Gag order on student research into MBTA fare payment system flaws threatens academic freedom

FOR IMMEDIATE RELEASE
CONTACT: info@aclum.org

BOSTON - Today, in a case with national importance for academic freedom and freedom of speech, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union of Massachusetts are seeking to lift a gag order on three MIT students who have discovered flaws in the electronic "Charlie Card" and "Charlie Ticket" payment systems used by the Massachusetts Bay Transportation Authority (MBTA). The hearing in MBTA v. Anderson takes place in U.S. District Court for the District of Massachusetts today, August 19, at 10:30 a.m., in the John Joseph Moakley Courthouse, Courtroom 9, before Judge George A. O'Toole, Jr.

In their project for a class on computer and network security taught by renowned Prof. Ronald R. Rivest, the MIT students investigated known security vulnerabilities, in magnetic stripe and RFID (radio frequency identification) card payment systems, specifically examining the MBTA's Charlie Card and Charlie Ticket media. The students - whose work on the project received an "A" grade, and whose work was accepted for a presentation on Aug. 10 at a computer security conference in Las Vegas called DEFCON - have said repeatedly that they never planned to release the information needed to actually breach the MBTA fare payment systems, and they withheld key security details from slides they prepared for their conference presentation, in order to prevent malicious use of their work.

On August 4, they even provided the MBTA with an assessment of what the agency could do to safeguard its systems.

The MBTA, however, responded by seeking a prior restraint preventing the defendants from speaking publicly about their research findings. The MBTA filed suit on Friday, August 8, after the close of business, with the students out of state. Hours later, on August 9, in a hearing which the students' legal representatives were only able to participate in by phone, U.S. District Judge Douglas P. Woodlock sided with the MBTA, issuing a restraining order that prevented the students from giving their talk at the DEFCON conference.

Today, the EFF and ACLU of Massachusetts will oppose continuation of this restriction, on the grounds that the order is unconstitutional prior restraint on First Amendment protected speech about their research.

Ironically, while the students remain subject to the gag order, the MBTA itself submitted in publicly available court documents copies of the confidential "vulnerability report" which the students had prepared for the MBTA, effectively distributing more information to the public about the security vulnerabilities than the students did.

"The MBTA has missed an important opportunity to work with these students to secure its electronic payment system and to otherwise improve MBTA security," said Carol Rose, Executive Director of the ACLU of Massachusetts.

"Instead of embracing work which could make the fare payment system more secure against vulnerabilities that are already generally known in the world of network security, the MBTA is making a knee-jerk attempt to punish the messengers."

"Attempts to gag freedom of speech and freedom of academic inquiry increase the chances that security flaws will be exploited in a malicious attack, rather than examined as part of benign academic inquiry," said Rose. "We urge the MBTA to drop this case and to focus on ensuring the security of its systems - and to take advantage of the enormous brainpower which Massachusetts cultivates and attracts, instead of fighting it."

Eleven computer scientists and researchers from top research and educational institutions also submitted a letter in support of the students, as part of a brief filed last week. "Researchers discover flaws," said the letter.

"They invent new and improved ways to detect and correct flaws, and they invent new and improved approaches to system design and implementation."

Attorneys on the case are Jennifer Stisa Granick, Kurt Opsahl, Marcia Hofmann, and Cindy Cohn of the Electronic Frontier Foundation, with John Reinstein, ACLU of Massachusetts Legal Director, and Fish & Richardson attorneys Adam Kessel, Lawrence Kolodney, and Tom Brown, as local co-counsel.

For more information on MBTA v. Anderson, the letter of support on behalf of the MIT students, EFF press releases, and court documents, go to: www.eff.org/cases/mbta-v-anderson

For more information about the ACLU of Massachusetts, go to: www.aclum.org