Update: I immediately took down my class project site after receiving yesterday’s ultimatum. I still don’t think the simple demo site violated the letter or spirit of the registration rules, but I took it down because I always want to operate in good faith.
They followed up today to thank me for doing it, but also indicated that they were putting a hold on my account anyway. As a result, I am not going to be able to register for my final quarter and have been de facto expelled at the end of this quarter.
Unless, that is, I agree to work on a comparable solution for the university focused on solving the underlying problem I was building HuskySwap for. They would presumably own the IP and were clear that I wouldn’t be compensated. But it was implied that they would then remove the hold, allowing me to graduate.
I really love UW and have had a wonderful time here. But this is so demoralizing.
Update #2:
I appreciate you guys for all of your advice.
This platform was never intended to be monetized, and I am not planning to get a lawyer involved as I have faith that UW leadership will make it right in the end.
I'm not planning to pursue this project at this point. If they came up to me at first with the offer to work with them it might be different, but the way they handled it makes me just want to walk away.
I went to UW a decade ago, and back then it was pretty common knowledge that you don't fuck with software and the class registration system. Registering for classes was really competitive and they were really strict about making sure that no one had an edge over anyone else by being able to write code. There were plenty of rumors of people being expelled for using scripts to try to get the classes they wanted right when they opened. I also believe they forbid or at least frowned on students "trading" registrations, because they didn't want even more people trying to sign up for high value classes and trading them as a commodity.
So at least back when I went there, basically any CS student could have told you that this website was a horrible idea that is sure to get you in trouble.
That’s just how colleges are. I once reported to my alma mater that a somewhat obscure (but obviously public) link seemed to trigger the download of a zip of student details for no discernible reason (I think it was a WIP site), and they immediately threatened to call the FBI on me. I just sort of laughed it off, but I decided that was the last time I was going to initiate any sort of contact with them if I didn’t absolutely have to.
Which is the policy I followed when I found that they had stored one of their LDAP admin passwords in a world readable file on the CS servers.
> I have seen all the emails now and it's as bad as described. I thought there might be some hyperbole but the "University Registrar and Chief Officer of Enrollment Information Services" is clearly saying "work with us to build this for free or you're not graduating". They even specify that he needs to set up the meeting "well before registration opens on February 13th for spring quarter 2025" because they're not going to let him continue otherwise.
Why would the school admin go nuclear over a request to integrate with the registration system, a system that is clearly intended to be used by applications:
> “The Student Web Service gives your application access to information in the Student database such as course data, registration data, section data, person data, and term data (general academic data).”
It doesn't make any sense. Was there something left out of the story? Do they offer this web service as a honeypot to find and expel ambitious software developers?
I have several friends on the administrative side at Universities. The two things you have to realize is that there are an incredible number of administrative staff at Universities and they're extremely territorial. You rocked someone's boat and they got upset. They have a lot of time on their hands because there are so, so many people in administration. Now they're coming after you like it's their job.
I think you're doing the right thing by publicizing this far and wide. Stay calm, cool, and stick to the facts as tightly as possible. When this gets picked up across social media and news media it will start to become a problem for other people on the administrative side of the university who are also territorial (about PR/image) and will take it as their job to fix it.
FERPA was probably a big factor in UW’s initial response to ask that the site be taken down. Institutions are all about CYA now.
The bit about blackmail seems a bit far fetched. I’d like to see the correspondence between UW and this individual. The entire story is certainly plausible but as other have pointed out, there are a number of inconsistencies.
While at university I had a similar interaction. When the main university IT services team wanted to roll out a replacement to the student portal with a bunch of irrelevant features I mocked up a simple site with the things we actually wanted on it. Later on I re-implemented our students union website, again providing more useful information, like venue schedules and opening hours.
Both times we came under scrutiny for the possibility that we might be handling student data in ways that the university couldn't control, and mostly, that we might be taking passwords on behalf of users.
The first was just a mockup, and while the second initially had full university auth against their open LDAP server, we quickly removed that in favour of our own auth, because it was very apparent that the password input being on our domain was a dealbreaker for the university.
By doing this, and by communicating carefully about what we were doing and what we were not doing, where the boundaries were, and how we handled data, we managed to win them around to some productive discussions. Most of the people we spoke to on university staff who were involved in this were not at the technical level to be able to understand, for example, having an unsecured LDAP server that we could auth against, and were only interested in the policy of whether we were allowed to do it.
It's a common failure mode of software engineers to assume that because something is not technically disallowed, even though it could be, that it must therefore be allowed. This is not true.
What's not clear with this project is whether the university have a fundamental disagreement with the idea of a student project providing services, or if someone has panicked that a non-approved system might be receiving passwords from students. The former is obviously ridiculous, universities should be open to this sort of innovation, especially from their students. But the latter is understandable and a fairly reasonable response, but one that does need careful handling by the student to navigate well.
Interesting. I graduated from the _other_ UW (University of Warsaw) and our uni has course-swapping capability built into the University Study Service System (USOS)[1].
FYI public university education is fully government-funded in Poland (i.e. it is free for students).
I'm surprised this is upvoted so much. All we have is a LinkedIn post and a GitHub repo. We haven't seen any of the original emails/writing from UW, not have we heard UW's view.
It is wild to me that the bulk of responses here seem to take how this is being described by the poster at face value.
As well as the question of interfering with registration, he has also gone about this in a way that causes reputational damage (& UW have probably caused their own, but that's not necessarily relevant here), which I cant imagine they'll take that kindly either.
But I work in a public university in the EU, so my understanding of how these institutions probably operate is likely a little skewed.
> Unless, that is, I agree to work on a comparable solution for the university focused on solving the underlying problem I was building HuskySwap for. They would presumably own the IP and were clear that I wouldn’t be compensated. But it was implied that they would then remove the hold, allowing me to graduate.
I'm really baffled here because the code Kaim published is itself MIT licensed. The university could use it however they see fit after his version, and perhaps make a modified version which they then incorporate in to their system as the 'official' version.
Perhaps this code being public may expose potential flaws (logical, security, etc) which they don't want to have to deal with. Or might even be known flaws they don't want to expose.
Best of luck. It sounds like you really pissed someone off by threatening some internal power structure or process they controlled. I hope you don't keep quiet about this - I know it's easy to say when I'm watching from the sidelines, but don't let them coerce you into silence!
About a decade ago, some teammates and I built an internal request system for our Ops team to replace the MS Sharepoint crap we were using. We used Bottle, BootstrapJS and SQLite to get it up and going quickly, and under the radar. Our customer IT teams loved it, and managers from elsewhere in our department were even asking half-jokingly if we could support their teams, too.
Well, the IT team that was deploying ServiceNOW was none too happy that a "non-standard" application was running... our manager was a knight and kept them from making us tear it down. We pretended to play ball, we walked through SNOW process of getting a team-specific form to build out. And then we never used it; we kept directing our customers to the self-built tool.
The moral is, people like their fiefdoms. Bureaucrats often shun innovation because it has the chance to make them obsolete, or else they are simply the kind of people who don't like disruption.
You may also have invented a tool that would have obsoleted some multimillion dollar software acquisition or internal process, who knows.
This does not add up- this is your last term but you’ve only been there a year and a half? The university, who presumably has a professional engineering team making these systems is trying to blackmail an undergrad to reproduce something for free that they also wanted shut down? And you’re marketing this on linkedin in the context of asking for job offers?
UW registration weren't really open to criticism or improvement ca. 2009, either. Extremely hostile to student projects that would in any way interact with the registration system.
Amidst all of the talk about the reported coercion attempt, which is bad, may I also ask something about the bait and switch: so you paid a lot of money to attend a given university and then even though your grades and everything else would in theory allow you to follow a class you can be blocked because of resource constraints that are not advertised as something you would have to contend with when you paid the big ticket tuition fee?
"Know that trading, selling, or buying open spots is a breach of the Registration Tampering Abuse Policy. Consequences include referral to the Student Code of Conduct process, a Registrar’s Hold on your record, and potential diploma withholding for graduating students until the conduct process is complete."
"Registration Abuse
The registration system is provided for the sole express purpose for students to register themselves into sections. Any use of the registration system other than for this purpose is considered abuse of the system. Such abuse includes, but is not limited to, buying or selling one’s seat in a class, holding seats for another student, or otherwise registering for a section that one has no intention of taking."
Disclaimer: I am making no claim about the ethical validity of this policy, and I don't know how well the policy is communicated to students. I am not commenting on the allegation that the University demanded free labor in exchange for not-expelling OP.
How does the course-swapping site work? Is there some part that requires users to enter their credentials (email, password) on a web site that is not operated by the university? Is there some part that saves an access token or a refresh token in other place than the web browser?
Is some OAuth2 authentication flow involved so that the university has registered the application and assigned a client id and return URI?
I think the university might have valid security concerns if the application somehow accesses student accounts without valid OAuth2 authorization flow (or equivalent).
Entering login credentials for university on a third-party site is probably forbidden by terms of service for the university site.
I had something similar happen to me, not threaten with expulsion and I kind of deserved it.
This was back in late 1990s, a group I was part of was getting a web site made on the school pages and I wanted to contribute. I ran my mouth about my dislike of the current site (I was a dumbass) and for some reason hosted the site on my local computer in my room which was accessible everywhere on the network. I wasn’t going to run it permanently, I just wanted to showcase it. That got me in some trouble, what I said got back too, I got my room connection disconnected because we weren’t supposed to run servers.
I apologized, obviously disabled the server, and eventually got reconnected.
Alleging a violation after he asked for an API key, rather than simply turning him down or saying that he could experiment but that he would need to get agreement before deploying, seems like defamation to me.
The comments here are almost entirely of one voice: UW bad. Student innocent.
It is not hard to find the policy in question. I quote from the UW Registrar's website, their policy on tampering and abuse of the registration system, as cited in the subject of the email the student received:
> The registration system is provided for the sole express purpose for students to register themselves into sections. Any use of the registration system other than for this purpose is considered abuse of the system. Such abuse includes, but is not limited to, buying or selling one’s seat in a class, holding seats for another student, or otherwise registering for a section that one has no intention of taking. [0]
The student's project, though well-intentioned, is in clear violation of this policy. And it ought to be forbidden. There are plenty of ways this kind of a system could go wrong, including creating incentives to overregister or develop a registration black market, not to mention the technical liabilities of letting a bot talk to the database at bot-speed.
Now, as for follow-up conversations the student and the university have had, we have not seen these emails. We have only heard the student's own summary, which, given the high stakes and personally significant impact, may very well have been editorialized so that the university looks unreasonable and the student reasonable.
I, for one, cannot pass such quick and single-minded judgment as everyone else without seeing these emails.
Summary: Media attention gathers. UW issues a response that the site was in violation of the rules. But in fact rules were updated to make that site a violation just now. UW has acknowledged the site was taken down and a commitment made to not pursue any similar project. UW has lifted the hold. He can graduate.
Meanwhile in my Russian university, everyone scraped whatever they wanted. As long as you didn't cause any harm or disruption to these systems, no one cared.
There were tests you had to take in a special classroom full of Sun thin clients. You had to register yourself for some time slot(s) to go there. Sometimes you had to go there in like 2 days to meet a deadline but there were no slots available. So, someone made an app that would continuously scrape that page and notify you when a slot for your chosen time is available. Saved my ass a couple times.
Sounds like this guy did not even publish or finish the project, but only communicated his intent. The university is clearly persecuting him and he should absolutely talk to a lawyer.
> Unless, that is, I agree to work on a comparable solution for the university focused on solving the underlying problem I was building HuskySwap for
That's hardly readable, how could they act like that?
I am sad to say it but you need the help of a lawyer and the most backup you'll get the better. The way they presented the case will never get solved in a happy manner. Do not let them get the code and the IP. Keep on!
> Thanks for your inquiry and for the opportunity to clarify this situation and our general approach to potential student conduct violations. Federal law does not allow UW to comment on matters regarding specific students, but I can provide some general information regarding UW policy and practice.
> Since you asked about swapping classes, I will tell you that students are reminded at the start of each academic year that trading, selling, or buying spots is a breach of the Registration Tampering Abuse Policy. Consequences may include referral to the Student Code of Conduct process, a Registrar's Hold on their record, and potential diploma withholding for graduating students until the conduct process is complete.
> On occasion, the Registrar will place a temporary registration hold in order to prompt a meeting with a student about a potential policy violation. This is standard practice.
> The Office of the University Registrar does not oversee Student Code of Conduct processes. Any corrective actions are only considered once a student conduct investigation has been completed and there has been a finding of wrongdoing. The Office of the University Registrar does not make threats regarding disciplinary action, other than to state what potential consequences could be for violating policy.
> Furthermore, the UW cannot and would not aim to effectively steal intellectual property from a student. There have been instances where a student's class project has turned into a potentially useful tool that UW-IT could help them develop into something that could serve other students. In any such case, appropriate partnership, ownership or credit for such a collaboration would be determined jointly with the student.
It contains a statement from the university as well:
> "On occasion, the Registrar will place a temporary registration hold in order to prompt a meeting with a student about a potential policy violation. This is standard practice." Victor Balta, UW Spokesperson
Someone who says they were OP's teaching assistant for this project replied on LinkedIn (seems trustworthy)
> JD, this has just been brought to my attention. I was the CSE 403 TA in charge of this project last quarter, and while I don't have the full context of how the site developed after the quarter ended and the token request, hearing this I am genuinely baffled and do not understand in the slightest what the UW has found a violation in and the legality of their actions. From my heavy experience with the site, it was developed completely independently from the UW registration system and did not even include any UW-specific information. I don't understand how they could request you take it down. If you need help in advocating for yourself or testimony, please let me know. I can also get in contact with the professor from your quarter. From the information I currently have, this seems like an insane and incomprehensible violation of justice, and I'd fight to overturn it.
UW's slogan is "Be Boundless". This is the polar opposite of that.
UW has missed a great opportunity to show its current and future students and faculty that innovation is valued there. Their management decision will shutdown the minds of so many brilliant hackers, as we have already witnessed with the OP's decision to back down. I really hope the school can re-evaluate their decision and more importantly, the faculty should support the students, as they are together pursuing the goal of learning by doing. That's what higher education should offer, not conditioning people into rule makers and rule followers.
> (…) Final update. The university has determined that I have satisfactorily complied with their request to take down the site, and I’ve said publicly that I do not plan to pursue anything like HuskySwap, so the hold has been removed without a meeting and I am back on track to graduate next quarter. I have thanked them for closing the matter. (…)
I'm so thankful my university (UVA) didn't have these registration problems. Granted, I graduated in '99, so they might now. But I never had any difficulty getting into required classes. At worst, an email to the prof got me a waiver, and IIRC, I only had to do that once.
Are you looking for a job? I’m hiring a software engineer and was definitely impressed by reading this story! Regardless, you should definitely consider working at a startup - the world is full of annoying gatekeepers to innovation.
When I was an undergraduate, I built a system to better forecast and map campus bus shuttle routes and also received a letter like this
Wait, so the project is bad, but also they want you to re-create it for them for free else they won't let you register? This is some insane chicanery. I agree with the many comments here about getting legal advice.
Don’t trust UW. They have a history of retaliating against students when complaints are raised. When faculty misbehave they cover it up and take it out on the student to silence them.
It sounds to me like the university is using the threat of expulsion to steal or coerce you into giving over your site. I think you just got the best IRL education ever.
I wanted to chime in with some advice that also can help in any situation involving long administrative processes. I'm sorry you're going through this and I really hope some of this can be helpful.
- Write stuff down! A paper trail is helpful both to prevent hearsay and keep your own timeline of events in check. Recency bias and the like are too common in stressful situations.
- Remember that you are one (1) human who needs food, sleep, and water.
- Reach out to the Ombud (at the HUB), professors, and other administrators you may know. Even within one department there can be mixups -- nevermind when university-wide policies (such as registration) come into play. Having someone who can help point you in the right direction will be invaluable.
- On that note, the HUB has free legal services; for better or worse, you aren't the first student to be in this position.
- I understand in another comment you said you're confident in UW Leadership's ability, but crucially, there is no such thing as a singular leadership. At a university that large, *even when everyone is working to help*, things can turn out bad. (It's like how a CEO can get fired and nothing changes at a company; the system has its own momentum.) It's hard to say what level of intervention needs to happen to resolve this -- School of CSE? Undergrad CS department? Registrar? UW President's Office? -- and each level will likely not know what the level above/around them can do.
- (And if you do need to escalate, it might be worth reaching out to the Registrar's office directly, over email. I say this because they work at a university-wide level, separate from any school or department, and may have a more-final say on what any individual branch can do/not do w.r.t. your enrollment.)
- Hanlon's razor, or more optimistically, "assume good intention". Always. Even when someone has stated not-good intention. This will help in a few ways: keeping your tone cordial, clearing up miscommunication. Maybe someone genuinely misunderstands what you built, or has pressure on their end to uphold some policy, however arcane. But most importantly, this will give yourself a way to not feel cornered, and distance your day-to-day/identity/etc. from this situation.
- Remember that you are (likely still) one (1) human who needs food, sleep, and water. Those damn robots won't take over yet.
- Be careful what you post publicly! There is a reason the best PR teams stay silent. Less is more. Form a close group of people you trust to share information freely, and be very clear (to yourself) what your intention is with every public post. Is it to get validation/advice? Is it to put pressure on the university? The court of public opinion is a double edged sword! Not every interpretation needs to or will be true. (And employers, like the public, might interpret this situation positively or negatively. It's hard to say which way it will go!)
“...find partners to trade spots in critical classes after they filled up”.
I am not from the USA and I don’t understand the context. What does “trade spots” mean? Does it mean that if I have registered to course A but not course B and my friend have registered to course B but not course A, we can swap our registered courses in the official registration system?
Oh hey, I got in trouble at my university for trying to make a tool for students too. This was ~15 years ago now...
In my case, they accused me of copyright infringement and trying to destroy the co-op program. I made the case that while I was reproducing some data from the university's website, none of it had creative value and therefore wasn't protected by copyright. (I drew a parallel to an actual court case about reproducing phone book listings.)
I also reached out to some faculty that I was close to for some character references to show that I didn't have malicious intent.
Ultimately, I wasn't expelled or anything too bad. I was required to take a business ethics course, which I actually ended up enjoying.
The utter ridiculousness of this should have stopped them. I hope this post of yours gets plenty of airtime as blocking a solution like this deserves every bit of punishment it gets.
something is missing from this story. it doesn’t make sense they jumped right to blocking your account because you requested to integrate. You sort of skipped over the part where you got hold of the Swagger files. would you care to elaborate on how exactly you found those files and if this might have been the reason for the heavy handed response? usually swagger files would be locked down on the backend .
I am working at a German University on similar systems. I have some thoughts here:
1. The thing you are doing, could provide major value to the university and you did it for free.
2. The fact that you could simply just access that data is a major fuckup on their part that is inexcusable. In my eyes the perdon who walks through an open door is not at fault, the one who left it open is.
If they expell you for that, they do not deserve you.
The first quesrion you should figure out is on whose feet you stepped and why they are butthurt. Simultaneously try to get legal advice and the social/political support of your collegues. If you have a big number of students complaining to the higher ups why your cool service is gone and give them the feeling it is needed, you might even get a cool collab out of that.
Without knowing the details of how US academia operates I would try to maintain a positive angle (you want to help making the university life better), while in privage preparing for the worst.
I went through similar crap with University of Texas at Austin when I wrote Classgrabber around 2002. Universities are pathetic when it comes to this stuff. If a CS student (or any student) does anything to show how incompetent their own staff is, they go berserk. And they still have the balls to ask me for alum money every year.
Par for the course in the prissiest, most Karen city culture in the entire country. Seriously, living in King County is like living in a giant HOA neighborhood.
I'm sorry... what? Trading class registrations is cheating the system, and is not going to inherently be looked at as a good thing just because it's "entrepreneurial" to make an app for it.
Maybe if it were a high school student doing it, but making an app as a college student is not some impressive thing only prodigy students can do.
Everyone is saying lawyer up like it's the author's only option, but it's not, and likely bad advice. Here's the order of operations I would take:
1. Mea Culpa
Talk to all of the faculty (dean of students, etc) and do your best to get people on your side. You need the petty person on the other end to reverse their decision, and having a lot of administration on your side, and more importantly, expressing (fake) remorse makes it easy for these jobsworth asshole(s) to fulfill their God complex. I'm actually convinced that this would have the highest probability of success. These Dolores Umbridge types adore getting to be the ones issuing mercy to the sinners.
Additionally, informing staff of the expulsion will help bring awareness of this abuse, and spread the word and prevent this from happening to other students.
While you perform your mea culpa groveling, record everything, which can be used as ammo later.
2. Agree to the (illegal) terms
Blackmailing you into slave labor is obviously illegal, but no terms have been laid out, so I don't see any harm in agreeing to them. Best case, they reverse the decision with the expectation that you'll do something (which you can then phone in or do a token exercise of), and worst case they outline terms which are the perfect ammo for negative publicity or a lawsuit.
3. Transfer schools/credits
I don't actually know what is involved in transferring schools or how expulsion factors in, but the reality is that you are effectively already expelled. Try and figure out the feasibility of saving what is salvageable at a school that is less insufferable.
4. Negative publicity
This story is easy to believe, sell, and consume- i.e. perfect ragebait. Start emailing every news outlet you can think of. Post on all social media. If it gets high enough, and probably not even that high, the weight of the negative publicity can easily outweigh the narcissists that started this, forcing a reversal.
5. Seek employment
If you have any employment cards in your deck, I'd consider playing them. If everything else fails, then at least you're financially secure and gain experience.
6. Lawyer
The combined weight of all of the above will assist a lawsuit, even prior to taking any legal steps. Note that all outcomes of a lawsuit that aren't "total win" are effectively a loss (of time, money, energy, and mental health), so I'd hesitate to take this course at all.
I had to take down my course-swapping site or be expelled
(linkedin.com)1343 points by jdkaim 8 January 2025 | 695 comments
Comments
They followed up today to thank me for doing it, but also indicated that they were putting a hold on my account anyway. As a result, I am not going to be able to register for my final quarter and have been de facto expelled at the end of this quarter.
Unless, that is, I agree to work on a comparable solution for the university focused on solving the underlying problem I was building HuskySwap for. They would presumably own the IP and were clear that I wouldn’t be compensated. But it was implied that they would then remove the hold, allowing me to graduate.
I really love UW and have had a wonderful time here. But this is so demoralizing.
Update #2:
I appreciate you guys for all of your advice.
This platform was never intended to be monetized, and I am not planning to get a lawyer involved as I have faith that UW leadership will make it right in the end.
I'm not planning to pursue this project at this point. If they came up to me at first with the offer to work with them it might be different, but the way they handled it makes me just want to walk away.
So at least back when I went there, basically any CS student could have told you that this website was a horrible idea that is sure to get you in trouble.
Which is the policy I followed when I found that they had stored one of their LDAP admin passwords in a world readable file on the CS servers.
> I have seen all the emails now and it's as bad as described. I thought there might be some hyperbole but the "University Registrar and Chief Officer of Enrollment Information Services" is clearly saying "work with us to build this for free or you're not graduating". They even specify that he needs to set up the meeting "well before registration opens on February 13th for spring quarter 2025" because they're not going to let him continue otherwise.
https://www.linkedin.com/posts/edkaim_github-jdkaimhuskyswap...
> “The Student Web Service gives your application access to information in the Student database such as course data, registration data, section data, person data, and term data (general academic data).”
It doesn't make any sense. Was there something left out of the story? Do they offer this web service as a honeypot to find and expel ambitious software developers?
I think you're doing the right thing by publicizing this far and wide. Stay calm, cool, and stick to the facts as tightly as possible. When this gets picked up across social media and news media it will start to become a problem for other people on the administrative side of the university who are also territorial (about PR/image) and will take it as their job to fix it.
So be loud, but polite.
FERPA was probably a big factor in UW’s initial response to ask that the site be taken down. Institutions are all about CYA now.
The bit about blackmail seems a bit far fetched. I’d like to see the correspondence between UW and this individual. The entire story is certainly plausible but as other have pointed out, there are a number of inconsistencies.
Both times we came under scrutiny for the possibility that we might be handling student data in ways that the university couldn't control, and mostly, that we might be taking passwords on behalf of users.
The first was just a mockup, and while the second initially had full university auth against their open LDAP server, we quickly removed that in favour of our own auth, because it was very apparent that the password input being on our domain was a dealbreaker for the university.
By doing this, and by communicating carefully about what we were doing and what we were not doing, where the boundaries were, and how we handled data, we managed to win them around to some productive discussions. Most of the people we spoke to on university staff who were involved in this were not at the technical level to be able to understand, for example, having an unsecured LDAP server that we could auth against, and were only interested in the policy of whether we were allowed to do it.
It's a common failure mode of software engineers to assume that because something is not technically disallowed, even though it could be, that it must therefore be allowed. This is not true.
What's not clear with this project is whether the university have a fundamental disagreement with the idea of a student project providing services, or if someone has panicked that a non-approved system might be receiving passwords from students. The former is obviously ridiculous, universities should be open to this sort of innovation, especially from their students. But the latter is understandable and a fairly reasonable response, but one that does need careful handling by the student to navigate well.
> Additionally, the creation of any service that enables any of the above behaviors is strictly forbidden and constitutes a violation of this policy.
Worth noting that the administrative code is probably more important, here's some relevant sections:
WAC Aiding, assisting, and attempting: https://app.leg.wa.gov/WAC/default.aspx?cite=478-121-113
WAC Computer abuses: https://app.leg.wa.gov/WAC/default.aspx?cite=478-121-117
Registrar before: https://web.archive.org/web/20241208123609/https://registrar...
Registrar after: https://web.archive.org/web/20250109203004/https://registrar...
FYI public university education is fully government-funded in Poland (i.e. it is free for students).
1 - https://usosweb.mimuw.edu.pl/kontroler.php?_action=news%2Fde...
Am I being overly skeptical here?
As well as the question of interfering with registration, he has also gone about this in a way that causes reputational damage (& UW have probably caused their own, but that's not necessarily relevant here), which I cant imagine they'll take that kindly either.
But I work in a public university in the EU, so my understanding of how these institutions probably operate is likely a little skewed.
I'm really baffled here because the code Kaim published is itself MIT licensed. The university could use it however they see fit after his version, and perhaps make a modified version which they then incorporate in to their system as the 'official' version.
Perhaps this code being public may expose potential flaws (logical, security, etc) which they don't want to have to deal with. Or might even be known flaws they don't want to expose.
About a decade ago, some teammates and I built an internal request system for our Ops team to replace the MS Sharepoint crap we were using. We used Bottle, BootstrapJS and SQLite to get it up and going quickly, and under the radar. Our customer IT teams loved it, and managers from elsewhere in our department were even asking half-jokingly if we could support their teams, too.
Well, the IT team that was deploying ServiceNOW was none too happy that a "non-standard" application was running... our manager was a knight and kept them from making us tear it down. We pretended to play ball, we walked through SNOW process of getting a team-specific form to build out. And then we never used it; we kept directing our customers to the self-built tool.
The moral is, people like their fiefdoms. Bureaucrats often shun innovation because it has the chance to make them obsolete, or else they are simply the kind of people who don't like disruption.
You may also have invented a tool that would have obsoleted some multimillion dollar software acquisition or internal process, who knows.
Is the request system just a honeypot?
He was disciplined for blatantly trying to "hack" (in the YC sense, in UW's view) the registration process:
https://registrar.washington.edu/winter-2025-registration-ch...
"Know that trading, selling, or buying open spots is a breach of the Registration Tampering Abuse Policy. Consequences include referral to the Student Code of Conduct process, a Registrar’s Hold on your record, and potential diploma withholding for graduating students until the conduct process is complete."
https://registrar.washington.edu/registration/policies-proce...
"Registration Abuse The registration system is provided for the sole express purpose for students to register themselves into sections. Any use of the registration system other than for this purpose is considered abuse of the system. Such abuse includes, but is not limited to, buying or selling one’s seat in a class, holding seats for another student, or otherwise registering for a section that one has no intention of taking."
Disclaimer: I am making no claim about the ethical validity of this policy, and I don't know how well the policy is communicated to students. I am not commenting on the allegation that the University demanded free labor in exchange for not-expelling OP.
Is some OAuth2 authentication flow involved so that the university has registered the application and assigned a client id and return URI?
I think the university might have valid security concerns if the application somehow accesses student accounts without valid OAuth2 authorization flow (or equivalent).
Entering login credentials for university on a third-party site is probably forbidden by terms of service for the university site.
This was back in late 1990s, a group I was part of was getting a web site made on the school pages and I wanted to contribute. I ran my mouth about my dislike of the current site (I was a dumbass) and for some reason hosted the site on my local computer in my room which was accessible everywhere on the network. I wasn’t going to run it permanently, I just wanted to showcase it. That got me in some trouble, what I said got back too, I got my room connection disconnected because we weren’t supposed to run servers.
I apologized, obviously disabled the server, and eventually got reconnected.
I'm not sure this kind of misbehaviour reflects well on our brand.
Do you have a contact at the university I can talk to?
It is not hard to find the policy in question. I quote from the UW Registrar's website, their policy on tampering and abuse of the registration system, as cited in the subject of the email the student received:
> The registration system is provided for the sole express purpose for students to register themselves into sections. Any use of the registration system other than for this purpose is considered abuse of the system. Such abuse includes, but is not limited to, buying or selling one’s seat in a class, holding seats for another student, or otherwise registering for a section that one has no intention of taking. [0]
The student's project, though well-intentioned, is in clear violation of this policy. And it ought to be forbidden. There are plenty of ways this kind of a system could go wrong, including creating incentives to overregister or develop a registration black market, not to mention the technical liabilities of letting a bot talk to the database at bot-speed.
Now, as for follow-up conversations the student and the university have had, we have not seen these emails. We have only heard the student's own summary, which, given the high stakes and personally significant impact, may very well have been editorialized so that the university looks unreasonable and the student reasonable.
I, for one, cannot pass such quick and single-minded judgment as everyone else without seeing these emails.
[0] https://registrar.washington.edu/registration/policies-proce...
https://m.slashdot.org/story/49515
Also related: https://meta.stackoverflow.com/questions/295420/how-to-cope-...
Summary: Media attention gathers. UW issues a response that the site was in violation of the rules. But in fact rules were updated to make that site a violation just now. UW has acknowledged the site was taken down and a commitment made to not pursue any similar project. UW has lifted the hold. He can graduate.
There were tests you had to take in a special classroom full of Sun thin clients. You had to register yourself for some time slot(s) to go there. Sometimes you had to go there in like 2 days to meet a deadline but there were no slots available. So, someone made an app that would continuously scrape that page and notify you when a slot for your chosen time is available. Saved my ass a couple times.
Then Mark Zuckerberg built the Facebook by ignoring the data usage policy and scraping University data.
That's hardly readable, how could they act like that? I am sad to say it but you need the help of a lawyer and the most backup you'll get the better. The way they presented the case will never get solved in a happy manner. Do not let them get the code and the IP. Keep on!
> Thanks for your inquiry and for the opportunity to clarify this situation and our general approach to potential student conduct violations. Federal law does not allow UW to comment on matters regarding specific students, but I can provide some general information regarding UW policy and practice.
> Since you asked about swapping classes, I will tell you that students are reminded at the start of each academic year that trading, selling, or buying spots is a breach of the Registration Tampering Abuse Policy. Consequences may include referral to the Student Code of Conduct process, a Registrar's Hold on their record, and potential diploma withholding for graduating students until the conduct process is complete.
> On occasion, the Registrar will place a temporary registration hold in order to prompt a meeting with a student about a potential policy violation. This is standard practice.
> The Office of the University Registrar does not oversee Student Code of Conduct processes. Any corrective actions are only considered once a student conduct investigation has been completed and there has been a finding of wrongdoing. The Office of the University Registrar does not make threats regarding disciplinary action, other than to state what potential consequences could be for violating policy.
> Furthermore, the UW cannot and would not aim to effectively steal intellectual property from a student. There have been instances where a student's class project has turned into a potentially useful tool that UW-IT could help them develop into something that could serve other students. In any such case, appropriate partnership, ownership or credit for such a collaboration would be determined jointly with the student.
It contains a statement from the university as well:
> "On occasion, the Registrar will place a temporary registration hold in order to prompt a meeting with a student about a potential policy violation. This is standard practice." Victor Balta, UW Spokesperson
See also the dedicated submission of the news report: https://news.ycombinator.com/item?id=42658766
> JD, this has just been brought to my attention. I was the CSE 403 TA in charge of this project last quarter, and while I don't have the full context of how the site developed after the quarter ended and the token request, hearing this I am genuinely baffled and do not understand in the slightest what the UW has found a violation in and the legality of their actions. From my heavy experience with the site, it was developed completely independently from the UW registration system and did not even include any UW-specific information. I don't understand how they could request you take it down. If you need help in advocating for yourself or testimony, please let me know. I can also get in contact with the professor from your quarter. From the information I currently have, this seems like an insane and incomprehensible violation of justice, and I'd fight to overturn it.
https://www.linkedin.com/feed/update/urn:li:activity:7282891...
UW has missed a great opportunity to show its current and future students and faculty that innovation is valued there. Their management decision will shutdown the minds of so many brilliant hackers, as we have already witnessed with the OP's decision to back down. I really hope the school can re-evaluate their decision and more importantly, the faculty should support the students, as they are together pursuing the goal of learning by doing. That's what higher education should offer, not conditioning people into rule makers and rule followers.
https://www.linkedin.com/posts/jdkaim_github-jdkaimhuskyswap...
https://www.linkedin.com/posts/jdkaim_github-jdkaimhuskyswap...
https://www.linkedin.com/posts/jdkaim_github-jdkaimhuskyswap...
> (…) Final update. The university has determined that I have satisfactorily complied with their request to take down the site, and I’ve said publicly that I do not plan to pursue anything like HuskySwap, so the hold has been removed without a meeting and I am back on track to graduate next quarter. I have thanked them for closing the matter. (…)
He's being allowed to continue graduating.
- Write stuff down! A paper trail is helpful both to prevent hearsay and keep your own timeline of events in check. Recency bias and the like are too common in stressful situations.
- Remember that you are one (1) human who needs food, sleep, and water.
- Reach out to the Ombud (at the HUB), professors, and other administrators you may know. Even within one department there can be mixups -- nevermind when university-wide policies (such as registration) come into play. Having someone who can help point you in the right direction will be invaluable.
- On that note, the HUB has free legal services; for better or worse, you aren't the first student to be in this position.
- I understand in another comment you said you're confident in UW Leadership's ability, but crucially, there is no such thing as a singular leadership. At a university that large, *even when everyone is working to help*, things can turn out bad. (It's like how a CEO can get fired and nothing changes at a company; the system has its own momentum.) It's hard to say what level of intervention needs to happen to resolve this -- School of CSE? Undergrad CS department? Registrar? UW President's Office? -- and each level will likely not know what the level above/around them can do.
- Hanlon's razor, or more optimistically, "assume good intention". Always. Even when someone has stated not-good intention. This will help in a few ways: keeping your tone cordial, clearing up miscommunication. Maybe someone genuinely misunderstands what you built, or has pressure on their end to uphold some policy, however arcane. But most importantly, this will give yourself a way to not feel cornered, and distance your day-to-day/identity/etc. from this situation.- Remember that you are (likely still) one (1) human who needs food, sleep, and water. Those damn robots won't take over yet.
- Be careful what you post publicly! There is a reason the best PR teams stay silent. Less is more. Form a close group of people you trust to share information freely, and be very clear (to yourself) what your intention is with every public post. Is it to get validation/advice? Is it to put pressure on the university? The court of public opinion is a double edged sword! Not every interpretation needs to or will be true. (And employers, like the public, might interpret this situation positively or negatively. It's hard to say which way it will go!)
I am not from the USA and I don’t understand the context. What does “trade spots” mean? Does it mean that if I have registered to course A but not course B and my friend have registered to course B but not course A, we can swap our registered courses in the official registration system?
In my case, they accused me of copyright infringement and trying to destroy the co-op program. I made the case that while I was reproducing some data from the university's website, none of it had creative value and therefore wasn't protected by copyright. (I drew a parallel to an actual court case about reproducing phone book listings.)
I also reached out to some faculty that I was close to for some character references to show that I didn't have malicious intent.
Ultimately, I wasn't expelled or anything too bad. I was required to take a business ethics course, which I actually ended up enjoying.
Good luck!
You will get plenty of job offers out of your post, and you don't need their useless degree anyway.
Universities are specialized in bullying from their admins (and often faculty) that have way too much time on their hands.
1. The thing you are doing, could provide major value to the university and you did it for free.
2. The fact that you could simply just access that data is a major fuckup on their part that is inexcusable. In my eyes the perdon who walks through an open door is not at fault, the one who left it open is.
If they expell you for that, they do not deserve you.
The first quesrion you should figure out is on whose feet you stepped and why they are butthurt. Simultaneously try to get legal advice and the social/political support of your collegues. If you have a big number of students complaining to the higher ups why your cool service is gone and give them the feeling it is needed, you might even get a cool collab out of that.
Without knowing the details of how US academia operates I would try to maintain a positive angle (you want to help making the university life better), while in privage preparing for the worst.
I had a lecturer log in and leak the grades for my entire year, including my own, so his students could choose the best partners for final project.
Maybe if it were a high school student doing it, but making an app as a college student is not some impressive thing only prodigy students can do.
1. Mea Culpa
Talk to all of the faculty (dean of students, etc) and do your best to get people on your side. You need the petty person on the other end to reverse their decision, and having a lot of administration on your side, and more importantly, expressing (fake) remorse makes it easy for these jobsworth asshole(s) to fulfill their God complex. I'm actually convinced that this would have the highest probability of success. These Dolores Umbridge types adore getting to be the ones issuing mercy to the sinners.
Additionally, informing staff of the expulsion will help bring awareness of this abuse, and spread the word and prevent this from happening to other students.
While you perform your mea culpa groveling, record everything, which can be used as ammo later.
2. Agree to the (illegal) terms
Blackmailing you into slave labor is obviously illegal, but no terms have been laid out, so I don't see any harm in agreeing to them. Best case, they reverse the decision with the expectation that you'll do something (which you can then phone in or do a token exercise of), and worst case they outline terms which are the perfect ammo for negative publicity or a lawsuit.
3. Transfer schools/credits
I don't actually know what is involved in transferring schools or how expulsion factors in, but the reality is that you are effectively already expelled. Try and figure out the feasibility of saving what is salvageable at a school that is less insufferable.
4. Negative publicity
This story is easy to believe, sell, and consume- i.e. perfect ragebait. Start emailing every news outlet you can think of. Post on all social media. If it gets high enough, and probably not even that high, the weight of the negative publicity can easily outweigh the narcissists that started this, forcing a reversal.
5. Seek employment
If you have any employment cards in your deck, I'd consider playing them. If everything else fails, then at least you're financially secure and gain experience.
6. Lawyer
The combined weight of all of the above will assist a lawsuit, even prior to taking any legal steps. Note that all outcomes of a lawsuit that aren't "total win" are effectively a loss (of time, money, energy, and mental health), so I'd hesitate to take this course at all.