Three students who were carrying out academic research into the security vulnerabilities of Boston’s transit fare payment system have had the court order that forbade them from discussing the issues reversed.
You might have thought that in the ‘land of the free,’ forbidding free speech is the kind of thing that could never happen. Thank goodness this reversal restores a balance.
Until now the Massachusetts Bay Transportation Agency (MBTA) had refused to acknowledge that there had been any problems with their Charlie Card and Charlie Ticket products – despite seeking a gagging order on the three MIT students.
Background to the legal action
The MBTA’s attention (legal attention, as it turned out) was drawn when the students presented their findings on the security weaknesses to the MBTA.
They planned to present their findings at a security conference, withholding key pieces of information.
Rather than thanking them for helping point out the weaknesses, the MBTA sued the students and MIT, the college they attended, without notice.
The lawsuit claimed that the students’ planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares.
EFF: Coders’ Rights Project
The Electronic Frontier Foundation (EFF) represented the students in court as part of its Coders’ Rights Project, which was recently launched at Black Hat USA 2008, an American security conference.
The Coders’ Rights Project seeks to inform programmers about the sometimes tricky path, created by the Digital Millennium Copyright Act (DMCA), the Computer Fraud and Abuse Act and other US state computer crime laws, that runs between security research such as software reverse engineering and the reporting of system vulnerabilities.
This whole issue really weighs on my mind considering the industry ramifications. Jon Longoria wrote an interesting, albeit brief, article regarding the plausible thought process MBTA took going into this. You can check it out here: http://thereformed.org/2008/08/25/mbta-put-profit-before-security/