Hacking into Harvard
Case Study taken from Moral Issues In Business by William H. Shaw & Vincent Barry
Everyone who has ever applied for admission to a selective college or who has been interviewed for a highly desired job knows the feeling of waiting impatiently to learn the results of one’s application. So it’s not hard to identify with those applicants to some of the nation’s most prestigious MBA programs who thought they had a chance to get an early glimpse at whether their ambition was to be fulfilled. While visiting a Business Week Online message board, they found instructions, posted by an anonymous hacker, explaining how to find out what admission decision the business schools had made in their case. Doing so wasn’t hard. The universities in question –Harvard, Dartmouth, Duke, Carnegie Mellon, MIT and Stanford–use the same application software from ApplyYourself, Inc. Essentially, all one had to do was change the very end of the application-specific URL to get to the supposedly restricted page containing the verdict on one’s application. In the nine hours it took ApplyYourself programmers to patch the security flaw after it was posted, curiosity got the better of about two hundred applicants, who couldn’t resist the temptation to discover whether they had been admitted.
Many of them got only blank screens. But a few learned that they had been tentatively accepted or tentatively rejected. What they didn’t count on, however, were two things: first, that it wouldn’t take the business schools long to learn what had happened and who had done it and, second, that the schools in question were going to be very unhappy about it. Harvard was perhaps the most outspoken. Kim B. Clark, dean of the business school, said “This behavior is unethical at best–a serious breach of truth that cannot be countered by rationalization.” In a similar vein, Steve Nelson, the executive director of Harvard’s MBA program, stated, “Hacking into a system in this manner is unethical and also contrary to the behavior we expect of leaders we aspire to develop.”
It didn’t take Harvard long to make up its mind what to do about it. It rejected 119 applicants who had attempted to access the information. In an official statement, Dean Clark wrote that the mission of the Harvard Business School “is to educate principled leaders who make a difference in the world. To achieve that, a person must have many skills and qualities, including the highest standards of integrity; sound judgment and a strong moral compass–an intuitive sense of what is right and wrong. Those who have hacked into this web site have failed to pass that test.” Carnegie Mellon and MIT quickly followed suit. By rejecting the ethically challenged, said Richard L. Schmalensee, dean of MIT’s Sloan School of Management, the schools are trying to “send a message to society as a whole that we are attempting to produce people that when they go out into the world, they will behave ethically.”
Duke and Dartmouth, where only a handful of students gained access to their files, said they would take a case-by-case approach and didn’t publicly announce their individualized determinations. But, given the competition for places in their MBA programs, it’s a safe bet that few, if any, offending applicants were sitting in classrooms the following semester. Forty-two applicants attempted to learn their results early at Stanford, which took a different tack. It invited the accused hackers to explain themselves in writing. “In the best case, what has been demonstrated here is a lack of judgmen; in the worst case, a lack of integrity,” said Derrick Bolton, Stanford’s director of MBA admissions. “One of the things we try to teach at business schools is making good decisions and taking responsibility for your actions.” Six weeks later, however, the dean of Stanford Business School, Robert Joss, reported, “None of those who gained unauthorized access was able to explain his or her actions to our satisfaction.” He added that he hoped the applicants “might learn from their experience.”
Given the public’s concern over the wave of corporate scandals in recent years and its growing interest in corporate social responsibility, business writers and other media commentators warmly welcomed Harvard’s decisive response. But soon there was some sniping at the decision by those claiming that Harvard and the other business schools had overreacted. Although 70 percent of Harvard’s MBA students approved the decision, the undergraduate student newspaper, The Crimson, was skeptical. “HBS [Harvard Business School] has scored a media victory with its hard-line stance,” it said in an editorial. “Americans have been looking for a sign from the business community, particularly its leading educational institutions, that business ethics are a priority. HBS’s false bravado has given them one, leaving 119 victims in angry hands.”
As some critics pointed out, Harvard’s stance overlooked the possibility that the hacker might have been a spouse or a parent who had access to the applicant’s password and personal identification number. In fact, one applicant said that this had happen to him. His wife found the instructions at Business Week Online and tried to check on the success of his application. “I’m really distraught over this,” he said. “My wife is tearing her hair out.” To this, Harvard’s Dean Clark responds, “We expect applicants to be personally responsible for the access to the website, and for the identification and password they receive.”
Critics also reject the idea that the offending applicants were “hackers.” After all, they used their own personal identification and passwords to log on legitimately; all they did was to modify the URL to go to a different page. They couldn’t change anything in their files or view anyone else’s information. In fact, some critics blamed the business schools and ApplyYourself more than they did the applicants. If those pages were supposed to be restricted, then it shouldn’t have been so easy to find one’s way to them.
In an interview, one of the Harvard applicants said that although he now sees that what he did was wrong, he wasn’t thinking about that at the time–he just followed the hacker’s posted instructions out of curiosity. He didn’t consider what he did to be “hacking,” because any novice could have done the same thing. “I’m not an IT person by any stretch of the imagination,” he said. “I’m not even a great typist.” He wrote the university a letter of apology. “I admitted that I got curious and had a lapse in judgment,” he said. “I pointed out that I wasn’t trying to harm anyone and wasn’t trying to get an advantage over anyone.” Another applicant said that he knew that he had made a poor judgment but he was offended by having his ethics called into question. “I had no idea that they would have considered this a big deal.” And some of those posting messages at Business Week Online and other MBA-related sites believe the offending applicants should be applauded. “Exploiting weakness is what good business is all about. Why would they ding you?” wrote one anonymous poster.
Richard L. Schmalensee, dean of MIT’s Sloan School of Management, however, defends Harvard and MIT’s automatically rejecting everyone who peeked “because it wasn’t an impulsive mistake.” The instructions are reasonably elaborate,” he said. “You didn’t need a degree in computer science, but this clearly involved effort. You couldn’t do this casually without knowing that you were doing something wrong. We’ve always taken ethics seriously, and this is a serious matter.” To those applicants who say that they didn’t do any harm, Schmalensee replies, “Is there nothing wrong with going through files just because you can?”
To him and others, seeking unauthorized access to restricted pages is as wrong as snooping through your boss’s desk to see whether you’ve been recommended for a raise. Some commentators, however, suggest there may be a generation gap here. Students who grew up with the Internet, they say, tend to see it as wide-open territory and don’t view this level of Web snooping as indicating a character flaw.
Comments
This entry is filed under . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
Why would knowing if you are accepted or not give you an advantage other than you can get an early start in finding housing? Why would this information not be readily available to the student anyways? The sooner they know, the sooner they can make a decision, right? In the world that we live in, information flows at a tremendous rate compred to just ten years ago. Making students wait on their status so you can “mail” them a letter is so last century. Typical institutional higher learning in America. This is one of the reasons that America is falling behind in the technology market.
You will get a letter in due process. There will always be housing.
As to your statement of “making students wait”. If you rerally want to attend the universtiy, you will wait. “The world we live in” does not NEED to have this information readily availble. The classes aren’t going to magically start any sooner than anticipated. The syllabus will still have the same criteria. School will start on time. There will be time to respond to the school and notify them of your choice. Even if you have to wait to find out.
Hacking into a system to find out is still “hacking”. There is no line to draw. It is unethical. Thus, I applaud the decision that was made. This world NEEDS ethical behavior NOT speedy results.
Why? Why wouldn’t this information be available to the person it pertains to most? Why isn’t the entire process more transparent? Perhaps it has ethical issues of its own. These students did not do anything unethical. They were given an opportunity to access information about themselves and took it. The reason they were rejected is not because they seemed to lack integrity, but rather because the Universities could not afford to admit them. They could not afford to be perceived as condoning anything unethical. Its unfortunate, but the court of public opinion forced their hand. The entire case may seem like ethics, but it smells a lot more like politics.
The 119th should have followed compliance and waited for a letter. This was the procedures known by all. Ultimately, ethical dilemmas always require choices, and often in an ethical dilemma refraining from action is itself a moral decision. Indeed, in some moral dilemmas one must choose whether to disobey a particular prohibition, such as a law, when compliance results in immoral consequences. In this case, not acting is obeying the law, but the result is morally reprehensible.
Ultimately your opinion on this case rests on this:
Was security reasonable to make students aware that this was not okay?
The internet generation sees this level of security as pitiful, nonexistent. If information is this easy to access, it is essentially public.
Older people are unfamiliar with the technology and assume that modifying a url is a significant effort on the part of the ‘hacker’
and so the student should have known that this information was privileged.
[...] Hacking into Harvard Case Study | Ethics in Business 23 Oct 2007. Case Study taken from Moral Issues In Business by William H. Shaw. “HBS [ Harvard Business School] has scored a media victory with its Hacking into Harvard Case Study | Ethics in Business [...]
I really appreciate your post and you explain each and every point very well.Thanks for sharing this information.And I’ll love to read your next post too.
regards
Best B Schools in india
[...] your status online, unless you are committing online trespass. A bunch of MBA applicants caused a scandal a few years back when they hacked into a site to find out if they had been accepted, and both HBS [...]