Lawyers at a digital rights nonprofit worry that a U.S. District Court ruling banning three college students from detailing vulnerability findings at recent hacker conference could set a dangerous anti-free speech precedent involving the presentation of security research.
The problem came to a head Saturday when a judge in Boston issued a temporary restraining order against three Massachusetts Institute of Technology (MIT) students who had planned to present their findings on vulnerabilities in the Massachusetts Bay Transportation Authority's (MBTA) subway fare collection system.
Judge Douglas Woodlock ruled that the students, who were set to give the talk Sunday at the Defcon hacker conference in Las Vegas, were banned “from providing program, information, software code or command that would assist another in any material way to circumvent or otherwise attack the security,” of the fare payment system, he wrote in a ruling.
Woodlock based his decision on the federal Computer Fraud and Abuse Act, said Corynne McSherry, a staff attorney with the Electronic Frontier Foundation, a digital rights watchdog representing the students.
But to base a decision on that particular law implies the students were breaking into a computer – not presenting research, she told SCMagazineUS.com.
“We think the judge's order was fundamentally incorrect,” she said. "It's a completely different context. Now we have a situation with a really bad precedent that needs to get fixed.”
The students – Zack Anderson, R.J. Ryan and Alessandro Chiesa – were expected to divulge details surrounding the insecurity of CharlieTickets and CharlieCards, as the electronic subway passes are called, that could be susceptible to cloning and forgery to get free rides.
But the trio planned to hold off on releasing “key details” that could have been misused to conduct fraud, McSherry said.
When the MBTA learned of the planned presentation, the agency contacted MIT.
“After several days passed without getting any information from MIT, the MBTA had no choice but to seek assistance from a federal court judge on Friday,” the statement said. “At 4:30 a.m. on Saturday, the presentation was finally provided to the MBTA. Staff is thoroughly reviewing the information to determine if there is any degree of substance to the claims being made by the students.”
McSherry said the EFF will represent the students at a planned hearing in 10 days in which a judge will decide whether to issue a permanent injunction.
“It's really crucial that legitimate folks like them be able to speak about their research so security vulnerabilities get identified and fixed,” she said. “The public wants that. That's how security research advances.”
Some security experts agreed. Chris Wysopal, co-founder and chief technology officer of application security firm Veracode, said MBTA is going after the wrong culprits.
“Does this seem backwards to you?” he wrote on the company's blog on Saturday. “Shouldn't the MBTA be suing the vendor who sold them the flawed system? Security problems go away by mandating independent security testing before a product is accepted, not by trying to get security researchers to be quiet.”