News your connection to The Boston Globe

Divide grows on treatment of students in online breach

A small backlash has formed against the business schools of Harvard and some of the nation's other most prestigious universities for denying admission to more than 200 applicants who used a loophole devised by a computer hacker to peek at their admission files.

Last week, Dartmouth's Tuck School of Business, dissenting from Harvard's stern reaction to the digital trespassing, said it had accepted at least a few of the electronic intruders.

For administrators at Harvard, MIT, Duke, and Carnegie Mellon, the attempts to view confidential data this month were the electronic equivalent of breaking and entering, wholly unworthy of the future captains of American commerce. But others see the online breaches as a victimless crime by overeager young people accustomed to copying and pasting links onto websites. The contrasting reactions may expose not only a generational divide in Internet etiquette but also increasingly divergent mores in the physical and virtual worlds at a time when free downloading of music and open-source software is commonplace.

''In a lot of these cases, it hadn't crossed their minds this was a problem," said Lauren Weinstein, cofounder of People for Internet Responsibility, a California advocacy group. ''They weren't trying to change information; they were just trying to see if they were accepted. The reaction of Harvard and the other schools that are making a blanket judgment is out of proportion. It amounts to grandstanding."

The debate, rippling through e-mail, chat rooms, and news media, has divided deans of the nation's elite business schools, and students as well. Nearly 70 percent of 420 current students responding to a survey by a Harvard Business School online publication agreed with the actions taken by school administrators, but almost a third disagreed.

Nell Minow, who specializes in ethics at the Corporate Library, a Washington research firm, said the paramount responsibility of business schools in the aftermath of the recent spate of financial abuses is to set a strong example for future corporate leaders.

''You need to draw a bright line to remind everyone that this is an ethical violation," Minow said. ''As centers of learning, these schools have a responsibility to teach through their actions as well as classes."

Five days after learning of the violations, Harvard said it would deny admission to all 119 applicants who had sought an early look at their files. MIT's Sloan School of Management followed suit, rejecting 32 applicants. Carnegie Mellon and Duke University took the same position; each had one file violated.

Stanford's Graduate School of Business and Dartmouth took a different tack. Both said they would consider applicants who tried to glimpse their files -- 41 at Stanford, 17 at Tuck -- on a case-by-case basis, asking them to come forward and explain what they had done and why. In acknowledging it had accepted a few transgressors, Tuck last week said it had determined their actions, while wrong, did not rise to a level that would bar them from the school. Stanford is to notify applicants of its decisions Thursday.

Ethicists say the answer is not clear-cut. Robert A. G. Monks of Portland, Maine, a specialist in corporate governance who has criticized business schools in the past for ignoring ethics, said the incident is ''being taken just too bloody seriously" by Harvard and others. ''I wonder if you want 20-year-old kids traumatized for life over this," he said.

Management professor Sandra Waddock, senior research fellow with the Center for Corporate Citizenship at Boston College's Carroll School of Management, said she sides with Harvard, because ''if we don't send the message, we'll get more Enrons and WorldComs." But Waddock admitted, ''I think it's a close call. In the Internet culture, there are a lot of people who probably wouldn't understand that this is wrong."

That appeared to be the case March 2, when an anonymous hacker known as ''Brookbond" figured out how to tap into admission files through ApplyYourself, a Web-based processing system used by business schools to receive applications and post decisions.

The hacker displayed the directions a little after midnight on BusinessWeek's message board, a forum for business-school applicants. Brookbond's message suggested Harvard applicants follow eight steps to see whether they had been accepted. Some saw preliminary decisions; others saw blank screens. The how-to also was followed by applicants to other schools, some of whom also applied to Harvard. By 10 a.m., ApplyYourself, a Fairfax, Va., firm, closed the loophole, but by then it had an electronic record that at least 211 applicants around the globe tried to glimpse admission files at a half dozen schools.

Two applicants to Harvard, speaking on condition of anonymity so as not to jeopardize their chances of attending other schools, said they followed the hacker's instructions and found only a blank screen in their files. Both said they had seen Brookbond's posting while checking out the message board at night on the West Coast and had no sense they were doing anything wrong. Working from their homes, they said, they did not think of it as breaking and entering.

On March 5, one of the applicants, a Los Angeles college student, received an e-mail from Harvard reading, in part, ''We have been informed by ApplyYourself Inc. that your PIN [personal identification number] and password were inappropriately used to access admissions information." A previously scheduled interview with Harvard admissions officers was canceled.

The other applicant, a California investment banker, also had her Harvard interview canceled. ''It's kind of like being given a death sentence," she said. Both have also applied to Stanford and sent its admission officers essays explaining their actions. They are awaiting Stanford's decisions this week.

When they learned of the breaches, the schools immediately deplored them. Carnegie Mellon's Tepper School on March 4 became the first to declare it would reject an applicant who had sought to access his file. Then, on March 7, Harvard weighed in.

''This behavior is unethical at best," Harvard's dean, Kim B. Clark, said in a statement, ''a serious breach of trust that cannot be countered by rationalization. Any applicant found to have done so will not be admitted to this school."

Clark, in an interview that day, said rejected applicants would be permitted to reapply in future years. But he also said Harvard would review the hacking incident in considering those applications.

MIT and Duke's Fuqua School soon embraced Harvard's position. But on March 14, Stanford's business school dean, Robert L. Joss, outlined a more nuanced approach: ''In the best case, what has been demonstrated here is a lack of judgment; in the worst case, a lack of integrity. However, Stanford will neither make a collective decision on individual applications nor issue a broad statement on specific cases."

Joss said Stanford had resisted ''external pressure" from alumni and others to make a statement of automatic denial. In an interview, he defended Stanford's ''individualized approach." But he also said ''it's pretty unlikely" the school will admit any of the 41 applicants.

Dartmouth's Tuck School was the last to make its position known. It did so March 17, days before it was scheduled to issue its decisions. ''The involvement in this incident was deemed a very important, negative factor, but only one of many factors in our admissions decisions," wrote Paul Danos, the Tuck dean.

In an interview, Danos said, ''It would have been a lot easier to take a blanket negative approach. But that's not the way we do things."

The raging debate has not only been about which business schools got it right, but also about the definition of hacking, whether the schools or ApplyYourself bore some responsibility for deploying computer software susceptible to security breaches, and the chances for successful lawsuits by business schools or by rejected students.

At MIT, computer science professor Philip Greenspun posted an entry on his weblog questioning the reaction of Harvard and MIT. ''B-schools are degrading the term 'computer hacking' " by applying it to this situation, Greenspun wrote, faulting schools for outsourcing the processing of applications. Weinstein penned a New York Times op-ed piece suggesting pronouncements such as those from Harvard's Clark ''make Dean Wormer from 'Animal House' seem almost reasonable."

Neither Harvard nor MIT is backing down. ''It's analogous to what our faculty have found to be at the heart of some of the recent corporate scandals," said David R. Lampe, a Harvard spokesman. ''Someone makes a small and seemingly innocent decision that tests the limits of an accounting rule, and down the road they find they have stepped off the path."

Robert Weisman can be reached at

Today (free)
Yesterday (free)
Past 30 days
Last 12 months
 Advanced search / Historic Archives