Case Analysis – “The Email”

The Email is a 2010 case which highlights the challenges associated with data and system privacy and security. In the case, Bob Smith, a senior MIS student, in an exchange with his professor, Dr. Mel Carnahan, receives a challenge “If you can get past my firewall and get to my printer to print your homework, I’ll not only bring it to class to show them, but I’ll buy you dinner.” This challenge is the foundation for the rest of the case, which reviews the methods Bob uses to attempt to gain access to Dr. Carnahan’s printer. Once Bob exhausts all the technical methods he knows without accessing the printer, Bob switches to deceptive practices in an attempt to gain access to his professor’s printer. The case is designed to initiate a dialog on what, if any, punishment is appropriate for using deception. Questions arise such as, were any violations of university computing or privacy policies, or if any laws were broken.
This case can be summarized as follows. First, in class Dr. Carnahan issues a challenge to Mr. Smith, challenging him to gain access to his printer. Second, Mr. Smith attempts to gain access to Dr. Carnahan’s printer in various ways. Mr. Smith’s last attempt is by using a fake “phishing” email pretending to be another student in an effort to access the printer via an embedded macro virus. Third, the email is immediately discovered to be fraudulent and a small scale investigation begins. Fourth, Bob had originally considered using a password stealing program, but decided against this option. Fifth, Bob admits to sending the email to both Dr. Carnahan and the student he attempted to impersonate (Alice Jones) as part of his attempt to win the challenge. Finally, the case closes with the dilemma as to what sort of disciplinary action the university should take.
When evaluating the options Bob had available to him to attempt to access the printer, there may be technical ways to access the printer, but these were beyond the scope of Bob’s technical capabilities. This leaves only deception as the only other viable alternative available to Bob as he attempts to use the printer.
Just like in the real world, there are many contributing factors to review when evaluating what, if any, disciplinary actions should be taken as a result of impersonating another student in email. The case states that Bob violated University policy and could face punishment up to expulsion. The policy related to this is not clearly stated in the case and, in fact, it states the policy was hard to locate, and students did not have to sign a code of conduct. Additionally, unlike the keystroke logging application, the Excel macro was nothing more than print command. If the university policy clearly outlined this type of action was a violation, then punishment must be issued. Based on the facts provided, I am not convinced the actions related to the Excel macro are in violation of the University’s policies. However, I do believe the keystroke logging application is a violation – and if pressed this is where the campus can and should take action as it did not indicate whether or not Bob removed those applications from the infected PCs or the data he received from those PCs.
One of the mitigating factors in this situation is the “challenge” Dr. Carnahan issues and repeated. This was what a reasonable person would consider a friendly rivalry designed to stretch and improve student’s abilities. When taking this into consideration, along with the contents of the Excel