In mid-March 2005, it was reported that Harvard Business School and MIT Sloan had rejected applicants who hacked into the admissions web site. After exploring the facts a bit more, a number of us from the MIT Crypto group wrote to the Dean of the MIT Sloan School, Prof. Schmalensee. The entire discussion is posted for all to read, as agreed by all parties.
We write to ask the MIT Sloan School to reconsider its recent blanket rejection of applicants who sought to learn their acceptance status via an insecure web site. To call such actions unethical encourages an erroneous and dangerous interpretation of computer security and the architecture of the Web. As an institution that prides itself on the technological prowess of its members, MIT should lead the charge in teaching security to the world (including other business schools), rather than laying blame on a few students who are guilty of nothing more than legitimate curiosity.
Let us consider the analogy made by Dean Schmalensee: that these students performed the equivalent of "picking a lock and breaking into an office" [6,7]. The facts now emerging [1,3,4] do not support this grim picture. The applicants in question simply copied and pasted their user ID into the browser address bar. Using only their given credentials, they were granted access, without warning or notice, to the very web page which they would have been directed to by the school a few days later. No breaking of locks was involved. No server malfunction was elicited. A number of experts agree that the root cause was a grossly insecure web site, not a hack [1,2]. The right analogy should read: "The results were mistakenly posted in a dark, but public, corridor. Someone found the results and alerted others. Applicants rushed to the location with a flashlight." The school's mistake does not make its applicants unethical.
Consider a more practical analogy. An applicant calls the admissions office in the hope of obtaining his acceptance information early. Does the applicant's simple request, whether or not he is given an answer, make him unethical? Empirical evidence and reason both indicate a strong negative: curiosity is not a crime. The onus is on the school to enforce its own policies. This intuition is confirmed by the legal analysis of Professor Orin Kerr: obtaining information posted without protection on a web site is perfectly acceptable [5]. Whether the request is served by a person on the phone or by a web server should be irrelevant.
At the core of this debate lies a crucial issue: how are individuals expected to behave online? Online security and ethics should be no different than their offline counterparts. If a school operates an insecure service that indiscriminately hands out confidential information, the school is at fault. To assume otherwise in this case is to impose an unreasonable atmosphere of rigidity to the web that is antithetical to academics and entrepreneurship.
MIT should not only understand this, it should take a leadership role in teaching others. We hope MIT Sloan will reevaluate their extreme reaction and give these applicants a fair shot.
Sincerely,
Ben Adida, Susan Hohenberger, Matthew Lepinski, David Liben-Nowell,
Akshay Patil, Chris Peikert, Abhi Shelat, David Wilson.
Members of the Cryptography and Information Security Group and CSAIL, MIT.
Dear Members of the MIT Cryptography and Information Security Group and of CSAIL,
I am replying to your thoughtful email of March 13 and The Tech letter to the editor from March 16th, regarding MIT Sloan's position on the treatment of applicants who gained unauthorized access to a restricted area of the Apply Yourself admissions site.
I spent a good deal of time thinking about this issue before I set our policy, and I've read and considered a number of emails from people who, like you, think we were too severe. I remain convinced that we were not too severe.
First, let's start with a clarification of the facts. The instructions for gaining access to the admissions decisions area of the web site, which were posted on the Business Week site, made it clear that whoever followed those instructions was taking advantage of poor coding to enter an unauthorized area:
I know everyone is getting more and more anxious to check status of their apps to HBS, given their black box. So I looked around their site and found a way. Here are the steps:
1. Login to HBS site.
2. Check your URL, it contains something like: AYID=3533396-CA54-403A-B6F5-3D804B35AE9. Copy it somewhere.
3. Next, click on the link called application for admission on the main page. Open the source from your browser (view->page source).
4. Next, search for packageanswerid, it will be a 7 digit number. Copy it (they call it id). Replace the following URL with your own values of AYID and id:
https://app.applyyourself.com/AyApplicantMain/ApplicantDecision.asp?AYID=3533396-CA54-403A-B6F5-3D804B35AE9&mode=decision&id=1234567
Paste this link in the browser. You will be able to check your decision immediately, no waits.
love u applyyourself for bad coding...
The Apply Yourself server did not indiscriminately hand out confidential information, as you allege – someone had to follow deliberate and unusual steps to gain unauthorized access to a portion of the web site. From looking at the posting and following the steps, a reasonable person would have known these instructions were intended to provide unintended and unauthorized access.
I believe the lock and key analogy holds in this situation. If Person A picks the poor lock on his neighbor's house and tells Person B how to do the same thing, is it alright for Person B to use the information to pick the lock and enter his neighbor's house? Or if Person A steals his neighbor's easy-to-copy key, makes a copy and gives it to Person B, is it alright for Person B to use it to enter his neighbor's house? In either case, if B enters his neighbor's house, it doesn't matter if he does it only out of curiosity or for some other reason, it is still breaking and entering.
You are correct in stating that curiosity is not a crime, but acting on that curiosity to enter your poorly locked neighbor's house without authority is a crime, and acting on that curiosity to over-ride poor security on a web site to gain unauthorized access to the site is clearly unethical as well.
Your analogy about an applicant calling the admissions office to ask for his decision early doesn't hold. Asking is not taking without authority. Asking provides the admissions office (as it would provide your neighbor or the owner of a web site) the ability to deny the request. What if the posting on the Business Week site said that Admissions keeps the decisions in the Director's office, and provided a map of how to get to the Director's office, noted which file cabinet contains the decisions, and provided the combination to a padlock being used to secure the cabinet? Breaking into the locked file cabinet would be clearly unethical. In fact, accessing the file cabinet even if it were not locked would be unethical because it is clear that applicants are not authorized to access it. This is analogous to the people who gained unauthorized access to the Apply Yourself decisions site. We would deny admission to people for intentionally gaining unauthorized access to a secured (even if poorly secured) web site, just as we would for gaining unauthorized access to a file cabinet whether or not it was protected by the best available lock.
In your letter, you mentioned that "MIT should lead the charge in teaching security to the world (including other business schools), rather than laying blame on a few students that are guilty of nothing more than legitimate curiosity." We will leave it to EECS and groups like yours to teach the world about security. (I will note, however, that nobody in fact got access to any confidential MIT Sloan information. The locked file cabinet was empty.) MIT Sloan, however, will take a stand against intentional breaches of security, good or bad, to gain unauthorized access to web sites. Curiosity is not an excuse. We will take a stand on ethics and good judgment, attributes that are important to us in our mission of developing principled, innovative leaders who improve the world.
We take ethics seriously at MIT Sloan. We also take fairness seriously, which is why we have repeatedly said that we will consider appeals on decisions related to the Apply Yourself incident if there is good information that we do not have and that is relevant to our conclusion about the ethics and judgment demonstrated by a particular applicant. We also believe that people can learn from their mistakes, and this is why we have also said that the decline decision is only for this year and that we welcome people to reapply for admission next year.
While very serious, this is not the worst possible offense, and we have not applied the most stringent possible penalty. I continue to believe that a one year penalty is appropriate and fair in this case.
Nonetheless, I want to thank you again for your thoughtful comment. It seems that this incident has provoked a broad national conversation on the ethics of actions like the ones at issue here, and I believe will ultimately benefit us all.
Sincerely,
Richard Schmalensee
John C Head III Dean
MIT Sloan
Dear Dean Schmalensee,
Thank you for taking the time to read and answer our letter. I'm certain you've been bombarded with comments and I appreciate your taking the time to engage in this conversation with the MIT community.
I wanted to answer a couple of your points, most importantly your analogies. I'm not cc'ing the Tech.
You compare the situation to that of a poorly secured personal home. This analogy fails on one critical point: a poorly secured home is *always* a private space, and accessing it is *always* a violation. There is no ambiguity in the case of personal, physical property. On the other hand, the URL the applicants accessed is exactly the URL they would have been directed to a few weeks later. It is not an always-private space. In fact, it's a mostly-public space: it's not an administrative URL, it's not a URL meant only for your admissions staff, and it's not a "hacked" URL that elicits some kind of server malfunction. It's a URL whose sole purpose is to give students their acceptance status.
Another point you make is that pointing your browser to a URL is the equivalent of taking without asking. I would strongly question that interpretation. The web server set up by ApplyYourself had, in fact, the choice to refuse access to that page before the deadline. A correctly-programmed page would have done exactly that. Allow me to tweak the phone analogy: assume you have an automated phone acceptance status answering service. Would you consider it unethical for someone to call the service early? Would a misconfiguration of this answering service really be blamed on the callers? (You can even assume that the phone number is meant to be confidential until the deadline.)
At a technical level, that is exactly what's happening here. The students found the right phone number (the URL), and dialed it. The system was poorly set up so that it started answering questions (serving up the page) before the appropriate date without any notification that this data was confidential.
The reason I insist is that I worry about a web where the actions of these applicants are considered unethical and wrong. That world is one of "CLOSED by default." That is not the promise of the Web. The promise of the Web is in universal access, exploration and free-form linking and creativity. Certainly, private areas should be easily maintainable, but with an "OPEN by default, notify when private" approach.
This goes to the core of your argument. I am not making the claim that you were too severe in response to a small act of unauthorized access. I am making the claim that there was no unauthorized access to begin with.
-Ben
PS: I wrote this letter in the first person because I haven't checked its contents with other members of the crypto group, and I take full responsibility for it. However, some of these arguments result from group discussions between us.
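The refusal Ben describes (a correctly programmed page that denies access before the deadline and only to the right person), shown in working form. This is an added example, not ApplyYourself's code and not part of the original exchange. It assumes a server-side session that identifies the applicant, uses the hypothetical handler names decision_page_vulnerable and decision_page_hardened, and embeds constructed applicant ids, outcomes and access-log lines. The vulnerable handler reproduces the behaviour the thread attributes to the site; the hardened one adds the two checks the site lacked. The audit_log function goes a little beyond the text: it parses constructed log lines in the URL form quoted in the Dean's message and flags sessions that asked for a record they do not own.

```python
"""Added example (not ApplyYourself's code): a decision page that refuses
requests before the release date and serves only the caller's own record,
plus a log audit that flags sessions requesting someone else's record.

All ids, outcomes and log lines below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from urllib.parse import parse_qs, urlsplit

RELEASE_DATE = date(2005, 4, 4)  # the announced decision date from the thread


class Forbidden(Exception):
    """Raised when a request must be refused; the caller sees a denial, not a record."""


@dataclass(frozen=True)
class DecisionRecord:
    owner_id: str    # the applicant the record belongs to (hypothetical session owner id)
    package_id: str  # stands in for the 7-digit "id" query parameter in the quoted URL
    outcome: str


# Constructed sample data: two applicants with one decision record each.
DECISIONS = {
    "1000001": DecisionRecord(owner_id="applicant-A", package_id="1000001", outcome="admit"),
    "1000002": DecisionRecord(owner_id="applicant-B", package_id="1000002", outcome="deny"),
}


def decision_page_vulnerable(session_owner: str, package_id: str, today: date) -> str:
    """Look the record up by the client-supplied id alone.

    The authenticated session is never compared with the record's owner and the
    release date is never consulted, so any logged-in applicant can read any
    record at any time: the behaviour the thread attributes to the real site.
    """
    return DECISIONS[package_id].outcome


def decision_page_hardened(session_owner: str, package_id: str, today: date) -> str:
    """Serve a decision only on or after RELEASE_DATE and only to its owner."""
    # 1. Time gate enforced on the server, whatever link the client followed.
    if today < RELEASE_DATE:
        raise Forbidden("decisions are not released yet")
    # 2. Ownership check: the id in the URL must belong to the authenticated session.
    #    A missing id and a foreign id get the same response, so a caller cannot
    #    tell "no such record" apart from "someone else's record".
    record = DECISIONS.get(package_id)
    if record is None or record.owner_id != session_owner:
        raise Forbidden("no decision available for this account")
    return record.outcome


def is_refused(session_owner: str, package_id: str, today: date) -> bool:
    """True when the hardened page refuses the request (convenience for checks)."""
    try:
        decision_page_hardened(session_owner, package_id, today)
    except Forbidden:
        return True
    return False


# Constructed access-log lines: "<authenticated session owner> GET <url>".
# The identity comes from the session column, never from the URL's AYID value.
SAMPLE_LOG = [
    "applicant-A GET /AyApplicantMain/ApplicantDecision.asp?AYID=placeholder-A&mode=decision&id=1000002",
    "applicant-B GET /AyApplicantMain/ApplicantDecision.asp?AYID=placeholder-B&mode=decision&id=1000002",
    "applicant-A GET /AyApplicantMain/ApplicantMain.asp",
]


def audit_log(lines):
    """Return the set of sessions that requested a decision record they do not own."""
    flagged = set()
    for line in lines:
        session_owner, _method, url = line.split()
        params = parse_qs(urlsplit(url).query)
        if params.get("mode") != ["decision"]:
            continue  # not a decision-page request; nothing to check
        package_id = params.get("id", [""])[0]
        record = DECISIONS.get(package_id)
        if record is None or record.owner_id != session_owner:
            flagged.add(session_owner)
    return flagged


if __name__ == "__main__":
    early = date(2005, 3, 2)
    # Vulnerable handler: applicant A reads applicant B's decision a month early.
    print("vulnerable:", decision_page_vulnerable("applicant-A", "1000002", early))
    # Hardened handler: the same request is refused before and after the release date.
    for day in (early, RELEASE_DATE):
        print(day, "refused:", is_refused("applicant-A", "1000002", day))
    # Hardened handler: the owner gets their own record once it is released.
    print("owner on release day:", decision_page_hardened("applicant-B", "1000002", RELEASE_DATE))
    print("sessions to review:", audit_log(SAMPLE_LOG))
```

Both checks live in the handler rather than in the link structure: keeping the URL secret (the only protection the thread describes) is not an authorization control, and the audit shows that once ownership is recorded, a session asking for a foreign id is trivially visible in ordinary access logs.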
Dear Ben,
Thanks for yet another thoughtful note. Let me accept for the sake of argument the "OPEN by default, notify when private" standard, which, I agree, has much to recommend it on the web. Given that standard, it seems to me that we differ on how to interpret "notify." I hear you saying that "notification" requires blocking, that since ApplyYourself had the option of blocking access but didn't exercise it, that made the space OPEN. I don't think that is tenable. I always have the option of locking my office door, for instance, but during the day, even when I'm out, I usually don't lock it. That doesn't make my office public, since, as you correctly point out, the default on my office is CLOSED. But under your standard, notification can also make a space private.
At another extreme, I agree that simply pointing your browser at a URL is not -- absent more -- taking without asking. One can always point someplace unintended via a simple typo, for instance, and that raises no ethical issues. (A claim that I wandered into someone's home by accident, on the other hand, is somewhat less credible.) Or one can simply be told by a friend of a particularly interesting URL and go there without raising ethical issues, even if the author intended that URL to be private. What matters under your standard is whether you or your friend were notified that that URL was intended to be private.
Now let's turn to the case at hand. As I said above, one useful way to frame the issue is to ask what constitutes "notification." We agree, I think, that if ApplyYourself had denied access when a browser was pointed to the relevant URL, that would constitute "notification" that the URL was intended to be private, and any further actions designed to gain access would, at least, raise ethical issues. But in fact applicants were notified that decisions would not be released until April 4, and the URLs used to reveal decisions were kept secret until then. This surely constituted more than adequate notification that these URLs were CLOSED until April 4. Moreover, the posted instructions had the cute line "thank you applyyourself for bad code." That seems to me a crystal-clear signal that following those instructions would exploit an error made by ApplyYourself -- a failure on their part that seems to me exactly like my failing to lock my office door. Applicants had been told the decisions were not public and then told that access to them had not been adequately blocked. (Keeping the URLs secret served to block access by most people, of course.) Surely this constitutes more than ample notification that access was not authorized until April 4. I don't think a system can work in which failure to bar normal browser access by itself constitutes failure to notify; clear notification provided in other ways must count as notification under your standard.
Look at it another way. MIT Sloan did in fact protect the relevant information; it appears that HBS relied on ApplyYourself and thus did not. It is hard for me to see an ethical difference between those who tried to learn about our decisions and failed and those who tried to learn about HBS decisions and may have succeeded. Both tried to access a URL containing information they had been told was private until April 4. I do not see why the folks who came after our decisions have any different standing than those who tried the HBS URLs; they all had the same information about what was CLOSED, and they all nonetheless attempted access.
You are right in suggesting that this implies that if I tell applicants that decisions will be revealed on April 4 via a phone number to be kept secret until that date, and if somebody (somehow) discovers and broadcasts that number, I would consider calling that number in advance to be an ethical violation -- whether the system malfunctions and gives the decisions or not.
Finally, for the record, those who have taken me to task for calling what the applicants did "hacking" are right as that term is generally used -- except, perhaps for the person who found the URL and posted the instructions. But that doesn't make it right.
Dick
PS: I haven't copied The Tech either, though I'd be happy for this pair of mails to be made public if (and only if) you and your colleagues think it would be useful to do so. The conversation around us shows no sign of slowing down...
Hi,
thank you for the well thought-out letter. Naturally, I have some thoughts in response :).
First, I think we all agree that the outcome of an applicant's attempt (whether or not he learned his admission status) is not relevant: it's the act of visiting the URL that is in question.
> Now let's turn to the case at hand. As I said above, one useful way to frame the issue is to ask what constitutes "notification." We agree, I think, that if ApplyYourself had denied access when a browser was pointed to the relevant URL, that would constitute "notification" that the URL was intended to be private, and any further actions designed to gain access would, at least, raise ethical issues. But in fact applicants were notified that decisions would not be released until April 4, and the URLs used to reveal decisions were kept secret until then. This surely constituted more than adequate notification that these URLs were CLOSED until April 4. Moreover, the posted
This seems, upon initial consideration, to be a pretty good standard. Perhaps it even is the "right" one: let's say for now that the act of _attempting_ to learn one's admission status _before_ the announced date is unethical. (I won't get into whether this is a reasonable standard that applicants would be expected to know and understand.)
But consider the applicant who calls the admissions office on April 3, asking if she has been admitted. Even if the staff rightfully rebuffs her attempt (after all, the success or failure of the gambit isn't relevant), has she been unethical? Even if so, would her admission be summarily denied?
Suppose further that there's a brand-new employee, let's call him Joe, in the admissions office. Joe hasn't been briefed on the notification date. Our eager applicant calls up the office, gets Joe, asks about her admissions status, and Joe tells her. She suggests that her friends also call up the office and "ask for Joe, he'll tell you, even though it's not April 4 yet." Are these applicants being unethical? Maybe yes, maybe no -- certainly under our strict standard, yes. But would these applicants be denied admission? I have my doubts.
Not to disparage some other well thought-out analogies, but it seems to me that the URL-twiddling process is very much like calling up and asking for Joe.
> You are right in suggesting that this implies that if I tell applicants that decisions will be revealed on April 4 via a phone number to be kept secret until that date, and if somebody (somehow) discovers and broadcasts that number, I would consider calling that number in advance to be an ethical violation -- whether the system malfunctions and gives the decisions or not.
Fair enough. This is at least consistent with the standard. But I wonder whether you'd actually use the caller-ID list for that phone number and deny admissions.
We all see where this is going: was the punishment too strict? It seems to me that the punishments for "on-line" violation of this ethical standard should be roughly commensurate with an analogous "off-line" violation -- once an analogous off-line violation has been established.
I think I have made a strong case that the proper "off-line" violation is not picking an office lock, nor sneaking into your office (which you've accidentally forgotten to lock one afternoon), but it *is* calling and asking for Joe. And therefore the proper punishment might be something like a small demerit to one's application, a stern warning about one's expected conduct while enrolled in Sloan, or possibly nothing at all.
best,
-Chris
Hello Christopher,
Thanks for yet another interesting and thoughtful communication on this matter. I'm drowning in analogies suggested by my correspondents on this, but I do agree that if there was an ethical violation here (I think there was; you sound uncertain), the offense was not grave -- well short of a felony. Certainly if an enrolled student did something of the same sort, I would not advocate expulsion. The question you pose at the end is probably the one on which I spent the most time: what's the right penalty for an applicant? When lots of folks are upset about business ethics and looking for schools like Sloan to do something about it, I believe that doing nothing would not have been acceptable. We don't have a highly structured disciplinary system (which is fine by me, by the way) that would enable us to make "admission with a warning" meaningful. Some schools did, in effect, announce a slight demerit policy -- "we will take this into account" -- and we thought hard about that. Stanford asked everyone to explain themselves, and this is presumably the same sort of thing -- with the requirement of writing another essay. I'm not prepared to say that these others were too lenient, though that is what I have come to believe, and I'll bet if you ask their deans, they would not be prepared to say that we and Harvard were too tough. This was a hard call for everyone.
For the record, there were tougher responses that we could have made but didn't seriously consider: banning the applicants for life (instead of one year), sending their names to all MBA programs, or, on some basis or other, taking legal action. Also for the record, averages suggest that we probably would have admitted at most a half-dozen of these applicants, and they would all almost certainly have been admitted somewhere else as well. The actual consequences thus are not as serious as they might appear.
Dick Schmalensee
(Note: this email was meant to be sent early this week, but I've been sick since then.)
Dean Schmalensee,
This discussion has been very productive: thanks again for taking the time to make it so. We are more than happy to publish this discussion in its entirety in any forum that seems appropriate. We agree with a number of your statements, in particular that notification is the key issue here and that, had ApplyYourself put the simplest of blocks on that page, attempts to bypass it would raise ethical questions. Where we seem to disagree is on the requirements of a well-formed notification.
Consider the proximity of the notification to the act it governs. If one is supposed to consider all means of trespass notification when accessing a web page, no matter how temporally or physically distant from the act in question, then the result is clearly a web that is closed by default: how could someone take the risk of visiting a URL if they hadn't read the entire fine print of the application guidelines? The notification should be proximal enough that a reasonable, honest person cannot miss it at the time of the action.
Consider, also, the target of the notification. Your letter to students said "results will not be available until April 4th." It did not say "do not visit this URL until April 4th." Many schools post results earlier than their advertised deadline. A reasonable person could easily conclude that visiting this URL is nothing more than checking if the results date has been moved up. Such an interpretation is even supported by the way you and your staff interacted with the ApplyYourself web site: you didn't use it as a place to store in-progress decisions, only as a place to post final results.
All in all, such notification does not ensure that a reasonable, honest person will be aware of it. It seems to us, then, that although some applicants may have understood the notice (particularly the ones who read the complete, original, online instructions, including the last ominous line you quote), many of them may be innocent and completely well-meaning.
That said, if this is where we remain stuck, we have still had a very constructive discussion concerning the nature of online notice. We would like to reiterate our thanks for your time and detailed responses: whatever the outcome, it is clear that you've given this issue and its many debaters genuine in-depth consideration.
Ben Adida
David Liben-Nowell
Abhi Shelat
Ben,
Sorry you were sick; glad you've recovered.
I think your latest thoughtful note describes our disagreement well. I find it hard to believe that anybody in our applicant pool, with significant non-academic work experience, didn't know they were attempting unauthorized access, while you believe this may well have happened.
Just a couple of points, though. I don't think any notification does the trick; this is where lawyerly notions of reasonability would come in were we in court. And this is where you and I would have our debate. We didn't say "don't visit this URL," since that would have been dangling temptation in front of applicants. Instead, the ApplyYourself system keeps the URL secret -- an indication, surely, that you're not intended to use it. It seems Harvard may have posted results earlier, but this is (pardon yet another analogy) like printing the letters as they are written, before they are mailed. It doesn't imply authorization.
Finally, it really was hard to miss that last line in the instructions, and that really cinched it for me.
Thanks in any case for an interesting conversation. I appreciate your kind words and your recognition that we did not lash out reflexively but, right or wrong, proceeded in a thoughtful manner.
Dick
PS: I'm happy if our entire interchange gets published somewhere, and I'm also happy if it never sees the light of day. Most conversations, even good ones, don't make it into print.