No reporters have called in the last couple of weeks to ask about the Harvard Business School “hacking” incident, in which applicants who edited URLs could discover whether or not they’d been admitted. I had a tough time understanding why the story had such long legs when, after all, quite a few Web sites over the past 15 years have had similar vulnerabilities. What was unusual about the business schools is that they blamed their Web site users. Every other publisher has secretly spanked its programmers, patched the hole, and tried to pretend that it never happened. The B-schools, however, somehow came up with the innovative idea of blaming everything on the cut-and-pasters out there in the wider world rather than on the dazed-by-donuts coders who couldn’t get the authorizations right for various pages. That’s what made the story different and what attracted so much press.
[This was not actually the first time that HBS had trouble with the world of commercial junkware. They outsourced their placement office interview scheduling a few years back and the system managed to screw up students desperate for jobs in a down economy. The student newspaper ran a cartoon lampooning the administrators responsible and the deans decided to fix the problem by threatening to expel the editor of the newspaper for violating Harvard’s speech code (see http://www.thefire.org/index.php/article/4909.html).]16 thoughts on “B-school “hacking” incident finally fades from the news”
Comments are closed.
“Sue your customers” seems to be a popular mantra in business these days, good to see that Havard is keeping up with the times.
I still want to know how many people responsible for buying this crappy web managment service were fired at the various business schools and how many contracts with the crappy software supplier were cancelled.
I still say that whatever punishment is meted out to the applicants who peeked–which was not so wrong as to deserve the death penalty from admissions–needs to be proportionate to what punishment is given to the people who made it possible, and that schools who fail to use this opportunity to teach ethics are irresponsible.
Has any school taken a more nuanced approach than “Deny ’em all admission and let god sort ’em out”?
us geeks will find this reprehensible, but the bottom line is that the students who, ahem, “hacked” to find out their status before the official announcement were being impatient and violated trust between them and HBS, that answers will not be handed out anytime before the announcement date. Since HBS said so, as all b-schools do, then merely peeking through the window of an admissions office to see the writing on your file, is violating the implied trust. Shows poor ethical judgement on the part of students, crappy software notwithstanding. HBS had no choice but to take a stand. I just sincerely hope that they were just as tough on their admin staff for using a crappy application. Wharton on the other hand uses a web app that is much simpler, doesn’t use much java-script and more the urls are permanent, which make hacking like this more difficult.
But were they so in the wrong as to deserve to be disqualified from admission? I just don’t think so.
if they broke the trust, why would you want them in b-school? how’d it make them look to the other students who were patient enough? it’s all about ethics, and b-schools feel the pressure to push ethics, there’s simply no way to give these guys a slap on the wrist and look like you care about ethical behavior. besides, it sets a very clear example to others. what would have been your punishment and what would it say about you if you were the admin office?
I really don’t understand a few aspects of this story. If the applicatants had merely browsed to a web page, then they would have been fairly anonymous. Perhaps their ip address could have been logged, but only if the application had been designed to do so.
I suppose that they may have determined which files had been accessed and identify the culprit from that, but that method would be fairly indeterminate.
My initial impression was that the emails had been sent to the applicants intentionally by the administration and that these emails had used a gif file to plant a tracking cookie. After that was accomplished, then it would be easy to identify the users computer, and their email address when they went to the url.
So what was it? Incompetent software or an investigation by an administration that used pretty common commercial web tracking/spam techniques?
Compared to stuff that goes on in corporate America, the early peekers were Boy Scouts.
Vele, what would I do?
First, I wouldn’t think of it as an exercise in punishment. Universities are educational institutions, not legal systems. This is an opportunity for education.
Denial of admission can’t be a unfair punishment, because it’s inherently inequitable. Applicants who would have gained admission had they not peeked lose their opportunity to attend Harvard. Applicants who would not have gained admission have lost nothing. Yet both groups of applicants committed exactly the same act.
Second, I’d make it proportionate to what was being done to those responsible for the system that allowed unauthorized access, in the university’s admissions and IT departments, as well as at the vendor.
Third, I’d try to clarify the murkier parts of the incident. While I agree with you that the students broke trust with the university, I’ve been having a hard tine verbalizing that judgement. It’s also not clear to me that the students did something wrong technically. I think they did, but it’s not obvious where the line (if one exists) lies between innocent poking around and inappropriate peeking.
So, what would I do?
I assume the universities involved will have internal reviews of the incident. I’d schedule them to take a week and start them just before the fall semester. An applicant caught peeking who would otherwise have been admitted would spend a week participating in that review. I’d set goals for the review, including clarifying those murky questions, and I’d bring the axe down on those who didn’t help reach them.
It’s wrong for the universities to avoid this opportunity. It suggests they don’t believe ethics can be taught, which undercuts their attempts to teach ethics.
i think you’re trying to dilly-dally around the issue. if you agree that trust was broken, then why have them in school. HBS has 10k applicants for 800 positions. many more are just as qualified but don’t make it. Nothing lost here and no issue on fairness, it’s not about justice either, but about trust. If your behavior at such a small issue is to break that trust, then how do you buy that these guys won’t do the same on bigger issues? Their judgement stinks!
So, if you do agree on the broken trust, then why mention innocent poking around, it’s irrelevant. I see that your reaction comes from not being convinced that trust was broken and you focus on internal HBS issues rather than trust.
what makes people think that some sort of trust was broken?
i dont see how applicants are committed to any sort of trust aside from being honest on their application and acting within the limits of US law. i think you have to sign the intent to attend after receiving admission in order to be subject to any rules.
i wonder if the students are suing harvard? i sure would, but would not even consider attending after a fiasco like that.
easy target, there’s a breach of trust when someone tells you they’ll give you an answer on one date and you use other means to get the answer early, gaining an advantage over the other applicants.
I’m not satisfied with that answer, because the circumstances under which the applicants who peeked are circumstances under which it’s not immediately apparent that trust is being broken. I can put myself into the place of someone doing the same thing and can understand myself having innocent motivations. I’m also not satisfied with it because it’s a vague answer.
Sometimes, ethics are like pornography. I can’t alway codify them, but I know them when I see them. In this case, though I’m having trouble articulating exactly and explicitly what was done wrong, it was wrong.
That’s not a standard under which to give an academic death penalty. There, Vele and I differ.
Vele, as you can see above, I do think trust was broken, or at least violated, by the actions of at least some (most, really–but exactly which ones?) of the students who peeked.
Where we disagree is on two related but distinct questions: the severity of the violation by the applicants, and the proper nature of the universities’ response to the violation.
Is the violation of trust severe enough to deserve punishment? On that, I think we’ll have to disagree. I’ve made my arguments, and unless you’d like to discuss them in detail, I’ll stand on them.
What is the proper response of universities to this violation? I’ll argue this all day–it’s important.
Harvard’s response is wrong for a variety of reasons, but the most important one is that it is a cowardly failure to teach ethics. No, it’s worse–it’s an abandonment of the idea that ethics can be taught.
Let’s look at the universities’ response. All applicants who were caught peeking have been summarily denied admission this year, on grounds of bad ethics. So, if their ethics are that bad, then should Harvard admit them next year? Should they even be allowed to apply? The consistent answer is no, but Harvard’s answer is yes. The students who were denied admission will be allowed to apply again next year.
Are their ethics going to be improved by the one year wait? I doubt it very much. They’ll be determined not to get caught acting unethically, but will they be determined not to act unethically? I don’t see why.
Is Harvard incapable of teaching ethics? Possibly so.
What Harvard’s actions say is this: We can punish, but we can’t instruct. These applicants we’re disallowing this year? Why, they’re to be punished, and then we’ll let them apply next year. We aren’t going to check whether their ethics improved or not–we’re just going to re-evaluate their applications. They’ll still be the same people, with the same ethical failings–but they won’t get caught!
I find that to be a morally disgusting point of view.
People aren’t born with some sort of ethical sense. We acquire it through trial and error, through explicit ethical instruction, through example, so long as we’re alive. Part of the job of the university is to teach ethics. Is this single violation of trust so severe, so horrible, that these students can’t be taught better? Harvard says yes. I say no.
I’ll tell you again, the university should engage these applicants–at least those they would have otherwise admitted–in the process of determining where things went wrong in this process. The universities who hired this shoddy admissions processing service and the service provider itself are not blameless–they did a lousy job, and they, too, need to face correction.
Again, I think the parties involved should spend some time–a week of long days seems about right–going through these issues and clarifying the ethics of what was done–what was wrong, what wasn’t, and what was marginal. This effort should produce some actual results in explaining (for instance) where the line is between harmless poking around and illicit peeking. (It’s not an easy question.)
I’m not saying, “Go sit through a week of workshops and then we’ll admit you.” I’m saying, “Go spend a week grappling with these issues. Produce some intellectually respectible results from it. If you succeed in this, and in showing some ethical growth from the exercise, then you can start school the next week. If not, then too bad–it’ll be too late for you to get into another school that semester.”
That right there will help sort the wheat from the chaff.
I predict that most of the applicants who peeked who truly are ethically deficient will bail on the idea, and go for whatever school will take them. The ones who will go for it are, by and large, the ones who have some understanding that what they did was questionable, who have a will to understand and improve their behavior, and are willing to risk an academic year to do so.
Tell me those aren’t the people you want in your business school. Tell me they aren’t likely to be at least as ethically strong as the average applicant who didn’t peek.
One other, more personal note: I looked at your website, Vele, and I’m thrilled to see that someone with such a strong moral sense has decided to become an American citizen.
There’s a value which seems to me to be peculiarly American–giving slack–which I urge you to consider. We learned it the hard way, after a bloody civil war initiated by treasonous racists. The just thing to do after our civil war was to start hanging the generals and politicians who brought that horror upon us, but we were lucky to have a wise man for president, who chose instead to cut them as much slack as possible.
They did hang quite a few of them, such as those involved in mistreatment of prisoners of war, but it wasn’t turned into a wholesale slaughter, and that’s one of the reasons this fractured nation held up.
It’s a value worth considering.
not to beat a dead horse, but until someone points out a rule from harvard specifying any sort of trust requirement, i will assume trust was not broken. i cant seem to find any such rule.
adamsj, you wrote:
“easy target, there’s a breach of trust when someone tells you they’ll give you an answer on one date and you use other means to get the answer early, gaining an advantage over the other applicants.”
i have to disagree wholeheartedly. there is only a breach of trust if a promise is made not to get an early answer, but no such promise was ever made by the students as far as i know. whether an advantage is gained or not is irrelevant, unless a student promises not to gain an early advantage. again, there is no such promise. the students acted within their legal means and within the rules of harvard app. proces. if someone points out a harvard rule stating the contrary, i will gladly aquiesce.
easy target, I don’t know there is a written rule, and I don’t know that it matters. The admissions process involves a certain amount of subjective judgement, and in the eyes of the admissions departments involved, trust was broken. That’s just how it works–it’s not a court of law. The externals of the admissions process are well-known–the applicants involved should have known better.
It’s happening again, by the way: When I discuss this with someone who simply cannot see that there’s anything wrong with what the applicants did, I get less convinced the schools were wrong to bounce them. At the very least, the applicants who peeked showed bad manners. At the worst, they deceived the universities and cheated their fellow applicants. There doesn’t need to be a written rule against that.
adamsj,
i think the admissions process to hbs is an extremely formal beast. the whole thing smells of rigid formality. if i were rejected on such a matter i would definitely take it to court and i think i would be successful in proving that hbs had no right to reject me. i would sue harvard for $1.
whether the actions of the students are moral is an entirely different issue, in my opinion. i think students acted within their rights and did nothing wrong. so we will just have to disagree on this issue.
The saga continues…
http://www.cnn.com/2005/EDUCATION/05/30/hackers.rejected.ap/index.html