Hero or Hacker? Student Expelled After Exposing Computer Software Flaw

Montreal’s Dawson College regrets the day it ever decided there is an app for that.

In September, one of Dawson’s students, Hamed (Ahmed) Al-Khabaz, was working on a mobile application for the school that would allow his fellow students to more easily access their college accounts. By December, Dawson had kicked him out of school, failed him in all of his semester classes and threatened him with legal action. The Province of Quebec has asked him to pay back all of his student loans. And they say Canada isn’t interesting…

Why the forced powering down of this young man’s education?

Omnivox is a computer program that allows students to manage their class load, pay fees and store identifying information, such as “social insurance” numbers, home addresses and phone numbers. The software is used at Dawson and most other General and Vocational Colleges in Quebec, which collectively have more than 250,000 students. It appears that Mr. Al-Khabaz and his classmate, Ovidiu Mija, discovered “sloppy coding” in the Omnivox software, a flaw that put all of those students’ data at risk.

According to Mr. Al-Khabaz, he was operating in plain sight as he designed the mobile app that prompted him to suspect, and try to prove, that the school’s student information system could be breached. Then, acting on what he described as his “moral duty,” Mr. Al-Khabaz says he alerted the college to the flaw. No one disputes that Mr. Al-Khabaz’s discovery prevented a potentially widespread security breach; there is no agreement, however, on whether he acted appropriately post-discovery.

Both sides agree that university officials initially congratulated him on the discovery, thanked him for it, and enlisted him to help fix it. Both sides also agree that, shortly thereafter, Mr. Al-Khabaz ran a software program from his home computer to test if any vulnerabilities remained in Dawson’s Omnivox software. The testing program, called Acunetix, is designed to replicate a hacker’s methodology, and is only supposed to be used with permission from the website being subjected to testing.

It was not the first time Mr. Al-Khabaz had used Acunetix. He had relied on the very same program to test the school’s website when he first became suspicious about its security flaws.

The first time, Dawson caught him, triggering the events outlined above. The second time, Skytech Communications, the company that runs Dawson’s website, caught him. They were not pleased.

Skytech obtained Mr. Al-Khabaz’s contact information and called him at his parent’s home the same evening he ran that second test. Skytech’s president accused Mr. Al-Khabaz of conducting a cyber attack and threatened to call the police. Mr. Al-Khabaz claims he was coerced into signing a non-disclosure agreement with the company, which prevented him from discussing the security lapses.

Then Dawson got involved again.

In early November, citing Dawson’s code of professional conduct, the college required Mr. Al-Khabaz to meet with computer science professors and other school officials to discuss the security breaches. Days later, 14 out of 15 professors voted to expel him from the school, with the only “nay” vote coming from the single professor who met with Mr. Al-Khabaz directly. The others agreed that Mr. Al-Khabaz had failed to “exhibit behaviour appropriate to the profession.”

Mr. Al-Khabaz appealed his expulsion twice. Both times, his appeals were denied.

It seems Mr. Al-Khabaz took his story public on Monday, January 21st. Then the story went into overdrive and, somehow, got weirder.

That same day, Skytech supposedly offered him both a job and a scholarship to another university. Dawson issued a statement, disputing his version of events but refusing to give any further details in light of “confidentiality laws.” And a pro-Mr. Al-Khabaz website collected 5,000 signatures on a petition to reinstate Mr. Al-Khabaz at Dawson. By Tuesday, that number had grown to more than 11,000.

As the case gained attention, Dawson apparently decided it could no longer abide by the confidentiality laws that hours before had seemed so definitive. The school issued a statement, which identified Mr. Al-Khabaz by name and insisted that he was expelled not for exposing a security flaw, but for “attempt[ing] repeatedly to intrude into areas of College information systems that had no relation with student information systems.”

As a factual matter, the dispute seems to boil down to the circumstances of that “intrusion.” When Mr. Al-Khabaz first tested the software vulnerability, had he strayed outside the bounds of his mobile app project? During the alleged second test from his home, was he operating on test servers the college gave him access to (as he claims), or was he breaching live servers and/or websites that he had been told to stay away from (as the school’s statement implies)? Does the school have evidence that he tried to “intrude” on other occasions or systems? To date, there is no clear story on the nature and scope of Mr. Al-Khabaz’s activities or his permissions to do what he admits to having done. It is interesting that his partner, Mr. Mija, seems to have escaped repercussions.

As a legal matter, the question is murky, as it always is at this relatively early stage of he said/they said. I’m an American-trained lawyer and can’t speak to Canadian law, but there is likely a hornet’s nest of privacy and proprietary-use laws that could come into play, and the analysis will be complicated by Mr. Al-Khabaz’s insistence that his intent was pure. It is equally likely that Dawson College will be afforded wide latitude in its discipline of its students, and any legal challenge to its decision to expel Mr. Al-Khabaz would probably have little chance of success.

As a philosophical matter, the case perhaps assumes its most interesting dimension. Does the “morality” of Mr. Al-Khabaz’s actions, or the public purpose they served, trump the questionable legality of his “intrusions” or the computer science department’s near-unanimous decision that he broke school rules of conduct? If he had found a software glitch unrelated to protecting personal information, or if he ran his tests on live websites, or if the school had undeniably instructed him to keep out of its systems, would there be as much outrage over his expulsion?

My brain hurts.

You answer.
