Judge lifts gag order on subway security hack

Out-Law News | 20 Aug 2008 | 3:36 pm | 2 min. read

A US judge has ruled that the country's Computer Fraud and Abuse Act is designed to combat viruses and worms and not to stop people giving out information in a speech.

He has lifted an injunction barring three Boston computer scientists from telling a conference about weaknesses in that city's subway ticketing systems.

Massachusetts Instistute of Technology (MIT) students Zack Anderson, R.J. Ryan and Alessandro Chiesa had advertised a talk at the upcoming hackers' conference DefCon with the question: 'want free subway rides for life?'

The computer scientists had uncovered vulnerabilities in the ticketing systems used by the Massachusetts Bay Transportation Authority (MBTA) and intended to explain them to the audience at DefCon in Las Vegas.

MBTA asked the courts for an injunction preventing them from releasing the details of their findings for five months, claiming that the students had broken the Computer Fraud and Abuse Act (CFAA). It wanted the men to delay the publication of their results while they fixed the problems they had uncovered.

It is normal practice for security researchers to alert organisations with faulty security of flaws before publishing the results, and to withold publication of vital elements of the flaws to ensure that they are not unscrupulously exploited.

The MIT students were represented by the Electronic Frontier Foundation, which said that this is exactly what they did.

"The students had planned to present their findings … while leaving out key details that would let others exploit the vulnerability," said an EFF statement. "The students met with the MBTA about a week before the conference and voluntarily provided a confidential vulnerability report to the transit agency. However, the MBTA subsequently sued the students and MIT in United States District Court in Massachusetts less than 48 hours before the scheduled presentation, without providing any advance notice to the students."

The students had argued that preventing them from giving their talk would be a violation of their rights to free speech, protected in the US constitution's first amendment.

"The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk," said EFF staff attorney Marcia Hofmann. "A presentation at a security conference is not some sort of computer intrusion. It's protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security – the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not."

"We're very pleased that the court recognized that the MBTA's legal arguments were meritless," said EFF legal director Cindy Cohn, who represented the students in court. "The MBTA's attempts to silence these students were not only misguided, but blatantly unconstitutional."

MBTA's suit came too late to stop the publication of the presentation, though. A CD sent to conference delegations before the event and before the law suit was filed contained the students' 87-slide presentation, which has since become available online.