Tom Keane columns

A cyberspace break-in is still a break-in

11 March 2005

A friend calls with some news. The IRS agent looking at my tax return has just left his office for the day, leaving the door unlocked. If I want, I can easily stroll in and look at my file. I can learn if I owe more taxes, whether I'm getting a refund or even if I'm targeted for an audit.

Perhaps I turn down the opportunity. Or perhaps, a bit concerned about the deduction I took for those two bottles of champagne at Centerfolds, I follow his suggestion.

Of course, if someone were to discover me, I'm in a heap of trouble.

Apparently, however, if you're an applicant to a prestigious business school and you commit what is morally and functionally the same act, you're stunned when someone gets upset.

The story is as follows. A clever hacker found a hole in a Web site maintained by ApplyYourself, a firm that handles admissions applications for some schools. On March 2, he (or she - no one knows) posted the information on an online forum maintained by Business Week. Within hours, hundreds of students - including 119 Harvard hopefuls - checked on their status.

Calling the students' behavior "a serious breach of trust," Harvard said it would reject all 119. Carnegie Mellon and MIT have done the same. Dartmouth, Stanford and Duke are hemming and hawing but likely will follow suit.

Those who have grown up in today's online world are reacting with a mixture of finger pointing and disbelief. The Business Week forum now contains hundreds of comments. Most think they did nothing wrong. They lay the blame at the feet of ApplyYourself and the business schools for inadequate security. Some, in fact, regard the students' incursions as a badge of honor. They were "eager and curious," says one; "adventuresome and willing to take a calculated risk," says another. Even those who acknowledge an ethical question trivialize it as "minor." Over 80 percent responding to coolsurveys.com say Harvard is overreacting.

The consternation is genuine. Most simply don't understand why their little look-see is such a big deal.

A curious set of ethics has grown up around the Internet. Few would doubt that breaking into a building is a crime. But in the skewed morality of the online world, the mores are different. Hackers, virus writers, spammers and the like engage in constant cat- and-mouse games, pushing and prodding, trying to defeat whatever walls software writers dream up. It's part of the culture; one shared, it seems, even by those who hope to attend Harvard Business School.

That's not the way it should be. Indeed, that's not the way it can be. As Microsoft and others have discovered, there really is no completely secure system. If you don't want to be some hacker's potential mark, all you can do is sever your Internet connection altogether. If that is unacceptable (and it is), then the only available solution is to treat hacking the same way we treat all crimes: By shifting the burden from those who are the victims to those who would victimize.

No one tries to rationalize burglary by saying an alarm system was poorly designed. The same should be true for a database. Private files really are private files. Harvard's records, Paris Hilton's cell phone and Fred Durst's hard drive are all off limits. You can't look, you can't interfere, you can't take, you can't even try to go in. And if you do, you should be punished.

That's what Harvard is doing - putting the onus on the students, drawing a clear and unmistakable line. It's right to do so. The standards that apply in the real world should also apply online: Just because a door is unlocked doesn't mean you may walk in. Ethics on the Internet is not someone else's responsibility, but rather your own.