Registering for college classes can be a frustrating and stressful process for students. Many colleges and universities operate a “first come, first served” enrollment system that means latecomers for in-demand classes will either have to wait until the next time the course is offered or hope other enrolled students drop the class and free up spaces.
With competition for space so fierce, students need to be strategic. Some students stay up all night to be online the minute class registration opens, prioritizing more popular classes as their first choice to have a better chance of getting in. Others try to sweet-talk professors into giving them a spot in a class or allowing them to bypass restrictions on the number of students allowed in the course.
At the Stevens Institute of Technology, a private research university in Hoboken, N.J., a student majoring in computer science believed his classmates had taken the enrollment process to a new extreme last semester by hacking into his student account and dropping him from all of his classes, just hours after he’d successfully registered, so they could take his spots.
The student, Jonathan Pavlik, was understandably concerned. He is in his senior year and needs all the courses he selected to graduate. Although he was able to re-register for most of the courses, one course he needed to fulfill the requirements for a minor was full.
Pavlik, who did not respond to repeated requests for comment, went to the university’s student newspaper, The Stute, in November to complain about the hack and help raise awareness of the apparent security flaws in the university’s class registration system.
According to an article in The Stute, Pavlik said he was told by the campus IT staff that someone had hacked into his account and unregistered him from his classes. The article asserted that security flaws in the university’s registration system were not being adequately addressed.
But after investigating the incident, university administrators concluded that something entirely different had actually occurred.
“We investigated this very carefully,” said David Dodd, Stevens’s vice president for information technology and chief information officer. “We take anything like this extremely seriously and wanted to make certain that no systems were compromised.”
Dodd said Pavlik wrote a computer program that helped him enroll in classes as soon as registration opened. He then shared this script with his friends — forgetting to remove his personal information, which was then used by other students. It is not clear whether the students unenrolled Pavlik from his classes by mistake when attempting to use the script for themselves, or whether they deliberately dropped Pavlik from his classes using his university log-in.
“It looks like he inadvertently contributed to his own problems,” said Dodd.
The university found out through a concerned student that a handful of classmates were writing and distributing similar computer programs, or bots, to help them quickly register for classes and get an edge in course selection. University administrators have since discussed the issue with the students involved, told them not to do it again and introduced new security measures, including more close monitoring of the system, to make it more difficult for the students to run similar scripts. Dodd said the class registration system is very secure and that Pavlik has now been enrolled in all of his chosen classes.
“We want to make it a teachable moment,” said Dodd. “Students are young people, and sometimes they do things because they can do them — without thinking enough about whether they should be doing them.”
Dodd doesn’t consider student-designed computer programs to be malicious.
“It’s not meant to harm the system or obtain information inappropriately,” he said. “I wouldn’t call it hacking.”
He does believe that the bots give some students an unfair enrollment advantage over those who don’t use them.
Some students agree.
A business and technology student in his junior year, who asked not to be identified by name, said he is concerned more students might use class registration bots to gain an advantage.
“It isn’t unfair because they would get the classes they want; it’s unfair because if it becomes widespread, more students may simply not be able to graduate on time, and given the expense of an unexpected additional year of college, it could be disastrous to students’ budgets,” he said. “It’s getting ahead while knocking other people down.”
Despite assurances from Stevens that the class registration system is now more secure and potential use of bots is being closely monitored, the anonymous student said he isn’t convinced the system, as it stands, is sufficiently protected against such abuse.
Dodd doesn’t believe the university’s experience with course enrollment bots is unique.
“With how incredibly skilled students are today, it wouldn’t surprise me to learn that other schools may be having the same sort of thing occur, and they may not even be aware of it,” Dodd said.
Mark Simpson, university registrar at Iowa State University and director of technology and transfer conferences for the American Association of Collegiate Registrars and Admissions, said students have been writing scripts to auto-enroll themselves in classes “since we moved to web-based registration in the early ’00s, late 1990s.”
“I think every institution has experience of this — some more than others,” he said. “From a student’s perspective, they don’t think they’re gaming the system. They’re just trying to gain efficiencies and use technology to get the courses they want. They think they’re being smart.”
Class registration bots are similar in concept to those used by ticket scalpers to buy concert tickets before anyone else, and are not difficult to create, said Simpson.
He understands why students might turn to bots to compete for seats in a limited number of courses, and he also doesn’t consider this hacking.
Not all institutions prohibit bots, but many have nonetheless taken steps to curb their use because they can overload registration systems by logging in multiple times in quick succession.
“Most institutions have set up some kind of limit to how many times you can log in to a system in a certain time period. If users exceed that, they get locked out,” said Simpson.
He said the biggest security risk in higher ed is often the students themselves and what they share with others.
“In the Stevens case, other students could have done anything with that student’s ID and password,” Simpson said.
Doug Levin, president of consulting company EdTech Strategies, disagreed that such activity is not hacking.
“While the practice may not involve compromising the registration software directly, it most definitely is a ‘hack’ of and challenge to the institutional course registration process.”
“If institutions are aware of this practice and agree that some students are gaining an advantage in using it, turning a blind eye to the practice is unethical,” Levin said. “Not only should the practice be prohibited in policy, technical tools should be put in place to detect and log anomalous behavior consistent with its use.”