Boston - Today, a federal judge lifted an unconstitutional gag order that had prevented three Massachusetts Institute of Technology (MIT) students from disclosing academic research regarding vulnerabilities in Boston's transit fare payment system. The court found that the Massachusetts Bay Transportation Agency (MBTA) had no likelihood of success on the merits of its claim under the federal computer intrusion law and denied the transit agency's request for a five-month injunction. In papers filed yesterday, the MBTA acknowledged for the first time that its Charlie Ticket system had vulnerabilities and estimated that it would take five months to fix.
Tuesday's ruling lifts the restriction preventing the student researchers from talking about their findings regarding the security vulnerabilities of Boston's Charlie Card and Charlie Ticket -- a project that earned them an "A" from renowned computer scientist and MIT professor Dr. Ron Rivest. The Electronic Frontier Foundation (EFF) represents the students as part of its Coders' Rights Project.
"We're very pleased that the court recognized that the MBTA's legal arguments were meritless," said EFF Legal Director Cindy Cohn, who argued at the hearing. "The MBTA's attempts to silence these students were not only misguided, but blatantly unconstitutional."
The students had planned to present their findings earlier this month at DEFCON, a security conference held in Las Vegas, while leaving out key details that would let others exploit the vulnerability. The students met with the MBTA about a week before the conference and voluntarily provided a confidential vulnerability report to the transit agency. However, the MBTA subsequently sued the students and MIT in United States District Court in Massachusetts less than 48 hours before the scheduled presentation, without providing any advance notice to the students. The lawsuit claimed that the students' planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A different federal judge, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides.
"The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk," said EFF Staff Attorney Marcia Hofmann. "A presentation at a security conference is not some sort of computer intrusion. It's protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security -- the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not."
Although the gag order was lifted, the MBTA's litigation against the students continues. The students have already voluntarily provided a 30-page security analysis to the MBTA and have offered to meet with the MBTA and walk the transit agency through the security vulnerability and the students' suggestions for improvement.
"The only thing keeping the students and the MBTA from working together cooperatively to resolve the fare payment card security issues is the lawsuit itself," said EFF Senior Staff Attorney Kurt Opsahl. "The MBTA would be far better off focusing on improving the MBTA's fare payment security instead of pursuing needless litigation."
This case is part of EFF's Coders' Rights Project, launched two weeks ago to protect programmers and developers from legal threats hampering their cutting-edge research. EFF was assisted in this case by John Reinstein, ACLU of Massachusetts Legal Director, and Fish & Richardson attorneys Adam Kessel, Lawrence Kolodney, and Tom Brown.