Dawson College student Ahmed Al-Khabaz caught nationwide attention last month after his expulsion for hacking into the school’s security system. Al-Khabaz claimed that he did so to check on a security flaw that he had reported weeks earlier, that he had no malicious intent, and had made no attempt to cover his tracks. Debates around Dawson’s decision to issue an expulsion circulated throughout the media and the 20-year-old almost-graduate became something of an icon. He has since received numerous job offers, including one from the company that designed the Dawson system, in a twist not unlike the story of how notorious jailbreaker Nicolas Allegra was hired
While the media covered his story and explored the fairness of his punishment in great detail, one serious problem was overlooked: If a talented college student could easily navigate in and out of the school’s online security system, can students trust the school with their important information? Despite any breach of policy on his part, Al-Khabaz had reported the fault weeks earlier only to find that the vulnerability was not fixed. Al-Khabaz is not the real issue here, and expelling him doesn’t make Dawson better at securing information. To solve the problem we must address it at its core. Institutions must prioritize security, and not react to these situations as Dawson did, leaving a faulty program unfixed for weeks and then expelling the student who tried to help. Substantial delays seem to be a characteristic of bureaucratic structures in Canada and elsewhere, but when it comes to information security, we shouldn’t let habit get the best of us.
The emergence of social media has taught us that there isn’t any real privacy when it comes to the internet. However, that knowledge did not dampen the shock when the world learned of Project Hellfire, a leak of 120,000 records from 100 of the world’s top universities carried out in 2012 by a hacking group called Team Ghostshell. The University of Mumbai’s students were certainly surprised when some had to take re-examinations because the original exam had leaked out. The school must have known that the exam was accessible through the web, and that the web holds no privacy. They took this risk, however, because while privacy may not be a guarantee, security is there to make up the difference.
The money in a bank account isn’t “private money.” It is money shared between the bank and the account owner, and with whomever else the bank might have interactions. Yet people, fully aware of this, still decide to put money in banks; although the money is not private, it is secure. Security and privacy are two different entities and should be understood as such. Having no guarantee of privacy should serve as a reason for more security, and not an excuse for less. This applies to a bank, a school, or any other institution where people’s personal information is at stake.
Some say that what Al-Khabaz did was wrong and deserved punishment. After all, ‘rules are rules’ and if they can be broken without consequence, then why have them in the first place? An increased focus on security, not the expulsion of a student, is the only way for Dawson to protect its students’ privacy.