Press Releases related to Coders' Rights Project
Judge Lifts Unconstitutional Gag Order Against MIT Students
Free Speech Victory for Security Researchers
Boston - Today, a federal judge lifted an unconstitutional gag order that had prevented three Massachusetts Institute of Technology (MIT) students from disclosing academic research regarding vulnerabilities in Boston's transit fare payment system. The court found that the Massachusetts Bay Transportation Agency (MBTA) had no likelihood of success on the merits of its claim under the federal computer intrusion law and denied the transit agency's request for a five-month injunction. In papers filed yesterday, the MBTA acknowledged for the first time that their Charlie Ticket system had vulnerabilities and estimated that it would take five months to fix.
Tuesday's ruling lifts the restriction preventing the student researchers from talking about their findings regarding the security vulnerabilities of Boston's Charlie Card and Charlie Ticket -- a project that earned them an "A" from renowned computer scientist and MIT professor Dr. Ron Rivest. The Electronic Frontier Foundation (EFF) represents the students as part of its Coders' Rights Project.
"We're very pleased that the court recognized that the MBTA's legal arguments were meritless," said EFF Legal Director Cindy Cohn, who argued at the hearing. "The MBTA's attempts to silence these students were not only misguided, but blatantly unconstitutional."
The students had planned to present their findings earlier this month at DEFCON, a security conference held in Las Vegas, while leaving out key details that would let others exploit the vulnerability. The students met with the MBTA about a week before the conference and voluntarily provided a confidential vulnerability report to the transit agency. However, the MBTA subsequently sued the students and MIT in United States District Court in Massachusetts less than 48 hours before the scheduled presentation, without providing any advance notice to the students. The lawsuit claimed that the students' planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A different federal judge, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides.
"The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk," said EFF Staff Attorney Marcia Hofmann. "A presentation at a security conference is not some sort of computer intrusion. It's protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security -- the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not."
Although the gag order was lifted, the MBTA's litigation against the students still continues. The students have already voluntarily provided a 30-page security analysis to the MBTA and have offered to meet with the MBTA and walk the transit agency through the security vulnerability and the students' suggestions for improvement.
"The only thing keeping the students and the MBTA from working together cooperatively to resolve the fare payment card security issues is the lawsuit itself," said EFF Senior Staff Attorney Kurt Opsahl. "The MBTA would be far better off focusing on improving the MBTA's fare payment security instead of pursuing needless litigation."
This case is part of EFF's Coders' Rights Project, launched two weeks ago to protect programmers and developers from legal threats hampering their cutting-edge research. EFF was assisted in this case by John Reinstein, ACLU of Massachusetts Legal Director, and Fish & Richardson attorneys Adam Kessel, Lawrence Kolodney, and Tom Brown.
For more on MBTA v. Anderson:
http://www.eff.org/cases/mbta-v-anderson
Contacts:
Rebecca Jeschke
Media Coordinator
Electronic Frontier Foundation
press@eff.org
Kurt Opsahl
Senior Staff Attorney
Electronic Frontier Foundation
kurt@eff.org
EFF Urges Judge to Lift Gag Order on MIT Students
Thursday Hearing Set on Temporary Restraining Order
Boston - The Electronic Frontier Foundation (EFF) urged a federal judge Tuesday to lift an unconstitutional gag order issued to three students at the Massachusetts Institute of Technology (MIT) whose academic research uncovered vulnerabilities in Boston's transit fare payment system.
A hearing on the temporary restraining order is set for 11am Thursday at the United States District Court for the District of Massachusetts in Boston.
The students -- Zack Anderson, RJ Ryan and Alessandro Chiesa -- would like to resolve this dispute amicably with the Massachusetts Bay Transit Authority (MBTA). However, it has been hard to find an amicable resolution when the students are the subjects of a vigorous lawsuit and under the restrictions of a temporary restraining order. This remains true even though the MBTA filed a motion earlier this week to modify the restraining order to only prohibit disclosure of "non-public" information.
"We appreciate the gesture," said EFF Staff Attorney Marcia Hofmann. "But it does not resolve the dispute. Indeed, we would hope everyone acknowledges that it is impermissible under the Constitution for a court to order someone not to repeat publicly available truthful information."
"The restraining order, even if modified, remains an improper prior restraint restricting speech," said EFF Civil Liberties Director Jennifer Granick. "The First Amendment does not allow people to be silenced because their speech exposes flaws, even if those flaws might someday be illegally misused by others. To protect our clients' rights, we had no choice but to ask the court to reconsider the gag order."
As part of EFF's court filing Tuesday, 11 computer scientists and researchers from the nation's top research and educational institutions submitted a letter in support of the MIT students, including Professor David Farber of Carnegie Mellon, Professor Steve Bellovin of Columbia University, and computer security expert Bruce Schneier. The group explained that security research and information are critical for scientific advancement, and stated that restraining orders such as the one issued by the court over the weekend could have a devastating chilling effect on future academic endeavors.
"The students' ultimate goal in the security research was to help the MBTA improve its security," said EFF Senior Staff Attorney Kurt Opsahl. "Despite colorful marketing rhetoric advertising a presentation of the students' work at a security conference, the students never intended to provide sufficient information to the public to replicate the attack."
For more details on Thursday's hearing, contact press@eff.org.
For the full motion to reconsider:
http://www.eff.org/files/filenode/MBTA_v_Anderson/studentresponse081208....
For the full letter from the computer scientists and researchers:
http://www.eff.org/files/filenode/MBTA_v_Anderson/letter081208.pdf
For more on MBTA v. Anderson:
http://www.eff.org/cases/mbta-v-anderson
Contact:
Rebecca Jeschke
Media Coordinator
Electronic Frontier Foundation
press@eff.org
MIT Students Gagged by Federal Court Judge
EFF Backs Researchers Forced to Cancel Presentation on Transit Fare Payment System
Las Vegas - Three students at the Massachusetts Institute of Technology (MIT) were ordered this morning by a federal court judge to cancel their scheduled presentation about vulnerabilities in Boston's transit fare payment system, violating their First Amendment right to discuss their important research.
The Electronic Frontier Foundation (EFF) represents Zack Anderson, RJ Ryan and Alessandro Chiesa, who were set to present their findings Sunday at DEFCON, a security conference held in Las Vegas. However, the Massachusetts Bay Transit Authority (MBTA) sued the students and MIT in United States District Court in Massachusetts on Friday, claiming that the students violated the Computer Fraud and Abuse Act (CFAA) by delivering information to conference attendees that could be used to defraud the MBTA of transit fares. This morning District Judge Douglas P. Woodlock, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides.
"We wanted to share our academic work with the security community and had planned to withhold a key detail of our results so that a malicious attacker could not use our research for fraudulent purposes," said Anderson. "We're disappointed that the court is preventing us from presenting our findings even with this safeguard."
Vulnerabilities in magnetic stripe and RFID card payment systems implemented by many urban transit systems are generally known. The student research applied this information to the specific case of Boston's Charlie Card and Charlie Ticket, and the project earned an A from renowned computer scientist and MIT professor Dr. Ron Rivest.
The court relied on a federal law aimed at computer intrusions in issuing its order, holding that even discussing the flaws at a public conference constituted a "transmission" of a computer program that could harm the fare collection system.
"The court's order is an illegal prior restraint on legitimate academic research in violation of the First Amendment," said EFF Civil Liberties Director Jennifer Granick. "The court has adopted an interpretation of the statute that is blatantly unconstitutional, equating discussion in a public forum with computer intrusion. Security and the public interest benefit immensely from the free flow of ideas and information on vulnerabilities. More importantly, squelching research and scientific discussion won't stop the attackers. It will just stop the public from knowing that these systems are vulnerable and from pressuring the companies that develop and implement them to fix security holes."
This case is part of EFF's Coders' Rights Project, launched just this week to protect programmers and developers from legal threats hampering their cutting-edge research. EFF will seek relief for the researchers in the courts.
For the full temporary restraining order:
http://www.eff.org/files/filenode/MIT%20students%20TRO.pdf
For more on the Coders' Rights Project:
http://www.eff.org/issues/coders
Contacts:
Jennifer Stisa Granick
Civil Liberties Director
Electronic Frontier Foundation
jennifer@eff.org
Marcia Hofmann
Staff Attorney
Electronic Frontier Foundation
marcia@eff.org
Rebecca Jeschke
Media Coordinator
Electronic Frontier Foundation
press@eff.org
EFF Launches Coders' Rights Project at Black Hat Conference
New Initiative to Protect Programmers From Legal Threats
Las Vegas - The Electronic Frontier Foundation (EFF) today launches its Coders' Rights Project -- a new initiative to protect programmers and developers from legal threats hampering their cutting-edge research.
In conjunction with the project's launch, EFF is staffing an "EFF Is In" booth at Black Hat USA 2008 in Las Vegas on August 6 and 7. At the booth, EFF attorneys will provide legal information on reverse engineering, vulnerability reporting, and copyright law, as well as patent, trade secret, and free speech issues.
"Coders who explore technology through innovation and research play a vital role in developing and securing the software and hardware we use every day. Yet this important work can be stymied by bogus legal threats," said EFF Civil Liberties Director Jennifer Granick, who is heading up the project. "EFF's Coders' Rights Project will provide a front-line defense for coders facing legal challenges for legitimate research activities."
The Coders' Rights Project will build upon EFF's long history of work to limit the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA) from reaching security and encryption researchers. EFF will also expand its involvement in matters involving the Computer Fraud and Abuse Act and state computer crime laws. Additionally, EFF has created resources for programmers doing work involving reverse engineering and vulnerability reporting, available at http://eff.org/coders.
"Those of us doing research on computer security and privacy need to be able to discuss and publish our work without fear of legal threats," said EFF Board Member Edward W. Felten, a security researcher and Princeton University professor who challenged provisions of the DMCA with EFF in 2001. "The Coders' Rights Project will give critical legal help to programmers and developers who do the hard work in keeping technology robust and users safe."
Other goals of the Coders' Rights Project include narrowing computer crime laws and limiting the power of End User License Agreements (EULAs) to protect reverse engineering, reviews, benchmarking, and the consumer's right to tinker.
For more on the Coders' Rights Project:
http://eff.org/coders
Contacts:
Jennifer Stisa Granick
Civil Liberties Director
Electronic Frontier Foundation
jennifer@eff.org
Rebecca Jeschke
Media Coordinator
Electronic Frontier Foundation
press@eff.org

