GROKLAW
Judge Lifts Restraining Order: MIT Students Win - Updated
Tuesday, August 19 2008 @ 02:39 PM EDT

Kurt Opsahl of EFF has just announced that the restraining order on the MIT students has been lifted:
Today, Judge George O'Toole lifted the gag order on three MIT students who were sued by the Massachusetts Bay Transportation Authority for discovering a security vulnerability in the MBTA's fare payment system. The Court found that the MBTA was not likely to prevail on the merits of its claim under the federal Computer Fraud and Abuse Act. MBTA had argued that the CFAA, which prohibits the transmission of a program that causes damage to a computer, also covers "verbal transmission," such as talking to people at conferences. Judge O'Toole, however, looked closely at the statute, and held that the CFAA does not apply to security researchers like the students talking to people. More details to follow.

[Update: The MBTA had sought to convert the temporary restraining order into a preliminary injunction to last for five months, to give them time to fix the vulnerabilities -- here's the motion [PDF] -- and that was denied. This motion is worth reading, if only to see why this thing swirled out of logical bounds. One issue is that when the MBTA hears the word hacker, they seem to think it means cracker, and they viewed the DefCon conference as a meeting where people go to learn how to break into other people's stuff, which naturally panicked them. And they seem to imagine that using Wireshark, which used to be called Ethereal, is "illegal activity", as you can read on page 25. Nor did they understand geek humor. Just a real culture clash, with misunderstandings that led to litigation that now seems to be resolvable, now that the MBTA's attorney says he wants to meet with the students, to learn more about their research findings.]

So the attempt to stretch the Computer Fraud and Abuse Act has failed. Please read the statute for yourself, and ask yourself: do you want talking about computers and security to become a crime punishable by fines and imprisonment and subject to FBI and Secret Service oversight? That's what almost just happened. You can find the documents in MBTA v. Anderson here. If you read the MBTA's complaint, you'll find the allegations of violations of the CFAA on page 12. I think you'll find the MBTA interpretation of the statute shocking ("... the damage constitutes a threat to public health and safety... affects a computer system used by a government entity for national security purposes..."). The research was about getting a ride on a subway for free. In any case, the judge didn't buy it, with respect to the restraining order.

I first noticed that statute when SCO used it in a Memorandum in Opposition to IBM's Motion for Partial Summary Judgment on its Counterclaim for Copyright Infringement, when SCO alleged IBM had violated the statute by downloading software IBM itself authored from SCO's website. An expert on the statute, Jon Stanley, Esq., wrote an article for Groklaw explaining the statute in light of cases, and he pointed out the following:

Here is an example of how a violation might occur:

1. I access the internet pursuant to my Terms and Service Agreement with my ISP (that I agreed to but, given that there are only 48 hours in a weekend, did not read). This is the contractual instrument that allows my “access” to be “authorized”.

2. Then I violate this instrument’s conditions, and my access is, at the very moment of the violation, “unauthorized”.

3. And since, given that I’m probably staring at the screen, I am therefore “obtaining”… (viewing) “information from a protected computer…”

4. In theory, we have a violation of the CFAA.

Please don’t shoot the messenger. Yes, I think this conclusion is absurd and worrisome. And yes, it may very well mean that every time one checks the stock prices (or whatever) at one’s place of employment, and one does so in violation of one’s agreement to only access the internet for the employer’s purposes, technically one is in violation of the CFAA. How did we get to this point? Glib answer? Spammers -- and lack of imagination, perhaps, on the part of the judiciary.

So, that clued me in to how dangerous this statute could be in the wrong hands. I hope you will read what he wrote in full, so you too will understand why I keep writing about this statute. That IBM motion has not yet been decided, by the way.

Next there was the case IAC v Citrin, where the alleged wrongdoing under CFAA was deleting files. And the incredible case of Healthcare Associates, where a law firm was sued for printing some pages publicly available due to a glitch on Internet Archive. Happily that attempt to use the CFAA creatively failed.

EFF's Hugh D'Andrade explains (scroll down) why this MIT case matters:

At first glance, the issues at play may appear obscure, and of interest only to technical researchers and lawyers. But as we noted in a post last week, the right to publish without pre-publication review is part of the purpose of the 1st amendment, and one of the reasons Americans fought the Revolutionary War. (The MBTA's stance is all the more ironic, considering Boston's role in that war.)

Beyond this core constitutional principle, EFF is defending the ability to conduct security research in the digital age. As we note in our Vulnerability Reporting FAQ, security researchers by definition raise questions that corporations and government agencies would prefer to keep quiet. But by investigating flaws in security, and alerting the public to vulnerabilities, researchers play an important role in keeping private and public institutions accountable....

Moreover, if the MBTA's unprecedented expansion of the federal computer intrusion law (considering a talk to people the same as transmission of a program to a computer, considering a piece of paper with a magnetic stripe to be a computer, etc.) is adopted by the federal court in Boston, it would also have the unintended consequence of chilling future academic research and discussion. An anti-virus researcher, for example, presenting virus code on the PowerPoint screen at an anti-virus software conference, could be charged with a similar offense. Releasing a computer security textbook which describes attacks and defenses to networks would become a crime. The court and the MBTA should think about the consequences beyond the scope of this lawsuit.

The MBTA is also misguided with its notion that anytime a security researcher dares look at a vulnerability, he suddenly has an obligation to provide the vendor of the faulty code with all of the research materials and to stay silent until the vendor decides he can speak. They seem to believe that they have a right to all of any such academic researchers' notes, drafts, tools, and anything else, because they did them a favor and told them about a vulnerability the vendor didn't know about previously. The MBTA not only asserts that the researchers have this as a moral obligation, but a legal obligation to allow the vendor pre-publication review.

The MBTA's strategy of shooting the messenger is not only counter-productive and shortsighted, it is dangerous. The vulnerability existed long before the students discovered it, and it could be (and may have been) discovered by others. The MBTA and its vendors are the ones who adopted a faulty system for its payment cards, not the students. The MBTA's priority should be fixing the problem, not continuing needless litigation.


Comments (113)

"...the CFAA does not apply to security researchers..."
Authored by: tiger99 on Tuesday, August 19 2008 @ 02:45 PM EDT
That, I think, is the extremely important core of the case, and the ruling would seem to agree with any common-sense interpretation of the intent of the law. I do hope that it stands up to scrutiny by higher courts, should that happen.

Corrections here please
Authored by: tiger99 on Tuesday, August 19 2008 @ 02:47 PM EDT
If any. Your input will assist PJ to maintain the excellent quality of Groklaw.

[ot] off topic here
Authored by: sumzero on Tuesday, August 19 2008 @ 02:47 PM EDT
and please make those clinks lickable.

sum.zero

---
48. The best book on programming for the layman is "alice in wonderland"; but
that's because it's the best book on anything for the layman.

alan j perlis

[NP] News Picks comments
Authored by: Aladdin Sane on Tuesday, August 19 2008 @ 02:52 PM EDT
Comment on Groklaw News Picks here.

Please fail to keep secret which News Pick you are commenting on.

---
"The choice to exact consideration in the form of compliance with the open source requirements..., is entitled to no less legal recognition." --US CAFC

In a way, the MBTA has won, the students missed DefCon.
Authored by: Anonymous on Tuesday, August 19 2008 @ 02:58 PM EDT

What I don't like, is that even though the MBTA's case was rejected, the MBTA has in many ways won. It has succeeded in preventing these students appearing at DefCon. In terms of a legal strategy, this has worked. Legally, suing a bunch of defenseless students works as a method of blocking a presentation at DefCon.

In terms of a PR strategy, the MBTA have lost. Undoubtedly, far more people know about this presentation now than before. By attempting to cover the story up, they have effectively admitted to the world that the MBTA has security problems.

The good news for the students is that they have a much higher profile than before. Consequently, they are much more likely to get "their foot in the door" in their search for jobs. The type of job these students get may be different, given this publicity, but publicity rarely hurts in marketing.

So has the MBTA met its MGL Chapter 93H requirements?
Authored by: Anonymous on Tuesday, August 19 2008 @ 03:58 PM EDT

Several of the slides in the suppressed talk showed widespread failures by the MBTA to physically secure the network closets in T stations. Perhaps that unsecured networking connects the machines that let you use your credit card to buy or add value to Charlie cards with the servers that validate the card transactions. Such physically unsecured networking wouldn't meet the credit card industry standards for securing credit card transactions. Perhaps the new Data Breach law (MGL Chapter 93H) in Massachusetts applies here, and the MBTA has a lot of letters to send out.

http://www.mass.gov/legis/laws/mgl/93h-1.htm

Happened to Me
Authored by: Anonymous on Tuesday, August 19 2008 @ 04:02 PM EDT
I was sued by my employer for destroying computer files in violation of state statutes.

The files were text documents created, edited, printed, then the hard copies were stored in file cabinets. Once stored away in hard copy form they were deleted off the hard drive in violation of the law.

The fact that the exact printed copies were readily available was no defense. It did however render the claim of damages a bit harder to prove.

Never delete ANYTHING off a computer unless specifically authorized in writing in advance. Otherwise you are shark bait.

disappointment
Authored by: nola on Tuesday, August 19 2008 @ 05:23 PM EDT
The lifting of the gag order unfortunately sidesteps the prior-restraint issues. So I guess we can expect to see this sad tactic employed again next time.

Disrupt, delay ...

Judge Lifts Restraining Order: MIT Students Win - Really?
Authored by: Laomedon on Tuesday, August 19 2008 @ 05:50 PM EDT
I am disappointed by this article. It appears to leave out at least two pertinent facts.

First of all, the TRO expired today, Aug 19 at 1:30pm EDT. Is that the same as lifting the order?

Second, the MBTA filed a "MOTION TO CONVERT TEMPORARY RESTRAINING ORDER TO TIME-LIMITED PRELIMINARY INJUNCTION" yesterday. The memo in support makes interesting reading, i.e. it alleges that the students actually forged and used CharlieTickets despite their earlier denials (p 15).

Evidence of Illegal Acts
Authored by: Anonymous on Tuesday, August 19 2008 @ 09:17 PM EDT
> This audit trail demonstrates that the Linked Tickets were used illegally, and the users of these Linked Tickets obtained MBTA transit services without proper payment.

Uhuh. Something tells me their "Audit Trail" found some linked tickets that had been validated by turnstile[s]. Was anybody caught riding the T with a forged ticket? By an MBTA employee on the train, or by camera at the gate? If I were a student doing ethical hacking on this case, I would validate the tickets too, but ride on my own dime.

My warning light went on at the statement of facts, P.1. The system "relies" on Charlie Cards & Tickets for payment of fares; contains security features "designed" to prevent free services, or "causing other harm"; and it cost $180M.

Strange then that the Boston Herald story says it was a no-bid contract to a former government employee....

Health and safety. So it would be even wider!
Authored by: piskozub on Wednesday, August 20 2008 @ 03:38 AM EDT
EFF's Hugh D'Andrade writes (cited in the article above):

"Moreover, if the MBTA's unprecedented expansion of the federal computer intrusion law (considering a talk to people the same as transmission of a program to a computer, considering a piece of paper with a magnetic stripe to be a computer, etc.) is adopted by the federal court in Boston, it would also have the unintended consequence of chilling future academic research and discussion. An anti-virus researcher, for example, presenting virus code on the PowerPoint screen at an anti-virus software conference, could be charged with a similar offense."

He meant a computer virus, obviously. But would it be any different if it were a medical conference and the virus was actually biological? The research was done using computers (all modern medical research is). The talk was transmitted to a computer to make the PowerPoint (or hopefully OpenOffice) presentation. The "health and safety" rule cited by MBTA would fit here even better. Think how the research results of the virologist might help [put your favorite class of enemies here]!

Judge Lifts Restraining Order: MIT Students Win - Updated
Authored by: Anonymous on Wednesday, August 20 2008 @ 06:45 AM EDT
"...now that the MBTA's attorney says he wants to meet with the students, to learn more about their research findings."

So they're still treating it as a legal issue rather than a technical one then.
Isn't it about time they got to speak to some actual engineers instead?

Sounds like the cluetrain hasn't reached MBTA's station just yet.

Judge Lifts Restraining Order: MIT Students Win - Updated
Authored by: Anonymous on Wednesday, August 20 2008 @ 11:17 AM EDT
> So the attempt to stretch the Computer Fraud and Abuse Act has failed.

But the attempt to impose prior restraint succeeded.

What recourse is possible?
Authored by: Anonymous on Wednesday, August 20 2008 @ 11:43 AM EDT
Are damages caused by an injunction (for a case that ultimately fails) recoverable? If so, how? Would they be requested when the case fails or in a separate action?

In this case the students have lost an opportunity to present their research. There is no direct financial loss, but there is loss of an opportunity for professional development and a line in their CV.

In other cases, an injunction could affect the timing of a product introduction, perhaps causing it to miss a critical sales period (back to school, Christmas) with possible extreme consequences (bankruptcy).

Groklaw © Copyright 2003-2013 Pamela Jones.
PJ's articles are licensed under a Creative Commons License.