IT securityJudge imposes gag order on Boston subway hackers

Published 11 August 2008

Three MIT students hacked smartcards used by the Boston subway system; they were planning to make a presentation about the hacking at this weekend Defcon event in Las Vegas — but a U.S. district judge imposed a gag rule on them

A federal judge on Saturday granted the Massachusetts transit authority’s request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system. The Electronic Frontier Foundation (EFF), which is representing the students, anticipates appealing the ruling, said EFF senior staff attorney Kurt Opsahl. The undergraduate students had been scheduled to give a presentation Sunday afternoon at the Defcon hacker conference being held in Las Vegas, a presentation they had said would describe “several attacks to completely break the CharlieCard,” an RFID card which the Massachusetts Bay Transportation Authority (MBTA) uses on the Boston T subway line. They also planned to release card-hacking software they had created, but canceled both the presentation and the release of the software.

U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide “program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System.” Woodlock granted the MBTA’s request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday. EFF staff attorney Kurt Opsahl said that the temporary restraining order is “violating their First Amendment rights”; another EFF attorney said a court order pre-emptively gagging security researchers was “unprecedented.” EFF attorneys appeared with the three students — Zack Anderson, R. J. Ryan, and Alessandro Chiesa — in front of a crowd of hundreds at an afternoon session at Defcon, but largely prevented them from answering questions, citing the lawsuit.  

C|NetNews’s Declan McCullagh writes that the students told reporters that they had, on their own, asked their professor to initiate contact with the MBTA a week before the government agency contacted them on 30 July or 31 July, but the process was delayed because professor Ron Rivest was at a security conference near San Francisco, and no contact with MBTA was made at the time. The conversations took a hostile turn when MBTA mentioned an FBI criminal investigation of the MIT students. In the “initial contact, they said the FBI was investigating and that was not — we didn’t find that to be a very pleasing way to start a nice dialogue with them. And we got a little concerned about what was happening,” said Anderson, one of the students. EFF’s Opsahl said the students only intended to “provide an interesting and useful talk, but not