MBTA Vs. Anderson
''Massachusetts Bay Transportation Authority v. Anderson, et al.'', Civil Action No. 08-11364, was a challenge brought by the Massachusetts Bay Transportation Authority (MBTA) to prevent three Massachusetts Institute of Technology (MIT) students from publicly presenting a security vulnerability they discovered in the MBTA's CharlieCard automated fare collection system. The case concerns the extent to which the disclosure of a computer security flaw is a form of free speech protected by the First Amendment to the United States Constitution. The MBTA claimed that the MIT students violated the Computer Fraud and Abuse Act (CFAA) and on August 9, 2008, was granted a temporary restraining order (TRO) against the students to prevent them from presenting information to DEFCON conference attendees that could potentially have been used to defraud the MBTA of transit fares. The MIT students contended that submitting their research for review and approval by a government agency before publication is unconstitutional prior restraint. The case garnered considerable popular and press attention when the injunction unintentionally became a victim of the Streisand effect: the sensitive information in the students' presentation spread further because the slides had both been distributed to conference organizers in the weeks before the injunction and been inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint. On August 19, the judge rejected the MBTA's request to extend the restraining order; the TRO likewise expired, granting the students the right to discuss and present their findings.


Background

In December 2007, cautions were published separately by Karsten Nohl and Henryk Plötz regarding the weak encryption and other vulnerabilities of the particular security scheme as implemented on NXP's MIFARE chip set and contactless electronic card system. In March 2008, articles on the vulnerabilities appeared in newspapers and computer trade journals. A comparable independent cryptanalysis, focused on the MIFARE Classic chip, was performed at Radboud University Nijmegen. On March 7 the scientists were able to recover a cryptographic key from the RFID card without using expensive equipment. In keeping with responsible disclosure, Radboud University Nijmegen published the article six months later. NXP tried to stop the publication of the second article through a preliminary injunction. In the Netherlands, the judge ruled on July 18 that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published.

In May 2008, MIT students Zack Anderson, Russell J. Ryan, Alessandro Chiesa, and Samuel G. McVeety presented a final paper in Professor Ron Rivest's ''6.857: Computer and Network Security'' class demonstrating weaknesses in the MBTA's automated fare collection system. The report identified four problems: the value is stored on the card and not in a secure database, the data on the card can be easily read and overwritten, there is no cryptographic signature algorithm to prevent forgeries, and there is no centralized card verification system. Anderson, Ryan, and Chiesa submitted a presentation entitled "Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems" to the DEF CON hacker convention, which claimed to review and demonstrate how to reverse engineer the data on the magstripe card, several attacks to break the MIFARE-based CharlieCard, and brute force attacks using FPGAs. Before the complaint was filed in August 2008, Bruce Schneier wrote on the matter that "Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for."
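As an added illustration, not taken from the MIT report or from the MBTA's actual system, the following Python sketch contrasts the first, third and fourth problems in the report's list (value trusted from the card, no signature, no central verification) with a design that stores an issuer-keyed MAC on the card and cross-checks a central ledger. The card layout, issuer key and ledger contents are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo key (hypothetical): a deployed system keeps the issuer key
# in the readers' secure hardware, never on the card.
ISSUER_KEY = b"constructed-demo-issuer-key"
FIELDS_FMT = ">IIH"          # card id, balance in cents, transaction counter
FIELDS_LEN = struct.calcsize(FIELDS_FMT)
TAG_LEN = 16                 # truncated HMAC-SHA256 tag stored after the fields


def issue_record(card_id: int, balance_cents: int, counter: int) -> bytes:
    """Fields followed by an HMAC tag: the signature the report found missing."""
    fields = struct.pack(FIELDS_FMT, card_id, balance_cents, counter)
    tag = hmac.new(ISSUER_KEY, fields, hashlib.sha256).digest()[:TAG_LEN]
    return fields + tag


def weak_reader(record: bytes) -> int:
    """Flawed design: the balance on the card is trusted as written."""
    return struct.unpack(FIELDS_FMT, record[:FIELDS_LEN])[1]


def hardened_reader(record: bytes, ledger: dict) -> str:
    """Check the tag, then cross-check the central ledger.
    Returns 'ok', 'forged' (tag mismatch) or 'stale' (valid but outdated copy)."""
    fields = record[:FIELDS_LEN]
    tag = record[FIELDS_LEN:FIELDS_LEN + TAG_LEN]
    expected = hmac.new(ISSUER_KEY, fields, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return "forged"
    card_id, balance_cents, counter = struct.unpack(FIELDS_FMT, fields)
    if ledger.get(card_id) != (balance_cents, counter):
        return "stale"   # a validly tagged older record was written back
    return "ok"


def demo() -> tuple:
    """Walk one card through both reader designs and return what each decides."""
    card_id, ledger = 0xC0FFEE, {}
    card = issue_record(card_id, 500, 1)        # $5.00 loaded, counter 1
    ledger[card_id] = (500, 1)
    # Balance field rewritten without the key: the weak reader believes it,
    # the hardened reader sees a tag that no longer matches the fields.
    edited = struct.pack(FIELDS_FMT, card_id, 99999, 1) + card[FIELDS_LEN:]
    weak_sees = weak_reader(edited)
    # After a $2.00 fare the ledger advances. A copy of the pre-fare record
    # still carries a valid tag, so only the central check catches it.
    ledger[card_id] = (300, 2)
    current = issue_record(card_id, 300, 2)
    return (weak_sees, hardened_reader(edited, ledger),
            hardened_reader(card, ledger), hardened_reader(current, ledger))
```

The MAC alone stops altered balances but not a copied older record; the ledger's transaction counter is what closes that gap, which is why the report lists central verification as a separate requirement.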


Litigation

On August 8, 2008, the MBTA filed suit seeking a temporary restraining order, both to prevent the students from presenting or otherwise discussing their findings until its vendors had sufficient time to correct defects and to seek monetary damages. The motion was granted on August 9 by Judge Douglas P. Woodlock, and while the students appeared as scheduled, they did not speak or present at the convention. However, the injunction not only brought more popularity and press attention to the case, but the sensitive information in the students' presentation became even more widely disseminated afterwards (by what is called the Streisand effect), since it had both been distributed to conference organizers in the weeks before the injunction and been inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint. The MBTA retained Holland & Knight to represent it and contended that, under the norm of responsible disclosure, the students did not provide sufficient information or time before the presentation for the MBTA to correct the flaw. It further alleged that the students transmitted programs to cause damage to (or attempted to transmit and damage) MBTA computers in an amount in excess of $5,000 under the Computer Fraud and Abuse Act. Furthermore, it was contended that this damage constituted a threat to public health and safety and that the MBTA would suffer irreparable harm if the students were allowed to present; that the students converted and trespassed on MBTA property; that the students illegally profited from their activities; and that MIT itself was negligent in supervising the undergraduates and notifying the MBTA. The MIT students retained the Electronic Frontier Foundation and Fish & Richardson to represent them and asserted that the term "transmission" in the CFAA cannot be broadly construed as any form of communication and that the restraining order is a prior restraint infringing their First Amendment right to protected free speech about academic research. A letter published by 11 prominent computer scientists on August 11 supported the defendants' assertions and claimed that the precedent of the gag order will "stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure." (Letter from Computer Science Professors and Computer Scientists, p. 7.) On August 19, the judge rejected the MBTA's request to extend the restraining order; the TRO likewise expired, granting the students the right to discuss and present their findings.


See also

* Security through obscurity



External links


Court documents

* Complaint: MBTA vs. Anderson, et al.
* Temporary restraining order: August 9 restraining order
* Response: MIT Students' response and Motion to Modify
* Exhibit: Letter from Computer Science Professors and Computer Scientists


Other links


* Electronic Frontier Foundation case homepage
* Legal Talk Network discussion