As regular Deeplinks readers know, EFF's Coders' Rights Project is defending the rights of three MIT students who were prevented from presenting their research on security vulnerabilities in Boston's transit fare payment system. The students were hit with a temporary restraining order that silenced their planned presentation at DEFCON.
Why this is Important
At first glance, the issues at play may appear obscure, and of interest only to technical researchers and lawyers. But as we noted in a post last week, the right to publish without pre-publication review is part of the purpose of the First Amendment, and one of the reasons Americans fought the Revolutionary War. (The MBTA's stance is all the more ironic, considering Boston's role in that war.)
Beyond this core constitutional principle, EFF is defending the ability to conduct security research in the digital age. As we note in our Vulnerability Reporting FAQ, security researchers by definition raise questions that corporations and government agencies would prefer to keep quiet. But by investigating flaws in security, and alerting the public to vulnerabilities, researchers play an important role in keeping private and public institutions accountable.
The MIT students were behaving as good citizens within this culture of security research. They met with the MBTA before the presentation. They never planned to expose the full details of their successful exposé of the vulnerability of the MBTA's fare system, and MBTA officials admit that the students had provided them with "a written summary of every vulnerability that they claimed to have discovered and how to fix these vulnerabilities." As promised, the students provided a detailed 31-page analysis of the security vulnerability, and the MBTA has finally admitted that a vulnerability exists.
The free speech implications are even more important because showing faults with a government agency's systems is core political speech. The Boston Herald reports that an MBTA Advisory Council Member was concerned with the fare card payment systems (in light of this controversy), and noted that the "T gave a no-bid contract for CharlieCard services to a former government employee." This makes the public interest in this matter even stronger.
The MBTA is Seeking a Dangerous Precedent
Moreover, if the MBTA's unprecedented expansion of the federal computer intrusion law (considering a talk to people the same as transmission of a program to a computer, considering a piece of paper with a magnetic stripe to be a computer, etc.) is adopted by the federal court in Boston, it would also have the unintended consequence of chilling future academic research and discussion. An anti-virus researcher, for example, presenting virus code on the PowerPoint screen at an anti-virus software conference, could be charged with a similar offense. Releasing a computer security textbook which describes attacks and defenses to networks would become a crime. The court and the MBTA should think about the consequences beyond the scope of this lawsuit.
The MBTA is also misguided in its notion that any time a security researcher dares to look at a vulnerability, he suddenly has an obligation to provide the vendor of the faulty code with all of his research materials and to stay silent until the vendor decides he can speak. The MBTA seems to believe that a vendor has a right to all of any such academic researcher's notes, drafts, tools, and anything else, because the researcher did the vendor a favor by telling it about a vulnerability it didn't know about previously. The MBTA asserts that the researchers have not only a moral obligation but a legal obligation to allow the vendor pre-publication review.
The MBTA's strategy of shooting the messenger is not only counter-productive and shortsighted, it is dangerous. The vulnerability existed long before the students discovered it, and it could be (and may have been) discovered by others. The MBTA and its vendors are the ones who adopted a faulty system for its payment cards, not the students. The MBTA's priority should be fixing the problem, not continuing needless litigation.
A Reasonable Way Forward
The only thing stopping the students and the MBTA from working together cooperatively to resolve the fare payment card security issues is the lawsuit itself. The students have offered to meet with the MBTA and voluntarily walk the transit agency through the security vulnerability and the students' suggestions for improvement, at no charge, if only the MBTA would drop this lawsuit. It appears that the MBTA, a public transit agency supported with billions in public money, would rather spend these taxpayer dollars on litigation in a misguided attempt to keep the vulnerability quiet than work with the students to resolve the situation.
On Tuesday morning, the federal court will either lift the restraining order or convert the order to a preliminary injunction. EFF's Coders' Rights Project will be there, arguing for the First Amendment rights of the students, and for the right of researchers to investigate security flaws in the public interest.