A federal judge in Boston will decide on Tuesday whether to extend or let expire a restraining order enjoining three students at MIT from publicly speaking about security flaws they discovered in the electronic fare-payment system used by the city's mass transit agency.
The 10-day gag order was imposed by another judge on Aug. 9, one day before the three students were scheduled to detail the flaws in a presentation at the Defcon hacker convention in Las Vegas. The order was issued in response to a motion by the Massachusetts Bay Transportation Authority (MBTA), which sued both MIT and the students, claiming that they hadn't given it enough time or information to assess and mitigate the vulnerabilities.
The agency argued that the presentation would cause "significant damage to the MBTA's transit system" by describing a variety of techniques that could be used to ride for free, for instance by adding fares to the MBTA's smart cards and electronic tickets without paying for them.
The Electronic Frontier Foundation, a high-tech civil rights group that is representing the three students, last week filed a motion asking U.S. District Judge George O'Toole to lift the restraining order, which the EFF said violated the students' First Amendment rights to free speech. But O'Toole, who will preside over Tuesday's 10:30 a.m. EDT hearing, refused to lift the order and instead asked the three students to submit additional information related to their research, as requested by the MBTA.
Among the arguments that attorneys at the EFF are likely to make for lifting the order are the following:
Much of the vulnerability information is already in the public domain and common knowledge within the security community. The slides that the students put together for their aborted Defcon presentation were included on a CD given to Defcon attendees and have been posted online. And the MBTA itself released many of the details in a court document as part of its lawsuit against the students.
The three undergrads, who discovered the security holes in independent penetration tests that they did as part of a class project, have repeatedly assured the MBTA that they won't publicly disclose the level of detail needed for anyone to actually take advantage of the vulnerabilities.
Gagging the students violates their free-speech rights. Under the IT security community's generally accepted norms for responsibly disclosing security vulnerabilities, it could be argued that the students should have given the MBTA a reasonable amount of time to fix the flaws before going public with them. But preventing the students from discussing the security holes runs afoul of the First Amendment, according to the EFF.
On the other hand, the MBTA claims that there's no telling if the students have provided it with everything they know about the vulnerabilities. Their presentation at Defcon was initially promoted as a talk that would give people the information they needed to ride the subway in Boston for free -- for life. It also offered to teach attendees how to generate stored-value fare cards, reverse-engineer the magnetic stripes on the back of cards and "tap" into the MBTA's fare-selling system. The agency said the materials it has received thus far don't contain any of that information.
In addition, the MBTA has contended that the presentation and related materials constitute commercial speech, not security research, on the part of the students. According to the agency, the presentation included details that the students publicly promoted despite appearing to know that spreading the information might be illegal; for instance, one of their slides read, "What this talk is not: evidence in court (hopefully)."
Under existing case law, no First Amendment protections are available for commercial speech that advertises or promotes illegal products or services, the MBTA says. The constitution also doesn't guarantee protection to speech that advocates violating the law or that is likely to result in illegal activity, according to the MBTA.