About

July 2009

Sun Mon Tue Wed Thu Fri Sat
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31  

Search

  • Google

    The Entire Web
    Blog Archive

« Follow Up Stories to DePaul Chicago Sex Trafficking Study | Main | Illinois Judicial Council Scholarships Awarded to Three DePaul Students »

September 08, 2008

MIT Students Sued Over Security Class Project

Massachusetts Institute of Technology students, ZACK ANDERSON, RJ RYAN, ALESSANDRO CHIESA, had submitted a paper for a network security class they were taking,that uncovered security weaknesses in the MBTA (Massachusetts Bay Transportation Authority ) fare card using RFID (Radio-frequency identification) technology, called  the "Charlie Card". They received an "A" for their work and were planning to make a presentation at a computer security conference based on this work.

Charlie_card_2The students had contacted the MBTA about the security weaknesses in their  fare card  and indicated that their public "Charlie Card" presentation would not include certain  details that would allow actual misuse of the fare cards. However, on August 8, 2008 ,without notification to the students, the MBTA sued the students and requested a temporary restraining order, to prevent them from speaking publicly about their academic work.

The MBTA memorandum  made claims under the Computer Fraud and Abuse Act (the "CFAA"), of "irreparable harm"; that  the students had not gone through a "responsible disclosure" process; that national security was implicated since RFID chips are also used in national security applications; and that the prior restraint  "... will not create cognizable harm to the defendants". The students were prevented from making their presentation and publicly discussing their findings.

On August 19, a  federal judge finally lifted the restraining order. Judge O'Toole, held that the CFAA does not apply to security researchers like the students talking to people. As EFF Staff Attorney Marcia Hofmann stated, "A presentation at a security conference is not some sort of computer intrusion. It's protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security -- the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not."
( Judge Lifts Unconstitutional Gag Order Against MIT Students )

Despite the above ruling, the MBTA's litigation against the students still continues. The case was also directed at MIT as an institution for negligence in supervising  the activities of its students. It will be interesting to see how far MBTA pushes this case and whether similar future cases may chill the academic work of students and educational institutions.

                         **********************************************

MBTA v. Anderson court documents from EFF

Link to podcast re. MBTA v. Anderson with Law.com bloggers and co-hosts, J. Craig Williams and Bob Ambrogi


Posted by waltguy at 01:33 PM in Legal News, Special Interest: Faculty, Special Interest: Students |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d8341d167d53ef00e554eed9a88833

Listed below are links to weblogs that reference MIT Students Sued Over Security Class Project:

Comments

The comments to this entry are closed.