Massachusetts Bay Transportation Authority v. Anderson
Encyclopedia
Massachusetts Bay Transportation Authority v. Anderson | ||
---|---|---|
United States District Court for the District of Massachusetts United States District Court for the District of Massachusetts The United States District Court for the District of Massachusetts is the federal district court whose jurisdiction is the Commonwealth of Massachusetts, USA. The first court session was held in Boston in 1789. The second term was held in Salem in 1790 and until 1813 court session locations... |
||
Filed | August 8, 2008 | |
Decided | August 19, 2008 | |
Case name | Massachusetts Bay Transportation Authority v. Zack Anderson, RJ Ryan, Alessandro Chiesa, and the Massachusetts Institute of Technology | |
Citations | Undecided | |
Holding | Injunction lifted | |
Judge | George A. O'Toole, Jr. | |
Laws applied | U.S. Const. United States Constitution The Constitution of the United States is the supreme law of the United States of America. It is the framework for the organization of the United States government and for the relationship of the federal government with the states, citizens, and all people within the United States.The first three... Amend. 1 First Amendment to the United States Constitution The First Amendment to the United States Constitution is part of the Bill of Rights. The amendment prohibits the making of any law respecting an establishment of religion, impeding the free exercise of religion, abridging the freedom of speech, infringing on the freedom of the press, interfering... ; Computer Fraud and Abuse Act Computer Fraud and Abuse Act The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses... |
Massachusetts Bay Transportation Authority v. Anderson, et al., Civil Action No. 08-11364, was a challenge brought by the Massachusetts Bay Transportation Authority
Massachusetts Bay Transportation Authority
The Massachusetts Bay Transportation Authority, often referred to as the MBTA or simply The T, is the public operator of most bus, subway, commuter rail and ferry systems in the greater Boston, Massachusetts, area. Officially a "body politic and corporate, and a political subdivision" of the...
(MBTA) to prevent three Massachusetts Institute of Technology
Massachusetts Institute of Technology
The Massachusetts Institute of Technology is a private research university located in Cambridge, Massachusetts. MIT has five schools and one college, containing a total of 32 academic departments, with a strong emphasis on scientific and technological education and research.Founded in 1861 in...
(MIT) students from publicly presenting a security vulnerability they discovered in the MBTA's Charlie Card automated fare collection system
Automated Fare Collection System
The Sydney automated fare collection system is the name given to three interoperable automated ticketing systems for buses, trains and government-run ferries in and around Sydney, Australia.The system was introduced between 1988 and 1993...
. The case concerns the extent to which the disclosure of a computer security flaw
Responsible disclosure
Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software...
is a form of free speech protected by the First Amendment
First Amendment to the United States Constitution
The First Amendment to the United States Constitution is part of the Bill of Rights. The amendment prohibits the making of any law respecting an establishment of religion, impeding the free exercise of religion, abridging the freedom of speech, infringing on the freedom of the press, interfering...
to the United States Constitution
United States Constitution
The Constitution of the United States is the supreme law of the United States of America. It is the framework for the organization of the United States government and for the relationship of the federal government with the states, citizens, and all people within the United States.The first three...
.
The MBTA claimed that the MIT students violated the Computer Fraud and Abuse Act
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses...
(CFAA) and on August 9, 2008 was granted a temporary restraining order (TRO) against the students to prevent them from presenting information to DEFCON conference attendees that could have potentially been used to defraud the MBTA of transit fares. The MIT students contended that submitting their research for review and approval by a government agency before publication is unconstitutional prior restraint
Prior restraint
Prior restraint or prior censorship is censorship in which certain material may not be published or communicated, rather than not prohibiting publication but making the publisher answerable for what is made known...
.
The case garnered considerable popular and press attention when the injunction unintentionally increased the dissemination of the sensitive information in the students' presentation because the slides had been both distributed to conference organizers in the weeks before the injunction as well as inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint.
On August 19, the judge rejected the MBTA's request to extend the restraining order and the TRO likewise expired, thus granting the students the right to discuss and present their findings.
Background
In December 2007, cautions were published separately by Karsten Nohl and Henryk Plotz regarding the weak encryption and other vulnerabilities of the particular security scheme as implemented on NXP's MIFAREMIFARE
MIFARE is the NXP Semiconductors-owned trademark of a series of chips widely used in contactless smart cards and proximity cards. According to the producers, billions of smart card chips and many millions of reader modules have been sold...
chip set
Chipset
A chipset, PC chipset, or chip set refers to a group of integrated circuits, or chips, that are designed to work together. They are usually marketed as a single product.- Computers :...
and contactless electronic card
Proximity card
Proximity card is a generic name for contactless integrated circuit devices used for security access or payment systems. The standard can refer to the older 125 kHz devices or the newer 13.56 MHz contactless RFID cards, most commonly known as contactless smartcards.Modern proximity cards...
system. In March 2008, articles on the vulnerabilities appeared in newspapers and computer trade journals. A comparable independent cryptanalysis
Cryptanalysis
Cryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Typically, this involves knowing how the system works and finding a secret key...
, focused on the MIFARE
MIFARE
MIFARE is the NXP Semiconductors-owned trademark of a series of chips widely used in contactless smart cards and proximity cards. According to the producers, billions of smart card chips and many millions of reader modules have been sold...
Classic chip, was performed at the Radboud University Nijmegen
Radboud University Nijmegen
Radboud University Nijmegen is a public university with a strong focus on research in Nijmegen, the Netherlands...
. On March 7 the scientists were able to recover a cryptographic key from the RFID card without using expensive equipment.. With respect to responsible disclosure
Responsible disclosure
Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software...
the Radboud University Nijmegen
Radboud University Nijmegen
Radboud University Nijmegen is a public university with a strong focus on research in Nijmegen, the Netherlands...
published the article six months later. NXP tried to stop the publication of the second article through a preliminary injunction. In the Netherlands, the judge ruled on July 18 that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published.
In May 2008, MIT students Zack Anderson, Russell J. Ryan, Alessandro Chiesa, and Samuel G. McVeety presented a final paper in Professor Ron Rivest
Ron Rivest
Ronald Linn Rivest is a cryptographer. He is the Andrew and Erna Viterbi Professor of Computer Science at MIT's Department of Electrical Engineering and Computer Science and a member of MIT's Computer Science and Artificial Intelligence Laboratory...
's 6.857: Computer and Network Security class demonstrating weaknesses in the MBTA's automated fare collection system. The report identified four problems: the value is stored on the card and not in a secure database, the data on the card can be easily read and overwritten, there is no cryptographic signature algorithm to prevent forgeries, and there is no centralized card verification system. Anderson, Ryan, and Chiesa submitted a presentation entitled "Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems" to the DEF CON hacker convention which claimed to review and demonstrate how to reverse engineer the data on the magstripe card, several attacks to break the MIFARE-based Charlie Card, and brute force attacks using FPGAs
Field-programmable gate array
A field-programmable gate array is an integrated circuit designed to be configured by the customer or designer after manufacturing—hence "field-programmable"...
.
Before the complaint was filed in August 2008, Bruce Schneier
Bruce Schneier
Bruce Schneier is an American cryptographer, computer security specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and is the founder and chief technology officer of BT Managed Security Solutions, formerly Counterpane Internet...
wrote on the matter that "Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for."
Litigation
On 8 August 2008, the MBTA filed suit seeking a temporary restraining order to prevent the students from presenting or otherwise discussing their findings until its vendors had sufficient time to correct defects as well as seeking monetary damages. The motion was granted on August 9 by Judge Douglas Woodlock and while the students appeared as scheduled, they did not speak or present at the convention. However, the injunction not only garnered more popular and press attention to the case, but the sensitive information in the students' presentation became even more widely disseminated afterwards since it had been both distributed to conference organizers in the weeks before the injunction as well as inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint.The MBTA retained Holland & Knight
Holland & Knight
Holland & Knight is an international law firm with more than 1,000 lawyers in 17 U.S. offices. Other offices around the world are located in Abu Dhabi, UAE, Beijing, China, and Mexico City, Mexico. Holland & Knight provides representation in litigation, business, real estate and governmental law.-...
to represent them and contended that under the norm of responsible disclosure
Responsible disclosure
Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software...
, the students did not provide sufficient information or time before the presentation for the MBTA to correct the flaw and further alleged that the students transmitted programs to cause damage to (or attempted to transmit and damage) MBTA computers in an amount in excess of $5,000 under the Computer Fraud and Abuse Act
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses...
. Furthermore, it was contended that this damage constituted a threat to public health and safety and the MBTA would suffer irreparable harm if the students were allowed to present; that the students converted
Conversion (law)
Conversion is a common law tort. A conversion is a voluntary act by one person inconsistent with the ownership rights of another. It is a tort of strict liability...
and trespassed
Trespass to chattels
Trespass to chattels is a tort whereby the infringing party has intentionally interfered with another person's lawful possession of a chattel...
on MBTA property; that the students illegally profited from their activities; and that MIT itself was negligent in supervising the undergraduates and notifying the MBTA.
The MIT students retained the Electronic Frontier Foundation
Electronic Frontier Foundation
The Electronic Frontier Foundation is an international non-profit digital rights advocacy and legal organization based in the United States...
and Fish & Richardson
Fish & Richardson
Fish & Richardson P.C. is a national law firm practicing intellectual property law.Fish is the 109th largest firm in the United States. Fish has over 350 attorneys, of which 96 percent are dedicated to intellectual property law. Fish is one of the most sought-after firms for both patent...
to represent them and asserted that the term "transmission" in the CFAA cannot be broadly construed as any form of communication and the restraining order is a prior restraint
Prior restraint
Prior restraint or prior censorship is censorship in which certain material may not be published or communicated, rather than not prohibiting publication but making the publisher answerable for what is made known...
infringing their First Amendment
First Amendment to the United States Constitution
The First Amendment to the United States Constitution is part of the Bill of Rights. The amendment prohibits the making of any law respecting an establishment of religion, impeding the free exercise of religion, abridging the freedom of speech, infringing on the freedom of the press, interfering...
right to protected free speech about academic research. An 11 August letter published by 11 prominent computer scientists supported the defendants' assertions and claimed that the precedent of the gag order
Gag order
A gag order is an order, sometimes a legal order by a court or government, other times a private order by an employer or other institution, restricting information or comment from being made public.Gag orders are often used against participants involved in a lawsuit or criminal trial...
will "stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure."
On 19 August, the judge rejected the MBTA's request to extend the restraining order and the TRO likewise expired, thus granting the students the right to discuss and present their findings.
Further reading
- McGraw-Herdeg, Michael, and Vogt, Marissa, "MBTA Sues Three Students to Stop Speech on Subway Vulnerabilities", The Tech, MIT, Volume 128, Issue 31, Monday, August 25, 2008
Court documents
- Complaint: MBTA vs. Anderson, et al.
- Temporary restraining order: August 9 restraining order
- Response: MIT Students' response and Motion to Modify
- Exhibit: Letter from Computer Science Professors and Computer Scientists