Posted by Orin Kerr:
Is the Alleged B-School "Hack" Bogus?:
I have been getting lots of mail from techie friends and VC readers
about the recent hacking incidents by applicants to a number of top
business schools. I first posted about the incident [1]here. Harvard
and MIT took the matter sufficiently seriously that they decided to
[2]deny the applications of those involved. The odd thing is, it
increasingly seems like the applicants may have done nothing wrong.
The alleged "hack" may be no hack at all.
I have looked for a good technical explanation of how the alleged
intrusion occurred, and the best I have come up with is a post at
[3]Philip Greenspun's blog. According to Philip, this is what
happened:

    The ApplyYourself code had a bug such that editing the URL in the
    "Address" or "Location" field of a Web browser window would result
    in an applicant being able to find out his admissions status
    several weeks before the official notification date. This would be
    equivalent to a 7-year-old being offered a URL of the form
    http://philip.greenspun.com/images/20030817-utah-air-to-air/ and
    editing it down to http://philip.greenspun.com/images/ to see what
    else of interest might be on the server.

    Someone figured this out and posted the URL editing idea on the
    BusinessWeek discussion forum, where all B-school hopefuls hang out
    and a bunch of curious applicants tried it out.

If this explanation is accurate -- and several correspondents have
suggested to me that it probably is -- it means that the applicants
didn't actually do anything that could reasonably be described as
"hacking in" to a computer. As I understand it, the ApplyYourself
computer had effectively posted everyone's admission decision on the
web, just without broadcasting the URL. The applicants then followed
the advice posted on the BusinessWeek discussion forum on how to find
the public webpage that listed (or would eventually list) their
admission decision. No one hacked into anything. The applicants just
visited a public website.
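
Added example, not part of the original post and not ApplyYourself's code: a hypothetical decision-page handler that relies only on the URL being unannounced, as described above, next to one where the server itself checks who is asking and whether the release date has passed. The path layout, applicant ids, decisions and release date are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data: ids, decisions and release date are hypothetical.
RELEASE_DATE = date(2005, 3, 30)
DECISIONS = {"1001": "admit", "1002": "deny"}

@dataclass
class Request:
    path: str                         # e.g. "/decision/1001"
    session_applicant: Optional[str]  # id bound to the login session, if any
    today: date

def applicant_from_path(path: str) -> Optional[str]:
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "decision" and parts[1] in DECISIONS:
        return parts[1]
    return None

def serve_unpublished_url(req: Request):
    """Behaviour as the post describes it: the page is served to whoever
    requests the URL; the only barrier is that the URL was not announced."""
    applicant = applicant_from_path(req.path)
    if applicant is None:
        return 404, "not found"
    return 200, DECISIONS[applicant]

def serve_with_access_control(req: Request):
    """Same page, but the server decides who may read it and when."""
    applicant = applicant_from_path(req.path)
    if applicant is None:
        return 404, "not found"
    if req.session_applicant is None:
        return 401, "login required"
    if req.session_applicant != applicant:
        return 403, "not your record"
    if req.today < RELEASE_DATE:
        return 403, "decisions not yet released"
    return 200, DECISIONS[applicant]

if __name__ == "__main__":
    early = Request("/decision/1001", "1001", date(2005, 3, 2))
    print(serve_unpublished_url(early))
    print(serve_with_access_control(early))
```
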
This raises two questions: First, was visiting the website in this
way a crime? And second, were the business schools justified in
rejecting people who had done it? On the legal question, I think the
answer is "no." The basic crime here is unauthorized access to a
computer; the federal government and all 50 states have such laws. It
just so happens that I recently wrote a [4]70-odd page law review
article on how to interpret these statutes. To make a long story
short, the cases interpreting these statutes are all over the map, but
I am fairly confident that no court would hold defendants criminally
liable under them for visiting a public site in the way they did.
As for whether the business schools were right, their response
certainly seems like an overreaction to me. My guess is that the
admissions people read the press reports and believed that the conduct
was quite different from what it now seems to have been. If my
technical understanding is right -- still just an assumption at this
point -- it seems rather odd to deny someone a spot at Harvard
Business School for visiting a public web page.
References
1. http://volokh.com/archives/archive_2005_03_06-2005_03_12.shtml#1110249620
2. http://www.techweb.com/wire/security/159400097
3. http://blogs.law.harvard.edu/philg/2005/03/08
4. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=399740