On Thursday, August 14th, 2008, there was another hearing in the dispute between the group of MIT students and the Massachusetts Bay Transportation Authority (MBTA). Judge O’Toole decided to allow the temporary restraining order, which prevented the students from giving their presentation titled “Anatomy of a Subway Hack” or discussing related information, to stand without modification. The next hearing will be on Tuesday when the temporary restraining order expires. It seems likely that the MBTA will then ask for a more permanent injunction.
During the emergency hearing on Saturday, August 9th, the Electronic Frontier Foundation (EFF), providing counsel for the students, argued that a temporary restraining order of this kind imposed prior restraint upon their speech. A party seeking prior restraint of another’s speech is considered to have a very high burden to prove that they are not unduly burdening the other party’s freedom of speech. The most famous case involving prior restraint is New York Times Co. v. United States, better known as the Pentagon Papers. In this case the Supreme Court found that the Government’s interest in restricting the publication of classified material was not sufficient to trump the New York Times’s 1st Amendment rights. The material in question described the Government’s actions in Vietnam, while American soldiers were still fighting in the region. Subsequently the courts have stated that only the most important of government needs, such as revealing the location of our troops in the field, would allow prior restraint. It would not seem that the possible harm of informing people how to get a free ride on the subway would rise to that level.
How is it then that the MBTA was able to obtain a temporary restraining order preventing the students from speaking? Judge Woodlock, the judge who presided over the emergency hearing on August 9th, interpreted the Computer Fraud and Abuse Act (CFAA) to mean that the students, while giving a talk at Defcon and/or making software available for download, could be in violation of the CFAA. Specifically, he relied on the clause that criminalizes anyone who “knowingly causes the transmission of a program, information, code, or command and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”. The Judge’s interpretation is that the talk constitutes transmitting information and that if after the talk any of the attendees then damage the MBTA by bypassing the fare system, this counts as damage.
The EFF, needless to say, disagrees. The EFF argued that in the CFAA transmission means transmitting information to a computer, not a person (otherwise the statute would infringe upon the 1st Amendment, and in other paragraphs it uses the term “communicate” to refer to giving information to a person). The EFF also argues that the damage must occur as a direct result of the transmission of the information / code. They say that if someone else later commits a crime based upon information you transmitted to them, the link between the action and the damage is too attenuated to be combined into a violation of the statute. It also seems that according to the EFF the damage must be to the computer system, or damages associated with downtime or cleaning up after an incident. There are other provisions of the CFAA that cover stealing information and unauthorized access with intent to defraud. However, they do not seem to apply in this case and are not the provisions the judge relied upon when he granted the temporary restraining order. The CFAA, although a criminal statute, allows people to bring civil action to recover damages incurred from violating the statute and to ask the court to enjoin continued violation of the statute.
The free speech issues the EFF raised at the emergency hearing on Saturday, August 9th were not addressed at that time, but the MBTA did mention them in their brief for the August 14th hearing. The MBTA first called the MIT students’ speech an incitement to a crime, and second stated that: “The Individual Defendants’ DEFCON presentation constitutes commercial speech. Commercial speech is any speech that proposes a commercial transaction. As commercial speech advertising illegal activity, it receives no First Amendment protection. Here, the Presentation is full of marketing, and self-promotional statements. It is not a research paper.” [Plaintiff's Opposition to Cross Motion for Reconsideration of Defendants]
I have not heard a recording of the hearing on the 14th, however I’m sure the EFF would take the position that the students’ paper was academic research, which is fully protected by the 1st Amendment. The paper was written while the students were attending one of the most prestigious engineering schools in the world, it was written (and turned into a talk) under the guidance of the extremely well known and respected Professor Rivest (the R in RSA) and then was intended to be presented at a computer security conference. The EFF also submitted as evidence a letter from 11 professors and industry professionals detailing the dangers of preventing this kind of research from being made public.
The other interesting aspect about this is that the MIT students provided a confidential vulnerability assessment of the fare system to the MBTA. The students stated that this document contained more detailed and potentially damaging information than they intended to give at their Defcon talk. The MBTA submitted this document as evidence in the court hearing and in doing so it became part of the public record. The EFF advised the MBTA of the dangers of this, and suggested that they take emergency action in sealing the information so as to prevent it from becoming public. It does not appear the MBTA took any action to prevent this from happening.
This raises many questions in my mind. If we were to look at the MIT students’ conduct in the worst possible light, it is that they wanted to provide details of security flaws to a large group of hackers with either the intent or reckless disregard to the fact that some of the attendees would use this information to evade paying fares at the T. The MBTA calls this commercial speech and an incitement to a crime.
According to the MIT students, the MBTA provided substantially the same or more information to the public in the form of a court filing. What is the difference between these two? What makes one actionable under the law and not the other? Is it the substantive information about the security flaws? Is it the location and audience that makes the difference? There was a presentation on the Mifare card (the same card used by the T) security at Blackhat that went on without a legal challenge. There was a legal action brought against a university in the Netherlands to attempt to prevent them from publishing similar Mifare research, but a Dutch court ruled in favor of the university.
If the students had presented this same information in an academic journal or a more academic sounding (as opposed to the scary sounding, hacker infested Defcon) conference would that have been ok? Or was it the provocative language in the students’ presentation? They did use phrases like “Want free subway rides for life?”, “This is illegal – for educational use only” (the judge in the emergency hearing found this phrase to be tongue in cheek and offensive), and “Is this hackable? Yes!”. Or is it motive that makes this speech possibly unprotected? Is the difference that the MIT students wanted to encourage others to break the law and that the MBTA is just trying to educate the court? Can the aforementioned choice of venue, audience, and tone of their speech be seen as sufficient to indicate that their motive is to incite others to violate the law?
I’m not a lawyer, so I can’t speak authoritatively on what speech is protected under the First Amendment. However, it seems that it is the tone of the students’ speech more than the technical content that is causing (or exacerbating) their legal problems. Unfortunately I’ve found in looking into other cases that it seems that when faced with complex questions of technology and law, sometimes judges will fall back to one of the more classical elements of crime – motive.
If the defendant seems to have had malicious intent, then he likely violated a law. For example, in the David Ritz case I blogged about earlier, one of the findings was that, “The Court finds by clear and convincing evidence that Ritz is guilty of actual malice. Sierra is entitled to an award of exemplary damages for the sake of example and by way of punishing Ritz.” Ritz may have harbored malicious intent towards Sierra (Ritz alleges that Sierra is a spam house), but is that the key point that should make his DNS zone transfer unlawful? Is it right to punish one person but not another for obtaining the same publicly available information simply because their motives differed? Likewise, should the MIT students be stopped from sharing their research because of the admittedly juvenile and offensive manner in which it was presented? I don’t agree, but instead of suggesting a way to deal with these questions, I’ll end with a quote from Justice Black’s opinion in the Pentagon Papers case: “The word ’security’ is a broad, vague generality whose contours should not be invoked to abrogate the fundamental law embodied in the 1st Amendment.” [New York Times Co. v. United States]
SecureWorks follows a responsible disclosure policy when discovering a vulnerability. It can be found at http://www.secureworks.com/research/disclosure.html
