He has lifted an injunction barring three Boston computer
scientists from telling a conference about weaknesses in that
city's subway ticketing systems.
Massachusetts Institute of Technology (MIT) students Zack
Anderson, R.J. Ryan and Alessandro Chiesa had advertised a talk at
the upcoming hackers' conference DefCon with the question: 'want
free subway rides for life?'
The computer scientists had uncovered vulnerabilities in the
ticketing systems used by the Massachusetts Bay Transportation
Authority (MBTA) and intended to explain them to the audience at
DefCon in Las Vegas.
MBTA asked the courts for an injunction preventing them from
releasing the details of their findings for five months, claiming
that the students had broken the Computer Fraud and Abuse Act
(CFAA). It wanted the men to delay the publication of their results
while it fixed the problems they had uncovered.
It is normal practice for security researchers to alert
organisations with faulty security of flaws before publishing the
results, and to withhold publication of vital elements of the flaws
to ensure that they are not unscrupulously exploited.
The MIT students were represented by the Electronic Frontier
Foundation, which said that this is exactly what they did.
"The students had planned to present their findings … while
leaving out key details that would let others exploit the
vulnerability," said an EFF statement. "The students met with the
MBTA about a week before the conference and voluntarily provided a
confidential vulnerability report to the transit agency. However,
the MBTA subsequently sued the students and MIT in United States
District Court in Massachusetts less than 48 hours before the
scheduled presentation, without providing any advance notice to the
students."
The students had argued that preventing them from giving their
talk would be a violation of their rights to free speech, protected
in the US Constitution's First Amendment.
"The judge today correctly found that it was unlikely that the
CFAA would apply to security researchers giving an academic talk,"
said EFF staff attorney Marcia Hofmann. "A presentation at a
security conference is not some sort of computer intrusion. It's
protected speech and vital to the free flow of information about
computer security vulnerabilities. Silencing researchers does not
improve security – the vulnerability was there before the students
discovered it and would remain in place regardless of whether the
students publicly discussed it or not."
"We're very pleased that the court recognized that the MBTA's
legal arguments were meritless," said EFF legal director Cindy
Cohn, who represented the students in court. "The MBTA's attempts
to silence these students were not only misguided, but blatantly
unconstitutional."
MBTA's suit came too late to stop the publication of the
presentation, though. A CD sent to conference delegations before
the event and before the lawsuit was filed contained the students'
87-slide presentation, which has since become available online.