The MIT Students have now filed their response to the Massachusetts Bay Transportation Authority's Motion to Modify the terms of the temporary restraining order it got from the court. There is also a letter from a group of computer science professors and computer scientists in support, along with two declarations and exhibits. They ask that the court reconsider and vacate the TRO to allow the students to publish their research for three reasons, which could be summed up as on the basis of "changed facts and manifest errors of law":
(1) the order is an unconstitutional prior restraint on First Amendment protected speech about their academic research, (2) the Computer Fraud and Abuse Act does not prohibit communication of information about computers or computer security, and (3) the MBTA's publication of the defendants' research and presentation slides undermines its claim to injunctive relief.
Illustrating the First Amendment issue, EFF, which is representing the students, points out in this statement by Kurt Opsahl that while the MBTA has been issuing statements to the media about the research, the students are unable to speak in response under the original TRO.
Here's the MIT students' response with supporting material, all PDFs:
Wired now has the audio of the hearing as Ogg! Also wma and mp3.
Here's the students' response as text, followed by the letter:
****************************
UNITED STATES DISTRICT COURT
DISTRICT OF MASSACHUSETTS
MASSACHUSETTS BAY
TRANSPORTATION AUTHORITY
Plaintiff
v.
ZACK ANDERSON, RJ RYAN,
ALESSANDRO CHIESA and the
MASSACHUSETTS INSTITUTE OF
TECHNOLOGY
Defendants
_____________________
Civil Action No. 08-11364-GAO
Date: August 14, 2008
Time: 11AM
DEFENDANTS ANDERSON, RYAN AND CHIESA'S RESPONSE TO PLAINTIFF'S
"MOTION TO MODIFY TERMS BUT NOT DURATION OF TEMPORARY
RESTRAINING ORDER" AND CROSS MOTION FOR RECONSIDERATION
INTRODUCTION AND STATEMENT OF FACTS
This motion is about three MIT students' ability to publish academic research applying
known theories about security weaknesses to transit fare payment systems used by the MBTA.
On Saturday August 9, 2008, District Judge Douglas P. Woodlock restrained Defendants
Anderson, Ryan and Chiesa ("students") from "providing [any] program, information, software
code, or command that would assist another in any material way to circumvent or otherwise
attack the security of Plaintiff MBTA's fare CharlieTicket and CharlieCard fare collection
system." Defendants seek reconsideration of that temporary restraining order on the grounds that
(1) the order is an unconstitutional prior restraint on First Amendment protected speech about
their academic research, (2) the Computer Fraud and Abuse Act does not prohibit
communication of information about computers or computer security, and (3) the MBTA's
publication of the defendants' research and presentation slides undermines its claim to injunctive
1 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 2 of 18
relief.
Anderson, Ryan and Chiesa study computer security with professor Ronald Rivest at the
Massachusetts Institute of Technology. The students applied existing research on stored value
cards commonly used for fare payment in transit systems, including the MBTA's CharlieCard
and CharlieTicket. This experiment confirmed that an attacker could modify the CharlieCard
and CharlieTicket as the existing research predicted, and showed that additional security
measures employed by plaintiff Massachusetts Bay Transportation Authority ("MBTA") were
inadequate to prevent these modifications. The students wrote a paper for Rivest on their
findings and received an "A." They also were accepted to present their research at the DEFCON
computer security conference on August 10, 2008 in Las Vegas, Nevada.
The students and the MBTA attempted to contact each other before the DEFCON
presentation. The parties set a meeting on August 4, 2008. The MBTA sent Sergeant Detective
Richard Sullivan of the MBTA Police, and he brought a special agent from the Federal Bureau of
Investigation with him. The students discussed their research with Sullivan and the FBI agent.
At the end of the meeting, the understanding was that the students would deliver a short
confidential report to the MBTA summarizing their findings and recommendations. The
students did in fact deliver that report as planned and believed in good faith that they had
satisfied all of the MBTA's requests.
Detective Sullivan submitted a declaration in this case, but his declaration is oddly silent
on what the students discussed at that meeting and what the parties' agreement was. Detective
Sullivan's declaration does not acknowledge that, as a result of the August 4 meeting, the
students were unaware that MBTA had further demands until the afternoon of Friday, August 8
when the MBTA filed this lawsuit.
2 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 3 of 18
On the afternoon the suit was filed, and after the students had left Massachusetts for
Nevada, MBTA appeared ex parte before Judge Woodlock, who was the duty judge. Judge
Woodlock then convened a special court session on Saturday morning to hear this matter. The
hearing was audio recorded. Counsel for the students, who were not notified about the hearing
until after close of business on Friday afternoon, appeared via telephone.
According to counsel's notes, the Court found that 18 U.S.C. § 1030(a)(5)(A) of the
Computer Fraud and Abuse Act prohibits the transmission of information to conference
attendees or other individuals or groups if that transmission potentially causes damage to a
protected computer. The Court also rejected the students' assertion that any restraining order
would be an unconstitutional prior restraint on First Amendment protected speech. The court
then enjoined and restrained the students "from providing program, information, software code,
or command that would assist another in any material way to circumvent or otherwise attack the
security of the Fare Media System. [sic]" Order at p. 2. The temporary restraining order
("TRO") runs for ten days. Federal Rule Civil Procedure 65(b)(2). As a result of the temporary
restraining order the students did not give their presentation at DEFCON and have refrained from
commenting on the substance of their research. While the students are no longer able to present
their talk at the security conference, and have no plans to present the DEFCON talk in other
forums, they wish to publish detailed information concerning the security vulnerability
uncovered by their research to an interested public.
On August 11, 2008, after the date for the presentation had passed and after defendants
had informed them that they were planning to seek reconsideration of the restraining order,
Plaintiff MBTA filed a "Motion to Modify Terms but not Duration of TRO". The requested
modification attempts to narrow the current TRO by inserting the phrase "non-public" between
3 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 4 of 18
"providing" and "program ..." so that it would enjoin defendants "from providing program,
non-public information, software code, or command that would assist another in any material
way to circumvent or otherwise attack the security of the Fare Media System. [sic]"
STANDARD FOR GRANTING A MOTION FOR RECONSIDERATION
The TRO was granted pursuant to Fed. R. Civ. P. 65. As such, the MBTA was required
the demonstrate (and the Court was required to find):
(1) a substantial likelihood of success on the merits, (2) a significant risk of
irreparable harm if the injunction is withheld, (3) a favorable balance of
hardships, and (4) a fit (or lack of friction) between the injunction and the public
interest.
Nieves-Márquez v. Puerto Rico, 353 F.3d 108, 120 (1st Cir. 2003) (citation omitted). An
"[i]njunction is an equitable remedy which should not be lightly indulged in, but used sparingly
and only in a clear and plain case." Plain Dealer Publishing Co. v. Cleveland Type. Union # 53,
520 F.2d 1220, 1230 (6th Cir. 1975), cert. den. 428 U.S. 909 (1977). "The reluctance to exercise
this drastic power should be especially great where temporary relief is sought." Kass v. Arden-Mayfair, Inc., 431 F. Supp. 1037, 1047 (C.D. Cal. 1977).
A court may grant a motion for reconsideration when the court has misunderstood a party
or there is a significant change in the law or facts since the submission of the issues to the court
by the parties. Reyes Canada v. Rey Hernandez, 224 F.R.D. 46, 48 (D.P.R.2004) (citing Bank of
Waunakee v. Rochester Cheese Sales, Inc., 906 F.2d 1185, 1191 (7th Cir.1990)). Under
Fed.R.Civ.P. 59(e), a party may direct the district court's attention to newly discovered material
evidence or a manifest error of law or fact enabling the court to correct its own errors. Aybar v.
Crispin-Reyes, 118 F.3d 10, 15 (1st Cir. 1997).
In this motion for reconsideration, the students draw the Court's attention to the
following changed facts and manifest errors of law. First, the DEFCON conference at which the
students planned to present their research has now passed and the students did not give their talk.
They no longer plan to present that talk, but merely want to publicly explain and verify the
4 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 5 of 18
security vulnerability uncovered by their research. Second, most, if not all, of the significant
facts known to the students about the Fare Media System are now public, either because they are
contained in the slides prepared for and distributed at DEFCON before the TRO issued, or
because the MBTA filed research information provided to it by the students on the public docket
in this case.
Additionally, the court was wrong to give legal weight to MBTA's version of
"responsible disclosure". See Memo. ISO Plaintiff's Motion for TRO (Dkt. No. 3) at pp. iv-vi.
(arguing for a court order enforcing MBTA's view of responsible disclosure). Contrary to the
MBTA's arguments, "responsible disclosure" means only that security professionals must
carefully consider when and how to disclose vulnerability information. The "responsible
disclosure" norm is not to withhold all details until the vendor or insecure party has a chance to
fix, but to take reasonable steps to avoid inadvertently teaching others how to exploit the flaw.
See Declaration of Marcia Hofmann (hereafter "Hofmann Decl."), Exhibit A, Letter From
Computer Science Professors and Computer Scientists at 4-5. Withholding key information
about the flaws one discovers while publishing other information, as the students here did, is
responsible. This is because disclosure can help security as much or more than hurt it, under
certain circumstances. See, e.g. Swire, Peter P., A Model for When Disclosure Helps Security:
What is Different About Computer and Network Security? Journal on Telecommunications and
High Technology Law, Vol. 2, 2004. Available at SSRN: http://ssrn.com/abstract=531782.
The students also base this motion on two manifest errors of law the holding that the
CFAA prohibits the communication of information about security problems with computers to
any person and the holding that the TRO strikes an acceptable balance between MBTA's
financial interests and the students' constitutionally protected speech. The "likelihood of success
is the touchstone of the preliminary injunction inquiry." Philip Morris, Inc. v. Harshbarger, 159
F.3d 670, 674 (1st Cir. 1998). As discussed in detail below, these manifest errors in law show
that the MBTA was never likely to succeed on the merits.
5 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 6 of 18
The First Circuit does "not find irreparable injury where only money is at stake and
where the plaintiff has a satisfactory remedy at law to recover the money at issue." Foxboro Co.
v. Arabian American Oil Co., 805 F.2d 34, 36 (1st Cir. 1986). Even a claim of irreparable injury
based on an assertion that damages is "not readily susceptible of calculation and likely would not
be recovered from the defendants;" Public Service Co. of New Hampshire v. Town of West
Newbury, 835 F.2d 380, 382 (1st Cir. 1987), is to be closely scrutinized, and "[s]peculative
injury does not constitute a showing of irreparable harm." Id. at 383.
The MBTA's argument on irreparable harm focuses on trade secret law. See Memo. ISO
Plaintiff's Motion for TRO (Dkt. No. 3) at pp. iv. This is inapposite. As an initial matter, the
MBTA has made no trade secret claim. See generally Complaint. Second, trade secrecy law
does not protect against reverse engineering, which is all that is claimed here. See e.g. Complaint
at ¶ 37; see generally Baystate Technologies, Inc. v. Bentley Systems, Inc., 946 F.Supp. 1079,
1090-1091 (D.Mass. 1996); Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470 (1974) (holding that
reverse engineering is a "fair and honest means" to obtain a trade secret).
Instead the potential harm that MBTA fears is only economic the possibility that
someone might learn from the student's research sufficient information to evade fare payment.
Moreover, it is very speculative, since the students have repeated told the MBTA that the
students never intended to disclose key details in the public presentation. MBTA admits, as it
must, that the "MIT Undergrads stated that they did not intend to harm the MBTA." Complaint
at ¶ 50. As noted by security professional Eric Johanson, "key information needed to
compromise both the Charlie Ticket and the Charlie Card is not present in the Slides." Johanson
Decl. (Dkt. No. 14) at ¶ 11. For example, "[t]he Slides depict a field called `checksum,' and
show that it changes when the ticket value changes, but do not describe how to compute the
checksum." Id. at ¶ 23; see also Confidential Vulnerability Report ("CVR") filed as Henderson
Decl. Exhibit 1 (Dkt. No. 10-1) at 2 ("We have purposefully omitted details of this checksum in
any public disclosures...").
6 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 7 of 18
To the extent that the MBTA has increased the risk of harm by filing the CVR in the
public docket, it should not be able to place responsibility on the students.
The balance of hardships also favors the students. When a court balances the hardships, it
"must be concerned not only with possible injury to a plaintiff but also with possible injury to the
defendant." Everett J. Prescott, Inc. v. Ross, 383 F. Supp. 2d 180, 191 (D. Me. 2005). "The loss
of first amendment freedoms, for even minimal periods of time, unquestionably constitutes
irreparable injury." Elrod v. Burns, 427 U.S. 347, 373 (1976) (plurality opinion of Brennan, J.).
As noted in the Complaint, the "MIT Undergrads [were] scheduled to give their 'The
Anatomy of a Subway Hack' presentation at 1:00 on Sunday, August 10, 2008." Complaint at ¶
47 (Dkt. No. 1). The conference is now over, the students were silenced, and the presentation
will never be given. Hofmann Decl. at ¶¶ 3-4. Even though the Defcon conference is over, the
students remain enjoined from disclosing the fruits of their security research, or otherwise
demonstrating the security flaws in the MBTA's systems. This restriction causes the students
great hardship.
On Monday, August 11, the MBTA filed a motion which raised the question of "whether
this is in fact a 'prank,' or whether the MIT Undergrads are in fact able to compromise the Fare
Media System in the manner they publicly claim." Motion to Modify Terms But Not Duration
of Temporary Restraining Order at 3 (Docket No.16). Likewise, on August 12, the MBTA said
to the Boston Globe:
"There have been claims in the past that have been made against our card or other
cards, and, happily, they've all been able to be dismissed or dealt with," said
Daniel A. Grabauskas, general manager of the Massachusetts Bay Transportation
Authority. "I'm confident it will be the same thing here."
Christopher Baxter & Hiawatha Bray, MIT students' report makes security recommendations to
T, Boston Globe (August 12, 2008). Thus, the MBTA is publicly questioning whether the
reports that the transit agency is not sufficiently secure are true. The students' research has raised
valid concerns about the security of the MBTA's stored value cards, and the students reject the
7 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 8 of 18
notion that their research was nothing more than a "prank." However, under the terms of the
TRO, the students are unable to effectively participate in this public debate.
Likewise, the public interest strongly favors disclosure. "The public interest carries
considerable weight in these matters. ... The court must weigh any hindrance or furtherance of
the public interest likely to result from interim injunctive relief." Sheck v. Baileyville School
Committee, 530 F. Supp. 679, 693 (D. Me. 1982) (citing Yakus v. United States, 321 U.S. 414,
440-41 (1944)). "Protecting rights to free speech is ipso facto in the interest of the general
public." Westfield High School L.I.F.E. Club v. City of Westfield, 249 F. Supp. 2d 98, 128 (D.
Mass. 2003) (citing Machesky v. Bizzell, 414 F.2d 283, 289 (5th Cir. 1969) ("First Amendment
rights are not private rights ... so much as they are rights of the general public.")).
As an initial matter, open discussion of security vulnerabilities is in the public interest:
Although presentations on security vulnerabilities often discuss how weaknesses
might be exploited, prohibition of open discussion and publication of security
vulnerabilities greatly harms the ability of researchers to function, and has a
chilling effect not only on publication, but on whether some important research is
done in the first place, greatly stifling scientific advancement.
Johanson Decl. (Dkt. No. 14) at ¶ 16; see generally id. at ¶¶ 12-18.
Moreover the question of whether or not the MBTA, "a political subdivision of the
commonwealth," MGL § 161A-2, is adequately performing its public services remains clouded.
Media from Boston and all over the world are now inquiring as to whether the MBTA has
adequate security. Hofmann Decl. at ¶ 6. Again the students are unable to participate
meaningfully in that debate. Id.
It is in the public interest for the residents of the commonwealth to know truthful
information about the performance of the security operations of a political subdivision of the
commonwealth, which is subsidized by billions in public funds. See Complaint at ¶ 19-20
(detailing the billions of tax dollars MBTA received since the 1960s); see also News Group
Boston, Inc. v. National R.R. Passenger Corp., 799 F. Supp. 1264 (D. Mass. 1992) (recognizing
public interest in opening the operations of a quasi-government transportation agency to the
8 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 9 of 18
scrutiny of the public and allowing oversight of operations of a company which is subsidized by
taxpayer monies).
I. THE COMPUTER FRAUD AND ABUSE ACT PROHIBITS THE
TRANSMISSION OF INFORMATION OR CODE TO A PROTECTED
COMPUTER THAT HARMS THAT COMPUTER, NOT THE
COMMUNICATION OR DELIVERY OF NON-CLASSIFIED
INFORMATION OR CODE TO ANY PERSON OR PERSONS
The Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030(a)(5)(A), is a criminal
statute targeting unauthorized access to computers, and not the communication of information to
other individuals, as Judge Woodlock has held. This is based on five arguments.
First, the text of the section indicates--by the placement of a comma before the clause "to
a protected computer"--that the offender must both transmit information to the protected
computer and cause damage to that same computer. An offender must transmit information to
and harm a protected computer, not to another person, to violate section 1030(a)(5)(A). That
section reads:
Whoever ... knowingly causes the transmission of a program, information, code,
or command, and as a result of such conduct, intentionally causes damage without
authorization, to a protected computer; and [causes or would have caused certain
specified loss or harm] shall be punished as provided in subsection (c) of this
section.
18 U.S.C. § 1030(a)(5)(A). If possible, the Court must "'give effect ... to every clause and word
of a statute.'" See Duncan v. Walker, 533 U.S. 167, 174 (2001) (quoting United States v.
Menasche, 348 U.S. 528, 538-39 (1955)). There is a comma between the word "authorization"
and the clause "to a protected computer." That comma indicates that "to a protected computer"
modifies both the preceding clauses. Both the transmission and the damage must be to a
protected computer.
Second, the plain language of the statute indicates that "transmission of information"
does not mean "communication of information." This is most easily seen by comparison to
9 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 10 of 18
section 1030(a)(1) , which expressly includes a prohibition on "communication" of information
about computers deemed to be protected for national defense and related specific purposes.
Section 1030(a)(1) states that:
Whoever-- having knowingly accessed a computer without authorization or
exceeding authorized access, and by means of such conduct having obtained
[Government classified] information ... with reason to believe that such
information so obtained could be used to the injury of the United States, or to the
advantage of any foreign nation willfully communicates, delivers, transmits, or
causes to be communicated, delivered, or transmitted, or attempts to
communicate, deliver, transmit or cause to be communicated, delivered, or
transmitted the same to any person not entitled to receive it ... shall be punished
as provided in subsection (c) of this section.
(Emphasis added.). Where Congress intended to prohibit the dissemination of information to
other persons, it clearly indicated so with specific language to that effect. It did not do so in
section 1030(a)(5)(A) relied on by the plaintiffs here.
Thus, as the statute itself makes clear, when Congress seeks to control the dissemination
of information, it uses the words "communicate" and "deliver" in addition to "transmit," and
specifies that the information it seeks to control may not be given "to any person" not entitled to
receive it. These phrases are not included in section 1030(a)(5)(A), showing that that section
does not apply to or regulate the dissemination of information to persons.
Third, the legislative history of the CFAA shows that Congress intended "transmission"
as a technological term used to refer to sending digital programs, software, code or information
to a computer. ""Transmission does not refer speech or other forms of communication to human
beings. See The Introduction of the National Information Infrastructure Protection Act, 104th
Congress (1996) (Statement of Hon. Bob. Goodlatte in the House of Representatives) (The
provision at issue here "would . . . penalize any person who uses a computer to cause the
transmission of a computer virus or other harmful computer program to Government and
financial institution computers."). This interpretation has been confirmed by the United States in
a criminal prosecution under the statute. See Government's Motion for Reversal of Conviction,
Memorandum of Points and Authorities, Declaration of Ronald L. Cheng, filed in United States
10 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 11 of 18
v. McDanel, Ninth Circuit Court of Appeals No. 03-50135 and attached as Exhibit B to the
Hofmann Decl.
Because the Court misread section 1030, there is no legal basis for the TRO, which was
expressly based only on that provision. For this reason, the order was erroneously entered and
should be dissolved. Furthermore, to the extent that the CFAA provision is read to allow the
prior restraint of communication of truthful information to people-- as distinguished from
transmission from one computer that harms another -- the statute would be in tension with the
First Amendment. As such, the doctrine of constitutional avoidance should lead the court to
adopt an interpretation of the CFAA that does not raise questions about whether the statute
impermissibly burdens First Amendment-protected speech.
The legislative history of the CFAA shows that Congress intended "transmission" as a
technological term used for sending digital programs, software, code or information to a
computer, and not including speech to other human beings. Until 1994, the CFAA generally
prohibited unauthorized access to computers. By that point, however, Congress had become
familiar with the problem of computer viruses that damage computers but do not give a
trespasser unauthorized access. As such, the statute was amended to include a prohibition on
damaging computers through unlawful transmissions of viruses from one computer to another.
See 18 U.S.C. § 1030(a)(5) (1994). As Senator Leahy explained:
[C]omputer abusers have developed an arsenal of new techniques which result in
the replication and transmission of destructive programs or codes that inflict
damage upon remote computers to which the violator never gained "access" in the
commonly understood sense of that term. The new subsection of the CFAA
created by this bill places the focus on harmful intent and resultant harm, rather
than on the technical concept of computer "access."
Violent Crime and Control and Law Enforcement Act of 1994 - Conference Report, 103rd Cong.
(1994) (Statement of Sen. Leahy).
In 1996, Congress adjusted the 1994 provisions to the language we see in section
1030(a)(5)(A) today. The legislative history shows that Congress intended the provision to
prohibit damaging transmissions of computer viruses and the like from one computer to another:
11 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 12 of 18
The bill would also penalize any person who uses a computer to cause the
transmission of a computer virus or other harmful computer program to
Government and financial institution computers not used in interstate
communications, such as intrastate local area networks used by Government
agencies that contain sensitive and confidential information.
The Introduction of the National Information Infrastructure Protection Act, 104th Congress
(1996) (Statement of Hon. Bob. Goodlatte in the House of Representatives), (emphasis added).
The legislative history is further proof that the CFAA does not regulate speech about computers,
but attacks on computers, whether through unauthorized access or through computer viruses,
"worms" and the like.
"'[I]t is a cardinal principle' of statutory interpretation ... that when an Act of Congress
raises 'a serious doubt' as to its constitutionality, 'this Court will first ascertain whether a
construction of the statute is fairly possible by which the question may be avoided.'" See, e.g.,
Zadvydas v. Davis, 533 U.S. 678, 689 (2001) (quoting Crowell v. Benson, 285 U.S. 22, 62
(1932); Ashwander v. Tennessee Valley Authority, 297 U.S. 288 (1936) (Brandeis, J.,
concurring)). To the extent that the CFAA regulates information about computer security flaws,
it is a content-based speech regulation, presumptively unconstitutional and subject to strict
constitutional scrutiny.
II. THE TEMPORARY RESTRAINING ORDER IS AN UNCONSTITUTIONAL
PRIOR RESTRAINT ON PROTECTED SPEECH AND MUST BE
OVERTURNED
This TRO is an unconstitutional prior restraint that must be overturned, and no
preliminary injunctive relief could constitutionally issue in the alternative. A prior restraint is a
government regulation that limits or conditions in advance the exercise of protected First
Amendment activity. Prior restraints are extremely disfavored and rarely, if ever, upheld. The
Supreme Court has rejected prior restraints in cases involving national security, and cases where
12 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 13 of 18
the information to be published has been illegally obtained, whether by a third party or by the
speaker. The TRO here, which has already resulted in preventing the students from presenting
their research publicly and which continues to gag them from discussing their factual findings, is
unjustified, vague and overbroad. It must be rejected and no TRO or other restraining order
should issue at least until there has been a full trial on the merits to determine whether the
students have (1) committed the alleged torts and (2) whether their conduct or the content of their
research means that their research findings are not constitutionally protected.
A judicial injunction that prohibits speech prior to a determination that the speech is
unprotected constitutes a prior restraint. Near v. Minnesota, 283 U.S. 697, 719 (1931). Any prior
restraint is the most dangerous imposition on individuals' freedom of speech. Nebraska Press
Ass'n v. Stuart, 427 U.S. 539, 559 (1976) ("Prior restraints on speech and publication are the
most serious and least tolerable infringement on First Amendment rights"). Therefore, request
for such a restraint "comes to [the] Court bearing a heavy presumption against its constitutional
validity." New York Times Co. v. United States, 403 U.S. 713, 714 (1971). See also Auburn
Police Union v. Carpenter, 8 F.3d 886, 903 (1st Cir. 1993).
"In the case of a prior restraint on pure speech, the hurdle is substantially higher [than for
an ordinary preliminary injunction]: publication must threaten an interest more fundamental than
the First Amendment itself. Indeed, the Supreme Court has never upheld a prior restraint, even
faced with the competing interest of national security or the Sixth Amendment right to a fair
trial." (Proctor & Gamble Co. v. Bankers Trust Co., 78 F.3d 219, 226-227 (6th Cir. 1996); cf.
Nebraska Press Assn. v. Stuart, 427 U.S. 539, 563 (1976) (the Sixth Amendment right of a
criminal defendant to a fair trial does not outrank the First Amendment right of the press to
publish information); New York Times Co. v. United States (1971) 403 U.S. 713, 718-726
("national security" interest in suppressing classified information in the Pentagon Papers did not
outrank First Amendment right of press to publish classified information). "[I]t is clear that few
things, save grave national security concerns, are sufficient to override First Amendment
interests." United States v. Progressive, Inc. 467 F. Supp. 990, 992 (DC Wisc. 1979) (court
13 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 14 of 18
issued prior restraint on publication of technical information about hydrogen bomb only because
it found that such information was analogous to information about troop movements which
posed a grave threat to national security).
The Plaintiff has not and cannot justify a prior restraint on the speech at issue in this case,
as explained below. First, truthful scientific speech, including instructions that enable the
recipient to use the scientific information for an illegal purpose, are constitutionally protected.1
For example, information about how to cultivate marijuana or how to pick a lock is
constitutionally protected. Second, the speech remains protected even if the students obtained
the information illegally (which they did not) or if another party could use the information for
illegal purposes. Third, the information is on a matter of public interest. In contrast, the
MBTA's interests do not come close those of the government in the Pentagon Papers case, which
also failed to justify a prior restraint on publication.
This TRO limits the exercise of the students' free speech, despite the fact that the First
Amendment protects scientific speech. Courts have subjected restrictions on the dissemination of
technical scientific information and scientific research to First Amendment scrutiny. United
States v. Progressive, Inc., 467 F. Supp. 990 (W.D. Wis. 1979); Board of Trustees of Stanford
University v. Sullivan, 773 F. Supp. 472, 473 (D.D.C. 1991). Instructions are also
constitutionally protected expression. See, e.g., United States v. Raymond, 228 F.3d 804, 815
(7th Cir. 2000) (First Amendment protects instructions for violating the tax laws, but not where
such instructions are an incitement to imminent unlawful activity); United States v. Dahlstrom,
713 F.2d 1423, 1428 (9th Cir. 1983) (same); Herceg v. Hustler Magazine, Inc., 814 F.2d 1017,
1020-25 (5th Cir. 1987) (First Amendment protects instructions for engaging in a dangerous sex
act); see also Bernstein v. United States Department of State, 922 F. Supp. 1426, 1435 (N.D. Cal.
1996) ("Instructions, do-it-yourself manuals, [and] recipes" are all "speech"). Thus the TRO in
14 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 15 of 18
this matter, which continues to prevent the students from publicly discussing scientific facts and
research that they have conducted, is an unconstitutional prior restraint.
The TRO as initially granted restricted the students from providing true, publicly known,
legally acquired information about the MBTA's CharlieCards and CharlieTickets in violation of
the First Amendment. See Veilleux v. National Broadcasting Co., 206 F.3d 92, 127 (1st Cir.
2000) (truthful information is more deserving of protection than false information). The current
TRO as the MBTA suggests that it be modified still restricts the students from providing true,
legally acquired information about these cards This restriction also violates the First
Amendment. Id. See also Bartnicki v. Vopper, 532 U.S. 514, 535 (2001) (the publication of even
illegally-acquired information enjoys some First Amendment protection).
This conclusion does not change even if other people could use the information contained
in the students' presentation for criminal purposes. Settled precedent provides that even such
information is constitutionally protected. The Supreme Court has stated that while there are
some rare occasions in which a law suppressing one party's speech may be justified by an
interest in deterring criminal conduct by another, these occasions are extremely rare, and only
occur when the speech at issue is of extremely low value. Id. at 530 (referring to child
ibiblioography). The speech at issue here is of much higher value than ibiblioography,
consisting of facts learned from scientific investigation and analysis. Most speech that is alleged
to be "crime facilitating" has both harmful and valuable uses, including some that are not
initially obvious. Eugene Volokh, Crime-Facilitating Speech, 57 STAN. L. REV. 1095, 1105
(2005).
For example, the letter from computer science professors and computer scientists
discusses the ways in which disclosure of security vulnerability information promotes security
rather than defeats it, regardless of the wishes of the entity whose systems are weak. Hofmann
Decl. Exhibit A at 2 ("Researchers discover flaws. They invent new and improved ways to detect
and correct flaws, and they invent new and improved approaches to system design and
implementation. This investigative approach has driven the computer systems field forward at an
15 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 16 of 18
extraordinary pace for more than half a century"); see also 5 ("When large public security
systems are at issue, the norm in our field is that researchers take reasonable steps avoid
inadvertently teaching others how to exploit the flaw. ... Yet at the same time that researchers
need to act responsibly, vendors should not be granted complete control of the publication of
such information, as it appears MBTA sought here.")
Because disclosure can benefit security and because security researchers need to make
careful decisions about how much detail about a particular security risk they should make public,
prohibiting vulnerability disclosure before any adjudication of criminality or constitutionality is
unconstitutional. Recognition that it is hard to judge whether speech is "good" or "bad" ahead of
time is the basis for the constitutional distaste for prior restraints.
Even if the information contained in the students' presentation was itself obtained
illegally, which it was not, that information is constitutionally protected and my not be the
subject of a prior restraint. In In re King World Productions, Inc., 898 F.2d 56 (6th Cir. 1990),
the Sixth Circuit overturned a temporary restraining order prohibiting a news program from
airing video footage it illegally taped of a doctor allegedly engaging in malpractice. Similarly, in
CBS, Inc. v. Davis, 510 U.S. 1315 (1994), a television network obtained undercover footage at a
South Dakota meat packing plant that it intended to air. The packing plant operator obtained an
order restraining the network from broadcasting its footage. The Court vacated the temporary
restraining order: "Although the prohibition against prior restraints is by no means absolute, the
gagging of publication has been considered acceptable only in 'exceptional circumstances.'" Id.
at 1317.
These are not exceptional circumstances. The students' research on the MBTA's fare
payment system is a matter of great public concern. Even before this case occurred, both the
Boston Globe and the Boston Herald published articles on security flaws with the CharlieCard.
Bray, Hiawatha, "T Card Has Security Flaw, Says Researcher", Boston Globe, March 6, 2008;
Szaniszlo, Marie, "Research: Charlie Card is Far From Hack Proof", Boston Herald, March 6,
2008. On the other hand, the MBTA's interest in keeping this information quiet is certainly no
16 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 17 of 18
greater than that of the government in squelching the Pentagon Papers. Nor is the possibility that
someone may use the information to get free subway rides sufficient reason to suppress
publication of the research.
Finally, the scope of this TRO is both overbroad and vague. The initial TRO
unconstitutionally prohibited discussion even of information the plaintiff placed in the public
record. MBTA has moved to narrow the TRO to only "non-public" information in recognition of
this problem, but this limitation does not resolve the issue. is the TRO remains vague because it
is uncertain what information materially helps another person to circumvent the security of the
Fare Media System. As the court stated, merely drawing attention to a security problem could
focus an attacker on the fact that a particular attack can be done and might be worth trying. The
attacker no longer has to wonder whether it is possible; it is. Just that fact might materially assist
someone. It is impossible to know in advance, and neither the court nor MBTA could give any
clear guidance, which is why counsel felt compelled to advise the students that they could not
give their presentation at the Defcon conference. As the Court itself recognized, red-penciling
the student presentation to delete objectionable material was not a viable option, the injunction
meant that the students might choose not to go forward with their talk, and that if they did, they
faced the possibility of contempt charges. Thus, the TRO chilled protected speech.
///
17 Case 1:08-cv-11364-GAO Document 23 Filed 08/12/2008 Page 18 of 18
CONCLUSION
For the foregoing reasons, the students request that this court vacate the temporary
restraining order.
Dated: August 12, 2008
DEFENDANTS ANDERSON, RYAN
AND CHIESA
By their attorneys,
/s/ Emily A. Berger
Emily A. Berger, BBO No. 650,841
[email]
Jennifer Stisa Granick, CA Bar No. 168423
[email]
Kurt Opsahl, CA Bar No. 191303
[email]
Marcia Hofmann, CA Bar No. 250087
[email]
ELECTRONIC FRONTIER FOUNDATION
18
1
Nor do First Amendment protections disappear if the MBTA does not approve of the tone of the speech.
As Justice Frankfurter wrote, the right of free expression "means not only informed and responsible criticism but the
freedom to speak foolishly and without moderation." Baumgartner v. United States, 322 U.S. 665, 674 (1944).
*****************************************
*****************************************
EXHIBIT B
Case 1:08-cv-11364-GAO Document 24-3 Filed 08/12/2008 Page 2 of 8
August 11, 2008
Hon. George A. O'Toole, Jr.
United States District Court
Federal District of Massachusetts
[address]
Re: Massachusetts Bay Transportation Authority v. Anderson, et. al,
Case # 08-11364-GAO
Letter from Computer Science Professors and Computer Scientists
Dear Judge O'Toole:
We are computer scientists and researchers, many from the nation's top research
and educational institutions. We write in letter form because we understand that
time is short and that a temporary restraining order is currently in effect preventing
the MIT student researchers from discussing their work. We hope this letter will
assist you in your consideration of the Motion for Reconsideration.
Each of us engages in scientific research relating to computer systems and
technologies. Each of us also engages in the routine publication and public
discussion of that work. Our specific titles are listed with our signatures below.
We were quite troubled to learn that the Court has enjoined the students from
discussing their research on the MBTA's fare payment system because that
research might materially assist another person in defrauding the system. We
write to express our firm belief that research on security vulnerabilities, and the
sensible publication of the results of the research, are critical for scientific
advancement, public safety and a robust market for secure technologies. Generally
speaking, the norm in our field is that researchers take reasonable steps to protect
the individuals using the systems studied. We understand that the student
researchers took such steps with regard to their research, notably by planning not
to present a critical element of a flaw they found. They did this so that their
audience would be unable to exploit the security flaws they uncovered. We also
believe that restraining orders such as that issued by the court over the weekend
could have a devastating chilling effect on such research in the future.
Hon. George A. O'Toole Jr.
August 11, 2008
Page 2
Factual Background to this Letter
The focus of our letter is not on the specifics of this security research done by the
MIT student researchers. Instead, we wanted to provide you with information
about publishing computer security research and the dangerous impact that
restraining orders such as the one issued here could have on that research.
This letter is based on our understanding of the following facts: the MIT students
performed security research on the payment mechanisms for the MBTA fare
collection system as part of a class project for which they received a superior
grade. The students then submitted a presentation based on that research to the
DEFCON security conference held in Las Vegas from August 6-10, 2008.
The students presented their research to technical representatives of the MBTA
and to the FBI a few days before the conference. They also provided a
confidential paper detailing the problems they found and proposed solutions. The
confidential paper contained technical information not contained in their planned
public presentation. The students informed the MBTA that they were not intending
to release the entire results of their research, but instead were intending to
withhold key pieces of information that could allow replication of their exploits.
We also understand that the students engaged in puffery in advertising their
presentation, stating that it would allow "free subway rides for life."
We are aware that both the slides for the intended presentation and the confidential
paper have now been made widely publicly available, both through the conference
materials submitted prior to the filing of the lawsuit and through filings in the
public docket in this case by the MBTA.
The Nature Of Computer Systems Research
Much research in computer systems is based upon analysis - the careful
examination of existing systems and approaches in order to understand what
works well and what works poorly. Researchers discover flaws. They invent new
and improved ways to detect and correct flaws, and they invent new and improved
approaches to system design and implementation. This investigative approach has
driven the computer systems field forward at an extraordinary pace for more than
half a century.
Analysis is no less important when the system being studied is used to pay for
public transit or any other public function. The best security systems are not one-
off systems designed from scratch for single use, but designs that build upon prior
Hon. George A. O'Toole Jr.
August 11, 2008
Page 3
research. For this reason, it is critical that the researchers and engineers developing
new systems be able to study existing ones for advantages and flaws. In turn, a
system's ability to withstand repeated attacks best allows engineers and the public
to trust its security. At a recent major computer security conference, for instance,
about 15% of the papers presented were papers describing attacks on technical
systems. Such research is broadly accepted in the profession.
The Importance Of Open Discussion And Publication To Computing
Research
Open discussion of computing research and publication of its results is essential to
the conduct of computing research. The computing research community is large -
many thousands of individuals who follow the literature of security research. In
computer science research, the "literature" includes code, algorithms, and their
analysis.
Broad review and critique are fundamental to the advancement of research. There
is a long history of open research in computer security and information hiding. It
is no exaggeration to say that most of the security and information hiding
technologies upon which we rely today are the products of this open research
process.
The Importance Of Open Discussion And Publication On Public Safety And
The Market
The restraining order at issue in this case also fosters a dangerous information
imbalance. In this case, for example, it allows the vendors of the technology and
the MBTA to claim greater efficacy and security than their products warrant, then
use the law to silence those who would reveal the technologies' flaws. In this case,
the law gives the public a false sense of security, achieved through law, not
technical effectiveness. Preventing researchers from discussing a technology's
vulnerabilities does not make them go away - in fact, it may exacerbate them as
more people and institutions use and come to rely upon the illusory protection. Yet
the commercial purveyors of such technologies often do not want truthful
discussions of their products' flaws, and will likely withhold the prior approval or
deny researchers access for testing if the law supports that effort.
As an example, computer anti-virus experts rely heavily on public dissemination
of timely information about threats on the horizon. For instance, the "Code Red"
worm released a few years ago was designed to spread rapidly for about a week,
and it was very successful at infecting more than 200,000 computers. Security
Hon. George A. O'Toole Jr.
August 11, 2008
Page 4
researchers across the country rallied together in a concerted effort to blunt the
attack, and discovered through last-minute reverse engineering (disassembly) that
the worm was designed to make all infected machines attack the White House web
server on a specified date. With only a few days to counter this threat, experts
were able to study the reverse engineered worm to identify a weakness of the
attack and counter it, protecting the White House web server and others. This
containment of the Code Red worm would not have been possible without
immediate, unrestricted public dissemination of full information about its spread,
which included open discussion of the flaws it exposed in other computer
software.
Similarly, in 1989 complexity theorists Adi Shamir and Eli Biham invented the
technique called differential cryptanalysis, which called into question the strength
of various ciphers. The research prevented weaker systems from being adopted to
replace the famous DES block cipher, which was then being used by all
commercial banking systems and by the U.S. government. Nonetheless, the two
scientists were treated as heroes rather than criminals. The publication of a new
means of attacking encryption called differential cryptanalysis - made it possible
for the research community to design the AES block cipher, which is vastly more
secure as a result of this understanding and is now the federal encryption standard.
This free flow of information also helps the market. With free flow of information
about the cost and quality of different payment and security schemes, market
forces should lead to the production of better and cheaper schemes. By chilling the
flow of information about the quality of competing fare collection schemes, orders
such as that issued by the court cripple the market's ability to reward higher quality
schemes.
The analogy to the research done by the MIT students is obvious. A break in the
security system for payments on the MBTA system teaches how to design better
systems. If a break exists it will be discovered. It is much better from everyone's
perspective if researchers discover the break and publish it than if unscrupulous
discoverers of the break exploit it without public notice. While the publication
need not always contain every detail necessary to allow criminal exploitation of
the flaw, as the students here rightly decided, the fact of the security flaw should
not have been hidden from the public.
Responsible Security Disclosures
It is the case that security researchers need to make careful decisions about how
much detail of a particular security break they should make public. Generally
Hon. George A. O'Toole Jr.
August 11, 2008
Page 5
speaking, when large public security systems are at issue, the norm in our field is
that researchers take reasonable steps avoid inadvertently teaching others how to
exploit the flaw. From what we understand of the facts, the MIT student
researchers took such steps in planning their presentation, withholding key
information about the flaws they discovered. They also intended to do the same in
the future, although this might not be necessary any more since we understand that
the MBTA has now voluntarily placed that same information in the public record
in this case.
Yet at the same time that researchers need to act responsibly, vendors should not
be granted complete control of the publication of such information, as it appears
MBTA sought here. As noted above, vendors and users of such technologies often
have an incentive to hide the flaws in the system rather than come clean with the
public and take the steps necessary to remedy them. Thus, while researchers often
refrain from publishing the technical details necessary to exploit the flaw, a legal
ban on discussion of security flaws, such as that contained in the temporary
restraining order, is especially troubling.
Chilling Effect of the Court's Order
The court's order, if not lifted, will chill research and publication when the
technologies or systems in question are used to collect payments on public
transportation. Fears of violating vaguely-defined prohibitions are expected to lead
researchers to choose "safer" topics of study and to censor their publications rather
than risk lawsuits.
In particular, the court's ruling that "transmission" of a computer program to a
computer system could include a public presentation about flaws in the security of
the system is especially troubling. It is even more so here because we understand
that key portions of the research needed to duplicate the attack were not going to
be presented at the conference and will not be presented in the future.
Hon. George A. O'Toole Jr.
August 11, 2008
Page 6
Conclusion
In sum, we are concerned that the pall cast by the temporary restraining order will
stifle research efforts and weaken academic computing research programs. In turn,
we fear the shadow of the law's ambiguities will reduce our ability to contribute to
industrial research in security technologies at the heart of our information
infrastructure. We urge that you reconsider and remove the temporary restraining
order issued on August 10, 2008.
Sincerely,
Professor David Farber
Distinguished Career Professor of Computer Science and
Public Policy in the School of Computer Science
Carnegie Mellon University
Professor Steven M. Bellovin
Professor of Computer Science
Columbia University
Professor David Wagner
Associate Professor of Computer Science
University of California at Berkeley
Professor Dan Wallach
Associate Professor of Computer Science
Rice University
Professor Tadayoshi Kohno
Assistant Professor of Computer Science and Engineering
University of Washington
Professor David Touretzky
Research Professor
Computer Science Department &
Center for the Neural Basis of Cognition
Carnegie Mellon University
Hon. George A. O'Toole Jr.
August 11, 2008
Page 7
Patrick McDaniel
Co-Director Systems and Internet
Infrastructure Security Laboratory (SIIS)
Pennsylvania State University
Professor Lorrie Faith Cranor
Associate Professor of Computer Science
and Engineering and Public Policy
Carnegie Mellon University
Professor Matthew Blaze
Associate Professor of Computer and Information Science
University of Pennsylvania
Stefan Savage
Associate Professor
Department of Computer Science and Engineering
University of California, San Diego
Bruce Schneier
Chief Security Technology Officer, BT
|