That’s what’s missing in the brouhaha about college applicants who took advantage of poor security to peek at confidential information.
In one corner, we have overwrought commentary, like this gem from Patricia Keefe, editor of Information Week:
Hacking isn’t just wrong, it’s a crime. As noted by MIT dean Richard Schmalensee, the students who peeked made a conscious decision to do so and invested the necessary time. Their self-interest trumped their personal ethics. And that’s what this incident really turns on. The last thing we need in this country is more unethical people coming out of business schools. Haven’t we learned anything from the last two years of corporate debauchery and scandal?…
If these schools don’t take a stand now, to what standard will they later hold these students? If these schools really believe ethics is a serious matter, then they need to reject the students who hacked.
If what those students unwisely did was criminal, then the universities should be prosecuting them. They aren’t.
It’s even a stretch to call what the students did hacking, but that’s to be expected from a business publication. Most corporations are actively distrustful of, if not hostile toward, their IT departments. It’s a not entirely rational idea which, for instance, drives much of the fervor for outsourcing. The business computing press, which should know better, expresses this point of corporate ideology by confusing cracking with hacking. Post-dot-com-boom, management believes that hackers in the original sense of the word are bad, so why not conflate them with crackers? They’re bad, too.
The off-with-their-heads brigade is balanced, if that’s the word, by the unlocked-doors-are-an-invitation-to-enter crowd. Here’s brian d foy, writing here in his weblog:
…They weren’t being sneaky or trying to get information on anyone else other than themselves.
The information each student needed to get to the application status was gladly given to them by the web pages they were already allowed to view. I don’t see any “hacking” here.
Harvard Business School calls this “unethical”. Most businesses would call it “resourceful”, but that’s just another way schools and reality diverge…
How can you say someone isn’t being sneaky who is trying to get information before it’s been officially released? Who is using a hack (not much of one, granted) to peek at information they aren’t supposed to have?
The anthropomorphism of “gladly given to them by the web pages” (web pages aren’t glad–that’s human) hides the underlying issue that the people in charge of admissions information–which is information about both the student and the university, so the students were not just looking for information about themselves–intended for the students not to have that information at that time. The university personnel involved weren’t a bit glad.
As for businesses calling this “resourceful”, I’m thinking about what would happen at, say, a telecom company where a “resourceful” employee took deliberately separated data and reporting about, say, local service and long distance service, and then aggregated them to get sales leads. That would be resourceful as long as no one knew about it, but once the FCC realized that information which, by law, is not supposed to be aggregated had been, the consequences could be substantial. We’re talking millions of dollars in penalties here.
So, back to that sense of proportion. What these applicants did was wrong. It’s just not so wrong as to be a disqualification.
What they did wasn’t that different from what I do when I get a malformed URL to a news site–if I feel it’s justified, I poke around by altering the URL and seeing whether I can find what I’m looking for. What’s accessible on a public server is probably intended for public viewing, and trying to find that isn’t unreasonable–I’d even call it resourceful. In this case, though, the applicants who peeked were consciously trying to find out information they knew (or should have known) was intended not to be public.
What would be proportionate?
Well, what are the universities doing internally to the people responsible for the information leak? Are they firing directors of admission? Are they terminating contracts with ApplyYourself, or suing them for exposing private information? If so, then perhaps rejecting otherwise qualified applicants is fair. Are they doing so? If they are, I haven’t heard about it.
Are there “lessons learned” sessions for university employees who contributed to this screwup? There should be–and perhaps the applicants who peeked should be a part of those sessions. Maybe they should have to show up for school a few days early and spend some time living in the real world (ha!) of meetings and get their head cheese processed. That’s more reasonable, more fair than outright rejection.
The admissions departments might learn something about proportion from this process, as well. At prestigious schools, the admissions process has been turned into a circus. (Again, this comes down to corporate ideology, this time intruding itself into academia.) The process of admissions is deliberately and unnecessarily mystified, and some brave university that hasn’t yet been stampeded into Fudd-like “Kill the
wabbit hacker student!” reaction should take this as a wake-up call to make admissions more transparent.
If Empire State decides in January that it might be best not to admit both Reed Richards and Victor von Doom, and that, as von Doom is a legacy student, Richards needs to make do with MIT, then what is the point of making Richards wait until April to hear about it? Mystique, hoopla, and branding–that’s all. There’s no educational purpose served by stretching things out–it’s inter-university corporate gamesmanship, the educational equivalent of what I saw succinctly described on Slashdot as “marketecture”.
Universities should also examine whether the corporate ideology that drives much outsourcing in business is affecting their decisions about outsourcing, say, parts of the admissions process. Is it really necessary to have a company handle your admissions for you? Is it an appropriate way to deal with sensitive information? Mightn’t that be better handled in-house? Or through a cooperative effort among universities? Perhaps an open-source system for handling admissions, peer-reviewed with security and privacy in mind, might be in the interest of both the universities and the applicants.
What the applicants who peeked did was wrong–no security model doesn’t mean no obligation to act ethically–but the greater wrong was committed and the greater harm done by those who allowed confidential information to be exposed, and there’s where the primary obligation to act, to repent, to reform lies.
Did you peek at my draft of this weblog before it was published? If you could have, would you have done so? If you had, should I have been offended?