A FEDERAL JUDGE yesterday lifted the restraining order on three MIT computer science students whom Boston's Massachusetts Bay Transportation Authority (MBTA) had sued to stop them presenting the computer security flaws they had discovered in its automated subway fare payment system.
Observers had expected the arguments in court to revolve around whether computer security researchers may publish, or must withhold, information on vulnerabilities. Instead, US District Court Judge George O'Toole vacated the restraining order against the MIT student researchers on narrower grounds, namely the MBTA's attempt to portray them as computer criminals.
He found that the MBTA was not likely to prevail on the merits of its claim that the federal Computer Fraud and Abuse Act (CFAA), which prohibits the transmission of a malicious program, code or command to a computer system, extends to the "verbal transmission" of computer security vulnerabilities.
The MBTA had argued that the Computer Fraud and Abuse Act ought to be construed to prohibit security researchers from talking with each other about security vulnerabilities. Such discussions routinely take place at computer security shindigs like the Black Hat conference, where the three MIT students had been scheduled to present their findings when the MBTA filed its lawsuit and obtained the restraining order against them.
As Kurt Opsahl of the Electronic Frontier Foundation, which represented the MIT students, wrote in the EFF's announcement of the judge's decision: "Judge O'Toole, however, looked closely at the statute, and held that the CFAA does not apply to security researchers like the students talking to people."
Had the MBTA's argument been accepted, all discussion of computer security vulnerabilities would have become subject to potential investigation by the FBI and Secret Service, and to prosecution as federal computer crimes, felonies punishable by large fines and terms of imprisonment.
The MBTA had also sought to convert its temporary restraining order against the students into a preliminary injunction preventing them from publishing their findings for five months while it worked to fix the vulnerabilities, but that hope also went out the window when the judge vacated the restraining order.
That was an attempt to obtain prepublication review, an impermissible prior restraint on the students' free speech rights under the First Amendment to the US Constitution, which their lawyers would have opposed on that constitutional basis had the judge not simply lifted the restraining order instead.
The Electronic Frontier Foundation's Hugh D'Andrade published a good summary of the importance of this decision and what was at stake, in an analysis that followed Kurt Opsahl's announcement. He wrote:
"Beyond this core constitutional principle, EFF is defending the ability to conduct security research in the digital age. As we note in our Vulnerability Reporting FAQ, security researchers by definition raise questions that corporations and government agencies would prefer to keep quiet. But by investigating flaws in security, and alerting the public to vulnerabilities, researchers play an important role in keeping private and public institutions accountable."
The MBTA mishandled this incident badly from the beginning. When the MIT students first approached it to share their research findings, it initially denied that its system had any computer security flaws whatsoever.
The students acted responsibly by notifying the MBTA prior to their planned presentation at Black Hat, and they promised to withhold key details to prevent the vulnerabilities from being easily exploited. They even gave it "a written summary of every vulnerability that they claimed to have discovered and how to fix these vulnerabilities." They also delivered to the MBTA a very detailed 31-page analysis of their discoveries.
Instead of acting reasonably, the MBTA panicked on the Friday just before the Black Hat conference and filed its lawsuit against the students. It obtained a temporary restraining order to prevent their presentation at Black Hat, but too late to keep the students' presentation materials out of the conference proceedings CD distributed to all attendees, effectively slamming the barn door shut after the horse was already loose and gone.
Then the MBTA included the students' complete findings, reportedly including those key details they'd planned to omit from their public presentation, in federal court filings that automatically became public records, thus itself publishing what it sought to suppress.
It also over-reacted wildly by attempting to portray these legitimate computer security researchers as computer criminals intent on destruction, writing "...the damage constitutes a threat to public health and safety... affects a computer system used by a government entity for national security purposes...." But the judge wasn't spooked.
Now that the judge has ruled against it, the MBTA has seemingly come to its senses. It has admitted that the vulnerability in its fare payment system exists and that the students gave it full disclosure of their findings, and it says it wants to meet with them.
Hopefully the students can look forward to the MBTA asking to have its lawsuit dismissed.
The MBTA might have further questions to answer as a result of this self-inflicted public relations gaffe, too. As D'Andrade noted, in the wake of this fiasco the Boston Herald reported that an MBTA Advisory Council member had expressed concern that "[The MBTA] gave a no-bid contract for CharlieCard services to a former government employee." That is also likely to prompt some serious investigation soon, we'd imagine.
See Also: Massachusetts tries to silence whistleblowing hackers
The (Massachusetts Bay Transportation Authority) MBTA's cocky 'twas overweening, but not gag worthy. People can talk to people about "... a threat to public health and safety... a computer system used by a government entity for national security purposes...." behind the sad computers' back-end, or arse-as-if-were, without transmission of its malicious program. The "said" malicious program, evidently being: denial and assertion of inane arcana presumptuously above besmirch by Molder or Sully. But the truth is out there somewhere... I want to believe... to be caught out before the 2012 Alien invasion, and perhaps at Nutter's Feed Store, distributed to all members of the Flying Saucer Working Party {"arguably the most marvellously-named committee in the history of the [UK] civil service"}, if you can get your MITs on any going forwards, I'd say the devil owes them one. 200 "X" files are set to be made public by 2012, from the MoD. The files included, inter alia, alien arts and crafts flying over the borders in Liverpool and Waterloo Bridge in London: "the ladies' bridge", which is constructed in Portland stone from the South West of England (where lies Stonehenge); the stone cleans itself whenever it rains, and therefore is kept quite busy. There was some talk of Hagrid, the butler in the hall with an axe, or the Colonel's mustard zinger itbox, but it was not in the cards. Some researchers have always mistrusted the computer security in MBTA's automated subway fare payment system, believing it flawed. I, myself, by agreement take the Tube, but it's like Piccadilly Circus, and you don't want me to go there! It's nowhere near Cambridge! Get a Cluedo!
you should stay away from the mushrooms...