I chose not to comment about the HBS-ApplyYourself story because I was busy, and I forgot about it when I finally got some free time. I am more busy now than I was in the middle of March, but Matt Gline's column in today's Crimson annoyed me:
It's not just copyright, either: many have had a similarly dissonant reaction to the HBS admissions hacking incident of last month. All the now-Harvard-rejects did was guess at the address for a page that was already available on the net-it's as if you had guessed the six-digit code number for this article and found it before it was linked to from the Crimson's online front page (if you don't know what I�m talking about, browse to this column or any other story on-line, and look to see what the address is).
HBS officials would like to frame this as the moral equivalent to walking into an apartment whose front door has been left open and rifling through papers left on a desk. But for people used to typing in strange web addresses all the time, it�s hard to see it that way. Instead, it seems to us that HBS had posted their admit list on a proverbial telephone pole somewhere in Cambridge, location undisclosed, and some curious applicants had gone out looking and stumbled upon it. Is such an action reprehensible? Is it worthy of automatic rejection?
It is always difficult to make real-world analogies for technological situations. Gline's analogy is particularly flawed, as it assumes that the HBS' application site was public (like a message on a telephone pole). While it is very easy to tell the difference between the public and private in the real world, the same is not the case in today's technological landscape, when many computers are connected to the Internet 24 hours a day. HBS assumed that their site was private. Let's assume that the HBS admit list was posted on a telephone pole, but without HBS' knowledge or consent. Would it be right to look at it?
As far as I can tell, from descriptions of the original BusinessWeek posts, the applicants who checked their status knew or should have known that it was not "the right thing" to do. Because of the ease
1 at which it was accomplished, both the applicants and many of the pundits commenting on this story seem to have been blinded to the issues of morality and ethics at its heart. From
a post by PowerYogi, a blogger who wrote about the ApplyYourself problem early on:
Edit Two: Is it right or wrong to check status this way? Basically, we are talking about some sloppily protected software here. If you don't want someone to see it, hide it well. Welcome to the internet.
Interesting rubric. Consider this hypothetical scenario. The computing gods, in an act of massive benevolence, bestow upon me absolutely ridiculous computer skills.
2 Being an advocate of PowerYogi's "new morality," I decide not to use these powers for good, but become a virtual fount of
zero day exploits, giving me the ability to access any piece of information on any computer connected to the Internet, regardless of any precautions you might take. Would the ease at which I could access the personal pictures of your crazy Cancun spring break make my actions any less reprehensible?
"But Martey," you complain, "those 119 applicants were only accessing their own admission letters. Since they were not accessing others' information, there is no invasion of privacy. If you want to hack into my computer and steal pictures of yourself, go right ahead. It's no skin off my back."
But it is? In the real world (which in my opinion, includes HBS applicants), people who find security holes do one of two things:
- tell their closest friends, who proceed to use the hole for various nefarious purposes (like creating viruses).
- inform the website owner or the software manufacturer, who then fixes the problem, preventing unscrupulous people from preying on the rest of us.
Which category do you think our HBS friends fall into? While one could claim that they were "
just following instructions," they should have realized that the hole that they were exploiting could have had ramifications beyond allowing them to see their admissions letters. It was their ethical responsibility as good citizens to inform HBS of the problem. It is telling that at least one of the applicants did. It may not have been an
easy thing to do, but it was definitely
right.
. If it was so easy, why did the applicants need explicit instructions to figure out where their admissions letters were placed?
. Unlike Mr. Gline, I am not talking about the ability to view Crimson articles before they are supposed to appear on the website.
