October 4, 2022

Harvard Business School Boots 119 Applicants for "Hacking" Into Admissions Site

Harvard Business School (HBS) has rejected 119 applicants who allegedly “hacked” into a third-party site to learn whether HBS had admitted them. An AP story, by Jay Lindsay, has the details.

HBS interacts with applicants via a third-party site called ApplyYourself. Harvard had planned to notify applicants on March 30 whether they had been admitted. Somebody discovered last week that some applicants’ admit/reject letters were already available on the ApplyYourself website. There were no hyperlinks to the letters, but a student who was logged in to the site could access his/her letter by constructing a special URL. Instructions for doing this were posted in an online forum frequented by HBS applicants. (The instructions, which no longer work due to changes in the ApplyYourself site, are reproduced here.) Students who did this saw either a rejection letter or a blank page. (Presumably the blank page meant either that HBS would admit the student, or that the admissions decision hadn’t been made yet.) 119 HBS applicants used the instructions.
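The gap described above is that a login was the only check between an applicant and a letter stored ahead of the release date. The sketch below is an added example, not code from the original post or from ApplyYourself: it contrasts that behaviour with a server-side gate that checks ownership and release time, answers identically before release whether or not a letter exists, and records each request against the authenticated session. The function names, applicant ids, release time and the idea that a request names an applicant id are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample data; the release time and applicant ids are placeholders.
RELEASE_AT = datetime(2030, 3, 30, 9, 0, tzinfo=timezone.utc)
NOT_AVAILABLE = "Your decision is not yet available."

@dataclass
class Letter:
    applicant_id: str
    body: str

# "a100" already has a stored rejection; "a200" has no letter stored yet.
LETTERS = {"a100": Letter("a100", "We regret to inform you ...")}
AuditLog = List[Tuple[datetime, str, str, str]]

def letter_unlinked_only(session_user: Optional[str]) -> str:
    """Behaviour the post describes: login is the only check, so the stored
    letter is served early and an empty page is itself a signal."""
    if session_user is None:
        raise PermissionError("login required")
    letter = LETTERS.get(session_user)
    return letter.body if letter else ""

def letter_gated(session_user: Optional[str], requested_id: str,
                 now: datetime, audit: AuditLog) -> str:
    """Server-side gate: owner check, release-time check, uniform early reply."""
    if session_user is None:
        raise PermissionError("login required")
    if requested_id != session_user:
        audit.append((now, session_user, requested_id, "denied-not-owner"))
        raise PermissionError("not your letter")
    if now < RELEASE_AT:
        # Same reply whether or not a letter exists, so nothing leaks early.
        audit.append((now, session_user, requested_id, "denied-before-release"))
        return NOT_AVAILABLE
    letter = LETTERS.get(requested_id)
    audit.append((now, session_user, requested_id, "served"))
    return letter.body if letter else NOT_AVAILABLE

if __name__ == "__main__":
    log: AuditLog = []
    early = datetime(2030, 3, 20, tzinfo=timezone.utc)
    print(letter_unlinked_only("a100"), "|", repr(letter_unlinked_only("a200")))
    print(letter_gated("a100", "a100", early, log), "|",
          letter_gated("a200", "a200", early, log))
    print(log)
```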

Harvard has now summarily rejected all of them, calling their action a breach of ethics. I’m not so sure that the students’ action merits rejection from business school.

My first reaction on reading about this was surprise that HBS would make an admissions decision (as it apparently had done in many cases) and then wait for weeks before informing the applicant. Applicants rejected from HBS would surely benefit from learning that information as quickly as possible. Harvard had apparently gone to the trouble of telling ApplyYourself that some applicants were rejected, but they weren’t going to tell the applicants themselves!? It’s hard to see a legitimate reason for HBS to withhold this information from applicants who want it.

As far as I can tell, the only “harm” that resulted from the students’ actions is that some of them learned the information about their own status that HBS was, for no apparent reason, withholding from them. And the information was on the web already, with no password required (for students who had already logged on to their own accounts on the site).

I might feel differently if I knew that the applicants were aware that they were breaking the rules. But I’m not sure that an applicant, on being told that his letter was already on the web and could be accessed by constructing a particular URL, would necessarily conclude that accessing it was against the rules. And it’s hard to justify punishing somebody who caused no real harm and didn’t know that he was breaking the rules.

As the AP article suggests, this is an easy opportunity for HBS (and MIT and CMU, who did the same thing) to grandstand about business ethics, at low cost (since most of the applicants in question would have been rejected anyway). Stanford, on the other hand, is reacting by asking the applicants who viewed their Stanford letters to come forward and explain themselves. Now that’s a real ethics test.


  1. Whatever says:

    If there was a breach of ethics, it was committed by HBS, which failed to balance its desire to fill its class roster against the needs of its applicants to get on with their lives.

  2. The UK’s Computer Misuse Act says something along the lines that in order to define an act as unauthorised access, you must tell the person committing the act that unauthorised access is prohibited. I forget the exact wording.

    I know that UK law isn’t applicable to a US case, but it’s an intelligent principle: if Harvard had, at any point, told applicants that they should not be accessing this data, then the students’ actions were unethical and Harvard has a perfectly strong case. Irrespective of how, why or when the access took place.

    Does anyone know if Harvard ever made clear that this data was confidential?

  3. Is a file available on a server using the “right” URL equivalent to a file on a shelf in an open library, or a piece of beef dropped on the floor? If so, then the bar for secure administration of servers–especially by ordinary citizens–just got raised substantially. I daresay there’s a lot of private stuff out there on the shelves of the world’s “libraries” right now….

    Of course, that’s not to say that such files are the equivalent of an unlocked filing cabinet in an unlocked storage room, either. The problem with all these analogies is that they compare an unfamiliar situation with a familiar–and therefore fundamentally different–one. As a society, I don’t think we’ve decided yet what accessing a file unintentionally made available on a server is “like”. It’s therefore worth considering not just our own intuitive analogies, but also the broad social consequences of those analogies. I’m not sure it’s a good idea to declare that everybody’s server is by definition fair game for exploration, and that anything found there is effectively public.

    Ed has suggested considering “harm” as a criterion, which certainly seems relevant–learning one’s own admissions status at a university is less disturbing than, say, learning all the students’ credit card numbers and SSNs. He also mentions the issue of whether the students knew they were breaking the rules–a less useful criterion, I think, since it seems so dependent on the “harm” criterion. After all, even if someone didn’t know it was “against the rules” (by whatever definition) to harvest credit card numbers from a server, the obvious potential damage such an action could do should suffice as a “red light”. (And conversely, a harmless action is harder to punish even when the perpetrator knows it’s against the rules–especially if he or she can give a plausible justification for it.)

    The one criterion that I’m fairly confident should not be used is the ultimate ease of obtaining the information. If information can be obtained from a server by any means, no matter how obscure, then it’s still highly likely that someone can write a program to do it, and obtaining the information will therefore be–for some people, at least–as easy as running a program given to them by someone else. I don’t believe that that should be a mitigating factor in determining whether such an action was acceptable behavior.

  4. QrazyQat says:

    Here’s a thought: why is secrecy so widespread in academia? Why shouldn’t the admissions process be fairly transparent for the applicant? Why shouldn’t you be allowed to see the status of your application, much like tracking your package at FedEx, UPS, or the post office (Canada Post, at least — I don’t know about the USPO)?

  5. When you drop a piece of meat on the floor, do you euthanize the dog because he dared to sniff it? I like Stanford’s response, much more appropriate.

  6. re obvious analogy

    Change unlocked storage room to open library, and then the analogy fits.

  7. An obvious analogy: suppose that a website had posted the information that the admissions results were filed in an unlocked filing cabinet in an unlocked storage room in the university administration building, and thus readily accessible to anyone who cared to look. Would it have been acceptable for the students who read this information to walk into that storage room, open the filing cabinet, find their own file, and read their own results?

    I actually don’t know the answer to that question, either according to the law, or the regulations of any particular university, or the moral code of any particular established moral system. But I’m quite confident that the answer hinges on considerations that go well beyond how easy it might have been for students to walk in and read their file.

  8. Perhaps they are selecting for “incurious” candidates.

  9. Ed,

    Indeed, I didn’t remember that you had spoken out about this before — or I’d at least have referenced it (adding to the irony?). But it’s pretty sad that colleges haven’t learned the lessons of relying on security through obscurity or shared not-so-secret secrets.


    Nice comment.

    My guess is that one or more of the affected students will appeal, and the summary rejections will be retracted. But let’s see….

  10. If a web site TELLS me how to go about getting to a piece of information, I have not broken any ethical boundaries by going to that information.

    The schools are guilty of an ethical violation because they are abusing positions of power to punish others in an attempt to cover up their own folly. That is a sin.

    Hacking? Cracking? This doesn’t rise anywhere near the level of a script kiddie. Modifying URLs is a standard and accepted practice of navigating the web. If the web site doesn’t want the viewer to be able to take such actions, then it is the web site’s duty to prevent it. There are no laws against or ethical violations in modifying a URL by hand rather than via built-in HTML in a page.

  11. What I take away from this story is that Harvard (+ other schools involved) is looking only for students who have no innate curiosity and no desire to test the boundaries of any situation, and also that Harvard have displayed a lack of understanding of modern technology business practices.

    This does not make me value Harvard Graduates too highly.

  12. Fred,

    My very first post on this blog was about the Princeton/Yale admissions “hacking” story. What happened there was much worse, since the perpetrators were accessing the admissions results of other people (without their permission). Of course, Princeton ultimately punished the people who did it.

  13. I find a certain irony in this discussion occurring on a Princeton blogsite. Wasn’t it the Princeton admissions office that used something similar to break into Yale’s admissions website a couple of years ago, when they learned something they had access to (SSNs?) granted access to the info?

  14. Anonymous says:

    Ah, sorry, I just read the AP article and it says that MIT followed suit. I’m unable to find the official MIT announcement however. :-/

  15. Anonymous says:

    Just wondering, where did you read that MIT followed the same steps as HBS? Your article reads “As the AP article suggests, this is an easy opportunity for HBS (and MIT and CMU, who did the same thing)”

    As far as I know, and I’ve been trying to read everywhere about it, MIT has not made an official/public announcement as to what their decision is.

  16. Consider the privacy expectations of the applicant: does ApplyYourself provide tools to analyze an applicant’s usage of the service or give access to an applicant’s log file? What about drafts or changes in the application?

    I think that most applicants presume that the only thing that gets transferred to the school is the final application!

  17. In my opinion those who hadn’t attempted to access other users’ info should not be punished in any way.
    Even independently if people intentionally or unintentionally accessed info about themselves.
    Because it really can happen that someone wants to access a page by copy-pasting-modifying the url of his/her browser.
    So, anyone who accessed only page about him/herself and appealing that it was unintentional those should be relieved about this case. And the schools MUST believe that explanation even the access was 10 minutes after the critical post into the forum. Because even in such case really NOTHING and NO ONE can prove that whether it was a software failure of a specific browser failure or it was really intention of the user to access that webpage.
    Not to mention if a “publicly” accessible web page does not mention with huge size font that access is really prohibited to that specific page.
    So, that’s all about the opinion of ethic professors…

  18. waflorek says:

    The URI(L?) reconstruction via view source et al`s is a very old pretty well
    known & fairly simple trick, logged-in or not, that I would rate
    barely at, or just below “script kiddie” level. A brief glance at
    ApplyYOselfs’ site reveals quite a few common problems with
    their..ah-hum..”security policy”<?>
    Maybe their webmaster/security personnel were off for the week? Or
    were recently defectors from ChoicePoint? Bruce (Schneier) should get a
    chuckle outta’ this one.

  19. Brian Srivastava says:

    I wouldn’t think giving out acceptance letters in a staggered fashion like you do for grad students (who have supervisors and such)

    From the school’s perspective you don’t want to give some people acceptance and have your other applicants assume they aren’t getting in, and take the first offer they get, because that will leave you without a full load of students. You also may want to change your mind later if you just happen to have a stack of really good or bad applicants on the bottom of the pile.

    I’m not sure this is an ethical violation though. When I applied to grad school I was told I would receive a letter but that my acceptance would be online first. To the extent that I found out I was accepted August 20th (to start Sept 1). I moved out to the institution and was into my classes before the letter itself arrived, at my house a time zone behind, so if the applicants didn’t know they would receive notice on the 30th, and no earlier there is no reason for them to know this isn’t just their letter before it arrives in the mail.

  20. Apparently the letters were available only to students who were logged in to the site. As far as I can tell, it was not possible to access a student’s letter without that student’s username and password.

  21. How is the school determining who did and who did not access the rejection information? If it’s simply a matter of “this student’s file was touched; that student’s was not”, then isn’t it the case that a malefactor could sabotage a student’s acceptance by using the URL to access the letter?

    And couldn’t an applicant (or friend of an applicant) simply touch everyone’s letters, so that there would be no way to distinguish between the alleged hackers and other students?

  22. I wonder: did ANY of the applications write to the grad school as follows:

    “As per this web story, you have probably already decided whether to admit me to your school, but have not sent a notification to me. If that is the case, I request that you notify me right now. Like any business-worthy candidate, I want to plan accordingly, and my time is worth money.”
    – PB

  23. Cypherpunk says:

    I could see reasons for sending out all the letters at once, rather than quickly rejecting the obvious failures, and only later rejecting the ones who just barely missed the cut. Doing so would increase the tension and pressure on those who had not yet received their letters, and increase their disappointment when they didn’t make it. It also is somewhat disparaging to the people who receive instant rejections. Notifying everyone at once eliminates these extreme reactions and may actually make things easier on the applicants.

  24. Matthew Ernest says:

    Something that I have not yet heard about is if there was any criteria used other than a student’s letter was accessed. Surely, with such a sloppy “security” arrangement there must be some reasonable way of a letter being accessed by a third party.