Legal spat over MIT subway hack

Researchers are fighting to disclose information about hacking Boston's transit card system

Civil liberties groups are stepping into the battle between the federal government and three students from MIT.

The students were planning to give a presentation on Sunday at the Defcon conference in Las Vegas. The presentation detailed security flaws in the Charlie Card automatic payment system used by the Massachusetts Bay Transit Authority (MBTA).

The authority argued that the presentation would give users the ability to tamper with the Charlie Card system and ride Boston's subways for free. As such, the MBTA claims that the presentation violated the Computer Fraud and Abuse Act (CFFA).

In response to the claim, a US district court judge has issued a ruling that prevents the three students from disclosing any information on the subject for 10 days, well after the conference has ended.

The judge's decision to issue prior restraint on the students caught the attention of the Electronic Frontier Foundation (EFF), which is now representing the three researchers in their appeal of the judge's order.

The EFF claims that the temporary restraining order violates the students' free speech rights and distorts the CFFA.

"The court has adopted an interpretation of the statute that is blatantly unconstitutional, equating discussion in a public forum with computer intrusion, " said Jennifer Grannick, civil liberties director for the EFF. "More importantly, squelching research and scientific discussion won't stop the attackers. It will just stop the public from knowing that these systems are vulnerable and from pressuring the companies that develop and implement them to fix security holes."

The group also argues that security flaws in RFID and magnetic stripe systems used by the MBTA and other transit systems are well-documented and have already been disclosed.

Courts in the Netherlands recently wrapped up a similar case involving London's public transport system. The judges ruled that a group of professors would be allowed to publish their findings on hacking London's Oyster card payment system.