Earlier this month three Massachusetts Institute of Technology (MIT) students were slated to give a presentation at the Defcon conference in Las Vegas. The presentation would have discussed vulnerabilities in the Massachusetts Bay Transit Authority's (MTBA) electronic payment systems. However, MTBA convinced a federal court to hand down a temporary 10-day gag order, thereby preventing the trio from giving their presentation.
According to attorneys from the Electronic Frontier Foundation (EFF), who represented security researchers Zack Anderson, RJ Ryan, and Alessandro Chiesa in the case, MTBA's "lawsuit claimed that the students' planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares." EFF in turn claimed that MTBA's action violated the researcher's First Amendment rights.
A subsequent hearing turned in favor of the researchers when the judge refused to extend the gag order based on the merits of which it was originally issued. The court ruled that the CFAA most likely would not apply to researchers who give academic presentations.
"A presentation at a security conference is not some sort of computer intrusion. It's protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security - the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not," said Marcia Hofmann, staff attorney at EFF.
The researchers disclosed the nature of the vulnerabilities to the MTBA, which would reportedly require approximately five months to remedy. The vulnerabilities center around the ability to reprogram or clone electronic payment cards using inexpensive and readily available hardware. Exploitation of the vulnerabilities could cause the MTBA to lose a significant amount of revenue.
