MBTA Vs. Anderson
   HOME

TheInfoList



OR:

''Massachusetts Bay Transportation Authority v. Anderson, et al.'', Civil Action No. 08-11364, was a challenge brought by the
Massachusetts Bay Transportation Authority The Massachusetts Bay Transportation Authority (abbreviated MBTA and known colloquially as "the T") is the public agency responsible for operating most public transportation services in Greater Boston, Massachusetts. The MBTA transit network in ...
(MBTA) to prevent three
Massachusetts Institute of Technology The Massachusetts Institute of Technology (MIT) is a private land-grant research university in Cambridge, Massachusetts. Established in 1861, MIT has played a key role in the development of modern technology and science, and is one of the ...
(MIT) students from publicly presenting a
security vulnerability Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by ...
they discovered in the MBTA's
Charlie Card The CharlieCard is a contactless smart card used for fare payment for transportation in the Boston area. It is the primary payment method for the Massachusetts Bay Transportation Authority (MBTA) and several regional public transport systems in ...
automated fare collection system An automated fare collection (AFC) system is the collection of components that automate the ticketing system of a public transportation network - an automated version of manual fare collection. An AFC system is usually the basis for integrated tic ...
. The case concerns the extent to which the disclosure of a computer security flaw is a form of
free speech Freedom of speech is a principle that supports the freedom of an individual or a community to articulate their opinions and ideas without fear of retaliation, censorship, or legal sanction. The rights, right to freedom of expression has been ...
protected by the
First Amendment First or 1st is the ordinal form of the number one (#1). First or 1st may also refer to: *World record, specifically the first instance of a particular achievement Arts and media Music * 1$T, American rapper, singer-songwriter, DJ, and rec ...
to the
United States Constitution The Constitution of the United States is the Supremacy Clause, supreme law of the United States, United States of America. It superseded the Articles of Confederation, the nation's first constitution, in 1789. Originally comprising seven ar ...
. The MBTA claimed that the MIT students violated the
Computer Fraud and Abuse Act The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law (), which had been included in the Comprehensive Crime Control Act of 1984. The law pr ...
(CFAA) and on August 9, 2008, was granted a
temporary restraining order An injunction is a legal and equitable remedy in the form of a special court order that compels a party to do or refrain from specific acts. ("The court of appeals ... has exclusive jurisdiction to enjoin, set aside, suspend (in whole or in par ...
(TRO) against the students to prevent them from presenting information to
DEFCON The defense readiness condition (DEFCON) is an alert state used by the United States Armed Forces. (DEFCON is not mentioned in the 2010 and newer document) The DEFCON system was developed by the Joint Chiefs of Staff (JCS) and unified and spe ...
conference attendees that could have potentially been used to defraud the MBTA of transit fares. The MIT students contended that submitting their research for review and approval by a government agency before publication is unconstitutional
prior restraint Prior restraint (also referred to as prior censorship or pre-publication censorship) is censorship imposed, usually by a government or institution, on expression, that prohibits particular instances of expression. It is in contrast to censorship ...
. The case garnered considerable popular and press attention when the injunction unintentionally became a victim of the
Streisand effect Attempts to hide, remove, or censor information often have the unintended consequence of increasing awareness of that information via the Internet. This is called the Streisand effect. It is named after American singer and actress Barbra Streis ...
, increasing the dissemination of the sensitive information of the students' presentation because the slides had been both distributed to conference organizers in the weeks before the injunction as well as inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint. On August 19, the judge rejected the MBTA's request to extend the restraining order and the TRO likewise expired, thus granting the students the right to discuss and present their findings.


Background

In December 2007, cautions were published separately by Karsten Nohl and Henryk Plotz regarding the weak encryption and other vulnerabilities of the particular security scheme as implemented on
NXP NXP Semiconductors N.V. (NXP) is a Dutch semiconductor designer and manufacturer with headquarters in Eindhoven, Netherlands. The company employs approximately 31,000 people in more than 30 countries. NXP reported revenue of $11.06 billion in 2 ...
's
MIFARE MIFARE is the NXP Semiconductors-owned trademark of a series of integrated circuit (IC) chips used in contactless smart cards and proximity cards. The brand name covers proprietary solutions based upon various levels of the ISO/IEC 14443 Type A ...
chip set and contactless electronic card system. In March 2008, articles on the vulnerabilities appeared in newspapers and computer trade journals. A comparable independent
cryptanalysis Cryptanalysis (from the Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic sec ...
, focused on the
MIFARE MIFARE is the NXP Semiconductors-owned trademark of a series of integrated circuit (IC) chips used in contactless smart cards and proximity cards. The brand name covers proprietary solutions based upon various levels of the ISO/IEC 14443 Type A ...
Classic chip, was performed at the
Radboud University Nijmegen Radboud University (abbreviated as RU, nl, Radboud Universiteit , formerly ''Katholieke Universiteit Nijmegen'') is a public research university located in Nijmegen, the Netherlands. The university bears the name of Saint Radboud, a 9th century D ...
. On March 7 the scientists were able to recover a
cryptographic key A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file, which, when processed through a cryptographic algorithm, can encode or decode cryptographic data. Based on the used method, the key c ...
from the
RFID Radio-frequency identification (RFID) uses electromagnetic fields to automatically identify and track tags attached to objects. An RFID system consists of a tiny radio transponder, a radio receiver and transmitter. When triggered by an electromag ...
card without using expensive equipment. With respect to
responsible disclosure In computer security, coordinated vulnerability disclosure, or "CVD" (formerly known as responsible disclosure) is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible partie ...
the
Radboud University Nijmegen Radboud University (abbreviated as RU, nl, Radboud Universiteit , formerly ''Katholieke Universiteit Nijmegen'') is a public research university located in Nijmegen, the Netherlands. The university bears the name of Saint Radboud, a 9th century D ...
published the article six months later.
NXP NXP Semiconductors N.V. (NXP) is a Dutch semiconductor designer and manufacturer with headquarters in Eindhoven, Netherlands. The company employs approximately 31,000 people in more than 30 countries. NXP reported revenue of $11.06 billion in 2 ...
tried to stop the publication of the second article through a preliminary injunction. In
the Netherlands ) , anthem = ( en, "William of Nassau") , image_map = , map_caption = , subdivision_type = Sovereign state , subdivision_name = Kingdom of the Netherlands , established_title = Before independence , established_date = Spanish Netherl ...
, the judge ruled on July 18 that publishing this
scientific article : ''For a broader class of literature, see Academic publishing.'' Scientific literature comprises scholarly publications that report original empirical and theoretical work in the natural and social sciences. Within an academic field, scient ...
falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published. In May 2008, MIT students Zack Anderson, Russell J. Ryan, Alessandro Chiesa, and Samuel G. McVeety presented a final paper in Professor
Ron Rivest Ronald Linn Rivest (; born May 6, 1947) is a cryptographer and an Institute Professor at MIT. He is a member of MIT's Department of Electrical Engineering and Computer Science (EECS) and a member of MIT's Computer Science and Artificial Intell ...
's ''6.857: Computer and Network Security'' class demonstrating weaknesses in the MBTA's automated fare collection system. The report identified four problems: the value is stored on the card and not in a secure database, the data on the card can be easily read and overwritten, there is no cryptographic signature algorithm to prevent forgeries, and there is no centralized card verification system. Anderson, Ryan, and Chiesa submitted a presentation entitled "Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems" to the
DEF CON DEF CON (also written as DEFCON, Defcon or DC) is a hacker convention held annually in Las Vegas, Nevada. The first DEF CON took place in June 1993 and today many attendees at DEF CON include computer security professionals, journalists, lawyer ...
hacker convention A computer security conference is a convention for individuals involved in computer security. They generally serve as meeting places for system and network administrators, hackers, and computer security experts. Events Common activities at hacke ...
which claimed to review and demonstrate how to
reverse engineer Reverse engineering (also known as backwards engineering or back engineering) is a process or method through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accompli ...
the data on the
magstripe The term digital card can refer to a physical item, such as a memory card on a camera, or, increasingly since 2017, to the digital content hosted as a virtual card or cloud card, as a digital virtual representation of a physical card. They share ...
card, several attacks to break the MIFARE-based
Charlie Card The CharlieCard is a contactless smart card used for fare payment for transportation in the Boston area. It is the primary payment method for the Massachusetts Bay Transportation Authority (MBTA) and several regional public transport systems in ...
, and brute force attacks using
FPGAs A field-programmable gate array (FPGA) is an integrated circuit designed to be configured by a customer or a designer after manufacturinghence the term '' field-programmable''. The FPGA configuration is generally specified using a hardware de ...
. Before the complaint was filed in August 2008,
Bruce Schneier Bruce Schneier (; born January 15, 1963) is an American cryptographer, computer security professional, privacy specialist, and writer. Schneier is a Lecturer in Public Policy at the Harvard Kennedy School and a Fellow at the Berkman Klein Cente ...
wrote on the matter that "Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for."


Litigation

On August 8, 2008, the MBTA filed suit seeking a temporary restraining order, both to prevent the students from presenting or otherwise discussing their findings until its vendors had sufficient time to correct defects and to seek monetary damages. The motion was granted on August 9 by Judge
Douglas P. Woodlock Douglas Preston Woodlock (born February 27, 1947) is a United States federal judge of the United States District Court for the District of Massachusetts. Born in Connecticut, Woodlock graduated from Yale College and worked as a journalist befo ...
and while the students appeared as scheduled, they did not speak or present at the convention. However, the injunction not only garnered more popularity and press attention to the case, but the sensitive information in the students' presentation became even more widely disseminated afterwards (by what is called the
Streisand effect Attempts to hide, remove, or censor information often have the unintended consequence of increasing awareness of that information via the Internet. This is called the Streisand effect. It is named after American singer and actress Barbra Streis ...
) since it had been both distributed to conference organizers in the weeks before the injunction as well as inadvertently posted to the district court's public website as exhibits to the MBTA's original complaint. The MBTA retained
Holland & Knight Holland & Knight LLP is an American multinational law firm with more than 1,700 lawyers and other professionals in 35 offices in the United States, Europe, Latin America, and North Africa. Headquartered in Tampa, Florida, the firm provides repre ...
to represent them and contended that under the norm of
responsible disclosure In computer security, coordinated vulnerability disclosure, or "CVD" (formerly known as responsible disclosure) is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible partie ...
, the students did not provide sufficient information or time before the presentation for the MBTA to correct the flaw and further alleged that the students transmitted programs to cause damage to (or attempted to transmit and damage) MBTA computers in an amount in excess of $5,000 under the
Computer Fraud and Abuse Act The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law (), which had been included in the Comprehensive Crime Control Act of 1984. The law pr ...
. Furthermore, it was contended that this damage constituted a threat to public health and safety and the MBTA would suffer
irreparable harm An irreparable injury is, in equity, "the type of harm which no monetary compensation can cure or put conditions back the way they were." The irreparable injury rule It has traditionally been a requirement of equity that no relief can be granted un ...
if the students were allowed to present; that the students converted and trespassed on MBTA property; that the students illegally profited from their activities; and that MIT itself was negligent in supervising the undergraduates and notifying the MBTA. The MIT students retained the
Electronic Frontier Foundation The Electronic Frontier Foundation (EFF) is an international non-profit digital rights group based in San Francisco, California. The foundation was formed on 10 July 1990 by John Gilmore, John Perry Barlow and Mitch Kapor to promote Internet ci ...
and
Fish & Richardson Fish & Richardson P.C. is a global patent, intellectual property litigation, and commercial litigation law firm with more than 400 attorneys and technology specialists across the U.S. and Europe. Fish is one of the most sought-after firms for both ...
to represent them and asserted that the term "transmission" in the CFAA cannot be broadly construed as any form of communication and the restraining order is a
prior restraint Prior restraint (also referred to as prior censorship or pre-publication censorship) is censorship imposed, usually by a government or institution, on expression, that prohibits particular instances of expression. It is in contrast to censorship ...
infringing their
First Amendment First or 1st is the ordinal form of the number one (#1). First or 1st may also refer to: *World record, specifically the first instance of a particular achievement Arts and media Music * 1$T, American rapper, singer-songwriter, DJ, and rec ...
right to protected free speech about academic research. A letter published by 11 prominent computer scientists on August 11 supported the defendants' assertions and claimed that the precedent of the
gag order A gag order (also known as a gagging order or suppression order) is an order, typically a legal order by a court or government, restricting information or comment from being made public or passed onto any unauthorized third party. The phrase may ...
will "stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure."Letter from Computer Science Professors and Computer Scientists, p. 7. On August 19, the judge rejected the MBTA's request to extend the restraining order and the TRO likewise expired, thus granting the students the right to discuss and present their findings.


See also

*
Responsible disclosure In computer security, coordinated vulnerability disclosure, or "CVD" (formerly known as responsible disclosure) is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible partie ...
*
Security through obscurity Security through obscurity (or security by obscurity) is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component. History An early opponent of security through ob ...
*
Streisand effect Attempts to hide, remove, or censor information often have the unintended consequence of increasing awareness of that information via the Internet. This is called the Streisand effect. It is named after American singer and actress Barbra Streis ...


References


Further reading

* McGraw-Herdeg, Michael, and Vogt, Marissa
"MBTA Sues Three Students to Stop Speech on Subway Vulnerabilities"
'' The Tech'', MIT, Volume 128, Issue 31, Monday, August 25, 2008


External links


Court documents

* Complaint
MBTA vs. Anderson, et al.
* Temporary restraining order
August 9 restraining order
* Response
MIT Students' response and Motion to Modify
* Exhibit
Letter from Computer Science Professors and Computer Scientists


Other links


Electronic Frontier Foundation case homepage

Legal Talk Network discussion
{{DEFAULTSORT:Massachusetts Bay Transportation Authority V. Anderson Cryptography case law United States District Court for the District of Massachusetts cases United States Internet case law United States Free Speech Clause case law Electronic Frontier Foundation litigation Massachusetts Bay Transportation Authority 2008 in United States case law Railway litigation in 2008