Gag order against MIT students dissolved by judge

IDG News Service - A U.S. District Court judge in Boston today dissolved a gag order against a trio of MIT students, a decision that frees them to publicly discuss security flaws they found in the ticketing system used by the Massachusetts Bay Transportation Authority (MBTA).

Following a roughly 90-minute hearing today, U.S. District Judge George O'Toole sided with attorneys from the Electronic Frontier Foundation (EFF) who have been representing the three MIT students — Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa.

The students originally had planned to detail their findings at the Defcon hackers convention last week. But another judge imposed a 10-day restraining order against them on Aug. 9, the day before their scheduled presentation, after the MBTA claimed in a lawsuit that disclosing information about the vulnerabilities would cause "significant damage" to its transit operations.

O'Toole refused to lift the restraining order after an earlier hearing last Thursday. But EFF legal director Cindy Cohn argued at today's hearing that the federal Computer Fraud and Abuse Act governs the transmission of information to protected computers, not speech directed at other people — in this case, the presentation that the students were scheduled to give at Defcon on Aug. 10. The MBTA had contended that the law also applied to "verbal transmission" of information.

In addition, Cohn reiterated earlier promises that the students have no intention of releasing "key" pieces of information that would enable others to hack the MBTA's ticketing system. According to slides that were prepared for the presentation and included on a CD distributed to Defcon attendees, the security flaws could be used to ride for free — for instance, by adding fares to the MBTA's smart cards and electronic tickets without actually paying for them.

During her remarks, Cohn repeatedly framed the dispute as a First Amendment issue and said that if O'Toole extended the restraining order, it would be "an unprecedented ruling" that would make security researchers reluctant to publicize findings for fear of legal reprisals. "This will set an example that will ultimately leave us all less secure," she claimed.

She also characterized the MIT students as victims in the case, saying that they were only trying to help the MBTA by exposing the weaknesses in its ticketing system. "Our clients didn't create a vulnerability, they found it," Cohn said. "They are being punished because they want to talk about it."

MBTA attorney Ieuan-Gael Mahoney asked today for a five-month continuation of the restraining order, saying that was how long the transit authority has determined it will take to fix the vulnerabilities in its CharlieTicket and CharlieCard system.