Massachusetts Bay Transportation Authority v. Anderson

NOTE: The information and commentary contained in this database entry are based on court filings and other informational sources that may contain unproven allegations made by the parties. The truthfulness and accuracy of such information is likely to be in dispute. Information contained in this entry is current as of the last event mentioned in the "Description" section below; additional proceedings might have taken place in this matter since this event.

Summary

Threat Type: 

Lawsuit

Date: 

08/08/2008

Status: 

Concluded

Location: 

Massachusetts

Disposition: 

Injunction Denied
Withdrawn

Verdict or Settlement Amount: 

N/A
Parties

Party Receiving Legal Threat: 

Zack Anderson; RJ Ryan; Alessandro Chiesa; the Massachusetts Institute of Technology

Type of Party: 

Large Organization

Type of Party: 

Individual
School

Location of Party: 

  • Massachusetts

Location of Party: 

  • Massachusetts

Legal Counsel: 

Cindy Cohn, Jennifer Granick, Marcia Hoffman, and Emily Berger, Electronic Frontier Foundation (for MIT undergraduate defendants); Lawrence K. Kolodney and Adam J. Kessel, Fish & Richardson P.C. (for MIT undergraduate defendants); John Reinstein (for
Description

According to the complaint, Zack Anderson, RJ Ryan, and Alessandro Chiesa were undergraduate students at the Massachusetts Institute of Technology (MIT). The students claimed to have discovered a vulnerability in the "CharlieCard" and "CharlieTicket" automated fare collection systems used by the Massachusetts Bay Transportation Authority (MBTA) for Boston area public transit. The students planned to share their research at the DEFCON computer security conference on August 10, 2008. Their description of the presentation, as quoted in the complaint, was as follows:

Want free subway rides for life? In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on magstripe card [sic], we present several attacks to completely break the CharlieCard, a MIFARE Classic smartcard used in many subway systems around the world, and we discuss physical security problems. We will discuss practical brute force attacks using FPGAs and how to use software-radio to read RFID cards. We go over social engineering attacks we executed on employees, and we present a novel new method of hacking WiFi: WARCARTING. We will release several open source tools we wrote to perform these attacks. With live demos, we will demonstrate how we broke these systems.

When the MBTA learned of their planned presentation, they arranged a meeting with the MIT students and MIT Professor Ronald Rivest, who specializes in network security. According to the court records, the students met with the MBTA on August 5, but refused to provide the MBTA with materials they planned to present, and instead agreed to provide a three-page summary of the vulnerabilities they found. The students also modified their event description to remove the reference to "free subway rides for life," and made other small alterations to the event description.

On August 8, 2008 the MBTA filed a complaint and motion for a temporary restraining order against the students and MIT. The complaint alleged that the students committed a violation of the Computer Fraud and Abuse Act (CFAA) by transmitting information that caused damage to computers. The complaint also alleged that the students committed the common law torts of conversion and trespass to chattels by intercepting MBTA rider fares, that MIT negligently supervised the students by failing to instruct the students to "responsibly disclose information concerning perceived security flaws," and that all four defendants committed a violation of Massachusetts's unfair and deceptive trade practices statute, M.G.L. Ch. 93A § 11.

The complaint sought an order preventing the students from "offering to provide software tools or demonstrations to allow others to duplicate the attacks referenced," from "providing information or materials that would assist another in any material way to circumvent the security of the" CharlieCard system, from "publicly stating or indicating that the security or integrity" of the system "has been compromised," from "further circulating" the conference panel announcement, from suggesting that "MIT endorses or approves of the activities" described, and from "declining to provide the MBTA and its vendors with information sufficient to replicate, test, and repair the purported security flaws."

On Saturday, August 9, 2008, U.S. District Court Judge Douglas Woodlock (acting as duty judge covering court matters over the weekend) issued a temporary restraining order forbidding the students from "providing program, information, software code, or command that would assist another in a material way to circumvent or otherwise attack the security of" the MBTA fare system. Per the Federal Rules of Civil Procedure in effect at that time, the injunction was scheduled to last for ten days. At oral argument, Judge Woodlock stated that the planned DEFCON presentation would constitute "transmission" of a program, and that the possible harm to MBTA fare collection constituted "damage," for CFAA purposes. The court also indicated that if someone were to use this information to evade fare collection, the students would be aiders and abettors of that crime.

The court noted a possible First Amendment issue with the order, but stated "there's a balance that has to be drawn at various points," and that "we can't expect people in their early 20s to have sufficient judgment or experience to avoid causing those clashes of interest between something as broad and as important as the First Amendment and the need to avoid actual criminal conduct of which words are the constituent elements." The students argued that they had met with the MBTA and provided a report addressing their discovered vulnerabilities and what they planned to present at DEFCON, but the court found that insufficient to remove the risk of irreparable harm.

On August 11, the MBTA filed a motion to modify the terms of the restraining order, to clarify that the injunction only applies to "non-public" information related to the fare collection system. On August 12, the students responded, opposing the modification of the order and moving to have the court reconsider the restraining order altogether. The students argued that the order was an unconstitutional prior restraint on speech, as it prohibited the students' speech without a showing of an intent to induce any unlawful activity, or any other state interest of the highest order. The students further argued that the MBTA failed to show a likelihood of success on the merits of their CFAA claim, as the legislative history and statutory interpretation of the relevant section of the CFAA suggested that it applied only when a person actually transmits code to a protected computer, and not one's mere description of vulnerabilities. The students also noted that the MBTA's disclosure of the students' presentation slides in a public filing in the current action undermined their claim that an injunction was necessary.

On August 14, 2008, the MBTA responded to the students' motion. The MBTA argued that while some of the material related to their fare system was now public in light of the disclosure of the DEFCON slides, there remained non-public information that the students might share, including the source code of the program they used to read and alter the fare cards. The MBTA further argued that the CFAA's language extends to transmitting damaging "information," and not just software, and that the students' planned speech would advocate violation of the law, and would thus be unprotected by the First Amendment under Brandenburg v. Ohio. Finally, the MBTA argued that the presentation was not "research," but was instead commercial speech, and that the students failed to follow industry standards for responsible disclosure of a data breach.

In a reply filed on August 18, the students argued that the factual record contradicted the claim that the students planned to share anything beyond what was already in the public docket of this court case. The students further argued that the MBTA failed the basic standard for injunctive relief as there was no immediate risk of harm. They also argued that adherence to industry standards for responsible disclosure was not required by law and, if compelled, would lead to censorship of important public information. (To support this, the students also provided a letter from eleven computer science professors and computer scientists discussing responsible disclosure.) The reply also argued that the students were discussing matters of policy and not engaging in commercial speech, as evidenced by the use of the student's research in numerous news articles addressing the data security of the CharlieCard system.

On August 14, Judge George O'Toole, the assigned judge for the case, held a hearing to determine whether the temporary restraining order should remain in effect for the full ten days for which it was issued. Judge O'Toole allowed the restraining order to remain in place, and granted the MBTA's motion for limited discovery against the students in preparation for the MBTA's motion to convert the restraining order into a preliminary injunction. The court allowed the MBTA to obtain: written correspondence, as well as "permissions, waivers, and other agreements" between the students and the DEFCON organizers; a copy of an MIT class paper that the students wrote, which served as the basis of the presentation; copies of all software tools the students intended to distribute as part of the DEFCON presentation; and copies of any other materials the students planned to distribute.

On August 17, 2008, the students filed a motion for reconsideration of the court's discovery order as it applied to the class paper and the planned presentation software and materials. The students argued that such material is exempt from disclosure under the First Circuit's decision in Cusumano v. Microsoft, which protects certain academic sources and work product from disclosure. The students argued that the MBTA, a governmental agency, was seeking impermissible pre-publication review of academic work product.

On August 18, the MBTA filed a motion for a preliminary injunction. In its supporting memorandum, in addition to the arguments made previously, the MBTA argued that there remained information that the students had yet to disclose to the MBTA and the court about their planned presentation, including the software they planned to share. The MBTA also included a declaration from Systems Project Manager Scott Henderson, who stated that some of the cards used in the presentation had been used on the MBTA system illegally, based on the MBTA's own audit. The MBTA sought an injunction against the dissemination of this information for five months, in order to give them time to implement security upgrades to the system.

At a hearing on August 19, 2008, the court denied the preliminary injunction and dissolved the temporary restraining order. The court found that the MBTA had failed to show a likelihood of success on the merits of its CFAA claim, indicating that discussion of security topics is not likely to be "transmission" of code, commands, or information under the CFAA, as the statute's terms suggest that such transmission would need to be technical rather than informational in order for the statute to apply. The court also raised doubts as to whether the required $5000 of loss under the CFAA had been sufficiently demonstrated, finding the possible loss of future MBTA revenue to be "a matter of possibility but [not] sufficiently established to support the injunction requested." The court noted that it was "mak[ing] that point in the first instance without reference to the First Amendment, what it may or may not guarantee under these circumstances," but also noted the valid public interest in such disclosures and discussions.

On October 7, 2008, the MBTA and student defendants filed a stipulation of dismissal, dismissing the claims against the students with prejudice and without costs. On December 22, 2008 the Electronic Frontier Foundation released a statement indicating that the MBTA and MIT students are now working together to improve the data security of the MBTA system. The claims against MIT were dismissed on February 3, 2009.

Details

Content Type: 

  • Text

Publication Medium: 

Forum
Print
Website
Other

Subject Area: 

  • Censorship
  • Trade Secrets
  • Computer Fraud and Abuse Act