Copyright 2007-22 Digital Media Law Project and respective authors. Except where otherwise noted,
content on this site is licensed under a Creative Commons Attribution-Noncommercial-ShareAlike 3.0 License: Details.
and Privacy Notice
According to the complaint, Zack Anderson, RJ Ryan, and Alessandro Chiesa were undergraduate students at the Massachusetts Institute of Technology (MIT). The students claimed to have discovered a vulnerability in the "CharlieCard" and "CharlieTicket" automated fare collection systems used by the Massachusetts Bay Transportation Authority (MBTA) for Boston area public transit. The students planned to share their research at the DEFCON computer security conference on August 10, 2008. Their description of the presentation, as quoted in the complaint, was as follows:
When the MBTA learned of their planned presentation, they arranged a meeting with the MIT students and MIT Professor Ronald Rivest, who specializes in network security. According to the court records, the students met with the MBTA on August 5, but refused to provide the MBTA with materials they planned to present, and instead agreed to provide a three-page summary of the vulnerabilities they found. The students also modified their event description to remove the reference to "free subway rides for life," and made other small alterations to the event description.
On August 8, 2008 the MBTA filed a complaint and motion for a temporary restraining order against the students and MIT. The complaint alleged that the students committed a violation of the Computer Fraud and Abuse Act (CFAA) by transmitting information that caused damage to computers. The complaint also alleged that the students committed the common law torts of conversion and trespass to chattels by intercepting MBTA rider fares, that MIT negligently supervised the students by failing to instruct the students to "responsibly disclose information concerning perceived security flaws," and that all four defendants committed a violation of Massachusetts's unfair and deceptive trade practices statute, M.G.L. Ch. 93A § 11.
The complaint sought an order preventing the students from "offering to provide software tools or demonstrations to allow others to duplicate the attacks referenced," from "providing information or materials that would assist another in any material way to circumvent the security of the" CharlieCard system, from "publicly stating or indicating that the security or integrity" of the system "has been compromised," from "further circulating" the conference panel announcement, from suggesting that "MIT endorses or approves of the activities" described, and from "declining to provide the MBTA and its vendors with information sufficient to replicate, test, and repair the purported security flaws."
On Saturday, August 9, 2008, U.S. District Court Judge Douglas Woodlock (acting as duty judge covering court matters over the weekend) issued a temporary restraining order forbidding the students from "providing program, information, software code, or command that would assist another in a material way to circumvent or otherwise attack the security of" the MBTA fare system. Per the Federal Rules of Civil Procedure in effect at that time, the injunction was scheduled to last for ten days. At oral argument, Judge Woodlock stated that the planned DEFCON presentation would constitute"transmission" of a program, and that the possible harm to MBTA fare collection constituted "damage," for CFAA purposes. The court also indicated that if someone were to use this information to evade fare collection the students would be aiders and abettors of that crime.
The court noted a possible First Amendment issue with the order, but stated "there's a balance that has to be drawn at various points," and that "we can't expect people in their early 20s to have sufficient judgment or experience to avoid causing those clashes of interest between something as broad and as important as the First Amendment and the need to avoid actual criminal conduct of which words are the constituent elements." The students argued that they had met with the MBTA and provided a report addressing their discovered vulnerabilities and what they planned to present at DEFCON, but the court found that insufficient to remove the risk of irreparable harm.
On August 11, the MBTA filed a motion to modify the terms of the restraining order, to clarify that the injunction only applies to "non-public" information related to the fare collection system. On August 12, the students responded, opposing the modification of the order and moving to have the court reconsider the restraining order altogether. The students argued that the order was an unconstitutional prior restraint on speech, as it prohibited the students' speech without a showing of an intent to induce any unlawful activity, or any other state interest of the highest order. The students further argued that the MBTA failed to show a likelihood of success on the merits of their CFAA claim, as the legislative history and statutory interpretation of the relevant section of the CFAA suggested that it applied only when a person actually transmits code to a protected computer, and not one's mere description of vulnerabilities. The students also noted that the MBTA's disclosure of the students' presentation slides in a public filing in the current action undermined their claim that an injunction was necessary.
On August 14, 2008, the MBTA responded to the students' motion. The MBTA argued that while some of the material related to their fare system was now public in light of the disclosure of the DEFCON slides, there remained non-public information that the students might share, including the source code of the program they used to read and alter the fare cards. The MBTA further argued that the CFAA's language extends to transmitting damaging "information," and not just software, and that the students' planned speech would advocate violation of the law, and would thus be unprotected by the First Amendment under Brandenburg v. Ohio. Finally, the MBTA argued that the presentation was not "research," but was instead commercial speech, and that the students failed to follow industry standards for responsible disclosure of a data breach.
In a reply filed on August 18, the students argued that the factual record contradicted the claim that the students planned to share anything beyond what was already in the public docket of this court case. The students further argued that the MBTA failed the basic standard for injunctive relief as there was no immediate risk of harm. They also argued that adherence to industry standards for responsible disclosure was not required by law and, if compelled, would lead to censorship of important public information. (To support this, the students also provided a letter from eleven computer science professors and computer scientists discussing responsible disclosure.) The reply also argued that the students were discussing matters of policy and not engaging in commercial speech, as evidenced by the use of the student's research in numerous news articles addressing the data security of the CharlieCard system.
On August 14, Judge George O'Toole, the assigned judge for the case, held a hearing to determine whether the temporary restraining order should remain in effect for the full ten days that it was issued. Judge O'Toole allowed the restraining order to remain in place, and granted the MBTA's motion for limited discovery against the students in preparation of the MBTA's motion to convert the restraining order into a preliminary injunction. The court allowed the MBTA to obtain: written correspondence, as well as "permissions, waivers, and other agreements" between the students and the DEFCON organizers; a copy of a MIT class paper that the students wrote, which served the basis of the presentation; copies of all software tools the students intended to distribute as part of the DEFCON presentation; and copies of any other materials the students planned to distribute.
On August 17, 2008, the students filed a motion for reconsideration of the court's discovery order as it applied to the the class paper and planned presentation software and materials. The students argued that such material is exempt from disclosure under the First Circuit's decision in Cusumano v. Microsoft, which protects certain academic sources and work product from disclosure. The students argued that the MBTA, a governmental agency, was seeking impermissible pre-publication review of academic work product.
On August 18, the MBTA filed a motion for a preliminary injunction. In its supporting memorandum, in addition to the arguments made previously, the MBTA argued that there remained information that the students had yet to disclose to the MBTA and the court about their planned presentation, including the software they planned to share. The MBTA also included a declaration from Systems Project Manager Scott Henderson, who stated that some of the cards used in the presentation had been used on the MBTA system illegally, based on the MBTA's own audit. The MBTA sought an injunction against the dissemination of this information for five months, in order to give them time to implement security upgrades to the system.
At a hearing on August 19, 2008 the court denied the preliminary injunction and dissolved the temporary restraining order. The court found that the MBTA had failed to show a likelihood of success on the merits of their CFAA claim, indicating that discussion of security topics is not likely to be not be "transmission" of code, commands, or information under the CFAA, as the statute's terms suggest that such transmission would need to be technical instead of informational in order for the statute to apply. The court also raised doubts as to whether the required $5000 of loss under the CFAA had be sufficiently demonstrated, finding the possible loss of future MBTA revenue as "a matter of possibility but [not] sufficiently established to support the injunction requested." The court noted that it was "mak[ing] that point in the first instance without reference to the First Amendment, what it may or may not guarantee under these circumstances," but also noted the valid public interest in such disclosures and discussions.
On October 7, 2008, the MBTA and student defendants filed a stipulation of dismissal, dismissing the claims against the students with prejudice and without costs. On December 22, 2008 the Electronic Frontier Foundation released a statement indicating that the MBTA and MIT students are now working together to improve the data security of the MBTA system. The claims against MIT were dismissed on February 3, 2009.