A U.S. District Court judge in Boston today dissolved a gag order against a trio of MIT students, a decision that frees them to publicly discuss security flaws they found in the ticketing system used by the Massachusetts Bay Transportation Authority (MBTA).
Following a roughly 90-minute hearing today, U.S. District Judge George O'Toole sided with attorneys from the Electronic Frontier Foundation (EFF) who have been representing the three MIT students — Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa.
The students originally had planned to detail their findings at the Defcon hackers convention last week. But another judge imposed a 10-day restraining order against them on Aug. 9, the day before their scheduled presentation, after the MBTA claimed in a lawsuit that disclosing information about the vulnerabilities would cause "significant damage" to its transit operations.
O'Toole refused to lift the restraining order after an earlier hearing last Thursday. But EFF legal director Cindy Cohn argued at today's hearing that the federal Computer Fraud and Abuse Act governs the transmission of information to protected computers, not speech directed at other people — in this case, the presentation that the students were scheduled to give at Defcon on Aug. 10. The MBTA had contended that the law also applied to "verbal transmission" of information.
In addition, Cohn reiterated earlier promises that the students have no intention of releasing "key" pieces of information that would enable others to hack the MBTA's ticketing system. According to slides that were prepared for the presentation and included on a CD distributed to Defcon attendees, the security flaws could be used to ride for free — for instance, by adding fares to the MBTA's smart cards and electronic tickets without actually paying for them.
During her remarks, Cohn repeatedly framed the dispute as a First Amendment issue and said that if O'Toole extended the restraining order, it would be "an unprecedented ruling" that would make security researchers reluctant to publicize findings for fear of legal reprisals. "This will set an example that will ultimately leave us all less secure," she claimed.
She also characterized the MIT students as victims in the case, saying that they were only trying to help the MBTA by exposing the weaknesses in its ticketing system. "Our clients didn't create a vulnerability, they found it," Cohn said. "They are being punished because they want to talk about it."
MBTA attorney Ieuan-Gael Mahoney asked today for a five-month continuation of the restraining order, saying that was how long the transit authority has determined it will take to fix the vulnerabilities in its CharlieTicket and CharlieCard system.
Although Mahoney sought the extension, he also praised a brief security analysis that the MIT students prepared for the agency in advance of Defcon, saying that the information it contained had convinced MBTA officials that the flaws were valid.
"This is a very useful document," Mahoney said. "From it, we came to the conclusion the CharlieTicket had been compromised."
But along with that praise, Mahoney raised new allegations that the students had committed illegal acts. He didn't provide specifics but said the MBTA has "solid information" backing up that contention.
Mahoney wasn't immediately available after the hearing to comment on whether the MBTA plans to appeal O'Toole's ruling.
The restraining order only pertained to the students' ability to discuss their findings publicly. The MBTA's lawsuit alleging that they violated the Computer Fraud and Abuse Act remains open, according to Cohn.