Hack Me

Yale’s culpability in the Princeton hacking scandal.

Three weeks ago, the Yale Daily News reported that Princeton admissions officials had entered Yale’s admissions Web site 18 times in April, using applicants’ confidential birth dates and Social Security numbers to learn whether they had been accepted or rejected. Princeton Director of Admission Stephen LeMenager took the blame, and Tuesday he was moved to a different job. But it turns out that LeMenager isn’t as guilty as everyone thought, and the more serious violator of students’ privacy is Yale itself.

When the story broke, LeMenager, the first and most senior Princeton official to access the site, told the YDN that his use of the site was “just an innocent way to check out security.” Right, went the CW, and he’s got some snake oil he’d like to sell you. The incentive for Princeton to find out whether its applicants had been accepted to Yale was obvious: It could protect its yield by rejecting or wait-listing students it thought would choose Yale, or it could match or top Yale’s financial aid packages to coveted students. You’d think that someone whose job involves assessing how smart people are would be smart enough to come up with a better alibi when caught red-handed in espionage.

But the cynics had outsmarted themselves. Tuesday, Princeton President Shirley Tilghman released the findings of an independent investigator hired by the university. Yale President Richard Levin applauded the investigation’s thoroughness. After interviews with 19 individuals at Princeton, four at Yale, and one admissions officer from another Ivy who was present at the deans meeting, the investigator found that LeMenager’s accesses were, well … just an innocent way to check out security.

According to Tilghman, Princeton had considered using an online notification system itself but decided against it in part because of security concerns. On April 3—the day after Princeton sent its admissions decisions and financial aid packages out in the mail—LeMenager logged onto Yale’s site, using the birth date and Social Security number of a Princeton applicant who he thought had also applied to Yale. Where he expected to be asked for a password or ID number, he instead found the applicant’s admissions decision. He told Dean of Admission Fred Hargadon and other staff members about the site and showed it to them three times in the next hour using Princeton applicants’ information.

As word spread around the office, admissions staffers used the Web site that afternoon to see whether particular applicants had gotten in. Tilghman said those staffers were looking at applicants whom they had advocated in the admissions process, although it’s likely that a more gossipy interest led them to check the status of presidential niece Lauren Bush. While LeMenager and his subordinates were wrong to break into the Web site and to misuse confidential information, they didn’t intend to act on what they learned and couldn’t have done so, since the mail had already gone out.

LeMenager is being moved to a position outside the admissions office, and the staffers who followed his lead have been disciplined, although Tilghman would not disclose their punishment. Hargadon, who issued an independent apology for not stopping the activity once he became aware of it and for failing to notify higher-ups, was planning to retire after this academic year anyway and will complete his term. These seem to be reasonable decisions about people whose curiosity got the better of their judgment.

But the report revealed that when LeMenager told Yale officials at a May 15 meeting that he had accessed the site—not the move of a man with something to hide—no one at Yale suggested that he had done something wrong. Instead, according to the report, the officials agreed that better security procedures needed to be implemented. Yale prepared a preliminary internal security report in late June on the matter.

No one at Yale called Princeton to follow up—until Yale President Levin called Tilghman to tell her about the accesses the night before the YDN was going to print the story. Tilghman says she knew nothing about the situation until she heard from Levin. The next day, Yale contacted the U.S. Attorney’s office in Connecticut and asked it to investigate, and Yale general counsel Dorothy Robinson called it a “very serious violation,” which it was.

What accounts for Yale’s about-face? The answer is that the story was going to be made public. Although the YDN was reporting wrongdoing on Princeton’s part, the greater wrong was committed by Yale. Princeton violated the confidentiality of a few applicants, but Yale put the admissions decisions of 15,000 applicants on the World Wide Web with nothing but a Social Security number and date of birth to safeguard them. If you knew that information about any Yale applicant, you could have seen whether they’d gotten in.

To steer the media wolf pack away from that story, Yale fingered its rival. When Slate asked Tilghman Tuesday why she thought Yale had gone after Princeton so belatedly and suddenly with its legal and PR guns loaded, she refused to take the bait. She emphasized that Princeton officials had committed serious infractions and that the university would make sure it never happened again. Yale officials should be thankful Tilghman didn’t turn the wolf pack back on them.