Breaking into a University's Computer System to Inquire about One's Admission Status into a Graduate Program
Can breaking into a computer system ever be justified? Do all computer break-ins result in harm, as some have argued? What about an individual who gains unauthorized access to a computer for the sake of finding out some important information about himself or herself, but not for purposes of either gaining information about others or causing any harm to the computer system accessed?
In March 2005, the Dean of the Graduate Business School at Stanford University announced that 41 people who had applied for admission to the school’s MBA program had gained unauthorized access to Stanford’s admissions database. (Similar “break-ins” had occurred at other “top-tier” graduate schools with MBA programs, such as Dartmouth, Harvard, and MIT.) These applicants had learned about a security flaw in the Apply Yourselfsoftware program used by Stanford and other universities in their respective admissions processes. Although the applicants were able to gain unauthorized access to their electronic files, they were not able to determine whether they had been accepted into the MBA program. Furthermore, these individuals were only able to “break into” and view their own files, they did not access any information in the files of other applicants.
One question that has since arisen is whether any privacy violations occurred in this incident. Some applicants who were caught in the break-ins have argued, through their lawyers, that they are not guilty of any such violations. They point out that they viewed only their own files; they were unable to access information for other applicants. Furthermore, some applicants argued, given that the information in the files they viewed was about them, as individual persons, they were the legal owners of that information (regardless of whether it happened to be stored in someone else’s database). From the point of view of these applicants (and their lawyers), no privacy violations had occurred.
Independent of whether any privacy violations technically occurred, it is clear that the security of Stanford University’s computer system was breached. It is also clear that the applicants gained unauthorized access to information in the university’s database. Regardless of whether the information residing in Stanford’s database relates to individual persons, that information resides in a proprietary database that is not open to public access. Obviously, a computer security violation had occurred in conjunction with the break-in.
Perhaps an analogy in physical space can help us to reflect on some key issues in this incident. Consider the case of Sam, who learns that Sally has a phone directory in her house that contains information about him. Sam breaks into Sally’s house and removes a portion of a page from a phone book that he finds located on a table in Sally’s kitchen. When Sally returns home, she sees that the phone directory on her table is open and that a portion of a page of the directory has been torn out. She decides to call the police, who discover that Sam broke into Sally’s home. Sam is then arrested on charges of breaking and entering. Sam argues that he has done nothing wrong: He simply removed a portion of a page in a phone book that contained personal information about him, which included his name, address, and phone number. Because the information was about Sam as a person-that is, his personal information- Sam argues that he is the owner of this information and that he has the right to do with it as he pleases. In Sam’s view, this right would include going into someone’s private home, if necessary. Not surprisingly, neither Sally nor the police are impressed with Sam’s argument. From their point of view, Sam has violated the law by entering Sally’s home without her permission, regardless of whatever information about him happened to reside there. In this case, a security violation has indeed occurred, irrespective of whether it could be shown that no privacy violation occurred.
Material used in this case description has been extracted from H. Tavani, “The Conceptual and Moral Landscape of Computer Security.” In Kenneth Himma, Internet Security: Hacking, Counterhacking, and Society.Sudbury, MA: Jones and Bartlett, 2007.