
EFF Press Release Archives

Press Releases: August 2008

August 19, 2008

Free Speech Victory for Security Researchers

Boston - Today, a federal judge lifted an unconstitutional gag order that had prevented three Massachusetts Institute of Technology (MIT) students from disclosing academic research regarding vulnerabilities in Boston's transit fare payment system. The court found that the Massachusetts Bay Transportation Agency (MBTA) had no likelihood of success on the merits of its claim under the federal computer intrusion law and denied the transit agency's request for a five-month injunction. In papers filed yesterday, the MBTA acknowledged for the first time that their Charlie Ticket system had vulnerabilities and estimated that it would take five months to fix.

Tuesday's ruling lifts the restriction preventing the student researchers from talking about their findings regarding the security vulnerabilities of Boston's Charlie Card and Charlie Ticket -- a project that earned them an "A" from renowned computer scientist and MIT professor Dr. Ron Rivest. The Electronic Frontier Foundation (EFF) represents the students as part of its Coders' Rights Project.

"We're very pleased that the court recognized that the MBTA's legal arguments were meritless," said EFF Legal Director Cindy Cohn, who argued at the hearing. "The MBTA's attempts to silence these students were not only misguided, but blatantly unconstitutional."

The students had planned to present their findings earlier this month at DEFCON, a security conference held in Las Vegas, while leaving out key details that would let others exploit the vulnerability. The students met with the MBTA about a week before the conference and voluntarily provided a confidential vulnerability report to the transit agency. However, the MBTA subsequently sued the students and MIT in United States District Court in Massachusetts less than 48 hours before the scheduled presentation, without providing any advance notice to the students. The lawsuit claimed that the students' planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A different federal judge, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides.

"The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk," said EFF Staff Attorney Marcia Hofmann. "A presentation at a security conference is not some sort of computer intrusion. It's protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security -- the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not."

Although the gag order was lifted, the MBTA's litigation against the students still continues. The students have already voluntarily provided a 30-page security analysis to the MBTA and have offered to meet with the MBTA and walk the transit agency through the security vulnerability and the students' suggestions for improvement.

"The only thing keeping the students and the MBTA from working together cooperatively to resolve the fare payment card security issues is the lawsuit itself," said EFF Senior Staff Attorney Kurt Opsahl. "The MBTA would be far better off focusing on improving the MBTA's fare payment security instead of pursuing needless litigation."

This case is part of EFF's Coders' Rights Project, launched two weeks ago to protect programmers and developers from legal threats hampering their cutting-edge research. EFF was assisted in this case by John Reinstein, ACLU of Massachusetts Legal Director, and Fish & Richardson attorneys Adam Kessel, Lawrence Kolodney, and Tom Brown.

For more on MBTA v. Anderson:
http://www.eff.org/cases/mbta-v-anderson

Contacts:

Rebecca Jeschke
Media Coordinator
Electronic Frontier Foundation
press@eff.org

Kurt Opsahl
Senior Staff Attorney
Electronic Frontier Foundation
kurt@eff.org

August 18, 2008

EFF Urges Court to Protect Customers' Privacy

San Francisco - The Electronic Frontier Foundation (EFF) asked a federal court Friday to reject efforts by Echostar to get the names and addresses of every customer that purchased a free-to-air satellite receiver. Echostar claims that the receiver can be modified to pirate DISH satellite TV programming. EFF argues that Echostar's demand, which seeks all purchasers regardless of whether they actually pirated DISH TV, would violate user privacy and leave innocent purchasers vulnerable to bogus legal threats.

The demand for customer records came up in a lawsuit between Echostar, the company behind the DISH satellite TV service, and Freetech, Inc., the manufacturer of Coolsat free-to-air satellite receivers. As part of the suit, Echostar subpoenaed 17 distributors of Coolsat receivers, demanding the names, addresses, phone numbers, email addresses, and other information of every person who purchased a Coolsat receiver over the last five years.

"Innocent customers should not be dragged into federal litigation just because they bought a product that other, less scrupulous purchasers may be hacking for unlawful purposes," said EFF Senior Intellectual Property Attorney Fred von Lohmann. "The court should recognize the privacy interests of these customers, especially since Echostar does not need these customer lists in order to have its day in court against Freetech."

In recent years, satellite TV companies, record labels, and movie studios have all engaged in dragnet litigation tactics that threaten individuals with costly lawsuits unless they pay significant financial sums to "settle" the dispute. These mass litigation campaigns leave innocent consumers trapped between paying a "settlement" for something they did not do or facing even higher legal costs to prove their innocence. Satellite TV provider DirecTV pioneered this approach in 2001, threatening more than 120,000 individuals with legal action and commencing more than 24,000 federal lawsuits, often with no evidence other than the fact that the individual purchased multi-purpose devices that could be used for piracy.

"Once the names of Freetech customers are disclosed to Echostar, there may be little that any court can do to protect these people from harassment, settlement demands, and legal expenses," said EFF Senior Staff Attorney Matt Zimmerman. "This may be the last chance the court has to protect the privacy of these individuals."

For the full amicus brief:
http://www.eff.org/files/filenode/echostar_v_freet/EFFamicusEchostarvFreetech.pdf

For more on Echostar v. Freetech:
http://www.eff.org/cases/echostar-v-freetech

Contacts:

Fred von Lohmann
Senior Intellectual Property Attorney
Electronic Frontier Foundation
fred@eff.org

Matt Zimmerman
Senior Staff Attorney
Electronic Frontier Foundation
mattz@eff.org

August 13, 2008

Thursday Hearing Set on Temporary Restraining Order

Boston - The Electronic Frontier Foundation (EFF) urged a federal judge Tuesday to lift an unconstitutional gag order issued to three students at the Massachusetts Institute of Technology (MIT) whose academic research uncovered vulnerabilities in Boston's transit fare payment system.

A hearing on the temporary restraining order is set for 11am Thursday at the United States District Court for the District of Massachusetts in Boston.

The students -- Zack Anderson, RJ Ryan and Alessandro Chiesa -- would like to resolve this dispute amicably with the Massachusetts Bay Transit Authority (MBTA). However, it has been hard to find an amicable resolution when the students are the subjects of a vigorous lawsuit and under the restrictions of a temporary restraining order. This remains true even though the MBTA filed a motion earlier this week to modify the restraining order to only prohibit disclosure of "non-public" information.

"We appreciate the gesture," said EFF Staff Attorney Marcia Hofmann. "But it does not resolve the dispute. Indeed, we would hope everyone acknowledges that it is impermissible under the Constitution for a court to order someone not to repeat publicly available truthful information."

"The restraining order, even if modified, remains an improper prior restraint restricting speech," said EFF Civil Liberties Director Jennifer Granick. "The First Amendment does not allow people to be silenced because their speech exposes flaws, even if those flaws might someday be illegally misused by others. To protect our clients' rights, we had no choice but to ask the court to reconsider the gag order."

As part of EFF's court filing Tuesday, 11 computer scientists and researchers from the nation's top research and educational institutions submitted a letter in support of the MIT students, including Professor David Farber of Carnegie Mellon, Professor Steve Bellovin of Columbia University, and computer security expert Bruce Schneier. The group explained that security research and information are critical for scientific advancement, and stated that restraining orders such as the one issued by the court over the weekend could have a devastating chilling effect on future academic endeavors.

"The students' ultimate goal in the security research was to help the MBTA improve its security," said EFF Senior Staff Attorney Kurt Opsahl. "Despite colorful marketing rhetoric advertising a presentation of the students' work at a security conference, the students never intended to provide sufficient information to the public to replicate the attack."

For more details on Thursday's hearing, contact press@eff.org.

For the full motion to reconsider:
http://www.eff.org/files/filenode/MBTA_v_Anderson/studentresponse081208.pdf

For the full letter from the computer scientists and researchers:
http://www.eff.org/files/filenode/MBTA_v_Anderson/letter081208.pdf

For more on MBTA v. Anderson:
http://www.eff.org/cases/mbta-v-anderson

Contact:

Rebecca Jeschke
Media Coordinator
Electronic Frontier Foundation
press@eff.org

August 9, 2008

EFF Backs Researchers Forced to Cancel Presentation on Transit Fare Payment System

Las Vegas - Three students at the Massachusetts Institute of Technology (MIT) were ordered this morning by a federal court judge to cancel their scheduled presentation about vulnerabilities in Boston's transit fare payment system, violating their First Amendment right to discuss their important research.

The Electronic Frontier Foundation (EFF) represents Zack Anderson, RJ Ryan and Alessandro Chiesa, who were set to present their findings Sunday at DEFCON, a security conference held in Las Vegas. However, the Massachusetts Bay Transit Authority (MBTA) sued the students and MIT in United States District Court in Massachusetts on Friday, claiming that the students violated the Computer Fraud and Abuse Act (CFAA) by delivering information to conference attendees that could be used to defraud the MBTA of transit fares. This morning District Judge Douglas P. Woodlock, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides.

"We wanted to share our academic work with the security community and had planned to withhold a key detail of our results so that a malicious attacker could not use our research for fraudulent purposes," said Anderson. "We're disappointed that the court is preventing us from presenting our findings even with this safeguard."

Vulnerabilities in magnetic stripe and RFID card payment systems implemented by many urban transit systems are generally known. The student research applied this information to the specific case of Boston's Charlie Card and Charlie Ticket, and the project earned an A from renowned computer scientist and MIT professor Dr. Ron Rivest.

The court relied on a federal law aimed at computer intrusions in issuing its order, holding that even discussing the flaws at a public conference constituted a "transmission" of a computer program that could harm the fare collection system.

"The court's order is an illegal prior restraint on legitimate academic research in violation of the First Amendment," said EFF Civil Liberties Director Jennifer Granick. "The court has adopted an interpretation of the statute that is blatantly unconstitutional, equating discussion in a public forum with computer intrusion. Security and the public interest benefit immensely from the free flow of ideas and information on vulnerabilities. More importantly, squelching research and scientific discussion won't stop the attackers. It will just stop the public from knowing that these systems are vulnerable and from pressuring the companies that develop and implement them to fix security holes."

This case is part of EFF's Coders' Rights Project, launched just this week to protect programmers and developers from legal threats hampering their cutting-edge research. EFF will seek relief for the researchers in the courts.

For the full temporary restraining order:
http://www.eff.org/files/filenode/MIT%20students%20TRO.pdf

For more on the Coders' Rights Project:
http://www.eff.org/issues/coders

Contacts:

Jennifer Stisa Granick
Civil Liberties Director
Electronic Frontier Foundation
jennifer@eff.org

Marcia Hofmann
Staff Attorney
Electronic Frontier Foundation
marcia@eff.org

Rebecca Jeschke
Media Coordinator
Electronic Frontier Foundation
press@eff.org

August 6, 2008

New Initiative to Protect Programmers From Legal Threats

Las Vegas - The Electronic Frontier Foundation (EFF) today launches its Coders' Rights Project -- a new initiative to protect programmers and developers from legal threats hampering their cutting-edge research.

In conjunction with the project's launch, EFF is staffing an "EFF Is In" booth at Black Hat USA 2008 in Las Vegas on August 6 and 7. At the booth, EFF attorneys will provide legal information on reverse engineering, vulnerability reporting, and copyright law, as well as patent, trade secret, and free speech issues.

"Coders who explore technology through innovation and research play a vital role in developing and securing the software and hardware we use every day. Yet this important work can be stymied by bogus legal threats," said EFF Civil Liberties Director Jennifer Granick, who is heading up the project. "EFF's Coders' Rights Project will provide a front-line defense for coders facing legal challenges for legitimate research activities."

The Coders' Rights Project will build upon EFF's long history of work to limit the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA) from reaching security and encryption researchers. EFF will also expand its involvement in matters involving the Computer Fraud and Abuse Act and state computer crime laws. Additionally, EFF has created resources for programmers doing work involving reverse engineering and vulnerability reporting, available at http://eff.org/coders.

"Those of us doing research on computer security and privacy need to be able to discuss and publish our work without fear of legal threats," said EFF Board Member Edward W. Felten, a security researcher and Princeton University professor who challenged provisions of the DMCA with EFF in 2001. "The Coders' Rights Project will give critical legal help to programmers and developers who do the hard work in keeping technology robust and users safe."

Other goals of the Coders' Rights Project include narrowing computer crime laws and limiting the power of End User License Agreements (EULAs) to protect reverse engineering, reviews, benchmarking, and the consumer's right to tinker.

For more on the Coders' Rights Project:
http://eff.org/coders

Contacts:

Jennifer Stisa Granick
Civil Liberties Director
Electronic Frontier Foundation
jennifer@eff.org

Rebecca Jeschke
Media Coordinator
Electronic Frontier Foundation
press@eff.org

August 5, 2008

Email and Cell Phone Privacy Threatened in Two Separate Court Cases

San Francisco - The Electronic Frontier Foundation (EFF) has filed friend-of-the-court briefs in two key electronic privacy cases that threaten to expand the government's spying authority.

In the first case, Bunnell v. Motion Picture Association of America (MPAA), EFF filed a brief with the 9th U.S. Circuit Court of Appeals arguing that federal wiretapping law protects emails from unauthorized interception while they are temporarily stored on the email servers that transmit them. This case was brought against the MPAA by the owners and operators of TorrentSpy, a search engine that let Internet users locate files on the BitTorrent peer-to-peer network. After a business dispute, one of TorrentSpy's independent contractors hacked into the company email server and configured it to copy and forward all incoming and outgoing email to his personal account and then sold the information to the MPAA. However, the federal district court ruled that because the emails were stored on the mail server for several milliseconds during transmission, they were not technically "intercepted" under the federal Wiretap Act. In its amicus brief filed Friday, EFF argues that this dangerous ruling is incorrect as a matter of law and must be overturned in order to prevent the government from engaging in similar surveillance without a court order.

"The district court's decision, if upheld, would have dangerous repercussions far beyond this single case," said EFF Senior Staff Attorney Kevin Bankston. "That court opinion -- holding that the secret and unauthorized copying and forwarding of emails while they pass through an email server is not an illegal interception of those emails -- threatens to wholly eviscerate federal privacy protections against Internet wiretapping and to authorize the government to conduct similar email surveillance without getting a wiretapping order from a judge."

The second case concerns a request by the Department of Justice (DOJ) to a federal magistrate judge in Pennsylvania for authorization to obtain cell phone location tracking information from a mobile phone provider without probable cause. The magistrate instead demanded that the DOJ obtain a search warrant based on probable cause, and the DOJ appealed that decision to the federal district court in the Western District of Pennsylvania. In an amicus brief filed Thursday, EFF urged the district court to uphold the magistrate's ruling and protect cell phone users' location privacy.

"Location information collected by cell phone companies can provide an extraordinarily invasive glimpse into the private lives of cell phone users. Courts have the right under statute -- and the duty under the Fourth Amendment -- to demand that the government obtain a search warrant based on probable cause before seizing such sensitive information," said Bankston. "This is only the latest of many cases where EFF has been invited to brief judges considering secret surveillance requests that aren't supported by probable cause. We hope this court recognizes the serious Fourth Amendment questions that are raised by warrantless access to cell phone location information and affirms the magistrate's denial of the government's surveillance request."

The American Civil Liberties Union (ACLU), the ACLU-Foundation of Pennsylvania, and the Center for Democracy and Technology (CDT) also joined EFF's brief.

For the full amicus brief in Bunnell v. MPAA:
http://www.eff.org/files/filenode/Bunnell_v_MPAA/BunnellAmicus.pdf

For the full amicus brief in the cell phone records case:
http://www.eff.org/files/filenode/celltracking/LenihanAmicus.pdf

For more on cell phone tracking:
http://www.eff.org/issues/cell-tracking

Contacts:

Kevin Bankston
Senior Staff Attorney
Electronic Frontier Foundation
bankston@eff.org

Marcia Hofmann
Staff Attorney
Electronic Frontier Foundation
marcia@eff.org

Matt Zimmerman
Senior Staff Attorney
Electronic Frontier Foundation
mattz@eff.org

August 4, 2008

Misuse of Computer Crime Law Could Turn Millions of Americans into Federal Criminals

San Francisco - The Electronic Frontier Foundation (EFF) and a coalition of academics and public policy groups are urging a judge to dismiss computer crime charges in a case with dangerous ramifications for millions of people who use the Internet.

The defendant in the case, Lori Drew, is charged with violating the Computer Fraud and Abuse Act (CFAA) by using a fictitious name and age on a MySpace account and using that account to make hurtful comments to a teenage girl. Tragically, the girl later took her own life. Federal prosecutors claim Drew broke federal law by violating MySpace's terms of service and that the MySpace communications were responsible for the girl's death. In an amicus brief filed Friday, EFF argues that bringing criminal charges for a terms of service violation is a dramatic misapplication of the CFAA with far-ranging consequences for American computer users.

"This is a novel and unprecedented response to what everyone recognizes as a tragic situation," said EFF Civil Liberties Director Jennifer Granick. "The CFAA is aimed at penalizing computer trespassers, but under the government's theory, the millions of people who disregard -- or don't read -- the terms of service on every website they visit could face computer crime charges. That's a big blank check to give federal prosecutors."

For example, this interpretation of the law would attach criminal penalties to anyone under the age of 18 who uses the Google search engine, because Google's terms of service specify all users must be of legal age to enter into a contract.

"Websites' terms of service are notoriously frivolous and overreaching, often hard to find, and routinely written in legalese bound to confuse a non-lawyer. Many courts have found them unenforceable in civil cases. They certainly should not be the basis for a criminal prosecution," said Granick.

EFF's amicus brief was also signed by the Center for Democracy and Technology, Public Citizen, and 14 individual faculty members of law schools across the country.

For the full amicus brief:
http://www.eff.org/files/filenode/US_v_Drew/Drew_Amicus.pdf

Contact:

Jennifer Stisa Granick
Civil Liberties Director
Electronic Frontier Foundation
jennifer@eff.org

August 1, 2008

Empowers Internet Users on Eve of FCC Comcast Action

San Francisco - Hours before the Federal Communications Commission (FCC) is expected to take action against Comcast for violating the FCC's net neutrality principles, the Electronic Frontier Foundation (EFF) is releasing "Switzerland," a software tool for customers to test the integrity of their Internet communications.

The FCC action, expected later today, is a response to formal complaints regarding efforts by Comcast to interfere with its subscribers' use of BitTorrent to share files over the Internet. These interference efforts were first documented and disclosed in October 2007 by EFF, the Associated Press, and a concerned Internet user, Robb Topolski. EFF subsequently urged the FCC to declare Comcast's efforts inconsistent with the Commission's 2005 "Internet Policy Statement," which sets a benchmark for neutral treatment of Internet traffic.

"The sad truth is that the FCC is ill-equipped to detect ISPs interfering with your Internet connection," said Fred von Lohmann, EFF Senior Intellectual Property Attorney. "It's up to concerned Internet users to investigate possible network neutrality violations, and EFF's Switzerland software is designed to help with that effort. Comcast isn't the first, and certainly won't be the last, ISP to meddle surreptitiously with its subscribers' Internet communications for its own benefit."

"Until now, there hasn't been a reliable way to tell if somebody -- a hacker, an ISP, corporate firewall, or the Great Firewall of China -- is modifying your Internet traffic en route," said Peter Eckersley, EFF Staff Technologist and designer of Switzerland. "The few tests available have been for narrow and specific kinds of interference, or have required tremendous amounts of advanced forensic labor. Switzerland is designed to make general-purpose ISP testing faster and easier."

Part of EFF's "Test your ISP" project, Switzerland is an open source, command-line software tool designed to detect the modification or injection of packets of data by ISPs. Switzerland detects changes made by software tools believed to be in use by ISPs such as Sandvine and AudibleMagic, advertising systems like FairEagle, and various censorship systems. Although currently intended for use by technically sophisticated Internet users, development plans aim to make the tool increasingly easy to use.

For more information and to download the Switzerland software:
http://www.eff.org/testyourisp/switzerland

For more about EFF's "Test Your ISP" Project:
http://www.eff.org/testyourisp

Contacts:

Fred von Lohmann
Senior Intellectual Property Attorney
Electronic Frontier Foundation
fred@eff.org

Peter Eckersley
Staff Technologist
Electronic Frontier Foundation
pde@eff.org

August 4, 2005

EFF Urges Appeals Court to Find Secret Subpoena Power Unconstitutional

New York - The Electronic Frontier Foundation, joined by several civil liberties organizations and online service providers, filed a friend-of-the-court brief yesterday in the case of Doe v. Gonzales arguing that National Security Letters (NSLs) are unconstitutional. NSLs are secret subpoenas for communications logs, issued directly by the FBI without any judicial oversight. These secret subpoenas allow the FBI to demand that online service providers produce records of where their customers go on the Web, as well as what they read and with whom they exchange email. The FBI can even issue NSLs for information about people who haven't committed any crimes.

A federal district court has already found NSLs unconstitutional, and the government is now appealing the case. In its brief to the Second Circuit Court of Appeals, EFF argues that these secret subpoenas imperil free speech by allowing the FBI to track people's online activities. In addition, NSLs violate the First and Fourth Amendment rights of the service providers who receive the secret government demands. EFF and its cosigners argue that NSLs for Internet logs should be subject to the same strict judicial scrutiny applied to other subpoenas that may reveal information about the identities of anonymous speakers – or their private reading habits and personal associations.

Yet NSLs are practically immune to judicial review. They are accompanied by gag orders that allow no exception for talking to lawyers and provide no effective opportunity for the recipients to challenge them in court. This secret subpoena authority, which was expanded by the USA PATRIOT Act, could be applied to nearly any online service provider for practically any type of record, without a court ever knowing.

"The Constitution does not allow the FBI to secretly demand logs about Internet users' Web browsing and email history based on vague claims of national security," said EFF attorney and Equal Justice Works/Bruce J. Ennis Fellow Kevin Bankston. "The district court's decision that National Security Letters are unconstitutional should have been a wake-up call to the House of Representatives, which just voted to renew the PATRIOT Act without adding new checks against abuse."

Although such protections are lacking in the PATRIOT renewal bill that the House of Representatives recently passed, they are included in the Senate bill. It is not yet clear whether those protections will be included in the final bill when it reaches the President's desk.

EFF was joined on the brief by the Center for Constitutional Rights, the Center for Democracy and Technology, the Online Policy Group, Salon Media Group, Inc., Six Apart, Ltd., the US Internet Industry Association, and ZipLip, Inc.

Contacts:

Kevin Bankston
Attorney, Equal Justice Works / Bruce J. Ennis Fellow
Electronic Frontier Foundation
bankston@eff.org

Kurt Opsahl
Staff Attorney
Electronic Frontier Foundation
kurt@eff.org
