A federal judge in Boston ruled Aug. 19, 2008 that three Massachusetts Institute of Technology (MIT) students can publicly discuss the findings of a research project that explains how to manipulate the state’s electronic payment system for transit fares. The ruling lifted a temporary restraining order, granted ten days earlier, that prevented the students from presenting their project at the DEFCON 16 computer security and hacker conference in Las Vegas on August 10.
Zack Anderson, Russell Ryan, and Alessandro Chiesa earned an “A” for the research project as part of an undergraduate computer security course at MIT. Their research explains how to hack the Massachusetts Bay Transportation Authority’s (MBTA) electronic payment system to obtain free rides on Boston’s T subway.
The T’s payment system, which replaced cash and tokens with magnetically coded tickets called CharlieCards or CharlieTickets, was installed in 2006 at a cost of more than $180 million. Systems employing the same software are used by transit agencies in many other cities around the world, including London and Minneapolis, according to Power Point slides the students prepared for their presentation that are available at http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf.
The slides were distributed to people planning to attend the DEFCON conference before the restraining order was issued. Later, after the court proceedings generated publicity, they were widely disseminated over the Internet via Web sites like Wikileaks and MIT’s student newspaper, The Tech. The slides contain technical information about the students’ research, but according to court documents filed by the students, they leave out key details that would be required to hack the payment system.
The slides also acknowledge that manipulating the payment system would be a crime. The fifth slide features plain black type on a white background reading: “AND THIS IS VERY ILLEGAL!” Below the warning, in smaller print, the slide cautions: “So the following material is for educational use only.”
On August 9, the day before the students were scheduled to present their research at the DEFCON conference, Judge Douglas Woodlock granted a 10-day restraining order to the MBTA barring the students from disclosing programming information or software code that could aid in circumventing the payment system. The order was based on the Computer Fraud and Abuse Act, 18 U.S.C. section 1030, which makes it illegal to “knowingly cause the transmission of a program, information, code, or command … [that] intentionally causes damage without authorization, to a protected computer” if the aggregate harm would result in more than $5,000 damage or cause public health or national security concerns. Woodlock’s order in MBTA v. Anderson, No. 08-11364-GAO (D. Mass. 2008) is available online at http://www.eff.org/files/filenode/MBTA_v_Anderson/mbta-temp-restraining-order.pdf
According to court documents filed by the MBTA, the agency argued that the students’ presentation would show hackers how to create and market fake CharlieTickets to the public. The fake tickets would allow transit riders to board trains without paying the fair. The MBTA’s complaint alleged that the aggregate harm would result in more than $5,000 damage and create national security concerns.
In order to fit the students’ conduct within the prohibitions of the computer fraud statute, the MBTA also argued that an oral presentation at the DEFCON conference constituted a “transmission” and each CharlieTicket was a “protected computer.”
The statute does not define “transmission,” but the attorneys for the students argued in court documents that the intention of the statute was to prohibit electronic distribution over the Internet, not oral presentations. The statute defines computer as “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing … storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device … .” To be “protected,” the computer must be used in interstate commerce or by a federal agency.
At an August 19 hearing to determine whether to convert the restraining order into a 5-month injunction to allow the MBTA time to fix its security flaws, a second U.S. District Court Judge, George O’Toole Jr., ruled that an oral presentation did not qualify as a “transmission” within the meaning of the computer fraud statute. He also ruled that the MBTA had failed to prove that the students’ research was likely to cause $5,000 damage, The Boston Globe reported on August 20. The ruling cleared the way for the students to discuss their findings, but came too late to save their scheduled presentation at DEFCON 16.
Although O’Toole did not focus on the issue, attorneys for the students and other First Amendment lawyers argued that the restraining order was also an unconstitutional prior restraint.
Cindy Cohn, an Electronic Frontier Foundation (EFF) attorney who represented the students at the August 19 hearing, argued that the students did not create the CharlieTicket problems, they simply exposed them to the public, the Globe reported. “This is a public debate on a matter of public importance, and they want to participate,” she said at the hearing.
Marc Randazza, a First Amendment attorney not affiliated with the case, was critical of the MBTA’s decision to sue the students in comments to the Legal Talk Network on August 28. “It seems to me that this is a case of getting caught with your pants down, and they wanted the government to put a sheet over them while they pulled their pants up,” he said.
Randazza said the restraining order should never have been issued in the first place. “When we are looking at suppressing speech, we’re looking at a prior restraint, a court coming and saying [that] what you are about to say in public is so god awful dangerous, that we’re going to gag you from speaking about it. The harm that should come from that should be either an imminent riot [or] a nuclear weapon detonating, not the MBTA getting caught that it, perhaps, did not have the best security system for its fare cards,” he said.
MBTA General Manager Daniel Grabauskas said the court proceedings helped the agency understand the CharlieTicket’s security risks, according to an August 19 c|net report. “The 10-day process yielded a lot more information than we had at the start, and that was a key objective all along,” he said. “Now that the court proceedings are behind us, I renew my invitation to the students to sit down with us and discuss their findings. A great opportunity now presents itself.”
Zack Anderson, one of the students, said they would be willing to speak with the MBTA about the problems, the Globe reported August 20. “We’ve always wanted to settle this amicably,” he said. “My God, we never wanted any of this.”
– Michael Schoepf