The annual DEFCON conference in Las Vegas in early August got a bit more interesting than usual when three graduate students from the Massachusetts Institute of Technology were enjoined from giving a presentation by a Court in Boston.
The three -- Zach Anderson, RJ Ryan and Alessandro Chiesa -- intended to present both a paper and slides to the assembled masses of hackers explaining certain configuration issues with respect to the Massachusetts Bay Transportation Authority (MBTA) fare card system for riding the Boston subway system. The fare card system, or Fare Media system, used stored value cards, known as CharlieCards, after a locally famous song by the Kingston Trio called Charlie on the MTA.
Let me tell you the storyThe cards were subject to various cloning attacks, which would permit both sophisticated and unsophisticated hackers to create duplicate CharlieCards, and therefore evade payment for subway rides.
Of some boys from MIT
On a tragic and fateful day
They put out some information
Kissed their career and reputation
And took for ride the MTA
Needless to say, the when the lawyers for the MBTA learned of the DEFCON presentation, they were not amused. While there are disputes about who contacted whom first, and precisely what information was going to be disclosed or not disclosed at the presentation, ultimately the MBTA went to court in Boston and obtained a temporary restraining order (TRO) preventing the release of certain information about the vulnerabilities. The TRO was eventually reversed by the court, but not until the trio was denied the opportunity to make their presentation. Of course, in keeping with the Streisand effect, where attempts to censor content merely draws attention to it, both the slides and the paper to be presented were widely disseminated in advance of the TRO.
Much of the debate over the TRO has focused on the prior restraint on free speech aspects of the case. However, more important to security researchers are the questions of responsible or irresponsible disclosure of security vulnerabilities, and potential civil or criminal liability for doing so.
Security Research as a crime?
In their efforts to get a court to keep the MIT students from disclosing the results of their research, lawyers for the MBTA argued (pdf) not simply that the release of this information would harm the mass transit system, but also that the actions of the undergrads was criminal. Yet, everybody seems to have acknowledged that the information was not obtained by the undergraduates unlawfully -- that is, they didn't steal it, and didnít violate trade secrets to get it.
Did they ever return,
No they never returned
And their ultimate fates still unlearn'd
They may try forever
In the Courts of Boston
They're the kids who never returned.
So what was the MIT students' crime? Apparently nothing more than telling people about the vulnerabilities.
When the first U.S. federal computer crime statute was written, it punished things like computer trespass and theft of electronic services or information. After the Cornell Internet Worm case in 1988, Congress added a provision to explicitly criminalize computer viruses. This provision made it a crime to:
knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; which causes or would have caused loss of more than $5,000
When Congress was considering this provision, at least one influential member of Congress made it clear that "transmission does not refer [to] speech or other forms of communication to human beings" (pdf).