Topics

Due Process for Alleged Student Hacker?

Tufts University recently expelled a student for allegedly hacking grades, but did the university make the right call?

March 29, 2019
 
Courtesy of Tiffany Filler
Tiffany Filler poses in front of the Cummings School of Veterinary Medicine at Tufts University

Just four months before she was due to graduate, Tiffany Filler was expelled from the Cummings School of Veterinary Medicine at Tufts University.

Leaders at Tufts say Filler hacked into university systems and changed her grades. Filler says she has proof she didn’t do it.

Tufts is standing by its decision. But an article recently published by TechCrunch identified possible holes in the university's investigation. A petition demanding fair treatment for Filler has since been signed by hundreds of Tufts students and alumni.

Both the TechCrunch article and the petition posit that Tufts failed to follow its own procedures by not telling Filler the nature of the allegations made against her at least seven days before she was called into a hearing with the university's Ethics and Grievance Committee. Filler said she only knew that the investigation had “something to do with her computer” and had no idea about the specific allegations.

A report from Tufts' IT department to the grievance committee, shared by Filler with Inside Higher Ed, said the university had reason to believe she created a university account under the name Scott Shaw in late 2017. This account, which has the username “sshaw02,” was used to change Filler’s grades multiple times and to look at assessments prior to tests, the report said.

The sshaw02 account was discovered by the institution last July, the report said, when two assessments were deleted from the learning management system. Scott Shaw is a former assistant professor of veterinary medicine at Tufts who owns the user account sshaw01, but he has not taught at the institution for several years.

After seeing a pattern of activity that benefited Filler and noting that the IP address used by sshaw02 was the same as the one used by Filler, Tufts' Educational Technology Services and its Office of Information Security identified her as the culprit.

But Filler believes her laptop was compromised. A scan of the computer found malware that may have granted someone remote access to it, she said. And several times when Filler was accused of hacking, she said she has proof she was asleep or traveling without her laptop. Filler also said she lives with several people who share the same IP address and that the phone she owns is a different model than the one that Tufts said she used to access the university system.

“I do feel that there was a burden on me to prove my innocence rather than on them to prove my guilt,” said Filler in an email. “The school wanted me to provide irrefutable proof that I could not have done this. However, they threw out any evidence I brought forward, including sleep-tracker data, pictures, payment times, hospital records, as well as witness statements. Their minds had already been made up.”

Filler received her expulsion notice on Jan. 16 and was advised to return to her native Canada as soon as possible. Now back in Toronto, she is wondering what to do next. The expulsion notice is on her transcript, she said, which will make it difficult to transfer to another university.

“I have considered taking legal action against the university, and I do believe that I have a case. However, I do not have the $5,000-$6,000 required to take on a giant like Tufts, which is why I am unable to do so,” said Filler. “I would hope to overturn their decision more than anything else.”

Patrick Collins, a Tufts spokesman, said in an emailed statement that the institution understood the story had “upset a number of people, including students and others, who have raised concerns about the university’s review.”

“We are confident in our determination, which was based on the totality of evidence uncovered during our extensive review,” said Collins. “We recognize the gravity of student disciplinary decisions, and we take action only after thorough and thoughtful deliberation.”

As a private university, Tufts is obligated to follow its established procedures when investigating misconduct, said Scott Johnson, a professor at Purdue University Global's Concord Law School. Students are not always entitled to the same due process protections they might receive at a public institution, he said, except in the case of Title IX investigations.

In order to bring a successful court case against Tufts, he said, Filler would need to prove that the university failed to uphold its contractual obligations or broke state law. Few students have been successful in such cases.

There is a “low evidentiary standard” that private universities have to meet in order to say that it is “more likely than not that someone did something,” said Johnson. “The standard is pretty low in terms of what has to be presented. It falls on the student to bring in other evidence.”

Samantha Harris, vice president of policy research at the nonprofit Foundation for Individual Rights in Education, said that in Massachusetts, where Tufts is located, all institutions are required to conduct disciplinary hearings with “basic fairness.” But Harris agreed with Johnson that students’ rights at private universities are primarily contractual.

“This case illustrates the problem with universities adjudicating complex matters that also have potential criminal implications,” said Harris. “Universities do not have the powers that law enforcement does to subpoena evidence, compel witness testimony, nor do university judiciaries generally provide students with the types of procedural protections -- access to and the right to present evidence, the ability to call expert witnesses, the ability to cross-examine adverse witnesses, etc. -- that individuals have in courts of law.

Despite this, universities have the power “to effectively end a student’s career, and to brand him or her for life as someone who has committed a very serious offense,” said Harris. “This is not to say that universities should not address these important conduct issues -- they should -- but university processes need to be conducted with the utmost concern for the rights of everyone involved, and that is too often not what happens.”

Several questions remain about the investigation that Tufts conducted, said Jonathan Rajewski, founder and director of the Senator Leahy Center for Digital Investigation at Champlain College in Vermont. He wonders what other information the hacker might have had access to if they were able to view assessment and change grades. Tufts did not address questions about whether it reported a data breach or experienced any Family Educational Rights and Privacy Act violations.

The best way to determine what really happened would be to bring in outside experts with digital forensics expertise, said Rajewski. But he acknowledged this could quickly become a very expensive undertaking. From what little information has been made public by Tufts, he said, “There just isn’t enough evidence to know what happened.”

Brad Judy, information security officer at the University of Colorado system, said that incidents of student hacking are rare -- at a large university there might be just one or two reports a year.

It’s difficult for security staff to discern whether changes to student grades are legitimate or not, said Judy. Student conduct offices typically make security teams aware of unusual changes. And investigations usually are conducted internally, he said. Most large universities employ staff members with some digital forensics expertise. But it’s not unheard-of for institutions to get help from outside experts, or perhaps even call the Federal Bureau of Investigation if the scale of the attack warrants it.

A key defense against grade hacking is log-in systems with two-step authentication processes, said Judy. But it might be a good idea for faculty to occasionally check that the grades they have assigned students have remained unaltered, much like financial information may be subject to audits. Institutions can also set up alerts for unusual activities, such as log-ins from outside the country.

Investigations into student conduct are different across institutions, said Judy. But he feels perhaps there is room for such probes to feature more guidelines. "Adjudicating borderline criminal cases is a weird space to be in."

Read more by

Be the first to know.
Get our free daily newsletter.

 

 
+ -

Expand commentsHide comments  —   Join the conversation!

Inside Digital Learning Articles

Today’s News from Inside Higher Ed

Inside Higher Ed’s Quick Takes

Back to Top