Zazzle Shop

Screen printing

Wednesday, August 20, 2008

Federal Judge tosses MIT students' Gag order

A federal judge in Boston this morning let expire a temporary gag order against three MIT students who were prevented from presenting a talk on security vulnerabilities in the Boston subway's fare tickets and cards.

U.S. District Judge George A. O'Toole, Jr., vacated the temporary 10-day restraining order that another judge had instituted more than a week ago against the students and which was scheduled to expire today. District Judge O'Toole also threw out a request by the Massachusetts Bay Transportation Authority (MBTA) to obtain a preliminary injunction against the students to expand the restraining order beyond the original 10 days.

"It's great news for the free speech rights for these students," said Rebecca Jesche, a spokeswoman for the Electronic Frontier Foundation, which represented the students. "Although it's extremely unfortunate that the students were not allowed to give their talk at DefCon."

The students had planned to give their talk last Sunday at the DefCon hacker conference in Las Vegas. The talk was based on a research project and paper that they had submitted for a class taught by their MIT professor, noted cryptographer Ron Rivest. The paper had earned them an "A."

A week before the scheduled DefCon talk, the students had met with the MBTA to discuss the transit authority's concerns that the students would teach others how to defraud the system. The students reassured the transit authority that they would withhold key information from their talk and would not be teaching someone how to defraud the system. They were under the impression after that meeting that the MBTA was fine with their talk. They were then surprised to learn, two days before their presentation, that the MBTA had filed a suit and a motion for a restraining order. When a different federal judge, District Judge Douglas Woodlock, granted the restraining order, the decision was criticized as an unconstitutional prior restraint of speech.

In granting the restraining order, District Judge Woodlock had invoked the Computer Fraud and Abuse Act, implying that the students' speech about how the MBTA system was vulnerable to hacking was equivalent to someone actually hacking the MBTA system -- or at least aided that illegal hacking activity.

District Judge O'Toole, however, said that the Computer Fraud and Abuse Act does not apply to speech and that the MBTA had failed to supply sufficient proof to merit other claims with regard to the statute, to merit a restraining order or preliminary injunction.

"It was definitely unfair to use that statute to silence the students," Jesche said. "We certainly hope the next time that people are allowed to present their important research instead of being silenced by bogus lawsuits."

Zack Anderson, one of the students sued in the case (and the second person from the right in the picture above), was elated by the judge's decision today.

"We're glad the court actually saw things as they should be," the 21-year-old told Threat Level. "We're glad the court read the law correctly."

Although the restraining order has gone away, it doesn't mean the students are completely in the clear. Still standing is a lawsuit the MBTA has filed against them, accusing them of hacking its system and causing damages.

Anderson said the students regret that they weren't allowed to give their presentation last Sunday but have no intention of giving the talk anymore.

"All the material we were going to talk about has been made public ... and more," he said, referring to the fact that their presentation slides as well as a confidential report describing vulnerabilities with the Boston system were posted online after the judge granted the restraining order.

Anderson maintains that the students never planned to present key information that would have allowed someone to defraud the MBTA system and says they still stand by that.

"Despite what's happened, and the animosity the MBTA has brought toward us," he said, "we don't want people to defraud them."

When asked if he and the other students ever created bogus MBTA cards and used them to get free rides on Boston's T subway, Anderson declined to respond.

"I can't really comment on the actual means that we used," he said. "It's probably not a good idea to comment on that. We certainly did not get free fare. We had to spend several hundred dollars on buying tickets to look at the data structure. Far more than we ever would have used."

The MBTA, in a hearing on the case last week, had asked the court to require the students to hand over the class paper they had submitted to their MIT professor, Ron Rivest, about their research of the MBTA transit system. The students declined to hand over that paper but they did provide the MBTA with a 30-page sealed report, which Anderson says "went over the entire universe of our knowledge of the system, even more than the class paper has."