Judge lifts MIT students' card-hacking gag order

In an abrupt reversal, federal judge rejects the Massachusetts transit agency's attempts to bar three students from discussing subway card vulnerabilities--until sometime next year.

Jim Kerstetter Staff writer, CNET News

This post was updated at 1:45 p.m. PDT with comment from MBTA General Manager Daniel Grabauskas.

BOSTON--The three Massachusetts Institute of Technology students who have been barred by a court order from discussing subway card vulnerabilities are now free to say what they want.

In a ruling certain to be cheered by computer researchers, a federal judge here Tuesday let the 10-day-old gag order expire. U.S. District Judge George O'Toole Jr. refused to grant a preliminary injunction requested by the Massachusetts Bay Transportation Authority that would have blocked the students from talking about their findings until January 1, 2009.

The MBTA's requested injunction would have replaced a temporary restraining order granted during the Defcon hacker conference, which automatically expires on Tuesday under federal court rules.

First page of subway-hacking presentation that was the subject of an injunction to stop its distribution--after it had already been distributed.

The MIT students planned to make a presentation at Defcon on security vulnerabilities in the Massachusetts transit authority's electronic card and ticketing system. But a different federal judge who was on duty that weekend blocked the presentation after MBTA sued the students and MIT.

Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: that the students' presentation was likely a violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses.

Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA.

On that basis, he said MBTA lawyers failed to convince him on two points. First, the students' presentation was meant to be delivered to people, and was not a computer-to-computer "transmission." Second, the MBTA couldn't prove the students had caused at least $5,000 in damage to the transit system. Lawyers for the MBTA claimed Tuesday that they had proof the students had violated the law, but stopped short of specifying what the students did.

Lawyers for the MBTA could still appeal O'Toole's ruling to the U.S. First Circuit Court of Appeals. Unless either side backs down or a settlement happens, a trial on the T's lawsuit against the students and MIT will eventually occur, but so far, no date has been set.

In a statement released on Tuesday afternoon, MBTA General Manager Daniel Grabauskas sounded conciliatory toward the students and hinted that the transit authority may be willing to work with the students outside of the courts.

"The 10-day process yielded a lot more information than we had at the start, and that was a key objective all along," Grabauskas said. "The students had repeatedly said the lawsuit was an impediment to opening up a productive dialogue with the MBTA about their findings. Now that the court proceedings are behind us, I renew my invitation to the students to sit down with us and discuss their findings. A great opportunity now presents itself."

He added, "With respect to the information that was sealed, I have every expectation that the students will act in accordance with the principles of 'responsible disclosure.'"

Lawyers for the students, in a case that has generated more attention in local media concerned about problems in the transit system than it has among national media concerned about privacy issues, welcomed the judge's decision. "This was a case of shooting the messenger," said Cindy Cohn, a lawyer with the Electronic Frontier Foundation, a San Francisco-based advocacy group that was representing the students along with the Massachusetts affiliate of the ACLU and the Fish & Richardson law firm.

But Ieuan Mahony, a lawyer for the Boston law firm Holland & Knight who is representing the MBTA, said the transit authority had no interest in chilling computer security research. Instead, he said it merely wanted to ensure that a method for wide-scale fare violations wasn't disseminated.

Security researchers working for the MBTA spent the last several days working through a confidential 30-page analysis--which has not been made public--that the students had sent to the court and T officials. The document detailed the complete method for breaking the local Charlie card payment system, including specific details the students say they didn't plan to reveal at the Defcon conference.

MBTA said in documents filed with the court that fixing the security flaws would take five months. ("Students have the ability to cause significant harm to the CharlieTicket system, during the roughly five-month window that remedial actions will require.")

T officials concluded that the students had, in fact, found a way to break the paper Charlie card system, but had only found theoretical methods for breaking the plastic Charlie card, an RFID smart card that can have T fares electronically added to it.

Mahony called the 30-page analysis a "very useful document," adding that it is "invaluable, but there are additional materials that cause us great concern." In particular, the transit authority wanted the students' correspondence with Defcon officials and materials from their class with MIT professor Ron Rivest, a cryptographer best known as one of the co-inventors of the RSA public key encryption system, which is commonly used in e-commerce.

Despite the First Amendment implications of the case, O'Toole made it clear he intended to steer clear of the Bill of Rights. "I appreciate the breadth of views of others," he said, "but my views are considerably more limited." (Federal judges generally try to avoid constitutional issues if the dispute can be resolved by interpreting the text of a statute. Here, that statute was the 1986 law that he decided didn't properly apply to the case.)

What the students intend to do now that the gag order has been lifted is unclear. If they wished, they could still make the Defcon presentation at some other forum. Cohn said she hasn't spoken with the three, who are still on summer break.

One of the students, Zack Anderson, told The Boston Globe in an interview published Monday that after the dust-up with the MBTA is done, he intends to work on a company that converts heat from a car's shock absorbers into energy for the car's engine. He reiterated in the interview that the students never intended to cause harm to the transit system.

"It wasn't to enable others to get a free fare or cause any sort of havoc," Anderson told the Globe. "It was really to show how major the issues are in this system, which also might resonate in many other systems around the world."

But one thing is certain: the students have no intention of revealing the 30-page document that contained the specific details of how to break the Charlie card system.

CNET News' Declan McCullagh contributed to this report.