MBTA v. Anderson

''Massachusetts Bay Transportation Authority v. Anderson, et al.'', Civil Action No. 08-11364, was a challenge brought by the Massachusetts Bay Transportation Authority (MBTA) to prevent three Massachusetts Institute of Technology (MIT) students from publicly presenting a security vulnerability they discovered in the MBTA's CharlieCard automated fare collection system. The case concerns the extent to which the disclosure of a computer security flaw is a form of free speech protected by the First Amendment to the United States Constitution. The MBTA claimed that the MIT students violated the Computer Fraud and Abuse Act (CFAA) and on August 9, 2008, was granted a temporary restraining order (TRO) against the students to prevent them from presenting information to DEF CON conference attendees that could potentially have been used to defraud the MBTA of transit fares. The MIT students contended that submitting their research for review and approval by a government agency before publication is unconstitutional prior restraint. The case garnered considerable popular and press attention when the injunction unintentionally became a victim of the Streisand effect, increasing the dissemination of the sensitive information in the students' presentation, because the slides had both been distributed to conference organizers in the weeks before the injunction and been inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint. On August 19, the judge rejected the MBTA's request to extend the restraining order; the TRO expired, leaving the students free to discuss and present their findings.


Background

In December 2007, warnings were published separately by Karsten Nohl and Henryk Plotz regarding the weak encryption and other vulnerabilities of the particular security scheme as implemented on NXP's MIFARE chip set and contactless electronic card system. In March 2008, articles on the vulnerabilities appeared in newspapers and computer trade journals. A comparable independent cryptanalysis, focused on the MIFARE Classic chip, was performed at Radboud University Nijmegen. On March 7 the scientists were able to recover a cryptographic key from the RFID card without using expensive equipment. Following responsible disclosure practice, Radboud University Nijmegen published the article six months later. NXP tried to stop the publication of the second article through a preliminary injunction. In the Netherlands, the judge ruled on July 18 that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published.

In May 2008, MIT students Zack Anderson, Russell J. Ryan, Alessandro Chiesa, and Samuel G. McVeety presented a final paper in Professor Ron Rivest's ''6.857: Computer and Network Security'' class demonstrating weaknesses in the MBTA's automated fare collection system. The report identified four problems: the stored value is kept on the card rather than in a secure database, the data on the card can be easily read and overwritten, there is no cryptographic signature to prevent forgeries, and there is no centralized card verification system. Anderson, Ryan, and Chiesa submitted a presentation entitled "Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems" to the DEF CON hacker convention, which claimed it would review and demonstrate how to reverse engineer the data on the magstripe card, several attacks to break the MIFARE-based CharlieCard, and brute-force attacks using FPGAs. Before the complaint was filed in August 2008, Bruce Schneier wrote on the matter that "Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for."
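The four findings in the MIT report are easiest to see side by side in code. The following is an added illustration, not code from the students' paper, the DEF CON slides, or the MBTA's fare system, and it does not use the real CharlieCard or CharlieTicket data layout: the record format, the issuer key, the card ids and the balances are all constructed for this example. The weak design stores the balance on the card and has the gate trust it (findings one to three). The hardened design adds an HMAC over the record under a key the card writer does not hold, and routes every debit through a central backend that owns the authoritative balance and a per-card transaction counter (findings three and four), so an edited record fails the MAC and a cloned or replayed record fails the counter check.

```python
"""Stored-value fare card: trusting the card vs. signing it and verifying centrally.

Constructed illustration only. The layout, key and amounts are assumptions and
are not the CharlieCard/CharlieTicket format.
"""
import hashlib
import hmac
import struct

# ---- Weak design: the balance is a plain field and the gate believes it ----
# Constructed layout: 4-byte card id, 4-byte balance in cents.

def weak_encode(card_id: int, balance_cents: int) -> bytes:
    return struct.pack(">II", card_id, balance_cents)

def weak_forge(card: bytes, new_balance_cents: int) -> bytes:
    """An attacker with a card writer just rewrites the balance field."""
    card_id, _ = struct.unpack(">II", card)
    return weak_encode(card_id, new_balance_cents)

def weak_gate_accepts(card: bytes, fare_cents: int) -> bool:
    """No signature, no backend: whatever the card says is the balance."""
    _, balance = struct.unpack(">II", card)
    return balance >= fare_cents

# ---- Hardened design: MAC on the record + central verification -------------
ISSUER_KEY = b"constructed-example-issuer-key"  # assumption; real systems keep this in an HSM
TAG_LEN = 8
RECORD = ">IIH"  # card id, balance in cents, transaction counter

def _tag(body: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()[:TAG_LEN]

def signed_encode(card_id: int, balance_cents: int, counter: int) -> bytes:
    body = struct.pack(RECORD, card_id, balance_cents, counter)
    return body + _tag(body)

class Backend:
    """Central verification service holding the authoritative balance and counter."""

    def __init__(self) -> None:
        self.balance: dict[int, int] = {}
        self.counter: dict[int, int] = {}

    def issue(self, card_id: int, balance_cents: int) -> bytes:
        self.balance[card_id] = balance_cents
        self.counter[card_id] = 0
        return signed_encode(card_id, balance_cents, 0)

    def debit(self, card: bytes, fare_cents: int):
        """Return the re-signed card on success, None on any failure."""
        body, tag = card[:-TAG_LEN], card[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(body)):
            return None  # edited or forged record: MAC does not verify
        card_id, balance, counter = struct.unpack(RECORD, body)
        if card_id not in self.balance:
            return None  # unknown card
        if counter != self.counter[card_id] or balance != self.balance[card_id]:
            return None  # stale record: cloned card or replay of a pre-ride image
        if balance < fare_cents:
            return None  # insufficient funds
        new_balance = balance - fare_cents
        self.balance[card_id] = new_balance
        self.counter[card_id] = counter + 1
        return signed_encode(card_id, new_balance, counter + 1)

def demo() -> dict:
    """Run both designs against an honest card, an edited card and a replay."""
    fare = 200  # constructed fare, in cents
    weak = weak_encode(7, 100)                    # $1.00 card
    forged = weak_forge(weak, 1_000_000)          # rewritten to $10,000.00
    backend = Backend()
    card = backend.issue(7, 500)                  # $5.00 card, counter 0
    edited = struct.pack(RECORD, 7, 1_000_000, 0) + card[-TAG_LEN:]  # same edit, old tag
    after_ride = backend.debit(card, fare)        # legitimate tap: counter -> 1
    return {
        "weak_honest": weak_gate_accepts(weak, fare),          # False: $1.00 < $2.00
        "weak_forged": weak_gate_accepts(forged, fare),        # True: gate trusts the card
        "signed_edited": backend.debit(edited, fare),          # None: MAC fails
        "signed_ride": after_ride is not None,                 # True
        "signed_replay": backend.debit(card, fare),            # None: counter 0 is stale
        "signed_second_ride": backend.debit(after_ride, fare) is not None,  # True
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The counter is what turns "value on the card" into a cache of state the backend owns: a perfect bit-for-bit clone of a valid card is still rejected once the original (or the clone) has been used, because only one of them can present the current counter. Keeping the MAC key off the card writer is what makes the edited record detectable at all; a MAC computed with a key that can be read from the card would only move the problem.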


Litigation

On August 8, 2008, the MBTA filed suit seeking a temporary restraining order, both to prevent the students from presenting or otherwise discussing their findings until its vendors had sufficient time to correct the defects, and to seek monetary damages. The motion was granted on August 9 by Judge Douglas P. Woodlock, and while the students appeared as scheduled, they did not speak or present at the convention. However, the injunction not only brought more popularity and press attention to the case, but the sensitive information in the students' presentation became even more widely disseminated afterwards (the Streisand effect), since it had both been distributed to conference organizers in the weeks before the injunction and been inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint.

The MBTA retained Holland & Knight to represent it and contended that, under the norm of responsible disclosure, the students did not provide sufficient information or time before the presentation for the MBTA to correct the flaw. It further alleged that the students transmitted programs to cause damage to (or attempted to transmit and damage) MBTA computers in an amount in excess of $5,000 under the Computer Fraud and Abuse Act. Furthermore, it was contended that this damage constituted a threat to public health and safety and that the MBTA would suffer irreparable harm if the students were allowed to present; that the students converted and trespassed on MBTA property; that the students illegally profited from their activities; and that MIT itself was negligent in supervising the undergraduates and notifying the MBTA.

The MIT students retained the Electronic Frontier Foundation and Fish & Richardson to represent them and asserted that the term "transmission" in the CFAA cannot be broadly construed as any form of communication, and that the restraining order is a prior restraint infringing their First Amendment right to protected free speech about academic research. A letter published by 11 prominent computer scientists on August 11 supported the defendants' assertions and claimed that the precedent of the gag order will "stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure." (Letter from Computer Science Professors and Computer Scientists, p. 7.) On August 19, the judge rejected the MBTA's request to extend the restraining order; the TRO expired, leaving the students free to discuss and present their findings.


See also

* Responsible disclosure
* Security through obscurity
* Streisand effect


Further reading

* McGraw-Herdeg, Michael, and Vogt, Marissa, "MBTA Sues Three Students to Stop Speech on Subway Vulnerabilities", ''The Tech'', MIT, Volume 128, Issue 31, Monday, August 25, 2008


External links


Court documents

* Complaint: MBTA vs. Anderson, et al.
* Temporary restraining order: August 9 restraining order
* Response: MIT Students' response and Motion to Modify
* Exhibit: Letter from Computer Science Professors and Computer Scientists


Other links


* Electronic Frontier Foundation case homepage
* Legal Talk Network discussion