August 15, 2008, 9:59 AM — A federal judge in Boston Thursday refused to lift a temporary restraining order preventing three MIT students from publicly discussing details of several security vulnerabilities that they found in the electronic ticketing system used by the city's mass transit authority.
The decision means that the gag order imposed on the students last Saturday will remain unchanged at least until Aug. 19, when U.S. District Judge George O'Toole is scheduled to hold another hearing in the case. The restraining order, which was issued in response to a lawsuit filed by the Massachusetts Bay Transportation Authority (MBTA), will expire that same day unless it's extended or turned into a permanent injunction.
At Thursday's hearing, O'Toole also asked the MIT students to submit a copy of a class paper in which they detailed the vulnerabilities that they had found, according to the Electronic Frontier Foundation (EFF), a high-tech civil rights group that is representing the students in the case. The MBTA requested a copy of the paper in a motion that it filed, the EFF said.
In addition, O'Toole asked the three undergrads -- Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa -- to provide copies of programming code that they included in a planned presentation to show how the MBTA's e-ticketing system could be hacked.
The San Francisco-based EFF had filed a motion in court this week asking O'Toole to lift the restraining order (download PDF). A spokeswoman for the group expressed disappointment at the judge's refusal to do so and said that the EFF will now go ahead with a planned appeal of the decision to issue the gag order.
The restraining order was handed down by another judge one day before Anderson, Ryan and Chiesa were scheduled to detail the MBTA's vulnerabilities at the Defcon hacker convention in Las Vegas. In its motion requesting the restraining order (download PDF), the MBTA claimed that it was forced to seek the court's intervention because neither MIT nor the students had given the transit agency enough information to assess the vulnerabilities that were about to be publicly disclosed.
The MBTA said in its court filings that its intention wasn't to permanently gag the students but to give itself some time to determine the validity and seriousness of the issues being raised by the students and to develop a course of action for addressing them.
In a statement sent via e-mail Thursday, the MBTA said it was pleased that a second federal judge had upheld the restraining order, but "disappointed at the defendants' continued resistance to provide the information" requested by the agency. The MBTA added that it remains hopeful that all of the defendants will be "cooperative" as the case continues.
Although the students had to cancel their talk, the slides that they put together for the presentation were included on a CD given to Defcon attendees and thus have become publicly available.
The EFF has called the restraining order a violation of the students' First Amendment rights as well as a prior restraint on free speech. Along with the filing that requested the lifting of the order, the EFF submitted a letter in support of the students signed by 11 computer science professors and security researchers (download PDF).
David Farber, a professor of computer science and public policy at Carnegie Mellon University's School of Computer Science, was one of the people who signed the letter. He said today that the decision to issue the restraining order was a "bad, bad idea."
Based on the available information, the students appear to have notified MBTA officials about their research and even provided them with confidential information relating to the vulnerabilities, Farber said. The students also appear to have assured the MBTA in advance that their presentation wouldn't provide the level of detail needed for someone to actually exploit the vulnerabilities, he said. For the MBTA to then ask a court to gag the students was totally out of line, according to Farber.
What makes its actions even more egregious, he claimed, is the fact that the paper the students were scheduled to present had been vetted by MIT Professor Ron Rivest, who Farber described as one of more respected figures in the security community.
It could be argued that the students could have worked with the MBTA to fix the issues before publicly disclosing them, Farber acknowledged. But it is unconstitutional to prevent them from speaking about their discoveries just because the MBTA felt that it wasn't given adequate notice, he contended. "In practice," Farber said, "a good middle ground is to keep the courts out of it."
But Gartner Inc. analyst John Pescatore said the MBTA wasn't given a reasonable amount of time to fix the problems or develop work-arounds for them.
The intent of disclosing flaws should be to make software and systems more secure, "not to make headlines or sell tickets to security conferences," Pescatore said. In this case, he added, "the students went for publicity."