Thursday, July 05, 2007

I Know What You Did Last Semester

Attention University of Miami School of Law students: I know your grades.

In a stunning turn of events, the law school has violated the privacy of 1200 students at once. The story takes some explaining, which I will do presently.

Knowing one's grades in law school is less relevant than knowing one's class rank. It is less important to know that you got a B+ than to know that you did better than 90% of the class, for instance, because positions on law review and moot court are apportioned by class rank, and because employers just want to compare you against other students. Class rank is, then, much more important than GPA.

Our GPA was known several weeks ago, when all grades were in and one could easily view those grades via the online system. However, since grades are private, one could not compare those grades to the grades of others, and the important class rank was a mystery. The registrar, defying logic, apparently would take several weeks to calculate class rank. I know, I know - if you have all the grades, like the registrar does, it's a simple matter to input those numbers into a spreadsheet, sort them, and then assign a rank to each. In fact, it's a two-minute job. Doing it by hand, it might take twenty minutes. However, we had to wait. Supposedly.

Then we learned, by e-mail, that the registrar would have the ranks up early. Oh frabjous day! At first, this was a false alarm - some technical difficulty delayed the ranks for a few hours, and a follow-up e-mail informed us of that. But then the third e-mail delivered - a link to a .pdf with class ranks (rank/class size, that size being 400) next to C-numbers. What is a C-number? The university's unique identifier, used for logging in and for other school functions. The number itself is private, unless you are stupid enough to share it with someone else. For law school purposes, it's pretty much your Social Security number. So who would be stupid enough to make that number public?

The school itself...sort of. See, your e-mail address is the last four digits of the C-number, preceded by your initials. Although that information is public (and included in a handy searchable directory for students and non-students alike), the full C-number is still private. But, well, here's the problem. Knowing what someone's name is, I can look up his e-mail address. I then know the last four digits of his C-number, and with that, I can search the .pdf, and as long as that combination is unique (and it appears so), I can know exactly what that person's class rank is.

After having been informed of this catastrophe, the law school took down the .pdf. In its place, they put up another .pdf, this one not having C-numbers at all. Instead, this one simply lists class ranks and the corresponding GPA for that rank. The intention is to maintain privacy - I know now, for instance, that a GPA of 1.5 maps to a class rank of 400. I have no idea, however, who has the 1.5 - the only person who knows that (in theory) is the person who logs into the system and looks at his grades. This appears to maintain privacy.

It doesn't, due to a delicious fluke.

If someone had the original .pdf and saved it, he can still look up class ranks. If he now uses the new .pdf to map ranks to GPA, then this hypothetical evil genius knows everyone's GPA and everyone's class rank.

I won't name this genius. I'll just leave it as a thought experiment.

If the registrar is reading this - you screwed up. Badly. I don't care; in fact, I'm enjoying it. It's thrilling to be able to see the grades of your classmates. I had no idea that (CENSORED) was ranked 392nd, or that (CENSORED), who's a great guy, got 23rd.

Enjoy, guys.


Post a Comment

Subscribe to Post Comments [Atom]

<< Home