
Transit agency wants MIT students to stay gagged

Federal judge will hear arguments Thursday from the Massachusetts Bay Transportation Authority and lawyers for three MIT students, who are the subject of a gag order over subway card security.

Declan McCullagh Former Senior Writer
MIT students Alessandro Chiesa, R.J. Ryan, and Zack Anderson show up at, but do not speak at, the Defcon conference in Las Vegas on Saturday. Declan McCullagh/News.com

The state of Massachusetts plans to ask a federal judge on Thursday to keep in place a restraining order that prevents three MIT students from publicly discussing vulnerabilities they discovered in subway card security.

U.S. District Judge George O'Toole in Boston is scheduled to hear arguments at 11 a.m. ET on whether to modify or eliminate the temporary restraining order, which attorneys for the students characterize as a prior restraint in violation of decades of First Amendment precedent.

A different judge who was on duty on Saturday gave the Massachusetts Bay Transportation Authority an order prohibiting the students from discussing or publishing information that might let anyone "circumvent or otherwise attack the security of the Fare Media System."

In an effort to lessen the sting of free speech complaints, MBTA's attorneys now are asking O'Toole to reword the order to apply only to "nonpublic" information, recognizing that the presentation slides are circulating online. But they insist the rest of the order must remain intact because the agency is greatly "concerned with the core issue of immediate concern in this case--the security and integrity of its Fare Media System."

O'Toole has until August 19 to extend the order in the form of a preliminary injunction or let it expire.

Security researchers are paying close attention to this case because it could eventually set a precedent weighing their First Amendment rights to publish freely against the desires of vendors to keep embarrassing and potentially explosive details secret.

The Electronic Frontier Foundation, which is providing a legal defense to the MIT students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--plans on Thursday to ask O'Toole to dissolve the restraining order completely.

EFF is offering three main arguments for its position: First, the Defcon conference is over and the presentation and separate analysis (PDF) have been widely circulated online (unfortunately for MBTA, a copy of the presentation was in the materials distributed to conference attendees).

Second, EFF says, the Computer Fraud and Abuse Act's prohibition on the "transmission of...information" that may damage a computer was never intended to encompass a public presentation and was not written to do so. Third, the restraining order is an unconstitutional prior restraint; if the Supreme Court permitted the publication of the Pentagon Papers in 1971 over the heated objections of the Nixon administration, why should a student presentation not also qualify?

"The TRO as initially granted restricted the students from providing true, publicly known, legally acquired information about the MBTA's CharlieCards and CharlieTickets in violation of the First Amendment," the EFF said in a legal brief. "The current TRO as the MBTA suggests that it be modified still restricts the students from providing true, legally acquired information about these cards. This restriction also violates the First Amendment."

EFF has enlisted some high-profile academics to help it make the case that the restraining order is antithetical to security research. Carnegie Mellon University's David Farber, Columbia's Steven Bellovin, Berkeley's David Wagner, and the University of Pennsylvania's Matt Blaze are among the academics who signed a letter to the judge on Monday. It says:

We are concerned that the pall cast by the temporary restraining order will stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure. We urge that you reconsider and remove the temporary restraining order issued on August 10, 2008.

For its part, the MBTA says it's willing to negotiate. It's offered to engage in "non-binding" professional mediation, without "preconditions," as an alternative to proceeding with Thursday's hearing. (See our related story).

In an e-mail message to EFF on Monday, Ieuan-Gael Mahony, a partner at the Holland & Knight law firm, wrote:

In a mediation process, for example, we would hope to discuss and obtain an understanding of the information, if any, the MIT Undergrads hold that might threaten Fare Media System security. We do not set preconditions on a mediation, however, as we strongly believe -- again -- that discussions between reasonable parties toward a resolution are preferable to an externally imposed resolution... There are countless examples from large to small of relationships that are polarized and entrenched-hostile because of bad choices by both sides shortly after the rift began. We would like to avoid this here, if possible. We think talking in a non-binding, professionally mediated environment is the best way to avoid further misunderstanding, and potential "bad choices." ... You request, in an "on/off" manner, that we now "shut off" the TRO. This is traditional advocacy, where the goal is to "win all" and avoid "lose all." With our mediation proposal, we look for, and are willing to accept, gradations between these poles.

EFF appears to have rejected the request for a mediation. EFF attorney Marcia Hofmann refused to answer our questions, saying only that: "We decline to discuss our ongoing communications with counsel for the MBTA. Our priority at this point is to ensure that the temporary restraining order is lifted..."

In a testy e-mail exchange with MBTA's lawyer, EFF has suggested that he made a tactical error by filing both the presentation and the summary marked "confidential" as publicly available court exhibits. Read on for more details.


[Editor's Note: Below is the text of an e-mail thread between EFF's Jennifer Granick and MBTA attorney Ieuan-Gael Mahony. One topic is whether the EFF will agree to enter into nonbinding mediation, which MBTA would prefer. Another is MBTA's complaint about a "large amount of misinformation" circulating in the press. Any transcription errors arising from placing the e-mail messages into HTML format are ours, not theirs.]

From: Mahony, Ieuan (BOS - X75835)
Sent: Monday, August 11, 2008 3:36 PM
To: 'jennifer@eff.org'
Cc: 'cindy@eff.org'; 'kurt@eff.org'; 'marcia@eff.org'; JSwope@eadplaw.com; 'WMitchell@mbta.com'; 'SDarling@mbta.com'
Subject: RE: CRITICAL INFORMATION: MBTA v Anderson et al

Jennifer:
We are unwilling to lift the TRO in the binary "on/off" manner you state, and respond more fully to your email as follows:
(A) Removing the TRO Is Not a Tailored Solution
We are willing to discuss tailored solutions to the underlying problem, and have proposed a formal mediation process for these discussions. You have given no response to our proposal for mediation. You recall that I asked for a negotiated solution before the Saturday hearing. I confirmed these inquiries to you in email, and these emails are public record and freely available on the web. See http://www-tech.mit.edu/V128/N30/subway.html. You did not respond meaningfully to those requests, either.
(B) Misinformation Threatens To Cloud the Issues
In following the DEFCON-related press, it is clear that a large amount of misinformation has been circulated concerning the meaning of the TRO, and related points. For example, you know, because Judge Woodlock asked you these questions in open court, that the primary concern was with the content the students might or might not supply to go with the literal expression embodied in the Presentation, as well as the Report. Press reports suggest that the TRO banned circulation of the paper materials themselves. You know this is incorrect.
Yet your email relies on this theme. We made it clear in our papers: based on the information we have (a large part of which you intentionally withheld from us until 4:38 AM Saturday morning) we do not know what your clients have done or are capable of doing. Their broad statements concerning "free subway rides for life" suggest they are capable of a lot. This is the concern. We would like to create an environment, immediately, where all parties can share the information they feel is warranted, in order to quantify and assess this risk. We would like to "re-do" the August 5 (or 4) meeting, but with more sensitivity, hopefully all around, as to the mutual stakes.
We think a mediated solution presents mutual benefits. The structure of non-binding mediation assures mutual benefits - or at a minimum a clear assessment of the alternatives to a negotiated solution. In a mediation process, for example, we would hope to discuss and obtain an understanding of the information, if any, the MIT Undergrads hold that might threaten Fare Media System security. We do not set preconditions on a mediation, however, as we strongly believe - again - that discussions between reasonable parties toward a resolution are preferable to an externally imposed resolution, where it is possible to avoid such an external resolution.
(C) We Are Very Sensitive To Your Clients' Concerns Over The Restraint
Finally, we believe we understand the point in your email that the TRO "continues to hang over our clients' heads, making them uncertain what if anything they can say about their research and this case." One goal with a mediated solution, working together, would be to reduce or eliminate uncertainty (to the extent uncertainty from a legal or practical perspective exists). Another goal of a mediated solution would be to determine other parameters of responsible disclosure under these circumstances. Yet another goal with a mediated solution might be to "make amends" on all sides, whatever that might mean here. There are countless examples from large to small of relationships that are polarized and entrenched-hostile because of bad choices by both sides shortly after the rift began. We would like to avoid this here, if possible. We think talking in a non-binding, professionally mediated environment is the best way to avoid further misunderstanding, and potential "bad choices."
(D) Conclusion: Renewed Request for Mediation
You request, in an "on/off" manner, that we now "shut off" the TRO. This is traditional advocacy, where the goal is to "win all" and avoid "lose all." With our mediation proposal, we look for, and are willing to accept, gradations between these poles. We believe - whether in light or not in light of recent history - that reasonable "win-win" solutions are available, if the parties meet and work through options. We ask that you confer carefully with your clients, and respond to our mediation proposal. We believe that mediation should commence as soon as possible. We have made this proposal to MIT counsel as well.
Let me know
Ieuan


From: Mahony, Ieuan (BOS - X75835)
Sent: Monday, August 11, 2008 11:37 AM
To: 'jennifer@eff.org'
Cc: 'cindy@eff.org'; 'kurt@eff.org'; 'marcia@eff.org'; 'WMitchell@mbta.com'; 'SDarling@mbta.com'
Subject: Re: CRITICAL INFORMATION: MBTA v Anderson et al

Jennifer:
We are considering your proposal. We are having a meeting of senior management on this and related issues this afternoon at 1:30 eastern. I will report our response as soon as it is complete.
I will continue to keep you posted,
Ieuan
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)


From: Jennifer Granick
To: Mahony, Ieuan (BOS - X75835)
Cc: cindy@eff.org ; kurt@eff.org ; marcia@eff.org ; WMitchell@mbta.com ; SDarling@mbta.com
Sent: Mon Aug 11 00:26:42 2008
Subject: Re: CRITICAL INFORMATION: MBTA v Anderson et al

Dear Ieuan:

Thank you for your thoughts. I'm surprised your client feels that the Report does not pose a risk, given that it contains information my clients intended to keep confidential. It appears my clients are more cautious about disclosing vulnerability information than yours are. Moving forward, both the slides from our client's intended presentation and the confidential Report are now publicly available. This constitutes more information than the students would have presented at their Defcon talk. Furthermore, your client reportedly does not feel that the security risk posed by the availability of this information warrants emergency measures. Finally, Defcon is over and the students did not give their talk. Under these circumstances, would your client be willing to stipulate to lifting the TRO at this time? While the protection it provides is now moot as to your client's concerns, it continues to hang over our clients' heads, making them uncertain what if anything they can say about their research and this case. Please let me know right away.

Thank you,
Jennifer
Civil Liberties Director
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110
415.436.9333 x 134
fax 415.436.9993
jennifer@eff.org

On Aug 10, 2008, at 12:18 PM, wrote:
Dear Jennifer:
Let me address your email and phone call from yesterday, and also return to earlier discussions over a "moving-forward" relationship between the parties.
(A) Your Email
First, we want to thank you for your concern. Second, as I indicated earlier today, the MBTA, along with a system vendor, has completed its review of your email, and re-reviewed the three page summary report attached as Exhibit 1 to Scott Henderson's Declaration (the "Report"). This review does not alter the original assessment of the Report, provided by Mr. Henderson in his declaration. Yet it is the case that (a) the quantity and quality of information provided by the three page Report, standing alone, is less than (b) the quantity and quality of the information provided by the Report read in combination with the Students' 87 page presentation entitled "Anatomy of a Subway Hack" (the "Presentation"). If the MBTA had been given the Presentation when first requested (or even at the time when the Presentation, we understand, was made available to DEFCON attendees), the "(b)" circumstance might have been avoided. In any event, the MBTA's evaluators do not assess the risk of this information at the level you set in your email. The MBTA, with vendor support, has begun work on internal responses to the potential security risks at issue. It is our view that an internal, technical and personnel response is the best long-term solution. Accordingly, we do not share your view that legal "emergency measures" are required. We do not think that seeking court relief on this issue and at this point is appropriate. Again, thank you for your concern.
(B) Moving-Forward Relationships
We can see from your clients' statements in the press, and the EFF's public statements, that the lawsuit generally, and Temporary Restraining Order in particular, do not from your perspectives represent a fair or balanced situation. From my first conversations with Marcia and Kurt, and then later with you, Jennifer, I stated my view that parties, acting reasonably, will invariably develop and implement a resolution of a dispute that is substantially better tailored to their interests than a resolution imposed on them by an external authority. We think we should continue discussions, to see if we can find a solution that is better tailored to all parties' interests. In my view, Judge Woodlock, in his findings and rulings, directed the parties to work toward a solution perhaps more "creative" and "outside the box" than the standard "keep fighting in court over abstract issues while life goes by". The goal would be to shift from an adversarial mode to a cooperative, discussion mode, if possible. We respect your clients' continued statements that their goal remains to provide solutions to security risks. We propose formal mediation as the process for seeking a more optimal going-forward solution. We think we should reserve a full day, or perhaps two. We suggest that the mediation take place in Boston. Other issues, such as mediator costs, whether formal "written submissions" are exchanged, and the like we can discuss.
Let us know your thoughts.
Thanks
Ieuan


From: Mahony, Ieuan (BOS - X75835)
Sent: Sunday, August 10, 2008 9:27 AM
To: 'Jennifer Granick'
Cc: Cindy Conn; Kurt Opsahl; Marcia Hofmann; Mahony, Ieuan (BOS - X75835)
Subject: RE: CRITICAL INFORMATION: MBTA v Anderson et al

Jennifer:
The MBTA and one of its vendors have completed review per your email, below. I'll have results to you later today.
I'll continue to keep you informed.
Thanks
Ieuan


From: Jennifer Granick [mailto:jennifer@eff.org]
Sent: Saturday, August 09, 2008 5:14 PM
To: Mahony, Ieuan (BOS - X75835)
Cc: Cindy Conn; Kurt Opsahl; Marcia Hofmann
Subject: CRITICAL INFORMATION: MBTA v Anderson et al

Dear Mr. Mahony:

This email is to follow up on my phone call to you of just a few minutes ago. As you know, Mr. Anderson, Mr. Ryan and Mr. Chiesa provided your client MBTA with a confidential three page summary of their research and recommendations for securing the fare collection system. It has just come to our attention through third parties at the Defcon conference that plaintiffs have made this report publicly available on the court's pacer website by filing the document as an exhibit. This confidential document contains the checksum information without which an attacker can not create a forged card. This information is highly sensitive, which is why my clients planned to withhold it from their presentation. We strongly urge you to take emergency measures to have it removed expeditiously.

Best wishes,
Jennifer Granick
Civil Liberties Director
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110
415.436.9333x134
fax 415.436.9993
jennifer@eff.org