Massachusetts Bay Transportation Authority v. Anderson


Title: Massachusetts Bay Transportation Authority v. Anderson  
Author: World Heritage Encyclopedia
Language: English
Subject: Streisand effect, United States district court cases
Publisher: World Heritage Encyclopedia

Massachusetts Bay Transportation Authority v. Anderson

United States District Court for the District of Massachusetts

Filed: August 8, 2008
Decided: August 19, 2008
Case name: Massachusetts Bay Transportation Authority v. Zack Anderson, RJ Ryan, Alessandro Chiesa, and the Massachusetts Institute of Technology
Citations: Undecided
Holding: Injunction lifted
Judge: George A. O'Toole, Jr.[1]
Laws applied: U.S. Const. Amend. 1; Computer Fraud and Abuse Act

Massachusetts Bay Transportation Authority v. Anderson, et al., Civil Action No. 08-11364, was a challenge brought by the Massachusetts Bay Transportation Authority (MBTA) to prevent three Massachusetts Institute of Technology (MIT) students from publicly presenting a security vulnerability they discovered in the MBTA's Charlie Card automated fare collection system. The case concerns the extent to which the disclosure of a computer security flaw is a form of free speech protected by the First Amendment to the United States Constitution.

The MBTA claimed that the MIT students violated the Computer Fraud and Abuse Act (CFAA) and, on August 9, 2008, was granted a temporary restraining order (TRO) against the students to prevent them from presenting information to DEFCON conference attendees that could potentially have been used to defraud the MBTA of transit fares. The MIT students contended that submitting their research for review and approval by a government agency before publication is unconstitutional prior restraint.

The case garnered considerable popular and press attention when the injunction unintentionally became a victim of the [2]


In December 2007, cautions were published separately by Karsten Nohl[3] and Henryk Plötz regarding the weak encryption and other vulnerabilities of the particular security scheme as implemented on NXP's MIFARE chip set and contactless electronic card system.[4][5] In March 2008, articles on the vulnerabilities appeared in newspapers and computer trade journals.[6][7] A comparable independent cryptanalysis, focused on the MIFARE Classic chip, was performed at the Radboud University Nijmegen. On March 7, the scientists were able to recover a cryptographic key from the RFID card without using expensive equipment.[8] In keeping with responsible disclosure, the Radboud University Nijmegen published the article[9] six months later. NXP tried to stop the publication of the second article through a preliminary injunction. In the Netherlands, the judge ruled on July 18 that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published.[10]

In May 2008, MIT students Zack Anderson,[11] Russell J. Ryan,[12] Alessandro Chiesa,[13] and Samuel G. McVeety presented a final paper in Professor [14] Anderson, Ryan, and Chiesa submitted a presentation entitled "Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems" to the DEF CON hacker convention which claimed to review and demonstrate how to reverse engineer the data on the magstripe card, several attacks to break the MIFARE-based Charlie Card, and brute force attacks using FPGAs.[15]

Before the complaint was filed in August 2008, Bruce Schneier wrote on the matter that "Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for."[16]


On 8 August 2008, the MBTA filed suit seeking a temporary restraining order, both to prevent the students from presenting or otherwise discussing their findings until its vendors had sufficient time to correct defects and to seek monetary damages. The motion was granted on August 9 by Judge [20][21]

The MBTA retained Holland & Knight to represent them and contended that under the norm of responsible disclosure, the students did not provide sufficient information or time before the presentation for the MBTA to correct the flaw and further alleged that the students transmitted programs to cause damage to (or attempted to transmit and damage) MBTA computers in an amount in excess of $5,000 under the Computer Fraud and Abuse Act. Furthermore, it was contended that this damage constituted a threat to public health and safety and the MBTA would suffer irreparable harm if the students were allowed to present; that the students converted and trespassed on MBTA property; that the students illegally profited from their activities; and that MIT itself was negligent in supervising the undergraduates and notifying the MBTA.[22]

The MIT students retained the Electronic Frontier Foundation and Fish & Richardson to represent them and asserted that the term "transmission" in the CFAA cannot be broadly construed as any form of communication and the restraining order is a prior restraint infringing their First Amendment right to protected free speech about academic research.[23][24] An 11 August letter published by 11 prominent computer scientists supported the defendants' assertions and claimed that the precedent of the gag order will "stifle research efforts and weaken academic computing research programs. In turn, we fear the shadow of the law's ambiguities will reduce our ability to contribute to industrial research in security technologies at the heart of our information infrastructure."[25]

On 19 August, the judge rejected the MBTA's request to extend the restraining order and the TRO likewise expired, thus granting the students the right to discuss and present their findings.[2]


  1. "Judges of the United States Courts - Biography of Judge George A. O'Toole, Jr". Federal Judicial Center. Retrieved 2008-08-15.
  2. Malone, Scott (2008-08-19). "Judge backs hackers in Boston subway dispute". Reuters. Retrieved 2008-08-19.
  3. "Karsten Nohl webpage". University of Virginia. Retrieved 2008-08-15.
  4. Plötz, Henryk; Meriac, Milosch (August 2007). "Practical RFID Attacks". Berlin, Germany: Chaos Communication Camp.
  5. Courtois, Nicolas T.; Nohl, Karsten, and O’Neil, Sean (April 14, 2008). "Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards". IACR pre-print archive. Retrieved 2008-08-15.
  6. "Group Demonstrates Security Hole in World's Most Popular Smartcard". UVA Today. February 26, 2008. Retrieved 2008-08-15.
  7. Dayal, Geeta (March 19, 2008). "How they hacked it: The MiFare RFID crack explained: A look at the research behind the chip compromise".
  8. "Scientists of the Radboud University Nijmegen break the security of the MIFARE Classic cards".
  9. Garcia, Flavio D.; Gerhard de Koning Gans; Ruben Muijrers; Peter van Rossum, Roel Verdult; Ronny Wichers Schreur; Bart Jacobs (2008-10-04). "Dismantling MIFARE Classic". 13th European Symposium on Research in Computer Security (ESORICS 2008), LNCS, Springer.
  10. Arnhem Court Judge Services (2008-07-18). "Pronunciation, Primary Claim (Dutch)". Rechtbank Arnhem.
  11. Zack Anderson homepage at MIT
  12. Russell J. Ryan homepage
  13. Alessandro Chiesa page at MIT
  14. Baxter, Christopher (August 12, 2008). "MIT students' report makes security recommendations to T". Boston Globe. Retrieved 2008-08-15.
  15. "Speakers for DEFCON 16". DEFCON Communications. Retrieved 2008-08-16.
  16. Schneier, Bruce (August 7, 2008). "Hacking Mifare Transport Cards". Schneier on Security newsletter.
  17. "Judges of the United States Courts - Biography of Judge Douglas Woodlock".
  18. McCullagh, Declan (August 9, 2008). "Judge orders halt to Defcon speech on subway card hacking". CNET News. Retrieved 2008-08-15.
  19. Lundin, Leigh (2008-08-17). "Dangerous Ideas". MBTA v DefCon 16. Criminal Brief. Retrieved 2010-10-07.
  20. Heussner, Ki Mae (August 12, 2008). "Injunction to Silence MIT Student Hackers Backfires". ABC News. Retrieved 2008-08-15.
  21. Stix, Gary (August 14, 2008). "MIT hackers make Massachusetts officials nervous at Defcon". Scientific American: 60-Second Science Blog. Retrieved 2008-08-15.
  22. Complaint, pp. 12-16
  23. Response, pp. 9-17
  24. McCullagh, Declan (August 13, 2008). "Transit agency wants MIT students to stay gagged". CNET News. Retrieved 2008-08-15.
  25. Letter from Computer Science Professors and Computer Scientists, p.7

Further reading

  • McGraw-Herdeg, Michael, and Vogt, Marissa, "MBTA Sues Three Students to Stop Speech on Subway Vulnerabilities", The Tech, MIT, Volume 128, Issue 31, Monday, August 25, 2008

External links

Court documents

  • Complaint: MBTA vs. Anderson, et al.
  • Temporary restraining order: August 9 restraining order
  • Response: MIT Students' response and Motion to Modify
  • Exhibit: Letter from Computer Science Professors and Computer Scientists

Other links

  • Electronic Frontier Foundation case homepage
  • Legal Talk Network discussion