
Security gag order against MIT students gets another day in court

Ten-day restraining order granted to MBTA up for extension or expiration at court hearing



August 18, 2008 (Computerworld) A federal judge in Boston will decide on Tuesday whether to extend or let expire a restraining order enjoining three students at MIT from publicly speaking about security flaws they discovered in the electronic fare-payment system used by the city's mass transit agency.

The 10-day gag order was imposed by another judge on Aug. 9, one day before the three students were scheduled to detail the flaws in a presentation at the Defcon hacker convention in Las Vegas. The order was issued in response to a motion by the Massachusetts Bay Transportation Authority (MBTA), which sued both MIT and the students, claiming that they hadn't given it enough time or information to assess and mitigate the vulnerabilities.

The agency argued that the presentation would cause "significant damage to the MBTA's transit system" by describing a variety of techniques that could be used to ride for free — for instance, by adding fares to the MBTA's smart cards and electronic tickets without paying for them.

The Electronic Frontier Foundation, a high-tech civil rights group that is representing the three students, last week filed a motion asking U.S. District Judge George O'Toole to lift the restraining order, which the EFF said violated the students' First Amendment rights to free speech. But O'Toole, who will preside over tomorrow's 10:30 a.m. EDT hearing, refused to lift the order and instead asked the three students to submit additional information related to their research, as requested by the MBTA.

Among the arguments that attorneys at the EFF are likely to make for lifting the order are the following:

  • Much of the vulnerability information is already in the public domain and common knowledge within the security community. The slides that the students put together for their aborted Defcon presentation were included on a CD given to Defcon attendees and have been posted online. And the MBTA itself released many of the details in a court document as part of its lawsuit against the students.
  • The three undergrads, who discovered the security holes in independent penetration tests that they did as part of a class project, have repeatedly assured the MBTA that they won't publicly disclose the level of detail needed for anyone to actually take advantage of the vulnerabilities.
  • Gagging the students violates their free-speech rights. Under the IT security community's generally accepted norms for responsibly disclosing security vulnerabilities, it could be argued that the students should have given the MBTA a reasonable amount of time to fix the flaws before going public with them. But preventing the students from discussing the security holes runs afoul of the First Amendment, according to the EFF.

