Update: I immediately took down my class project site after receiving yesterday’s ultimatum. I still don’t think the simple demo site violated the letter or spirit of the registration rules, but I took it down because I always want to operate in good faith.

They followed up today to thank me for doing it, but also indicated that they were putting a hold on my account anyway. As a result, I am not going to be able to register for my final quarter and have been de facto expelled at the end of this quarter.

Unless, that is, I agree to work on a comparable solution for the university focused on solving the underlying problem I was building HuskySwap for. They would presumably own the IP and were clear that I wouldn’t be compensated. But it was implied that they would then remove the hold, allowing me to graduate.

I really love UW and have had a wonderful time here. But this is so demoralizing.

Update #2:

I appreciate you guys for all of your advice.

This platform was never intended to be monetized, and I am not planning to get a lawyer involved as I have faith that UW leadership will make it right in the end.

I'm not planning to pursue this project at this point. If they came up to me at first with the offer to work with them it might be different, but the way they handled it makes me just want to walk away.

His (presumed) dad commented this on LinkedIn:

> I have seen all the emails now and it's as bad as described. I thought there might be some hyperbole but the "University Registrar and Chief Officer of Enrollment Information Services" is clearly saying "work with us to build this for free or you're not graduating". They even specify that he needs to set up the meeting "well before registration opens on February 13th for spring quarter 2025" because they're not going to let him continue otherwise.

https://www.linkedin.com/posts/edkaim_github-jdkaimhuskyswap...

I went to UW a decade ago, and back then it was pretty common knowledge that you don't fuck with software and the class registration system. Registering for classes was really competitive and they were really strict about making sure that no one had an edge over anyone else by being able to write code. There were plenty of rumors of people being expelled for using scripts to try to get the classes they wanted right when they opened. I also believe they forbid or at least frowned on students "trading" registrations, because they didn't want even more people trying to sign up for high value classes and trading them as a commodity.

So at least back when I went there, basically any CS student could have told you that this website was a horrible idea that is sure to get you in trouble.

That’s just how colleges are. I once reported to my alma mater that a somewhat obscure (but obviously public) link seemed to trigger the download of a zip of student details for no discernible reason (I think it was a WIP site), and they immediately threatened to call the FBI on me. I just sort of laughed it off, but I decided that was the last time I was going to initiate any sort of contact with them if I didn’t absolutely have to.

Which is the policy I followed when I found that they had stored one of their LDAP admin passwords in a world readable file on the CS servers.

Student web service in question: https://ws.admin.washington.edu/student/swagger/index.html

FERPA was probably a big factor in UW’s initial response to ask that the site be taken down. Institutions are all about CYA now.

The bit about blackmail seems a bit far fetched. I’d like to see the correspondence between UW and this individual. The entire story is certainly plausible but as other have pointed out, there are a number of inconsistencies.

Why would the school admin go nuclear over a request to integrate with the registration system, a system that is clearly intended to be used by applications:

> “The Student Web Service gives your application access to information in the Student database such as course data, registration data, section data, person data, and term data (general academic data).”

It doesn't make any sense. Was there something left out of the story? Do they offer this web service as a honeypot to find and expel ambitious software developers?

It is wild to me that the bulk of responses here seem to take how this is being described by the poster at face value.

As well as the question of interfering with registration, he has also gone about this in a way that causes reputational damage (& UW have probably caused their own, but that's not necessarily relevant here), which I cant imagine they'll take that kindly either.

But I work in a public university in the EU, so my understanding of how these institutions probably operate is likely a little skewed.

I have several friends on the administrative side at Universities. The two things you have to realize is that there are an incredible number of administrative staff at Universities and they're extremely territorial. You rocked someone's boat and they got upset. They have a lot of time on their hands because there are so, so many people in administration. Now they're coming after you like it's their job.

I think you're doing the right thing by publicizing this far and wide. Stay calm, cool, and stick to the facts as tightly as possible. When this gets picked up across social media and news media it will start to become a problem for other people on the administrative side of the university who are also territorial (about PR/image) and will take it as their job to fix it.

So be loud, but polite.

While at university I had a similar interaction. When the main university IT services team wanted to roll out a replacement to the student portal with a bunch of irrelevant features I mocked up a simple site with the things we actually wanted on it. Later on I re-implemented our students union website, again providing more useful information, like venue schedules and opening hours.

Both times we came under scrutiny for the possibility that we might be handling student data in ways that the university couldn't control, and mostly, that we might be taking passwords on behalf of users.

The first was just a mockup, and while the second initially had full university auth against their open LDAP server, we quickly removed that in favour of our own auth, because it was very apparent that the password input being on our domain was a dealbreaker for the university.

By doing this, and by communicating carefully about what we were doing and what we were not doing, where the boundaries were, and how we handled data, we managed to win them around to some productive discussions. Most of the people we spoke to on university staff who were involved in this were not at the technical level to be able to understand, for example, having an unsecured LDAP server that we could auth against, and were only interested in the policy of whether we were allowed to do it.

It's a common failure mode of software engineers to assume that because something is not technically disallowed, even though it could be, that it must therefore be allowed. This is not true.

What's not clear with this project is whether the university have a fundamental disagreement with the idea of a student project providing services, or if someone has panicked that a non-approved system might be receiving passwords from students. The former is obviously ridiculous, universities should be open to this sort of innovation, especially from their students. But the latter is understandable and a fairly reasonable response, but one that does need careful handling by the student to navigate well.

Interesting. I graduated from the _other_ UW (University of Warsaw) and our uni has course-swapping capability built into the University Study Service System (USOS)[1].

FYI public university education is fully government-funded in Poland (i.e. it is free for students).

1 - https://usosweb.mimuw.edu.pl/kontroler.php?_action=news%2Fde...

The following has been added to the "Tampering and Abuse" section of the UW Registrar's Policies & Procedures page in the last day:

> Additionally, the creation of any service that enables any of the above behaviors is strictly forbidden and constitutes a violation of this policy.

Worth noting that the administrative code is probably more important, here's some relevant sections:

WAC Aiding, assisting, and attempting: https://app.leg.wa.gov/WAC/default.aspx?cite=478-121-113

WAC Computer abuses: https://app.leg.wa.gov/WAC/default.aspx?cite=478-121-117

Registrar before: https://web.archive.org/web/20241208123609/https://registrar...

Registrar after: https://web.archive.org/web/20250109203004/https://registrar...

> Unless, that is, I agree to work on a comparable solution for the university focused on solving the underlying problem I was building HuskySwap for. They would presumably own the IP and were clear that I wouldn’t be compensated. But it was implied that they would then remove the hold, allowing me to graduate.

I'm really baffled here because the code Kaim published is itself MIT licensed. The university could use it however they see fit after his version, and perhaps make a modified version which they then incorporate in to their system as the 'official' version.

Perhaps this code being public may expose potential flaws (logical, security, etc) which they don't want to have to deal with. Or might even be known flaws they don't want to expose.

I'm surprised this is upvoted so much. All we have is a LinkedIn post and a GitHub repo. We haven't seen any of the original emails/writing from UW, not have we heard UW's view.

Am I being overly skeptical here?

This does not add up- this is your last term but you’ve only been there a year and a half? The university, who presumably has a professional engineering team making these systems is trying to blackmail an undergrad to reproduce something for free that they also wanted shut down? And you’re marketing this on linkedin in the context of asking for job offers?

How come there was another project team with the same idea? Did everyone have the same task? I'm confused: https://www.sammybharadwaj.com/huskyswap

Amidst all of the talk about the reported coercion attempt, which is bad, may I also ask something about the bait and switch: so you paid a lot of money to attend a given university and then even though your grades and everything else would in theory allow you to follow a class you can be blocked because of resource constraints that are not advertised as something you would have to contend with when you paid the big ticket tuition fee?

How does the course-swapping site work? Is there some part that requires users to enter their credentials (email, password) on a web site that is not operated by the university? Is there some part that saves an access token or a refresh token in other place than the web browser?

Is some OAuth2 authentication flow involved so that the university has registered the application and assigned a client id and return URI?

I think the university might have valid security concerns if the application somehow accesses student accounts without valid OAuth2 authorization flow (or equivalent).

Entering login credentials for university on a third-party site is probably forbidden by terms of service for the university site.

Meanwhile in my Russian university, everyone scraped whatever they wanted. As long as you didn't cause any harm or disruption to these systems, no one cared.

There were tests you had to take in a special classroom full of Sun thin clients. You had to register yourself for some time slot(s) to go there. Sometimes you had to go there in like 2 days to meet a deadline but there were no slots available. So, someone made an app that would continuously scrape that page and notify you when a slot for your chosen time is available. Saved my ass a couple times.

UW registration weren't really open to criticism or improvement ca. 2009, either. Extremely hostile to student projects that would in any way interact with the registration system.

I had something similar happen to me, not threaten with expulsion and I kind of deserved it.

This was back in late 1990s, a group I was part of was getting a web site made on the school pages and I wanted to contribute. I ran my mouth about my dislike of the current site (I was a dumbass) and for some reason hosted the site on my local computer in my room which was accessible everywhere on the network. I wasn’t going to run it permanently, I just wanted to showcase it. That got me in some trouble, what I said got back too, I got my room connection disconnected because we weren’t supposed to run servers.

I apologized, obviously disabled the server, and eventually got reconnected.

They got a notice of "Registration Tampering Abuse Policy" for filling out a request form to request data that is available?

Is the request system just a honeypot?

> Unless, that is, I agree to work on a comparable solution for the university focused on solving the underlying problem I was building HuskySwap for

That's hardly readable, how could they act like that? I am sad to say it but you need the help of a lawyer and the most backup you'll get the better. The way they presented the case will never get solved in a happy manner. Do not let them get the code and the IP. Keep on!

Alleging a violation after he asked for an API key, rather than simply turning him down or saying that he could experiment but that he would need to get agreement before deploying, seems like defamation to me.

It sounds to me like the university is using the threat of expulsion to steal or coerce you into giving over your site. I think you just got the best IRL education ever.

The comments here are almost entirely of one voice: UW bad. Student innocent.

It is not hard to find the policy in question. I quote from the UW Registrar's website, their policy on tampering and abuse of the registration system, as cited in the subject of the email the student received:

> The registration system is provided for the sole express purpose for students to register themselves into sections. Any use of the registration system other than for this purpose is considered abuse of the system. Such abuse includes, but is not limited to, buying or selling one’s seat in a class, holding seats for another student, or otherwise registering for a section that one has no intention of taking. [0]

The student's project, though well-intentioned, is in clear violation of this policy. And it ought to be forbidden. There are plenty of ways this kind of a system could go wrong, including creating incentives to overregister or develop a registration black market, not to mention the technical liabilities of letting a bot talk to the database at bot-speed.

Now, as for follow-up conversations the student and the university have had, we have not seen these emails. We have only heard the student's own summary, which, given the high stakes and personally significant impact, may very well have been editorialized so that the university looks unreasonable and the student reasonable.

I, for one, cannot pass such quick and single-minded judgment as everyone else without seeing these emails.

[0] https://registrar.washington.edu/registration/policies-proce...

I'm so thankful my university (UVA) didn't have these registration problems. Granted, I graduated in '99, so they might now. But I never had any difficulty getting into required classes. At worst, an email to the prof got me a waiver, and IIRC, I only had to do that once.

Don’t trust UW. They have a history of retaliating against students when complaints are raised. When faculty misbehave they cover it up and take it out on the student to silence them.

Reminds me of the time my university made headlines!...for attempting to regulate wifi.

https://m.slashdot.org/story/49515

As a non-student, I received an overzealous takedown request from the University of Washington a decade ago. https://github.com/nayuki/Reference-Huffman-coding/issues/1

Also related: https://meta.stackoverflow.com/questions/295420/how-to-cope-...

some people have to learn the hard way. at least he didn't go to jail!

Sounds like this guy did not even publish or finish the project, but only communicated his intent. The university is clearly persecuting him and he should absolutely talk to a lawyer.

UW's slogan is "Be Boundless". This is the polar opposite of that.

UW has missed a great opportunity to show its current and future students and faculty that innovation is valued there. Their management decision will shutdown the minds of so many brilliant hackers, as we have already witnessed with the OP's decision to back down. I really hope the school can re-evaluate their decision and more importantly, the faculty should support the students, as they are together pursuing the goal of learning by doing. That's what higher education should offer, not conditioning people into rule makers and rule followers.

Pick up a phone and call a lawyer. If any lawyers have already hit you up about this, talk to them.

https://archive.is/8qR7w

1st rule of hacking: don't write your freaking name on it!

Oh hey, I got in trouble at my university for trying to make a tool for students too. This was ~15 years ago now...

In my case, they accused me of copyright infringement and trying to destroy the co-op program. I made the case that while I was reproducing some data from the university's website, none of it had creative value and therefore wasn't protected by copyright. (I drew a parallel to an actual court case about reproducing phone book listings.)

I also reached out to some faculty that I was close to for some character references to show that I didn't have malicious intent.

Ultimately, I wasn't expelled or anything too bad. I was required to take a business ethics course, which I actually ended up enjoying.

Good luck!

something is missing from this story. it doesn’t make sense they jumped right to blocking your account because you requested to integrate. You sort of skipped over the part where you got hold of the Swagger files. would you care to elaborate on how exactly you found those files and if this might have been the reason for the heavy handed response? usually swagger files would be locked down on the backend .

“...find partners to trade spots in critical classes after they filled up”.

I am not from the USA and I don’t understand the context. What does “trade spots” mean? Does it mean that if I have registered to course A but not course B and my friend have registered to course B but not course A, we can swap our registered courses in the official registration system?

Just a thought: maybe replace the MIT license with something more strict (such as GPL-3) or even an "only private use" license.

Wait, so the project is bad, but also they want you to re-create it for them for free else they won't let you register? This is some insane chicanery. I agree with the many comments here about getting legal advice.

I don't understand - what could they possibly expel you for?

There's a reason you wake up at 5:50am to copy paste course codes the moment registrations open up!

I’d like to see the email where they demand you work for free! Lawyer up of this is the case.

Attorney here. Get an attorney.

Stay calm, they will be the ones that will loose a lot and they will end up spending a lot ot time and money to clean-up their mess.

You will get plenty of job offers out of your post, and you don't need their useless degree anyway.

Universities are specialized in bullying from their admins (and often faculty) that have way too much time on their hands.

The utter ridiculousness of this should have stopped them. I hope this post of yours gets plenty of airtime as blocking a solution like this deserves every bit of punishment it gets.

I manage university relations for our corporation and give money (though not very much) to have our corporate logo next to the Udub logo.

I'm not sure this kind of misbehaviour reflects well on our brand.

Do you have a contact at the university I can talk to?

If I was a UW alum I would make it clear I am paying attention to how they deal with this.

IMO it should be ranked order and random assignment

I wanted to chime in with some advice that also can help in any situation involving long administrative processes. I'm sorry you're going through this and I really hope some of this can be helpful.

- Write stuff down! A paper trail is helpful both to prevent hearsay and keep your own timeline of events in check. Recency bias and the like are too common in stressful situations.

- Remember that you are one (1) human who needs food, sleep, and water.

- Reach out to the Ombud (at the HUB), professors, and other administrators you may know. Even within one department there can be mixups -- nevermind when university-wide policies (such as registration) come into play. Having someone who can help point you in the right direction will be invaluable.

- On that note, the HUB has free legal services; for better or worse, you aren't the first student to be in this position.

- I understand in another comment you said you're confident in UW Leadership's ability, but crucially, there is no such thing as a singular leadership. At a university that large, *even when everyone is working to help*, things can turn out bad. (It's like how a CEO can get fired and nothing changes at a company; the system has its own momentum.) It's hard to say what level of intervention needs to happen to resolve this -- School of CSE? Undergrad CS department? Registrar? UW President's Office? -- and each level will likely not know what the level above/around them can do.

  - (And if you do need to escalate, it might be worth reaching out to the Registrar's office directly, over email. I say this because they work at a university-wide level, separate from any school or department, and may have a more-final say on what any individual branch can do/not do w.r.t. your enrollment.)

- Remember that you are (likely still) one (1) human who needs food, sleep, and water. Those damn robots won't take over yet.

- Be careful what you post publicly! There is a reason the best PR teams stay silent. Less is more. Form a close group of people you trust to share information freely, and be very clear (to yourself) what your intention is with every public post. Is it to get validation/advice? Is it to put pressure on the university? The court of public opinion is a double edged sword! Not every interpretation needs to or will be true. (And employers, like the public, might interpret this situation positively or negatively. It's hard to say which way it will go!)

Best of luck. It sounds like you really pissed someone off by threatening some internal power structure or process they controlled. I hope you don't keep quiet about this - I know it's easy to say when I'm watching from the sidelines, but don't let them coerce you into silence!

About a decade ago, some teammates and I built an internal request system for our Ops team to replace the MS Sharepoint crap we were using. We used Bottle, BootstrapJS and SQLite to get it up and going quickly, and under the radar. Our customer IT teams loved it, and managers from elsewhere in our department were even asking half-jokingly if we could support their teams, too.

Well, the IT team that was deploying ServiceNOW was none too happy that a "non-standard" application was running... our manager was a knight and kept them from making us tear it down. We pretended to play ball, we walked through SNOW process of getting a team-specific form to build out. And then we never used it; we kept directing our customers to the self-built tool.

The moral is, people like their fiefdoms. Bureaucrats often shun innovation because it has the chance to make them obsolete, or else they are simply the kind of people who don't like disruption.

You may also have invented a tool that would have obsoleted some multimillion dollar software acquisition or internal process, who knows.

I remember asking for permission to get some innocuous University data to build an app to help students. University said no.

Then Mark Zuckerberg built the Facebook by ignoring the data usage policy and scraping University data.

Student builds tool to circumvent common university registration rules, is surprised when university objects.

Everyone is saying lawyer up like it's the author's only option, but it's not, and likely bad advice. Here's the order of operations I would take:

1. Mea Culpa

Talk to all of the faculty (dean of students, etc) and do your best to get people on your side. You need the petty person on the other end to reverse their decision, and having a lot of administration on your side, and more importantly, expressing (fake) remorse makes it easy for these jobsworth asshole(s) to fulfill their God complex. I'm actually convinced that this would have the highest probability of success. These Dolores Umbridge types adore getting to be the ones issuing mercy to the sinners.

Additionally, informing staff of the expulsion will help bring awareness of this abuse, and spread the word and prevent this from happening to other students.

While you perform your mea culpa groveling, record everything, which can be used as ammo later.

2. Agree to the (illegal) terms

Blackmailing you into slave labor is obviously illegal, but no terms have been laid out, so I don't see any harm in agreeing to them. Best case, they reverse the decision with the expectation that you'll do something (which you can then phone in or do a token exercise of), and worst case they outline terms which are the perfect ammo for negative publicity or a lawsuit.

3. Transfer schools/credits

I don't actually know what is involved in transferring schools or how expulsion factors in, but the reality is that you are effectively already expelled. Try and figure out the feasibility of saving what is salvageable at a school that is less insufferable.

4. Negative publicity

This story is easy to believe, sell, and consume- i.e. perfect ragebait. Start emailing every news outlet you can think of. Post on all social media. If it gets high enough, and probably not even that high, the weight of the negative publicity can easily outweigh the narcissists that started this, forcing a reversal.

5. Seek employment

If you have any employment cards in your deck, I'd consider playing them. If everything else fails, then at least you're financially secure and gain experience.

6. Lawyer

The combined weight of all of the above will assist a lawsuit, even prior to taking any legal steps. Note that all outcomes of a lawsuit that aren't "total win" are effectively a loss (of time, money, energy, and mental health), so I'd hesitate to take this course at all.

This is pretty blatant extortion on their part. It reminds me of MIT and Aaron Schwartz.

Haha. The programmer ananlysts left the Ellucian swagger documentation up and public, and someone was embarrassed.

He wasn't disciplined for building an app or fetching data.

He was disciplined for blatantly trying to "hack" (in the YC sense, in UW's view) the registration process:

https://registrar.washington.edu/winter-2025-registration-ch...

"Know that trading, selling, or buying open spots is a breach of the Registration Tampering Abuse Policy. Consequences include referral to the Student Code of Conduct process, a Registrar’s Hold on your record, and potential diploma withholding for graduating students until the conduct process is complete."

https://registrar.washington.edu/registration/policies-proce...

"Registration Abuse The registration system is provided for the sole express purpose for students to register themselves into sections. Any use of the registration system other than for this purpose is considered abuse of the system. Such abuse includes, but is not limited to, buying or selling one’s seat in a class, holding seats for another student, or otherwise registering for a section that one has no intention of taking."

Disclaimer: I am making no claim about the ethical validity of this policy, and I don't know how well the policy is communicated to students. I am not commenting on the allegation that the University demanded free labor in exchange for not-expelling OP.

Par for the course in the prissiest, most Karen city culture in the entire country. Seriously, living in King County is like living in a giant HOA neighborhood.

GET A LAWYER

Yeah universities are horrific for ethics.

I had a lecturer log in and leak the grades for my entire year, including my own, so his students could choose the best partners for final project.

I am working at a German University on similar systems. I have some thoughts here:

1. The thing you are doing, could provide major value to the university and you did it for free.

2. The fact that you could simply just access that data is a major fuckup on their part that is inexcusable. In my eyes the perdon who walks through an open door is not at fault, the one who left it open is.

If they expell you for that, they do not deserve you.

The first quesrion you should figure out is on whose feet you stepped and why they are butthurt. Simultaneously try to get legal advice and the social/political support of your collegues. If you have a big number of students complaining to the higher ups why your cool service is gone and give them the feeling it is needed, you might even get a cool collab out of that.

Without knowing the details of how US academia operates I would try to maintain a positive angle (you want to help making the university life better), while in privage preparing for the worst.

UW used to cultivate this kind of thing. Pretty sad that administrators choke the life out of everything. I suppose it’s the story of America.

Also... do you have the whole post somewhere. I didn't get past Microsoft's registration wall. It only let me see the first couple of lines.

UW alum here, my alma mater is a disappointment.

He probably accidentally exposed someone’s bug or other screwups

[flagged]

Amazing story. Why post on LinkedIn though? I'm not angry, just disappointed.