A federal trial court judge in Boston lifted a gag order preventing three Massachusetts Institute of Technology students from disclosing security flaws in Boston’s public transportation ticketing system, according to the Associated Press.
A different judge had imposed a 10-day gag order on the students on Aug. 9, just two days before they were supposed to present their academic research findings at DEFCON, a computer hacker convention. The presentation, titled “The Anatomy of a Subway Hack: Breaking Crypto RFID’s & Magstripes of Ticketing Systems,” would have described security flaws enabling users to ride the Massachusetts Bay Transit Authority for free.
Even though the students claimed that they would leave out information allowing others to exploit the flaw, and they voluntarily provided the MBTA with a vulnerability report explaining the problems they identified, the MBTA sued the students, arguing that they violated the Computer Fraud and Abuse Act by enabling others to defraud the MBTA of transit fares.
Yesterday, the MBTA admitted the error and asked for a five-month continuation of the gag order while it fixed the flaws. The Electronic Frontier Foundation, representing the students, convinced the judge that the order was unconstitutional, arguing that it violated the students’ First Amendment rights and would make other security researchers reluctant to publicize findings for fear of legal reprisals.