A federal judge Tuesday lifted a gag order on three MIT students who were barred from talking publicly about security flaws they discovered in the state's automated mass transit fare system, even as a lawyer for the agency acknowledged the system was "compromised."
U.S. District Judge George O'Toole Jr. rejected a request by the Massachusetts Bay Transportation Authority to impose a five-month injunction blocking the students from revealing anything about the security system. O'Toole also dissolved a temporary restraining order that had prohibited the students from speaking about their findings this month at DefCon, an annual computer hackers' convention in Las Vegas.
The transit agency sued after learning of a preconference Web advertisement for the presentation by the students - Zack Anderson, R.J. Ryan and Alessandro Chiesa - that said "Want free subway rides for life?"
The MBTA plans to continue with its lawsuit against MIT and the three students, who are all undergraduates and did not attend the hearing Tuesday. The MBTA claims the students violated the federal Computer Fraud & Abuse Act.
But in dissolving the gag order, O'Toole found the MBTA was unlikely to succeed on that claim. He said he agreed with the students' attorney that the 1986 law is aimed at preventing the transmission of computer viruses and worms, not at preventing information from being given to an audience during a speech.
O'Toole did not rule on the students' claim that the MBTA had violated their First Amendment rights by stopping them from speaking at the hackers' convention, which ended Sunday.
Cindy Cohn, a lawyer for the students, said the students had complied with the MBTA's request to turn over slides from their presentation and a 30-page "security analysis" that outlines everything they discovered about weaknesses in the fare system.
"The MBTA ultimately is trying to silence some uncomfortable truths that these students uncovered," said Cohn, legal director for the Electronic Frontier Foundation, a San Francisco-based organization that specializes in Internet civil liberties issues. "They brought an action against three college kids rather than address the problems in their own house."
Cohn said the students never intended to reveal key details that would have helped people hack into the fare collection system and ride MBTA transit for free, despite what the online ad for the demonstration said.
Ieuan Mahony, an attorney for the MBTA, said the transit agency simply wanted the students to refrain from revealing details about the security problems until the MBTA has time to correct the flaws, which could take five months.
Mahony said that after reading the security analysis submitted by the students last week, the MBTA "has determined that the CharlieTicket system is compromised." Mahony said the MBTA still wants to get additional information from the students on how they were able to clone a CharlieTicket, one of the two primary payment cards used by the MBTA.
Some of these details are already floating around the Internet, having been released before the students' planned talk at the DefCon conference. Electronic copies of their 87-slide presentation were included on CDs handed out to conference attendees before DefCon officially began and before the MBTA filed its lawsuit.