happen). It's to say that the distribution of competence goes from depressing inside the field to terrifying outside it.

adamsj
2005-03-13 07:01:47
Proportion is a two-way street
brian,


Do you not see anything ethically questionable about what the applicants who peeked did?


I don't see anyone wholly innocent here (except maybe the one poor candidate who gave a spouse account information and discovered the next day that said spouse had peeked).


I, too, muck around with URLs sometimes, but I do so with the consciousness that I'm at risk of crossing the line between harmless, creative poking around and Doing Something Wrong.


True fact: My credit union's website's links to pdfs of loan application forms were broken. I viewed the directory to find them. Not an ethical problem for me--that's information they intended me to have and didn't give me due to an oversight or an error. If I'd discovered preliminary loan decisions in the same place, surely it would've been at least a little wrong to peek at mine.


(And yes, they would have been incredibly wrong to put the information out there in such a carelessly vulnerable manner, which has nothing to do with my own culpability.)


Like animals and Invisibles, all web servers are equal, but some web servers are more equal than others. Humans are supposed to make distinctions that lower forms of life, like browsers, can't.


Anyway, my goal in writing about this is to agitate for these two things:


  1. For these schools to be shamed into admitting they overreacted and to make a more reasonable decision about the students they're rejecting just because of peeking

  2. For these schools to consider what inappropriate qualities in their admissions process help bring out this sort of behavior


I don't think that insisting that the students are complete innocents in the matter will help bring either of those things about, nor do I believe they are complete innocents.


At the very least, they've got bad manners.


If I were at home, I'd look up one of our copies (yes, we're a geek family--we average about three copies per Heinlein title) of Space Cadet and quote a chunk from the admissions process:


One of the tests prospective students undergo is to go into a room with an empty bottle and a cup full of beans. Then they are to set the bottle out in front of them at arm's length, close their eyes, and drop the beans, one by one, into the bottle. The protagonist gets one bean into his bottle. Most of the students get similar results, but a few show up with bean-filled bottles.


Those few are among the ones who aren't admitted. Seems fair to me.


P.S. I've seen an interesting point raised elsewhere: These schools are suggesting by their actions that ethics can't be taught. That's not true, and they should be ashamed of themselves for suggesting it. If they truly believe these people did something unethical (and I agree they did), then they should teach them to do better. If they can't teach that, they're in the wrong business.


P.P.S. The students' behavior is slightly unethical but not of great consequence or interest, except to themselves. What's more important is what the universities do.

brian_d_foy
2005-03-13 09:57:52
Proportion is a two-way street
I'm specifically skirting the ethics question because it doesn't make sense to talk about something which nobody can define. Ethics isn't some grand set of rules in a book somewhere, and although you can teach a particular system of ethics, not everyone uses that set.


I've also not made a judgement on the students. In my original post, I simply said I didn't see any "hacking" in their activities. I can't speak to their ethics because I don't know them, their intent, or how they came across the magical link. I can't make any ethical judgements because I don't know any of the right information in the individual cases.


I've also never said the students were "innocent", and I'm not "insisting" that they are. You want me to choose sides, and that's not fair. You've already decided the students are guilty, and have been coloring what I say to support that.


My point remains: Harvard Business School is over-reacting and information that is available will leak out. Blame ApplyYourself.

shiflett
2005-03-13 10:55:50
Proportion is a two-way street
Your biggest problem isn't the stance you've chosen but the poor logic you use to defend it. Comparing someone who visits a public URL to someone who cheats (dropping beans in a cup or otherwise) makes no sense.


In fact, brian seems to be the only one with the "sense of proportion" here, but that's just my opinion.

adamsj
2005-03-13 12:58:05
What's public about a roll-your-own URL?
Let's define, if possible, public URL.


I'd think it's a URL which I, as a site admin, intend to be accessible to and used by the public.


Perhaps I give the world as a whole a static URL, or perhaps I assemble it dynamically for each user. In any event, it's a means through which I point to information that I intend to be public.


I don't think the situation as described is about a public URL, under that definition. This is a URL neither provided statically nor built dynamically at the site, but assembled out of session information and used to point to a document I don't intend to be public. It's not a malfunction of the link-generating process served to a user, but a user avoiding my intent as the site owner.


In isolation, that act sounds wrong. Put it in context, and its ethical content can change.


In this context, I don't think it's particularly wrong. In itself, it's a minor lapse, not signs of a damaged character. I wouldn't call any of these applicants guilty of more than poor judgement.


That's still wrong, just not so very wrong as the universities are saying.


Understanding new and unusual ethical issues is one of the greatest purposes of education, and these universities will be cowardly not to accept this as an educational opportunity. Instead, they're exaggerating this minor ethical lapse on the parts of applicants to distract attention from the major ethical and professional lapse they made in putting information out in an insecure way.

shiflett
2005-03-13 16:17:46
What's public about a roll-your-own URL?
Disclaimer (that I should have mentioned before): I only know what I've read in brian's blog and now yours. My interest is only in the way that a user accessing a URL is being described as unethical.


> I'd think it's a URL which I, as a site admin,
> intend to be accessible to and used by the public.


You've certainly identified where our perspectives stray. :-) Trying to determine the intent of the site admin isn't part of my definition.


I don't think it makes sense for anyone to be second guessing anyone else's intention when it comes to something so clearly defined as URLs. I request a URL, and if I am allowed to view the resource to which that URL refers, I am shown it.


To me, this is even different from manipulating the raw HTTP request or something in which the user is attempting to make the server or application misbehave (even though I think it can be argued that this is also abiding by the rules). A URL is a very simple and understood interface - one perspective is that it's the public API to your web application. A user should be able to request any URL the user chooses.


If the user chris finds himself at a URL such as http://host/profile?user=chris and then proceeds to request a URL such as http://host/profile?user=john, then I can understand some ethical concerns, but my personal ethics still find such an act to be clearly in the white. Why? In order to consider such an act to be unethical, I would have to assume malicious intent, and I don't think it's wise to make such an assumption or generalization, especially concerning someone's intent.


Stated differently, I think these ideas are separate. If someone visits a URL, and that act alone is being used to judge them ethically, then I see a big problem. In this case, it seems especially flawed, because the judgment is based upon a flaw that has nothing to do with the person being judged.


Are all the users who visited the forbidden URL necessarily innocent? No, I don't think it's wise to assume that either, for exactly the same reasons.
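
The `profile?user=` request from the comment above, and the session-assembled URL described earlier in the thread, seen from the server's side. This is an added example, not part of the original thread and not any vendor's code: it contrasts a handler that serves whatever the URL names with one that checks ownership and a release time on every request. The `/decision` path, the records, the release date and the function names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Decision:
    applicant: str
    outcome: str
    release_at: datetime  # moment the owner intends the record to become visible


# Constructed sample records; the release date is invented for the example.
RELEASE = datetime(2005, 3, 30, tzinfo=timezone.utc)
DECISIONS = {
    "chris": Decision("chris", "admit", RELEASE),
    "john": Decision("john", "deny", RELEASE),
}
BEFORE_RELEASE = datetime(2005, 3, 2, tzinfo=timezone.utc)
AFTER_RELEASE = datetime(2005, 4, 1, tzinfo=timezone.utc)


def requested_user(url):
    """Return the single ?user= value from the URL, or None if absent or repeated."""
    values = parse_qs(urlsplit(url).query).get("user", [])
    return values[0] if len(values) == 1 else None


def handle_naive(url, session_user, now):
    """Login is required, but the URL alone selects the record.

    Nothing links the record to the session or to the release time, so the
    only thing keeping a record private is that nobody has typed its URL.
    """
    if session_user is None:
        return 401, "login required"
    decision = DECISIONS.get(requested_user(url))
    if decision is None:
        return 404, "not found"
    return 200, decision.outcome


def handle_checked(url, session_user, now):
    """Same route, with the owner's intent written down as server-side checks."""
    if session_user is None:
        return 401, "login required"
    user = requested_user(url)
    decision = DECISIONS.get(user)
    # Missing and foreign records get the same answer, so the response does
    # not reveal which applicant names exist.
    if decision is None or user != session_user:
        return 404, "not found"
    # The record exists and belongs to the caller, but is not yet released.
    if now < decision.release_at:
        return 403, "decision not yet released"
    return 200, decision.outcome


if __name__ == "__main__":
    own = "http://host/decision?user=chris"
    other = "http://host/decision?user=john"
    for handler in (handle_naive, handle_checked):
        print(handler.__name__)
        print("  own record, early :", handler(own, "chris", BEFORE_RELEASE))
        print("  other's record    :", handler(other, "chris", BEFORE_RELEASE))
        print("  own record, later :", handler(own, "chris", AFTER_RELEASE))
```

With the checked handler the question of what a visitor may infer about the site owner's intent does not arise for this route, because the answer is enforced per request rather than left to which links were published.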

uche
2005-03-13 17:03:11
What's public about a roll-your-own URL?
Strongly agreed. I think that without intending it, Adams uses logic that would fit well in Kafka's _The Trial_.


Just to take the "wots a public URL bit", very often, when I use my browser to "copy link location", I end up with "http://example.com/index.html". If I am pasting that URL into an e-mail message, I often truncate to "http://example.com/" for brevity. By Adams's test, if I go to that site to make sure the truncated URL works as I expect, I'm committing an unethical act. I have no way of knowing whether the Webmaster intended the truncated form to ever be addressed.


I also very often try to remedy broken links by stemming the broken URL "http://example.com/a/b/c.html" until I can perhaps figure out where the document moved to. Perhaps I try "http://example.com/a/b/" and see whether I can find anything on that page that looks like a link to c.html, and so on. Again, the "Webmaster intent" test makes this a possibly unethical act.


I think this is nonsense. Any definition of Web user ethics that requires understanding of Webmaster intent is broken.


I also agree that Adams's analogies of culling illicit contact information and of cheating on the bean-dropper test are horribly disproportionate in themselves. There's no such thing as a precise moral ruler, but it's obvious, I'd think, that nothing the Harvard applicants did rises even close to the level of those acts. No. Not even the guy who leaked the leak.

adamsj
2005-03-14 08:46:48
See, there's the thing...
Hi, shiflett,


I think you're right to say this:

> You've certainly identified where our perspectives stray. :-) Trying to determine the intent of the site admin isn't part of my definition.


When a site has a static URL posted on it, you don't have to worry about the intent of the site admin or the site owner. If a site serves you up a dynamic URL, same thing. In either case, if the URL points you to information which the people responsible for the site didn't intend for you to see, their intentions don't matter--their actions do--and you don't have to think about intent.


When you do things outside that area, thinking about intent matters. Since you don't have explicit instructions saying "Look at this here!" you're at greater risk of going wrong.


So when you say this, I agree with what you say but not the conclusion you draw from it:

> If someone visits a URL, and that act alone is being used to judge them ethically, then I see a big problem. In this case, it seems especially flawed, because the judgment is based upon a flaw that has nothing to do with the person being judged.


There's the thing:


In this case, the students and the university had an agreement: Admissions information would be disclosed to everyone who'd applied, as the university finalized their admissions decisions.


Students who peeked at their admissions information early got an advantage over students who didn't, and they did it by breaking an understanding between themselves and the schools.


Unlike almost anyone else accused of "hacking" in a similar circumstance, these people actually did something unethical--not in their technical steps, but in the intent which laid behind them:


They knew, or should have known, they were seeking out information which would break an agreement between themselves and the universities to which they'd applied, an agreement which applied to all the students equally. They knew, or should have known, they were getting, or trying to get, an advantage over the other students by breaking that agreement.


An odd thing: As I go deeper into the details of this incident, the less sympathetic I'm getting toward the students--not that it excuses the schools and ApplyYourself one bit.

adamsj
2005-03-14 09:07:53
I do this, too, but with the awareness I might do something that was wrong
Hi, uche,


I do the sort of stuff you describe with broken URLs too, and I almost never worry about what I'm doing might be wrong, but I am aware that possibility does exist.


If I were using session info to generate my own URL to peek on a server I knew contained information which those who put it there and I had agreed I'd see only when they were ready...


...well, I'd sure understand if they said I was in the wrong. And I can imagine my doing this sort of thing. I can imagine times when I'd say "So what?" and other times when I'd say "I'm really sorry."


This is a time for "I'm really sorry" on both sides. The applicants who peeked were a little wrong--the universities and ApplyYourself were dreadfully wrong.

brian_d_foy
2005-03-14 10:22:24
See, there's the thing...
What advantage did any of these students gain? At that point, all they could get was an answer. They wouldn't be able to change the decision for them or for anyone else.


What agreement did these students have with the university? Why not show everyone what it is? Or, are you simply inferring this based on what you think is true?


Do you know any of the students? Have any of them told you their intent? I've only seen discussion of one individual: the guy who figured it out and posted the method to BusinessWeek. Are you guessing about the intent of other students?


I already know that we disagree, but if we are going to debate this, let's do it based on facts, and not unfounded assertions. You can say that you think what the students did is wrong, and that's fine. You can't make up evidence to support it though.

shiflett
2005-03-14 16:11:27
See, there's the thing...
> In this case, the students and the university
> had an agreement: Admissions information would
> be disclosed to everyone who'd applied, as the
> university finalized their admissions decisions.


I wasn't aware of this agreement, but even under the assumption that this is true, I still think it's a weak excuse for the unethical label being applied to these students.


If an athletic coach, at the end of team tryouts, mentions that team selections will be posted in the gym on Monday morning, is it necessarily unethical for someone to check on Sunday night?


There's an assumption of malicious intent that I'm not able to understand.


Of course, perhaps it's because I'm just as guilty as these students. Back in 2003, I registered for OSCON before any other speaker, because I thought I had missed the email with the registration URL (it was a few weeks after it was supposed to have been sent). Clicking "speaker registration" took me to a URL that ended in something like speaker_ref.html (which said the real URL would be emailed to us), so I tried speaker_reg.html. It worked, and I registered. It wasn't until Vee emailed me later that I realized she was just a little behind on emailing us, so I hadn't actually missed anything.


I spoke at OSCON 2003. It's a good thing O'Reilly doesn't share your perspective concerning URLs.


Later the same year, I did something similar. I read on Jason Purdy's blog (http://use.perl.org/~Purdy/journal/14492) how to use IRC to check to see whether an ApacheCon talk was accepted. So, I checked, and I was happy to see that my talk was indeed accepted. It wasn't until reading Apache Week (http://www.apacheweek.com/issues/03-09-05) that I realized that speakers weren't supposed to know the status of their proposals yet.


I spoke at ApacheCon 2003. Luckily, the ApacheCon organizers don't share your perspective concerning advanced knowledge of acceptance status.


> Students who peeked at their admissions
> information early got an advantage over students
> who didn't, and they did it by breaking an
> understanding between themselves and the
> schools.


I do not understand the advantage you speak of.


> Unlike almost anyone else accused of "hacking"
> in a similar circumstance, these people actually
> did something unethical--not in their technical
> steps, but in the intent which laid behind them:


This is where I find the greatest fault with your logic. I think it's very unwise to assume malicious intent, especially when a visited URL is the only information you're using to make such an assumption.

adamsj
2005-03-15 05:21:37
The advantages of being early
Hi, shiflett,


There are lots of advantages to being early.


If you're going to a conference, you get an advantage in scheduling your time further in advance. You get first shot at the best rooms in the hotel (a limited resource) and the cheapest air flights (also limited). You don't have to wait or worry about turning down a conflicting invitation. You get more time to work on your presentation, more time to prepare.


There's a similar set of advantages in getting admissions information early.


And again, I'm using more than "a visited URL...to make such an assumption" of bad intent. I'm using the context in which the URL was used and the method through which the URL was created.


Universities are supposed to teach a basis for ethical judgement. If they see what looks like unethical behavior on the part of prospective students, why shouldn't they react?


It's the inappropriateness of the reaction that I'm concerned about. I'm getting less convinced that the schools overreacted, though--the applicants who peeked really were in the wrong.

adamsj
2005-03-15 05:35:54
Agreements and intent
Hi, brian,


I explained what I thought about advantages above.


The agreement between schools and applicants is that schools say when admissions decisions are reached and applicants are notified. Applicants agree to that and other rules by applying.


Intent is murkier. I'm looking at it from the point of view of someone charged with making the admissions process as fair as possible. From that point of view, given that you can gain an unfair advantage by peeking, I'm going to assume the worst. It's their responsibility to convince me otherwise. That's a risk taken by anyone who colors outside the lines.


I'll say it one more time:


This is an opportunity for these schools to teach ethics, not compete in tough guy contests.


Any idiot can be a bouncer, throwing out people who do something not in the rulebook. All that takes is size, strength, and willful stupidity. Universities should strive for something better.

brian_d_foy
2005-03-15 15:37:56
The advantages of being early
If you are already planning on going to the conference, none of these are advantages. Hotels normally give out rooms when people arrive, not when they book, and conferences block out sets of rooms regardless. Cheaper air fare hardly means much more than 14 or 21 days from travel. Cheap flights are hardly limited as air carriers are practically begging people to fly. If you are already going to the conference, you aren't making other plans.


Your argument is embarrassingly weak and uninformed. If this is the advantage you think students got, I don't see how you think Harvard is not overreacting.

brian_d_foy
2005-03-15 15:42:00
Agreements and intent
I'll say it again: you don't know what the agreement is because I think you're pulling it out of thin air. Show us the agreement. Show us what the students agreed to. An "unspoken agreement" is no agreement at all.


There is no advantage to getting an early decision in admissions when the timeliness of the decision does not affect anyone else. It's just the opposite: students who would have looked, but didn't because the hole was shut down, now compete for 119 open slots. It has nothing to do with the ethics of the applicants: just who was able to peek and got got. Plenty of students who would have peeked still got in.

adamsj
2005-03-16 01:54:47
Not much advantage in this case...
...because I was working off the example given.


You're right to say there's not a lot of advantage in this case. Still, what if the deadline for committing to ETech comes before you hear about South by Southwest? Or vice versa?


In the case of university admissions, the stakes are higher and the advantage is considerably greater. In the case of Harvard, the advantage is significant. Look at the FAQ page at Common Application: http://app.commonapp.org/index.cfm?APP=AppOnline&ACT=Display&DSP=FAQ Notice that Harvard and Yale don't do what everyone else does with the Early Action and Early Decision programs.


By the way, where did you get the idea I thought Harvard wasn't overreacting? They are. That's not incompatible with the idea that the applicants who peeked at their information were in the wrong.

adamsj
2005-03-16 02:06:14
Admissions decisions do affect others
Hi, brian,


You're wrong when you think an admissions decision affects only the student to which admissions is offered. It affects the university, and it also affects other students applying to that university who are lower down the list, and the universities to which they're applying. This is about a large number of people competing for a small number of admission slots. The applicants affect each other.

brian_d_foy
2005-03-16 12:12:23
Admissions decisions do affect others
The admissions decisions do not affect each other. The university makes a list, and that's the list. After they release the list, other things happen, but it doesn't affect the list. A student seeing his spot of the list doesn't re-order it.


You're mixing up time here.