A federal court judge in Boston Thursday refused to lift an unconstitutional gag order against three students from the Massachusetts Institute of Technology (MIT) who uncovered vulnerabilities in Boston's transit fare payment system. In an editorial today, the Boston Globe wrote that Judge O'Toole "ought to lift it." Instead, the judge continued the hearing until Tuesday, and left the temporary restraining order in place.
EFF began representing the students in this case on Friday, when the Massachusetts Bay Transit Authority (MBTA) sued the students in federal court. On Saturday, a judge issued the gag order in violation of the students' First Amendment right to discuss their important research.
The court relied on a federal law aimed at computer intrusions in issuing its order, holding that even discussing the flaws at a public conference constituted a "transmission" of a computer program that could harm the fare collection system. But discussion in a public forum is clearly not the same as computer intrusion, and the students had already assured the MBTA they would withhold a key detail of the results so others could not use the information for fraudulent purposes.
Compounding the issue Thursday, the judge also ordered the students to hand over more documents about their research, so the judge and the MBTA could see the documents before deciding whether the students could speak. This pre-publication review by a government agency -- whether it is a federal judge or a city transit agency -- is exactly the kind of prior restraint the First Amendment was designed to abolish. As the Supreme Court has noted:
The doctrine [against] prior restraint has its roots in the 16th and 17th century English system of censorship. Under that system, all printing presses and printers were licensed by the government, and nothing could lawfully be published without the prior approval of a government or church censor.
Our founders included the Bill of Rights in the Constitution to reject that system. Thus, under the First Amendment, Court have rejected "not only licensing schemes requiring speech to be submitted to an administrative censor for prepublication review, but also injunctions against future speech issued by judges." Here we have both.
Nevertheless, the students are interested in responsible disclosure, met with the MBTA on August 4, and already voluntarily gave the MBTA a confidential vulnerability assessment last Friday. Prior to today's hearing, the students provided, as part of a good faith effort to help resolve this matter, a more detailed 31-page Security Analysis that discusses the security vulnerabilities uncovered by the students. The report was provided to the MBTA on August 13, and filed with the court under seal.
According to the Boston Globe:
The T is not sure there is a security problem, but the 10-day injunction will provide time to find out. "The injunction is allowing us to review the research that they have and see if there is any validity to their findings, and take corrective action, if any is even necessary," said Lydia Rivera, a T spokeswoman.
The students have made clear that, since DEFCON is over, they will never give the presentation previously planned. Nevertheless, the MBTA is seeking to extend the 10-day TRO into a preliminary injunction that will last indefinitely, and has not indicated that any intent to drop the lawsuit.