The Website and Blog of Joshua R. Kagan

Shhh! The Anatomy of a Hacker’s Prior Restraint

It started out like a classic story:  Government creates RFID system.  Engineering students find loopholes in said system.  Engineering students start to tell others about said loopholes.

Except that this time, the last step didn’t happen.

DEF CON is an annual computer security convention where experts gather to hear about the latest in computer and hacking-related topics.  This year’s convention was held this past weekend at the Riviera Hotel & Casino in Las Vegas.  Three MIT students prepared a presentation for this conference in which they would have discussed the the “vulnerabilities in magnetic stripe and RFID card payment systems implemented by many urban transit systems.”  The scheduled presentation was the result of the students’ research project, conducted under the auspices of a renowned MIT computer science professor.  All was well until the Massachusetts Bay Transportation Authority (MBTA) filed suit in federal court to enjoin¹ the students from speaking at DEF CON because the disclosure of their research could compromise the MBTA ticketing system.  A federal judge, apparently agreeing that the students should not be permitted to speak, issued a temporary restraining order² that prohibited the students from presenting at the conference.

It’s not hard to see why the MBTA would want to shut these researchers down.  Their work, if disclosed to the public, would severely undermine the security of the card systems that the MBTA and other transit authorities have invested heavily in.  But the problem here is that, in agreeing with the plaintiff in this case, Judge Douglas P. Woodlock imposed a prior restraint on the students, which is generally unconstitutional except in extreme circumstances.  A prior restraint occurs when the government somehow prohibits someone from speaking before the actual speech occurs. It is a much stronger restraint on speech than censorship, and therefore as a matter of public policy it is close to taboo because of the fear of chilling effects.  Courts have traditionally held that prior restraints are unconstitutional except in extremely limited circumstances such as national security issues.³ Later cases clarified that “any prior restraint on expression comes . . . with a ‘heavy presumption’ against its constitutional validity”⁴ and suggested that even the “national security” exception requires some grave and irreparable imminent danger.⁵

When we apply these prior restraint standards to MBTA’s case, the results aren’t pretty.  The MBTA relies primarily on the Computer Fraud and Abuse Act,⁶ a law designed to criminalize unauthorized access and damage to computer systems, and the issue here is whether the danger of any criminal activity resulting from the students’ speech would have been sufficient to maintain a valid prior restraint.  The relevant case law points strongly toward there being a requirement of some imminent danger.  In the absolute worst case scenario here, if these students were allowed to present their research and a few evil-doers used the research to get free rides on the Massachusetts public transit system, the damage done would be a few subway fares.  Taken to an extreme, it could mean the premature obsolescence of the MBTA’s RFID card system.  While obviously not a desirable outcome, this still clearly doesn’t threaten national security.  For this reason, this prior restraint doesn’t seem to pass muster.

If you follow technology law, you might be drawing a parallel to the DeCSS case,⁷ in which the Court of Appeals for the Second Circuit held that a defendant could be enjoined from releasing a computer program that makes it possible to copy DVD movies in violation of the relevant provision of the Digital Millennium Copyright Act.⁸  But this case is easily distinguishable.  In the DeCSS case, the appellate judges skirted around the free speech issue by contending that computer programs have both “speech and non-speech” features, and that the injunction only targeted the “non-speech” ones.  That argument might fly for regulating computer programs, but I don’t think it’s possible to argue that a speech at an academic conference has any significant “non-speech” qualities that could be exempt from First Amendment protection.

It seems clear to me that the temporary restraining order issued in this case was an unconstitutional prior restraint.  However, I don’t place all of the blame here on Judge Woodlock.  There was a right and a wrong way for the MBTA to handle this situation.  The right way was to listen to (or read a transcript of) the students’ research into the inherent vulnerabilities of magnetic and RFID systems and to modify their systems to be more robust.  The wrong way was to silence public discourse on the subject and to continue pretending that their system is a good one.

Unfortunately, the MBTA chose the wrong course of action, and –worse — a federal judge let them get away with it.

This weblog is an informational resource only. It is not designed to offer legal advice.

1. An injunction is a judicial decree that orders a party to refrain from taking some action.  ”Enjoin” is the verb form of this term. [↩]
2. A TRO is an injunction that is issued for a short term before an issue is actually decided on the merits.  A judge typically uses this only when it is necessary to avoid some imminent harm to the moving party and the moving party appears likely to prevail on the merits. [↩]
3. Near v. Minnesota, 283 U.S. 697 (1931). [↩]
4. Nebraska Press Association v. Stuart, 427 U.S. 539 (1976), relying on Carroll v. Princess Anne, 393 U.S. 175 (1968) and Bantam Books, Inc. v. Sullivan, 372 U.S. 58 (1963). [↩]
5. New York Times Co. v. United States, 403 U.S. 713 (1971), popularly known as “The Pentagon Papers Case,” striking down a prior restraint by the Nixon administration that purported to rely on the national security exception. [↩]
6. 18 U.S.C. § 1030. [↩]
7. Universal City Studios, Inc. v. Reimerdes, 273 F.3d 429 (2d Cir. 2001). [↩]
8. 17 U.S.C. § 1201(a)(2). [↩]