A US judge let stand a temporary restraining order preventing three Massachusetts Institute of Technology students from discussing or disclosing their research into security vulnerabilities in the payment system for the local subway system.
US District Judge George O'Toole also granted a request by the Massachusetts Bay Transportation Authority to obtain documents from the three students and their MIT professor Ron Rivest, a renowned researcher best known as co-inventor of the RSA public key encryption system commonly used in e-commerce systems.
O'Toole didn't amend or revoke the temporary restraining order. Instead, he postponed discussion on it until another hearing that will take place next week. None of the students (who are on summer break), nor Rivest, was in court.
On Saturday last week, a different judge who was on duty over the weekend granted the state transportation agency an order against the three students, who had been scheduled to give a presentation at the Defcon hacker conference a day later. They cancelled their presentation, and their attorneys have been fighting to lift the gag order ever since.
Jennifer Granick, an attorney with the advocacy group Electronic Frontier Foundation, who's representing the three students, said the EFF might appeal the judge's ruling to the US First Circuit Court of Appeals, but the timing is tight: the judge has required the students to make a good effort to provide the documents, including a class paper on "The T" hack and records of communications with Defcon organisers, by Friday afternoon in the US.
Under federal rules, the temporary restraining order automatically expires Tuesday, and Granick had asked the judge to terminate it immediately on grounds that it violated the students' First Amendment rights and based on long-standing court precedent that disfavoured prior restraint of speakers. But O'Toole declined to rule on her request, and instead scheduled another hearing for Tuesday morning in the US.
The students provided the court and MBTA officials with a new 30-page report that detailed all of their findings, including particular information to complete the Charlie Card hack that they say they had no intention of revealing in the Defcon discussion.
But T officials still want additional information, saying they want to ensure no other vulnerabilities exist that the students have yet to reveal. (This is in addition to a 5-page analysis, marked "confidential", that the students sent to MBTA last week.)
Granick told reporters after the hearing that there was no more relevant information that her clients, Alessandro Chiesa, RJ Ryan, and Zack Anderson, could provide. "That document should have resolved the whole matter," Granick said, adding, "There is no other shoe to drop."
Debate over responsible disclosure
At the heart of the case is an increasingly contentious debate between security researchers and their subjects about what is responsible disclosure. The students and their lawyers argue that giving that Defcon presentation would have been a public service. Indeed, at a time when local politicians and Boston newspapers are debating the efficacy of the T's electronic payment system, it could have been a necessary part of the public discussion.
US District Judge Douglas Woodlock in Massachusetts granted the temporary restraining order before the students could make their Defcon presentation, on the grounds that the Computer Fraud and Abuse Act might have been violated. Lawyers for the students argue the CFAA, if properly interpreted, should not apply because it refers to the dissemination of information from computer-to-computer, not person-to-person.
Ieuan-Gael Mahony, a lawyer from the Boston firm Holland & Knight representing the MBTA, argued, however, that at this point, there is no harm being done to the students by the restraining order and there was no reason to lift it. (The gag order goes beyond the Defcon presentation; it continues to bar the students from providing any "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System.")
A letter written by 11 security researchers was sent to the court backing the students' claims and criticising this form of gag order. But rather than ruling on the First Amendment and prior restraint questions on Thursday, the judge postponed a decision until he has more material before him.