I have been getting lots of mail from techie friends and VC readers about the recent hacking incidents by applicants to a number of top business schools. I first posted about the incident here. Harvard and MIT took the matter sufficiently seriously that they decided to deny the applications of those involved. The odd thing is, it increasingly seems like the applicants may have done nothing wrong. The alleged “hack” may be no hack at all.
I have looked for a good technical explanation of how the alleged intrusion occurred, and the best I have come up with is a post at Philip Greenspun’s blog. According to Philip, this is what happened:
The ApplyYourself code had a bug such that editing the URL in the “Address” or “Location” field of a Web browser window would result in an applicant being able to find out his admissions status several weeks before the official notification date. This would be equivalent to a 7-year-old being offered a URL of the form http://philip.greenspun.com/images/20030817-utah-air-to-air/ and editing it down to http://philip.greenspun.com/images/ to see what else of interest might be on the server.
Someone figured this out and posted the URL editing idea on the BusinessWeek discussion forum, where all B-school hopefuls hang out and a bunch of curious applicants tried it out.
If this explanation is accurate — and several correspondents have suggested to me that it probably is — it means that the applicants didn’t actually do anything that could reasonably be described as “hacking in” to a computer. As I understand it, the ApplyYourself computer had effectively posted everyone’s admission decision on the web, just without broadcasting the URL. The applicants then followed the advice posted on the BusinessWeek discussion forum on how to find the public webpage that listed (or would eventually list) their admission decision. No one hacked into anything. The applicants just visited a public website.
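The difference between a page that is merely unlinked and one that is actually access-controlled can be shown in code. The following is an added illustration, not ApplyYourself's code and not from Greenspun's post; the URL layout, applicant ids, decisions, and release date are all constructed assumptions. The first handler serves a decision to anyone who requests the right URL, and the second checks on the server whose session it is and whether the notification date has passed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed sample data (assumption): ids, decisions and date are made up.
DECISIONS = {"A1001": "admit", "A1002": "deny"}
RELEASE_DATE = date(2005, 3, 30)


@dataclass
class Request:
    path: str                         # hypothetical layout: /decision/<applicant id>
    session_applicant: Optional[str]  # applicant id bound to the login session
    today: date


def _requested_id(req: Request) -> str:
    return req.path.rstrip("/").rsplit("/", 1)[-1]


def unlisted_url_handler(req: Request) -> Tuple[int, str]:
    """The only 'protection' is that nobody has published the URL yet."""
    applicant_id = _requested_id(req)
    if applicant_id in DECISIONS:
        return 200, DECISIONS[applicant_id]
    return 404, "not found"


def access_controlled_handler(req: Request) -> Tuple[int, str]:
    """Every condition is enforced server-side on each request."""
    applicant_id = _requested_id(req)
    if req.session_applicant is None:
        return 401, "login required"
    if applicant_id != req.session_applicant:
        return 403, "forbidden"
    if req.today < RELEASE_DATE:
        return 403, "decision not yet released"
    if applicant_id not in DECISIONS:
        return 404, "not found"
    return 200, DECISIONS[applicant_id]


if __name__ == "__main__":
    early = Request("/decision/A1001", "A1001", date(2005, 3, 1))
    print("unlisted URL only:", unlisted_url_handler(early))
    print("access controlled:", access_controlled_handler(early))
```
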
This raises two questions: First, was visiting the website in this way a crime? And second, were the business schools justified in rejecting people who had done it? On the legal question, I think the answer is “no.” The basic crime here is unauthorized access to a computer; the federal government and all 50 states have such laws. It just so happens that I recently wrote a 70-odd page law review article on how to interpret these statutes. To make a long story short, the cases interpreting these statutes are all over the map, but I am fairly confident that no court would hold defendants criminally liable under them for visiting a public site in the way they did.
As for whether the business schools were right, their response certainly seems like an overreaction to me. My guess is that the admissions people read the press reports and believed that the conduct was quite different from what it now seems to have been. If my technical understanding is right — still just an assumption at this point — automatically rejecting a candidate for admission seems too harsh. It seems rather odd to deny someone a spot at Harvard Business School for visiting a public web page.
UPDATE: Reader Michael Kwun sends on a link to a more detailed technical explanation. Meanwhile, Michigan law student Heidi Bond is so eager to see next year’s academic schedule that she “hacked in” to the law school’s computer to find it.