Deeplinks Blogs related to Coders' Rights Project
MIT Coders' Free Speech At Stake
Commentary by Hugh D'Andrade
As regular Deeplinks readers know, EFF's Coders' Rights Project is defending the rights of three MIT students who were prevented from presenting their research on security vulnerabilities in Boston's transit fare payment system. The students were hit with a temporary restraining order that silenced their planned presentation at DEFCON.
Why this is Important
At first glance, the issues at play may appear obscure, and of interest only to technical researchers and lawyers. But as we noted in a post last week, the right to publish without pre-publication review is part of the purpose of the First Amendment, and one of the reasons Americans fought the Revolutionary War. (The MBTA's stance is all the more ironic, considering Boston's role in that war.)
Beyond this core constitutional principle, EFF is defending the ability to conduct security research in the digital age. As we note in our Vulnerability Reporting FAQ, security researchers by definition raise questions that corporations and government agencies would prefer to keep quiet. But by investigating flaws in security, and alerting the public to vulnerabilities, researchers play an important role in keeping private and public institutions accountable.
The MIT students were behaving as good citizens within this culture of security research. They met with the MBTA before the presentation. They never planned to expose the full details of their successful exposé of the vulnerability of the MBTA's fare system, and MBTA officials admit that the students had provided them with "a written summary of every vulnerability that they claimed to have discovered and how to fix these vulnerabilities." As promised, the students provided a detailed 31-page analysis of the security vulnerability, and the MBTA has finally admitted that a vulnerability exists.
The free speech implications are even more important because showing faults with a government agency's systems is core political speech. The Boston Herald reports that an MBTA Advisory Council Member was concerned with the fare card payment systems (in light of this controversy), and noted that the "T gave a no-bid contract for CharlieCard services to a former government employee." This makes the public interest in this matter even stronger.
The MBTA is Seeking a Dangerous Precedent
Moreover, if the MBTA's unprecedented expansion of the federal computer intrusion law (considering a talk to people the same as transmission of a program to a computer, considering a piece of paper with a magnetic stripe to be a computer, etc.) is adopted by the federal court in Boston, it would also have the unintended consequence of chilling future academic research and discussion. An anti-virus researcher, for example, presenting virus code on the PowerPoint screen at an anti-virus software conference, could be charged with a similar offense. Releasing a computer security textbook which describes attacks and defenses to networks would become a crime. The court and the MBTA should think about the consequences beyond the scope of this lawsuit.
The MBTA is also misguided in its notion that any time a security researcher dares to look at a vulnerability, he suddenly has an obligation to provide the vendor of the faulty code with all of the research materials and to stay silent until the vendor decides he can speak. They seem to believe that they have a right to all of any such academic researchers' notes, drafts, tools, and anything else, because the researchers did them a favor and told them about a vulnerability the vendor didn't know about previously. The MBTA asserts that the researchers have not only a moral obligation, but a legal obligation, to allow the vendor pre-publication review.
The MBTA's strategy of shooting the messenger is not only counter-productive and shortsighted, it is dangerous. The vulnerability existed long before the students discovered it, and it could be (and may have been) discovered by others. The MBTA and its vendors are the ones who adopted a faulty system for its payment cards, not the students. The MBTA's priority should be fixing the problem, not continuing needless litigation.
A Reasonable Way Forward
The only thing stopping the students and the MBTA from working together cooperatively to resolve the fare payment card security issues is the lawsuit itself. The students have offered to meet with the MBTA and voluntarily walk the transit agency through the security vulnerability and the students' suggestions for improvement--for no charge--if only the MBTA would drop this lawsuit. It appears that the MBTA, a public transit agency supported with billions in public money, would rather spend these taxpayer dollars on litigation in a misguided attempt to keep the vulnerability quiet than work with the students to resolve the situation.
On Tuesday morning, the federal court will either lift the restraining order or convert the order to a preliminary injunction. EFF's Coders' Rights Project will be there, arguing for the First Amendment rights of the students, and for the right of researchers to investigate security flaws in the public interest.
MBTA Transit Official Supports MIT Students' Story
Legal Analysis by Kurt Opsahl
Today, Richard Sullivan, a Sergeant Detective in the Transit Police of the Massachusetts Bay Transportation Authority (and the liaison to the FBI), filed a Supplemental Declaration. In his declaration, Det. Sullivan said:
the MIT Undergrads reiterated that they did not exploit the supposed vulnerabilities that they had identified in the MBTA's computer system, they promised that they would not do so in the future, and they promised that they would not teach others how to.
Earlier the MBTA had asserted that "At a meeting last Tuesday involving all the parties, MIT staff and the students agreed to provide the MBTA with a copy of the presentation."
Det. Sullivan, however, says that at the meeting:
I asked the students to prepare a written summary of every vulnerability that they claimed to have discovered and how to fix these vulnerabilities. The MIT Undergrads agreed to provide me with such a paper within two weeks.
While the MBTA had originally requested the information within two weeks of the August 4 meeting (August 18), the students nevertheless provided the MBTA with a confidential vulnerability report on Friday, August 8 (as promised), and a very detailed "Security Analysis" on August 13. After the meeting, the students understood that the MBTA's concerns were resolved, and that the students were to provide a confidential vulnerability assessment by the end of the week.
The disconnect over when to expect further information from the students appears to have been a major factor leading to the lawsuit. According to an MBTA statement: "When no call or information was forthcoming, the MBTA instructed its legal counsel to begin drafting Court papers, so that the MBTA could obtain this information." While we disagree that a lawsuit is the best way to obtain security researchers' work, it appears that this remains a critical purpose of the MBTA's lawsuit.
Det. Sullivan concludes by saying:
On August 6, 2008, both myself and [FBI] Agent Shafer personally met with [MBTA Official] Joseph Kelley and others to discuss the meeting that had taken place. I conveyed to all in attendance that we were confident that the students did not violate any state or federal criminal statutes. Moreover, I conveyed that we were both comfortable and confident that the students would honor their declaration to us that they would not disclose any information that would enable others to harm the MBTA. After that meeting, I contacted Professor Rivest to let him know that Mr. Kelley may be reaching out to him.
The students never wanted attackers to have sufficient information to mount an attack. The students left out some key details in the work they did, because they did not want anyone to be able to attack the ticketing system or circumvent the system and get free fares. As security expert Eric Johanson confirmed "key information needed to compromise both the Charlie Ticket and the Charlie Card is not present in the Slides." In any event, the students never gave the talk nor released any software tools.
Unfortunately, it appears that misunderstandings remained. On the late afternoon of August 8, without any advance notice to the students, the MBTA filed a federal lawsuit that falsely asserted that the students violated federal law, were "traveling on the MBTA lines without paying fares," "have instructed others" in riding without paying fares, and "received or will illegally receive money and profits that rightfully belong to MBTA, in the form of lost transit fares." Of course, the students never rode the T for free or helped others do so. Much trouble could have been avoided if these misunderstandings could have been cleared up without the need for litigation.
The students have always been interested in coming to a reasonable resolution, and remain hopeful that the MBTA is willing to be reasonable. In the interim, they have no choice but to litigate.
MIT Students Still Gagged by Federal Court
News Update by Rebecca Jeschke
A federal court judge in Boston Thursday refused to lift an unconstitutional gag order against three students from the Massachusetts Institute of Technology (MIT) who uncovered vulnerabilities in Boston's transit fare payment system. In an editorial today, the Boston Globe wrote that Judge O'Toole "ought to lift it." Instead, the judge continued the hearing until Tuesday, and left the temporary restraining order in place.
EFF began representing the students in this case on Friday, when the Massachusetts Bay Transit Authority (MBTA) sued the students in federal court. On Saturday, a judge issued the gag order in violation of the students' First Amendment right to discuss their important research.
The court relied on a federal law aimed at computer intrusions in issuing its order, holding that even discussing the flaws at a public conference constituted a "transmission" of a computer program that could harm the fare collection system. But discussion in a public forum is clearly not the same as computer intrusion, and the students had already assured the MBTA they would withhold a key detail of the results so others could not use the information for fraudulent purposes.
Compounding the issue Thursday, the judge also ordered the students to hand over more documents about their research, so the judge and the MBTA could see the documents before deciding whether the students could speak. This pre-publication review by a government agency -- whether it is a federal judge or a city transit agency -- is exactly the kind of prior restraint the First Amendment was designed to abolish. As the Supreme Court has noted:
The doctrine [against] prior restraint has its roots in the 16th and 17th century English system of censorship. Under that system, all printing presses and printers were licensed by the government, and nothing could lawfully be published without the prior approval of a government or church censor.
Our founders included the Bill of Rights in the Constitution to reject that system. Thus, under the First Amendment, courts have rejected "not only licensing schemes requiring speech to be submitted to an administrative censor for prepublication review, but also injunctions against future speech issued by judges." Here we have both.
Nevertheless, the students are interested in responsible disclosure, met with the MBTA on August 4, and already voluntarily gave the MBTA a confidential vulnerability assessment last Friday. Prior to today's hearing, the students provided, as part of a good faith effort to help resolve this matter, a more detailed 31-page Security Analysis that discusses the security vulnerabilities uncovered by the students. The report was provided to the MBTA on August 13, and filed with the court under seal.
According to the Boston Globe:
The T is not sure there is a security problem, but the 10-day injunction will provide time to find out. "The injunction is allowing us to review the research that they have and see if there is any validity to their findings, and take corrective action, if any is even necessary," said Lydia Rivera, a T spokeswoman.
The students have made clear that, since DEFCON is over, they will never give the presentation previously planned. Nevertheless, the MBTA is seeking to extend the 10-day TRO into a preliminary injunction that will last indefinitely, and has not indicated any intent to drop the lawsuit.
You Bought It, But You Don't Own It
Deeplink by Corynne McSherry
In a devastating blow to user rights, an Arizona federal court has ruled that consumers can be guilty of copyright infringement if they violate the end user license agreement ("EULA") that comes with the software--even where the so-called "violation" is specifically excluded from copyright liability. Why? Because those protections only apply if you own the software you buy--not if you license it. Stunningly, this means that "cheating" while playing a computer game can expose you to potentially huge statutory damages for copyright infringement.
As we noted back in May, Blizzard Entertainment, the company that makes the hugely popular massively multi-player online role-playing game World of Warcraft, sued Michael Donnelly, the developer of Glider, a program that helps WoW users raise their character level to 70 by "playing" for the user. Blizzard said that because the license agreement forbids using Glider with WoW, Glider users are committing copyright infringement when they load copies of WoW into RAM in order to play the game, and Donnelly is illegally contributing to that infringement.
As Public Knowledge explained in its brief, Blizzard's theory confuses a copyright holder's intellectual property rights in the software it develops with a buyer's rights in the actual copy of the software. An owner of software has a right to copy it if that copy is essential to the customer's use of the software. (See Section 117 of the Copyright Act.) This rule helps balance the rights of the copyright holder to manage and benefit from its expressive work, and the rights of the public to use and build on that work.
Blizzard argued that players aren't owners but merely software licensees, so Section 117 doesn't apply. But the question of whether a user is an owner for purposes of Section 117 depends on the substance of the transaction, not just how one party wants to describe it. For example, if you buy the software, keep it on your own computer and don't have to return it when you are done, you probably own it.
Sadly, the court in this case found otherwise. It held that because Blizzard says the software is licensed, and because it imposes restrictions on use (including such standard restrictions as a requirement that a user who transfers her copy of the software to another must delete all copies from her computer), users are licensees rather than owners. And that means that users who violate the EULA could be on the hook for copyright damages--including statutory damages, which start at $750 and rise to as high as $150,000 per infringed work. Most disappointing, the court gave short shrift to the absurd policy consequences of treating users who violate a contract as copyright infringers. The logical implication of the holding is that any time you buy software, be it film editing software, accounting software, iTunes, Skype, etc., software vendors can always use license agreements to prevent you from ever having full control over your software and taking advantage of standard copyright limitations (such as the right to sell your copy [Section 109 of the Copyright Act] or the right to make copies necessary for use of the software [Section 117]). You can buy it, but you can't own it.
But this decision is not the whole story: this is the third holding on the issue by district courts in the Ninth Circuit in the past three months. Given that the recent decisions vary considerably, it’s likely the appellate court will address the issue in the near term.
There's one bright light on the horizon: the court found that WoW Glider does not violate the DMCA anticircumvention provisions by allowing users to evade "Warden," which scans game players' computers for unauthorized software. The DMCA prohibits the manufacture and sale of technology that allows the circumvention of technological measures that control access to a work. The court correctly held that Warden doesn't "control access" to the WoW software already loaded on a user's computer, and, therefore, WoW Glider doesn't circumvent that access. (The court did, however, leave some aspects of the claim open for exploration at trial.)
Do You Own Your Software? WoW Glider Case Not Just About Getting to Level 70.
Deeplink by Corynne McSherry
Unbeknownst to most software users, a lawsuit now at a critical stage could drastically expand the ability of software vendors to restrict how their customers can use their software.
Blizzard Entertainment, the company that makes the hugely popular massively multi-player online role-playing game World of Warcraft, sued Michael Donnelly, the developer of Glider, a program that helps WoW users raise their character level to 70 by “playing” for the user while the user goes to get a cup of coffee, read the paper, etc. The WoW licensing agreement ostensibly forbids using programs like Glider. Blizzard says that Donnelly illegally interfered with that agreement by selling Glider and, therefore, encouraging users to breach the license agreement by using the program.
Here’s the scary part: Blizzard also insists that because the license agreement forbids using Glider with WoW, Glider users are committing copyright infringement when they load copies of WoW into RAM in order to play the game. (Blizzard says Donnelly is contributing to that infringement.) If Blizzard’s theory were correct, Glider users could be on the hook for statutory damages, which could start at $750 per RAM copy. Blizzard’s theory would also give software vendors the power to stop the sale of software that interoperates with their product.
But Blizzard’s theory is wrong, because it confuses a copyright holder's intellectual property rights in the software it develops with a buyer's rights in the actual copy of the software. An owner of software has a right to copy it if that copy is essential to the customer’s use of the software. (See Section 117 of the Copyright Act.) This rule is a crucial part of the balance Congress crafted between the rights of the copyright holder to manage and benefit from its expressive work, and the rights of the public to innovate, recreate and otherwise use and build on that work.
Blizzard argues that players aren't owners but merely software licensees, so Section 117 doesn't apply. But court after court has held that the question of whether a user is an owner for purposes of Section 117 depends on the substance of the transaction, not just how one party wants to describe it. For example, if you buy the software, keep it on your own computer and don't have to return it when you are done, you probably own it.
This is not to say that there might not be a contract, like the license agreement, that restricts use of the software. But violation of that agreement is a matter of contract law, not copyright, which means that different standards apply and there is no minimum statutory damages requirement.
Blizzard has filed for summary judgment on its claims. Given the facts of the case—Glider is, after all, a program that helps some folks cheat at WoW—there is a danger here that the court will lose sight of the implications of its ruling for all software users. Public Knowledge filed an amicus brief last week calling the court’s attention to those implications. We hope the court will take heed, and reject Blizzard’s absurd and overreaching copyright theory.