Kurt Opsahl of EFF has just announced that the restraining order on the MIT students has been lifted:
Today, Judge George O'Toole lifted the gag order on three MIT students who were sued by the Massachusetts Bay Transportation Authority for discovering a security vulnerability in the MBTA's fare payment system. The Court found that the MBTA was not likely to prevail on the merits of its claim under the federal Computer Fraud and Abuse Act. MBTA had argued that the CFAA, which prohibits the transmission of a program that causes damage to a computer, also covers "verbal transmission," such as talking to people at conferences. Judge O'Toole, however, looked closely at the statute, and held that the CFAA does not apply to security researchers like the students talking to people. More details to follow.
[Update: The MBTA had sought to convert the temporary restraining order into a preliminary injunction to last for five months, to give them time to fix the vulnerabilities -- here's the motion [PDF] -- and that was denied. It's worth reading, this motion, if only to see why this thing swirled out of logical bounds. One issue is that when the MBTA hears the word hacker, they seem to think it means cracker, and they viewed the DefCon conference as a meeting where people go to learn how to break into other people's stuff, which naturally panicked them. And they seem to imagine that using Wireshark, which used to be called Ethereal, is "illegal activity", as you can read on page 25. Nor did they understand geek humor. Just a real culture clash, with misunderstandings that led to litigation that now seems to be resolvable, now that the MBTA's attorney says he wants to meet with the students, to learn more about their research findings.]
So the attempt to stretch the Computer Fraud and Abuse Act has failed. Please read the statute for yourself, and ask yourself: do you want talking about computers and security to become a crime punishable by fines and imprisonment and subject to FBI and Secret Service oversight? That's what almost just happened. You can find the documents in MBTA v. Anderson here. If you read the MBTA's complaint, you'll find the allegations of violations of the CFAA on page 12. I think you'll find the MBTA's interpretation of the statute shocking ("... the damage constitutes a threat to public health and safety... affects a computer system used by a government entity for national security purposes..."). The research was about getting a ride on a subway for free. In any case, the judge didn't buy it, with respect to the restraining order.
I first noticed that statute when SCO used it in a Memorandum in Opposition to IBM's Motion for Partial Summary Judgment on its Counterclaim for Copyright Infringement, when SCO alleged IBM had violated the statute by downloading software IBM itself authored from SCO's website. An expert on the statute, Jon Stanley, Esq., wrote an article for Groklaw explaining the statute in light of cases, and he pointed out the following:
Here is an example of how a violation might occur:
1. I access the internet pursuant to my Terms and Service Agreement with my ISP (that I agreed to but, given that there are only 48 hours in a weekend, did not read). This is the contractual instrument that allows my “access” to be “authorized”.
2. Then I violate this instrument’s conditions, and my access is, at the very moment of the violation, “unauthorized”.
3. And since, given that I’m probably staring at the screen, I am therefore “obtaining”… (viewing) “information from a protected computer…”
4. In theory, we have a violation of the CFAA.
Please don’t shoot the messenger. Yes, I think this conclusion is absurd and worrisome. And yes, it may very well mean that every time one checks the stock prices (or whatever) at one’s place of employment, and one does so in violation of one’s agreement to only access the internet for the employer’s purposes, technically one is in violation of the CFAA. How did we get to this point? Glib answer? Spammers -- and lack of imagination, perhaps, on the part of the judiciary.
So, that clued me in to how dangerous this statute could be in the wrong hands. I hope you will read what he wrote in full, so you too will understand why I keep writing about this statute. That IBM motion has not yet been decided, by the way.
Next there was the case IAC v. Citrin, where the alleged wrongdoing under the CFAA was deleting files. And the incredible case of Healthcare Associates, where a law firm was sued for printing some pages that were publicly available due to a glitch on the Internet Archive. Happily, that attempt to use the CFAA creatively failed.
EFF's Hugh D'Andrade explains (scroll down) why this MIT case matters:
At first glance, the issues at play may appear obscure, and of interest only to technical researchers and lawyers. But as we noted in a post last week, the right to publish without pre-publication review is part of the purpose of the 1st amendment, and one of the reasons Americans fought the Revolutionary War. (The MBTA's stance is all the more ironic, considering Boston's role in that war.)
Beyond this core constitutional principle, EFF is defending the ability to conduct security research in the digital age. As we note in our Vulnerability Reporting FAQ, security researchers by definition raise questions that corporations and government agencies would prefer to keep quiet. But by investigating flaws in security, and alerting the public to vulnerabilities, researchers play an important role in keeping private and public institutions accountable....
Moreover, if the MBTA's unprecedented expansion of the federal computer intrusion law (considering a talk to people the same as transmission of a program to a computer, considering a piece of paper with a magnetic stripe to be a computer, etc.) is adopted by the federal court in Boston, it would also have the unintended consequence of chilling future academic research and discussion. An anti-virus researcher, for example, presenting virus code on the PowerPoint screen at an anti-virus software conference, could be charged with a similar offense. Releasing a computer security textbook which describes attacks and defenses to networks would become a crime. The court and the MBTA should think about the consequences beyond the scope of this lawsuit.
The MBTA is also misguided with its notion that anytime a security researcher dares to look at a vulnerability, he suddenly has an obligation to provide the vendor of the faulty code with all of the research materials and to stay silent until the vendor decides he can speak. They seem to believe that they have a right to all of any such academic researchers' notes, drafts, tools, and anything else, because they did them a favor and told them about a vulnerability the vendor didn't know about previously. The MBTA not only asserts that the researchers have this as a moral obligation, but a legal obligation to allow the vendor pre-publication review.
The MBTA's strategy of shooting the messenger is not only counter-productive and shortsighted, it is dangerous. The vulnerability existed long before the students discovered it, and it could be (and may have been) discovered by others. The MBTA and its vendors are the ones who adopted a faulty system for its payment cards, not the students. The MBTA's priority should be fixing the problem, not continuing needless litigation.