Harvard Business School has denied admittance to 119 applicants who hacked into the computer system to find out whether they had been admitted or not. Greg at Begging to Differ is concerned that the evidence implicating the hackers might be inconclusive, and he wonders why the server was so insecure. Along the same lines, it would be interesting to know whether each of the applicants hacked in separately, or whether one person was responsible and then told others about the exploit.
Regardless, I'm not entirely convinced that breaking into Harvard's server was unethical in the first place. Nobody was harmed here, and the data must have been pretty easily accessible if 119 people really found it. What about the ethics of storing personal information about students on an insecure server?
UPDATE: Greg has more detail about the nefarious plot, and Don Singleton explains what hacking is for the ignorant Harvard elites. AND: Heidi Bond relates a "hacking" experience of her own.
As I understand it, the server wasn't hugely insecure, or at least no more so than most similar such systems; there was simply a way for a person who already had legitimate access to the system to view files that had been scheduled to be released to them at a later date. A rep from HBS was on NPR yesterday explaining that they knew that the transgression wasn't earth-shattering, but analogized it to breaking into an administrator's office and looking at one's own personal file--it's the person's own info, but the person should know that breaking in isn't the way to get at that info. The rep also noted that they didn't reject the offenders "with prejudice"; everyone rejected this year is encouraged to apply again next year, with the implication that their indiscretion now won't be counted against them in the future.
(The irony of all of this is that, apparently, HBS doesn't even use the service in question to post students' acceptance status, so none of the students in question got any info for their troubles.)
If the whole incident wouldn't be counted against them in the future, why count it against them now? It sounds like they're backpedalling, but they can't really do anything about it because they've already made offers.
You count it against them now for the same reason that any punishment is ever imposed--to deter future transgressions, and to offer an avenue for atonement for the current transgression. That's why someone who, say, gets pulled over for speeding pays a fine and can continue driving, rather than having their license revoked forever, and why people who go to prison don't all get life sentences. It's not backpedalling; it's just making the punishment fit the crime--as the HBS guy also said on NPR, the actions of these students doesn't reflect the ethics and judgment of the people they will eventually be, but it does reflect the ethics and judgment of the people that they are now.
Fair enough, but it's nevertheless a symbolic gesture, since all of the rejected applications will likely just choose to go elsewhere.
And I still think that the punishment doesn't fit the crime here, if it's even a crime at all. I don't think I would feel the least bit of contrition for doing something like this -- I might report it, but it wouldn't occur to me that I'd done something wrong.
What about the analogous situation that the HBS guy proposed, of breaking into a locked office? Would that seem wrong to you if you did it?
I reject the idea that they're analogous, because in this case the "office" wasn't locked. As I understand it, there wasn't any breaking in at all here -- it was just changing a URL.
Now, would I feel bad about going into an office that had been left unlocked and looking into my file? Yes, I think I would, but I'm still not convinced that's the equivalent! In that case I believe I'd be legally trespassing, but with the internet case I don't see that disctinction.
Post a comment