Canadian student expelled for idealistically pointing out security flaws

Hamed Al-Khabaz. Courtesy of Martin Reisch

The recent tragedy of Internet activist Aaron Swartz’s suicide cast the spotlight directly on MIT’s actions in dealing with this case. MIT’s actions were totally at odds with its rhetoric of being a university that believes in open access. More fundamentally, however, it brought into focus how a university differs from any other public institution in supposedly standing for educational ideals, for enquiry and for nurturing the development of students who will go on to change the world for the better.

In this case, ideals were not in evidence and banal corporate practice kicked in. MIT administrators did their jobs unthinkingly, untouched by their context. Although some members of the faculty were opposed to the actions of the University, it seems their voices went unheeded. As a result of the publicity from Swartz’s suicide, however, MIT President L. Rafael Reif launched an investigation into MIT’s role in the prosecution of the young man. It is yet to be seen what MIT will do as a consequence of this other than try to limit further damage to its reputation and, more importantly, limit any consequences for future donations from MIT alumni.

In a case that has parallels with MIT and Swartz, a Canadian student, Ahmed Al-Khabaz, has been expelled from Montreal’s Dawson College for exposing a security flaw in a student system which could have compromised the security of over 250,000 students’ personal information.

The Director of Information Services and Technology at Dawson College initially congratulated Al-Khabaz on finding the flaw and promised that Skytech, the company responsible for the flawed student system Omnivox, would fix the problem.

Two days later, Al-Khabaz decided to check whether the flaw had been fixed by running a website vulnerability testing program called Acunetix. This was detected by Skytech, who contacted Al-Khabaz, asked him to stop the program and allegedly threatened to report the incident to the Canadian police unless Al-Khabaz signed a non-disclosure agreement.

The matter was referred to the administration of Dawson College. Al-Khabaz was interviewed by the coordinator of the program, Ken Fogel, and the dean, Dianne Gauvin. Then fifteen professors of the computer science department were asked to vote on whether to expel Al-Khabaz, and fourteen voted yes. Any further appeals were refused.

In what is turning out to be a reputational disaster for Dawson College, it bizarrely decided to use Facebook to post a statement about the incident. The College claims that the media reports present only one side of the story and are inaccurate, but that it is not allowed to discuss the details of the case because of student privacy.

Of course, as in MIT’s case, following the letter of the law, they were probably “justified” in expelling Al-Khabaz, and in some ways the student is lucky that the matter has not been referred for criminal prosecution, as in the case of Swartz or others who have tried to point out security flaws on sites.

But that is missing the point. Al-Khabaz was a computer science student putting into practice skills that he had learned at the College that was now expelling him. The intent was not malicious and the consequences for the College and others if the vulnerability had been maliciously exploited would have been severe. There would have been any number of ways the College could have punished Al-Khabaz without resorting to expulsion. It is also not clear that everyone who was asked to vote on the expulsion would have really understood the nuances of Al-Khabaz’s actions - despite their teaching computer science.

The consequences for Dawson College, however, were immediate. Their website and Skytech’s website have been offline and unavailable all day, ironically probably as a result of someone exploiting a vulnerability in their sites.

An online petition to reinstate Al-Khabaz has been set up and already has 6,827 signatures. Media worldwide have picked up the story and companies are now apparently sending offers of employment to him. This includes an offer from Skytech of a full scholarship to a private college in order for Al-Khabaz to finish his studies.

If Dawson College thought it was making a point or example by expelling the student, it was one that had come about in the absence of any profound thought or consideration of how educational institutions should be teaching a lesson.