Charlie Could Not Get Off That Train ….

by Lee Gesmer on August 21, 2008

Let me tell you the story
Of a man named Charlie
On a tragic and fateful day
He put ten cents in his pocket,
Kissed his wife and family
Went to ride on the MTA

Charlie on the MTA (Jacqueline Steiner and Bess Lomax Hawes, 1949)


U.S. District Judge O’Toole has his hands full with this one. Here’s the quick and dirty:

In 2006 the Boston MBTA released the “CharlieCard,” a passcard containing an integrated chip that allows riders of the “T” (the nation’s oldest subway) to store value for rides.

Two weeks ago Anderson, Ryan and Chiesa, three MIT students, announced that they had hacked the CharlieCard, and would present their results at DEFCON 16, scheduled for August 8-10 in Las Vegas. Their presentation slides, titled “Anatomy of a Subway Hack,” were published in advance of DEFCON.

This upset the T, which filed suit in federal court in Boston on August 8th. What passes for legal fireworks ensued – the T’s complaint, along with other public pleadings in the case, is available on the Justia web site.

Before filing suit the T reportedly asked the students not to disclose their research until the T had a chance to fix the security flaw. Apparently, the students and the T were unable to reach an agreement acceptable to the T. The T’s lawsuit sought a temporary restraining order (translation: a temporary emergency order on very short notice) that would prevent disclosure of the students’ research at DEFCON.

The T’s main legal thrust was the Computer Fraud and Abuse Act (CFAA), a complex 1986 criminal and civil federal law that makes it illegal to access a computer without authorization; in essence, a federal anti-hacking law. The T alleged that the students’ action violated this statute, and represented a threat to public health or safety, as well as national security. The T argued that it was entitled to a temporary halt to disclosure under the so-called “responsible disclosure” doctrine. (A “doctrine” which, as far as I can tell, has no legal precedent, but appears to state that if a computer security flaw is discovered, the discoverer should give the owner a chance to fix it before disclosing the flaw to the public).

Judge Woodlock, who handled the emergency motion, was persuaded; he entered a temporary restraining order on August 9th, ordering the students not to disclose their knowledge.

The case, assigned to Judge O’Toole, quickly became a cause célèbre, and within no time the ACLU and the San Francisco-based Electronic Frontier Foundation came to the defense of the students. Time, however, waits for neither man nor lawyer, and before the EFF and the ACLU were able to persuade Judge O’Toole to lift the gag order, DEFCON 16 had concluded.

Legal commentators and computer scientists have commented on this case by the hundreds in the short week since it was filed, and the status of the case today is likely to be different by tomorrow. Therefore, I’ll zero in on my first thought after hearing about this case, and that was “prior restraint.” If the Supreme Court had refused to enjoin publication of the classified study “History of U.S. Decision-Making Process on Viet Nam Policy” by the New York Times and the Washington Post in 1971 on grounds that the injunction requested by the government in that case was a prior restraint in violation of the First Amendment (the “Pentagon Papers” case), how could the T restrain the MIT students from publication of their study? Did the CFAA permit a court to suppress academic speech?

In fact, the CFAA makes only one reference to injunctions:

Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain . . . injunctive relief or other equitable relief.

A “violation,” however, is unauthorized access of a computer (legalese for hacking) – it does not make illegal a publication (academic, scholarly or otherwise) telling others how to access a computer without authority. I am oversimplifying a bit, but my basic point holds true – the statute does not appear to make the conduct of the MIT students illegal. In addition, it’s not clear how the students’ hack of an MBTA payment card could threaten national security, unless the prospect of riding the T for free might somehow encourage terrorists to use the T.

The bottom line: regardless of how this case turns out, it appears that the injunctions entered against disclosure were improper, and possibly unconstitutional as a prior restraint not authorized by federal law.

Note: The EFF has created a web page for the case (as it typically does when it enters a case) containing all pleadings and background information on the case and its rapid-fire developments. The Wikipedia page for the case is here.
