Yale Accuses Princeton in Hack Attack

Yale University told the FBI on Thursday that fellow Ivy League institution Princeton hacked into its online admissions notification system and looked through student files during the peak college admissions period in April.

Princeton apologized for the snooping, suspended its director of admissions and promised to conduct an internal investigation and cooperate with other investigators.

Yale said Princeton admissions officials used students’ birth dates and Social Security numbers, apparently gleaned from the students’ Princeton applications, to see confidential admissions decisions on 11 students who applied to both universities.

“We got information today from Yale, and we’re in the process of assessing the situation to determine if federal violations occurred,” said Lisa Bull, spokeswoman for the FBI in New Haven.

In some cases, Princeton officials knew before the students whether they had been admitted to Yale. And because of the way the Yale Web site is set up, Princeton’s intrusions made it difficult for the students themselves to go online and learn whether they were in, said Chris Michel, a Northern California senior who is editor in chief of the Yale Daily News. That paper broke the story Thursday.

Neither Yale nor Princeton offered a motive for the snooping, but some speculated that Princeton was hoping to use confidential information on the Yale site to court applicants to Princeton. It wasn’t clear what Princeton might have gained from so few intrusions.

Stephen LeMenager, Princeton’s director of admissions, told the Yale Daily News that the snooping was an innocent way to evaluate the system’s security.

A disclaimer on the site specifically prohibits anyone but the applicant from logging in.

Alexander Clark, a Yale junior who designed the system and conducted a security audit after the unauthorized use was discovered, said the disclaimer was intended to warn off curious parents and guidance counselors. “We certainly did not want anyone accessing the site without the applicant’s prior authorization,” he said.

LeMenager told the Yale newspaper that such concerns were what prompted his office to look on the site in the first place.

At the very least, Princeton violated student privacy, said Dorothy Robinson, Yale vice president and general counsel. No other security breaches were detected.

Marilyn Marks, spokeswoman for Princeton, said the snooping represented “a serious lapse of judgment by at least one member of our admissions staff.... The improper use of information provided to the university in good faith may have affected the ability of students to obtain information about their admission to Yale, something we deeply regret.”

The action stunned many in the college admissions world.

“Isn’t it wild? Can you believe the egg on the face?” said Paul Kanarek, who runs the Orange County chapter of the Princeton Review, which is not affiliated with the university. “Clearly, human nature got the better of human judgment.”

Jonathan Reider, a former Stanford admissions official who is now director of college counseling at a Bay Area high school, said: “There’s tremendous competition from the inside that isn’t apparent from the outside. This is a little crack in that facade.”

Michel, of the Yale Daily News, said officials learned of the snooping when Princeton officials mentioned it at a dean’s conference in June.

A Yale investigation found records of 18 log-ins from Princeton computers from April 3 to 16.

The Web site, which was activated in December for early-decision students and again for two weeks in April for general admission, was used by 1,200 of the approximately 1,500 admitted students. Thousands of other prospective students also used it to find out they had not been admitted.

At the first log-on, successful applicants heard the Yale fight song, “Bulldog Bulldog, Bow Wow Wow.” Students also were invited to list academic and extracurricular interests.

That screen did not pop up after the first log-on, which meant that if Princeton had viewed students’ files first, the students might have had trouble figuring out they had been admitted.

“I think it’s very discouraging as a student,” Michel said. “A relationship between a university and a student is based on trust, not least of which is providing sensitive information, like birth dates.”

The courts have broadly interpreted computer access as unauthorized if the intruder doesn’t have the computer owner’s permission, said Jennifer Granick, litigation director for the Stanford Law School Center for Internet and Society. The fact that the system had a warning makes Princeton vulnerable to a lawsuit, but criminal charges, which require criminal intent, aren’t likely, she said.

*

Times staff writer Rebecca Trounson and Times wire services contributed to this report.