Judge leaves gag order intact on subway card-hacking students

In a setback to Electronic Frontier Foundation, judge postpones decision on whether three MIT students can reveal "information" about security problems in Boston subway cards.

Jim Kerstetter Staff writer, CNET News

BOSTON--A federal judge on Thursday let stand a temporary restraining order preventing three Massachusetts Institute of Technology students from discussing or disclosing their research into security vulnerabilities in the payment system for the local subway system.

In a 45-minute hearing here, U.S. District Judge George O'Toole Jr. also granted a request by the Massachusetts Bay Transportation Authority to obtain documents from the three students and their MIT professor Ron Rivest, a renowned researcher best known as co-inventor of the RSA public key encryption system commonly used in e-commerce systems.

O'Toole didn't amend or revoke the temporary restraining order. Instead, he postponed discussion on it until another hearing that will take place Tuesday. None of the students (who are on summer break), nor Rivest, was in court.

On Saturday, a different judge who was on duty over the weekend granted the state transportation agency an order against the three students, who had been scheduled to give a presentation at the Defcon hacker conference a day later. They canceled their presentation, and their attorneys have been fighting to lift the gag order ever since.

Jennifer Granick, an attorney with the advocacy group Electronic Frontier Foundation who's representing the three students, said the EFF might appeal the judge's ruling to the U.S. 1st Circuit Court of Appeals, but the timing is tight: the judge has required the students to make a good effort to provide the documents--including a class paper on "The T" hack and records of communications with Defcon organizers--by Friday afternoon.

Under federal rules, the temporary restraining order automatically expires Tuesday, and Granick had asked the judge to terminate it immediately on grounds that it violated the students' First Amendment rights and based on long-standing court precedent that disfavors prior restraint of speakers. But O'Toole declined to rule on her request, and instead scheduled another hearing for Tuesday morning.

The students provided the court and MBTA officials with a new 30-page report that details all of their findings, including particular information to complete the Charlie Card hack that they say they had no intention of revealing in the Defcon discussion. But T officials still want additional information, saying they want to ensure no other vulnerabilities exist that the students have yet to reveal. (This is in addition to a 5-page analysis, marked "confidential," that the students sent to MBTA last week.)

Granick told reporters after the hearing that there is no more relevant information that her clients, Alessandro Chiesa, R.J. Ryan, and Zack Anderson, can provide. "That document should have resolved the whole matter," Granick said, adding, "There is no other shoe to drop."

Debate over what constitutes responsible disclosure
At the heart of the case is an increasingly contentious debate between security researchers and their subjects about what is responsible disclosure. The students and their lawyers argue that giving that Defcon presentation would have been a public service. Indeed, at a time when local politicians and Boston newspapers are debating the efficacy of the T's electronic payment system, it could have been a necessary part of the public discussion.

U.S. District Judge Douglas Woodlock in Massachusetts granted the temporary restraining order before the students could make their Defcon presentation, on the grounds that the Computer Fraud and Abuse Act might have been violated. Lawyers for the students argue the CFAA, if properly interpreted, should not apply because it refers to the dissemination of information from computer-to-computer, not person-to-person.

Ieuan-Gael Mahony, a lawyer from the Boston firm Holland & Knight representing the MBTA, argued, however, that at this point, there is no harm being done to the students by the restraining order and there was no reason to lift it. (The gag order goes beyond the Defcon presentation; it continues to bar the students from providing any "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System.")

Eleven security researchers have sent a letter to the court backing the students' claims and criticizing this form of a gag order. But rather than ruling on the First Amendment and prior restraint questions on Thursday, the judge postponed a decision until he has more material before him.

MIT students Alessandro Chiesa, R.J. Ryan, and Zack Anderson showed up at, but did not speak at, the Defcon conference in Las Vegas on Saturday. Declan McCullagh/News.com