Massachusetts Bay Transportation Authority v. Anderson
TRANSCRIPT OF HEARING ON
MOTION FOR TEMPORARY RESTRAINING ORDER
BEFORE THE HONORABLE DOUGLAS P. WOODLOCK
UNITED STATES DISTRICT JUDGE
August 9, 2008
For the plaintiff: Ieuan-Gael Mahony, Esquire Scott Donnelly, Esquire Holland & Knight, LLP 10 St. James Avenue, Suite 12 Boston, MA 02116 617-575-5835 email@example.com
For MIT: Jeffrey Swope, Esquire Palmer & Dodge, LLP 111 Huntington Avenue Boston, MA 0199-7613 firstname.lastname@example.org
For individual Defts: Jennifer Stisa Granick, Esq. Marcia Hoffman, Esquire Electronic Frontier Foundation, 454 Shotwell St. San Francisco, CA 94110 415-436-9333 email@example.com
COURT CALLED INTO SESSION
THE CLERK: Calling the case of Civil Action 08-11364, Massachusetts Bay Transportation Authority v. Zack Anderson, et al. Will counsel please identify themselves for the record?
MR. MAHONY: Ieuan Mahony from Holland & Knight for the plaintiff, MBTA.
MR. DONNELLY: Scott Donnelly for the plaintiff, MBTA. I’m also here with MBTA general counsel, Bill Mitchel, MBTA deputy general manager for Systemwide Monitorization, Joe Kelly, and Jack McGlaughlin, who is MBTA project director for Systemwide Monitorization, which deals with the Automated Fare Collection system and the CharlieCard system.
MR. SWOPE: Good morning, Your Honor, Jeffrey Swope from Edwards, Angell, Palmer and Dodge. With me is general counsel for MIT, Gregory Morgan, and other counsel Jay Wilcox.
THE COURT: Now, I understand as well that we have on the phone three attorneys I guess in Las Vegas, Jennifer Granick Opsahl and Marshal Hoffman.
Ms. Granick, are you here?
MS. GRANICK: Yes, Your Honor, good morning. I’m actually in San Francisco right now--
THE COURT: All right.
MS. GRANICK: --and my colleagues are in Las Vegas.
THE COURT: And are you affiliated with a law firm?
MS. GRANICK: We are from the Electronic Frontier Foundation, which is located in San Francisco.
THE COURT: And are you separately representing the individuals?
MS. GRANICK: We are representing them jointly.
THE COURT: All right. And I want to be sure you understand the ground rules here. I understand that you represent that you’re representing all of the individuals here. Do you understand that as a consequence you are their agents and that any order that I enter here would be understood to have provided notice to your clients. Do you understand?
MS. GRANICK: Yes, Your Honor, I understand that. I believe that our clients, Zack Anderson, RJ Ryan and Allesandro Chiesa are on the call listening in from the Las Vegas end of the conversation.
THE COURT: All right. So--
MS. GRANICK: They are listening to the proceedings in this hearing, Your Honor.
THE COURT: All right. So Mr. Anderson, are you present?
MR. ANDERSON: Yes, I am.
THE COURT: Mr. Ryan, are you present?
MR. RYAN: Yes, I am.
THE COURT: And, Mr. Chiesa, if I pronounce it correctly, are you present? Mr. Chiesa?
UNIDENTIFIED: He stepped out of the room.
THE COURT: Mr. Chiesa?
MS. GRANICK: I think I hear them say he stepped out of the room for a moment.
THE COURT: All right. As soon as he comes back I’d like to have him identify himself, so Mr. Anderson and Mr. Ryan, you’ll tell him to do that when he comes back in the room?
MR. RYAN: Yes, Your Honor.
THE COURT: Do you understand that, Mr. Anderson, Mr. Ryan?
MR. RYAN: Yes, Your Honor.
MR. ANDERSON: Yes, Your Honor.
THE COURT: All right. I’ve been presented this morning with some additional materials filed by the MBTA, in particular a declaration of Mr. Henderson. And in the Declaration of Mr. Henderson at paragraph 15 he states that he received a voice mail from Mr. Anderson at 6:49 p.m. last night stating that his lawyers had advised him not to send the presentation materials in connection with the DEFCON presentation for Sunday.
Is that correct?
MS. GRANICK: Yes, Your Honor. We wanted to, when we realized that the MBTA had filed a lawsuit against our client and wanted to review the materials, we wanted to take an opportunity to go over the materials with our client before providing them to opposing counsel.
THE COURT: Have you done so?
MS. GRANICK: Of course--
THE COURT: Have you done so?
MS. GRANICK: Yes. We have reviewed our materials with our clients and we provided them to opposing counsel late last night by email, and those materials I believe have been attached to Mr. Mahony’s declaration as Exhibit 7. So I believe they’re currently before the Court as well.
THE COURT: All right. These are the entire materials that you intend for presentation?
MS. GRANICK: Those are the visual materials.
THE COURT: Well, is there anything else that is of substance for the presentation?
MS. GRANICK: No, Your Honor.
THE COURT: There will be nothing beyond what’s shown on these several slides?
MS. GRANICK: No, Your Honor. I think that the slides are visual and do not, they may not completely, I don’t think they’re – the slides are complete, but they do not constitute as many PowerPoint presentations do bullet points of what will be discussed. So, Your Honor, I think what the slides--
THE COURT: Just a moment. Is there anything of substance to the presentation, anticipated for the presentation that is not on the slides?
MS. GRANICK: No, Your Honor.
THE COURT: Mr. Mahony, do you intend to have someone explain what problems, if any, are presented by these slides?
MR. MAHONY: Your Honor, we made numerous requests for these materials.
THE COURT: I don’t want to hear history now.
MR. MAHONY: That’s fine. Your Honor, I spoke with Scott Henderson at 6:00 this morning at Logan Airport and with a Daniel Tieran from Shatten Bockman again at 6:00 at Logan Airport before their 8:00 flight to Las Vegas to go over these slides. It was not possible, Your Honor, to obtain any affidavit, declaration for the Court.
THE COURT: What’s the representation?
MR. MAHONY: The representation is I have materials that I can take the Court through on an oral basis and walk through those particular slides that cause concern. I also point out, Your Honor, that my sister has said, and I think this is accurate, that the slides do not provide what will be discussed at the particular presentation.
THE COURT: I don’t believe that’s what she said. What she said, and if you will confirm this for me, Ms. Granick, is that the slides contain the substance of everything that is going to be presented at the hearing, during the presentation of the defendants; is that correct?
MS. GRANICK: Yes, Your Honor, that’s correct. And I can elaborate on that to be more concrete. I want to, Your Honor, you have seen the slides and so as you know many of them are visual depictions which are depictions of what the presentation will contain, but is not a verbatim transcript. That’s the only reason why I’m being a little bit cautious about saying unqualified yet. It’s not a transcript, but those slides are the complete representation of what the talk is about.
THE COURT: Well, and the substance of that talk.
MS. GRANICK: And the substance of that talk, exactly.
MR. MAHONY: Your Honor, if I may as well, just to get assurances, on page 37 of the slides there’s a slide that says demo--
THE COURT: Hold on a second.
MR. MAHONY: Yes.
THE COURT: Okay, go ahead.
MR. MAHONY: The slide says up at the top, Demo, magcard and reverse engineering tool kit. That looks like a demonstration that is outside the four corners of the slides.
THE COURT: All right. So, Ms. Granick?
MR. MAHONY: There’s also a point here, wrote--
THE COURT: Let me do it go step-by-step unless it’s necessary for me to hear more of the various objections you have?
MR. MAHONY: Thank you, Your Honor.
THE COURT: This is the first objection that you
MR. MAHONY: Correct.
THE COURT: That there’s some sort of demo contemplated here?
MR. MAHONY: Correct.
THE COURT: All right, Ms. Granick? What do I make of the demo that suggests can now forge cards?
MS. GRANICK: Yes. I see the slide we’re talking about. It’s entitled Demo Magcard and Reverse Engineering Tool Kit.
THE COURT: So what are they going to do?
MS. GRANICK: They are going to do a demonstration that shows that they had now created a card that is forged. In other words, one that is not issued by MBTA.
THE COURT: All right.
MS. GRANICK: And the important part of this demonstration realizes that this is a demonstration but it is a, the demonstration will be lacking in some critical information which would be required for another person to duplicate this feat and create a card that is a forged card that could be used with MBTA.
So, Your Honor, if I could talk about just terms of these slides, we have provided a declaration by Erik Johanson who is an expert in the field of RFID and transportation security and he has looked at the slides that our clients are intending to present and, so some of his declaration--
MR. MAHONY: Your Honor, if I may--
THE COURT: Just a moment. Mr. Swope, do you have that declaration?
MR. SWOPE: It was sent to Mr. Wilcox with a request that it be printed. MIT is not offering it as its own, but I do have the document which might make this easier.
THE COURT: All right. Mr. Swope is going to pass up to me, Ms. Granick, what I gather was sent along to him which is this declaration, and let me take a look at the declaration first.
MS. GRANICK: Okay. Your Honor, just let me know when you’re ready for me--
THE COURT: Yes.
MS. GRANICK: --to address it.
THE COURT: I will.
MS. HOFFMAN: Your Honor, this is Marcia Hoffman from – [inaudible] - for Alessandro Chiesa.
THE COURT: All right. Mr. Chiesa, are you present? Mr. Chiesa, are you present?
MR. CHIESA: Present.
THE COURT: All right.
THE COURT: All right. I’ve read Mr. Johanson’s affidavit the purport of which I gather is that the presentation of the defendants has nothing new to add?
MS. GRANICK: I’m sorry, Your Honor, could you repeat what you said?
THE COURT: Mr. Johanson says the slides do not describe any new techniques for breaking cartography used by the CharlieCard.
MS. GRANICK: That’s correct – I’m sorry.
THE COURT: And he indicates that everything is in the public record, so what’s the need for the presentation?
MS. GRANICK: Well, that’s – Your Honor, the – you are correct. It says that the research techniques are in the public domain with the exception of one piece of information which is, and the part of the research which is novel performed by the students and that is an application of the research technique to the CharlieTicket, and the way that the CharlieTicket, that the techniques were applied to the CharlieTicket is widely known. What the students discovered is that there is not adequate additional security on the CharlieTicket to prevent them from being compromised according to these already widely known techniques. The critical piece of information that the students have discovered, but which is not included in the presentation and which the students never intended to include in the presentation is the check sum, and the check sum is a security technique that is employed to ensure that the card is, that a card is not in any way tampered with. The slides show the check sum and that the check sum changes when the ticket is tampered with, but they do not describe how to compute the check sum and an attacker would not be able to replicate the novel portion of their research without knowing how to compute the check sum.
So basically what the presentation is is as many academic pieces of work are, is a collection of the materials that are already known in the relevant field and an application of that research to a specific case study in order to learn a little bit more about how security, about how security is implemented and the ways in which security techniques can fail to protect the fare system.
THE COURT: So does this add or not to sum of human knowledge on this subject?
MS. GRANICK: Your Honor, I believe that it does add. I think that--
THE COURT: So it adds some increment of – just a moment. It adds some increment of information not presently available based upon their accessing aspects of the computer system; is that correct?
MS. GRANICK: No, Your Honor, it is a piece of information that was the subject of their research paper with Professor Rivest at MIT, so the professor considered it to be a valid piece of original research. It was accepted by the DEFCON conference so the conference organizers felt that it was a piece of research that was interesting to the security people that attend that conference. It was not obtained through any kind of unauthorized access to computers. It was research that they performed by applying existing commonly used research technique to the mag, to examine the magnetic stripe card and the data that are stored on those cards. But the, one of the things that the students have discovered but a piece of information which they have not planned to and do not plan to reveal publicly is how to calculate the check sum, and without the check sum, the information that they’re going to present cannot be used by an attacker to make fraudulent cards. Which gets me to Your Honor’s question about the slide relating to the demo and what the importance is of the demo.
The demo allows the student to demonstrate that they have figured out how to calculate the check sum without revealing how they’ve done it to the people who attend the presentation. So it’s a demonstration that the security is weak and needs improvement but without providing a critical ingredient for an attacker. So they have tried to be, by tailoring the presentation this way, they’ve presented the existing information in their academic field that relates to this. They have presented what new information they done, or new research that they’ve done that pushes the envelope of the information that existed before. My advisor in college used to call it standing on the shoulders of giants. So they show how they are standing on the shoulders of giants, but they have responsibly decided to withhold a piece of information that would allow anybody, somebody who doesn’t have, you know, any kind of academic background or interest in the field and is simply an attacker to make a fraudulent fare card. So that is their, that was their intention from the beginning and is what they communicated to MBTA when they had their meeting on, you know, earlier in the week.
THE COURT: Why isn’t the addition of this information with the focus on check sum an additional piece of information that focuses a potential hacker on places to conduct that hacker’s own research?
MS. GRANICK: I think that if you saw this presentation you would know that the card has a check sum function on it, but I think that these are, this is information that is already widely known. In fact, it is information--
THE COURT: I’m sorry, Ms. Granick, but you keep going back and forth between the idea that it’s already widely known and that it adds something. Now, if it’s already widely known, then there’s no particular reason for them to be making the presentation. If it is adding something, what is it adding? It’s adding some piece of information that makes it possible for others to focus their attention on the way in which you can hack into these collection systems. The very next slide says, are they hackable? Yes. So--
MS. GRANICK: Well, Your Honor--
THE COURT: --you know, the short of it is that what they’re doing is providing research, maybe not complete research but research that focuses the attention of those who have an interest in this area who are not all academics on the--
MS. GRANICK: Your Honor, that--
THE COURT: Just a moment, may I finish? Which is part of the concern that’s expressed in the Computer Fraud and Abuse Act, which we’ll get to in a moment, but there’s something additional, right or wrong?
MS. GRANICK: There is something additional in the presentation, but the fundamental point that you are relating to which is that there is insecurity in the, MIFARE payment system, that is implemented by MBTA, that information is not new. That information is widely known. There have been news reports about it in the newspaper and it is widely known in the academic world where the students, that’s part of this research paper. So yes, it’s true that this information, that this presentation discusses something new. That something new is that this system is in fact vulnerable and that the security mechanism that they put in place is not working and that does let people know that it is possible to defeat the security of the system. I believe that was already widely known, but what the report adds or what the presentation adds is that they are, that these students have figured out how to do it. I don’t, I respectively disagree that the fact that much of this information maybe, whatever percentage of it, 90% or 95% of it is already known, means that there’s no reason for the presentation, that is part of, you know, presenting your work is that there, as I called it, standing on the shoulders of giants, is that you talk about research that’s relevant to your field, but I do think that--
THE COURT: It does, however, Ms. Granick, go to the question of balance of harm.
MS. GRANICK: Well, I think--
THE COURT: Just a moment, just a moment. I think I’ve understood the position that you’re expressing concerning this. Now I want to hear from the plaintiff on this. So we have this proposed demo which I understand will not be so much a demo as a report that they could demonstrate if they wanted to.
MR. MAHONY: That’s correct, Your Honor, and I think the fact that this demonstration is, will focus attention on the fact that it’s a viable solution that the card is hackable and that these individuals will be up there stating this is possible to do. Your Honor, as the Court said, this is providing that the research that focuses the attention of those who have the interest in doing this who may not be academics. Your Honor, this is a competitive--
THE COURT: Look it, I’m really not interested in the conclusions.
MR. MAHONY: Yes.
THE COURT: I really want to get to the specifics of where you say there’s a problem and let me, and I’m going to afford them an opportunity to respond.
MR. MAHONY: Your Honor, the demo, if we look down in the next line here, on the same slide 37, wrote python libraries for analyzing mag cards. Python is a programming language, it’s open source and in the announcements the Court may recall that the MIT, the undergrads said that they were going to provide open source software tools to accomplish the hacks. So, this is not simply saying we did it, aren’t we inventive? It’s also providing a tool to help accomplish this. Our understanding is that these would likely be software tools that would make it easier to analyze the cards, and I’ll point the Court to analysis component in just a second, but, Your Honor, in terms of, my sister said that it’s just the presentation, it’s just the four corners here. We’ve seen the demo as something in addition. If the Court takes a look at the first page of this presentation, so it says, anatomy of subway hack, the Court can see in the bottom it says for updated slides and code. My reading of that, our reading of that is that’s software code. See this website.
So, Your Honor, it’s not simply this slide presentation. It’s--
THE COURT: All right. Now, let me focus on that issue. Ms. Granick, what’s the reference to code?
MS. GRANICK: The reference to code, Your Honor, relates to the software tools that the students plan to release with the presentation and those software tools are not tools which are targeted for the MBTA system. They are generalized, generalized tools that are for reading magnetic cards, for analyzing information on cards, and for reading, using software or open source radio software to listen to the signals from RFID cards and those sorts of things. They are not tools that a malicious attacker could come along and automatically use to crack the check sum security system, the check sum on the MBTA check sum.
THE COURT: Let me ask – just a moment.
MS. GRANICK: And the - I’m sorry.
THE COURT: Let me ask two questions. One, is there any place in the slides where this code is identified and referenced?
MS. GRANICK: Let me take a look, Your Honor.
MS. GRANICK: Well, they show, they refer to the code that they created, the Python written code that’s on the slide that we’ve been looking, wrote the Python library to integrate with the reader/writer, and I can go through the slides and see where the other tools they use are mentioned, Your Honor.
I think the important thing if I could give it up, the open source tool book, is that they are not tools which standing alone allow an attacker to make fraudulent fare cards. And I think that the idea that this presentation for these tools are the things that are going to focus an attacker on the weaknesses in the security system is mistaken. There’s already been news reports in the Boston Globe, in the Boston Herald and in on-line magazines about the security weaknesses in the CharlieCard and the cards generally used for the T.
THE COURT: Well, I think we can – just a moment, Ms. Granick, we’ve been over that. This is your difficult position of saying there’s nothing new except what’s new and what’s new isn’t new, and that it seems to me is not something that I find particularly persuasive. So--
MS. GRANICK: Well, the a way--
THE COURT: Just a moment, just a moment. I think I’ve heard what I need to hear with respect to that issue; that is, there is something more that they propose to offer those who attend that are not included in the slides. So what else?
MR. MAHONY: And, Your Honor, I just note the Court had a question of where else is their code in the slides and if the Court were to take a look at page 66 and 67, that there’s code mentioned here that is for, you know, that focus.
Your Honor, if I may--
THE COURT: Yes.
MR. MAHONY: --refer the Court to the actual magstripe information just for a minute. It’s on page 29. And, Your Honor, if I could just do a short visual because 29 just has a lot of letters and numbers along dark black lines. Your Honor, I’ve got just a standard credit card here and that the black line on the back is the magnetic stripe. That’s the magstripe. I have my own CharlieTicket here and the black stripe on the front is a magnetic stripe as well. This information here, the information that’s on the magnetic stripe is not meant to be seen. There isn’t coding on the strip. If the Court were to take a look at page 30, what the MIT undergrads have done is map out the code so that these different codes now associated with bits of data. The Court can look at the very bottom, right-hand corner to see the phrase check sum and that’s what my sister has been referring in part.
THE COURT: I’m sorry, that’s what?
MR. MAHONY: My sister has been referring to--
THE COURT: Right.
MR. MAHONY: --that check sum data.
THE COURT: Yes.
MR. MAHONY: If the Court were to take a look at the next page, which is 31, there’s the statement forging the CharlieTicket. So forging these magnetic stripe cards and in 32 it has that same data that you just looked and 33 gives another example to show methods for analyzing the data on these magnetic stripes.
Now, Your Honor, let me point to another objection. So in other words, Your Honor, the mapping, the specifics, the details of this particular card are exposed so that if the lead time or the investment time, that saves me. If I’m interested in this investment time to find it out for myself and it’s public.
Your Honor, on page 35 if I could call the Court’s attention to another example of disclosures and activity targeted to the card that, as far as we know, are not in the - well, let me explain what’s going on here. You can see in the left, at least what we understand is going on here, in the left hand side, we have a card that’s got an issued value of $1.25 so that the user here or the hacker here or the attacker here has spent the $1.25 on this particular card. The card is then converted using these forging and counterfeiting techniques that are disclosed into a card that is worth $100. Again, that’s our understanding of what this is illustrating and again, my sister stated that even on the face of the slides, additional verbal explanation is required because the slides are visual. This slide here may require a paragraph or 10 pages worth of textural description to make it clear to an audience. We have no control, idea, assurance, comfort about what will be said in that two minutes, 30 seconds, 20 minutes of text that is needed to explain this particular slide as one example.
Now, Your Honor, there are some additional concerns that are more along the lines of concerns we talked about yesterday.
THE COURT: Anything more from the slides?
MR. MAHONY: Yes, but Your Honor, these are more - potentially the Court could view these as puffing or as advertising. We think in this context it is not a prank. It’s not good fun. It is an enticement. It is providing research that focuses the attention on a particular target, us. So for example, page 4, the individual defendants state you’ll learn, you will learn from this conference, you will learn how to generate these stored value fare cards. The reverse engineer, the magstripes, and that’s the coding that we looked at, to pull out, to map that coding, had attacked the RFID cards, and those are the stored value cards, et cetera. It goes on. To tap into the fare vending network, and we have some concerns about that that I’m going to get to very recently, I mean, in just a minute. And on page 5, Your Honor, the statement is, and this is very illegal. So the following materials for educational use only. Your Honor, that appears quite tongue in cheek, at least to us. And if the Court were to look on page 24, and I apologize because there’s two page 24’s, I was not in my memory I, but it’s the first page 24, is value stored on the card. In other words, can the card be used as the equivalent of cash? And it says, if it is, try a cloning attack. In other words, duplicating the cards, counterfeiting the cards. In other words, it’s like printing cash. And then, Your Honor, on the second page 24, it says if yes, in other words, if it’s a stored value card, then you now have free subway rides for life.
Now, Your Honor, let me point the Court to one last objection, specific objection, which is on page 71, actually it starts on page 70. This is talking about network security and this is hacking the network. This is beyond simply the Fare Media, Your Honor, that the AFC network includes credit card information. Now, it’s encrypted with very strong triple encryption, but it’s there on the network. There’s a lot of data, private data, data proprietary to the T that’s on the network. It’s well beyond these counterfeiting and forging activities. This is tapping into the MBTA’s own network. Now you can see the third point down found unguarded network switches. Now, Your Honor, that phrase, unguarded must be taken with salt.
THE COURT: With what?
MR. MAHONY: With salt, Your Honor. These, the network switches are within alarmed areas, high security. If they access them they must be very tricky but they certainly knew they weren’t supposed to be there. Now, we see on page 71, fiber switches in an unlocked room. Your Honor, this is a network switch. This is a hub of the network. It’s core computer equipment with software and data and now, Your Honor, on page 71 there’s nothing underneath these huge servers. There’s no graphic underneath them, but if the Court takes a look at page 72, the Court will see a graphic there and that graphic says Wireshark. What is Wireshark? Wireshark is a way to snip a network. It’s a way to surreptitiously monitor all network traffic. Now, network traffic on the T system because it is sensitive is encrypted but even so, Your Honor, this type of equipment, this software can pick up IT addresses, in other words, where the data is originating, where it’s going to, who is talking to whom essentially and where this information goes. This is very, this is monitoring.
Your Honor, that is sufficient for current purposes to give the Court our view again since 4:30 this morning of this particular document.
THE COURT: All right. What I think I’d like to do then is to, we’ll work our way through the statute to understand first the jurisdiction here and precisely what it is that you’re asking for.
Let me start here with the, what I consider to be the jurisdictional issue. I assume you had a copy of Section 1030 in front of you.
Ms. Granick, do you have a copy of Section 1030 in front of you?
MS. GRANICK: Yes, Your Honor.
THE COURT: Okay.
MR. MAHONY: Your Honor, I apologize. I unfortunately left some things at home.
THE COURT: Here’s a copy of the Federal Criminal Code, Title 18.
MR. MAHONY: Thank you.
THE COURT: Okay. As I understand the thrust of the argument, and this a federal question case only on the basis of Section 1030.
MR. MAHONY: Correct.
THE COURT: The diversity, if I don’t have federal jurisdiction, then this case has to be remanded.
MR. MAHONY: Correct.
THE COURT: Okay. 1030(e)(2)(B) seems to be the claim that you’re making; that is, a computer which is used in interstate or foreign commerce. In your memorandum you state that it’s in interstate or foreign commerce because the computers are for example used to provide the MBTA services in Rhode Island and Massachusetts and you cite to paragraph 7 of Mr. Kelley’s declaration. Paragraph 21 of Mr. Kelley’s declaration indicates that it is not being used for MBTA services in Rhode Island, out of state.
MR. MAHONY: Your Honor, I should be clear, I’m almost positive that that paragraph says the CharlieCards are not being used but the computers themselves are used throughout the system.
THE COURT: Well, but we’re talking about this particular use, aren’t we?
MR. MAHONY: Well, there’s CharlieTickets and CharlieCards, Your Honor. So the – let me just get – Yeah, 21, Your Honor, states, although CharlieCards are not currently employed on the MBTA’s, and we distinguish between CharlieTickets and CharlieCards--
THE COURT: Where are the CharlieTickets shown to be used for commuter rail?
MR. MAHONY: Actually, Your Honor, a simple method for this, and I may have this wrong, but, Scott?
MR. DONNELLY: The commuter rail runs out of Providence, Rhode Island and the CharlieTickets are used.
THE COURT: And do you use the same computer for both of them?
MR. DONNELLY: Yes, we do.
THE COURT: It’s not a separate computer system?
MR. DONNELLY: No, the same computer system.
THE COURT: Okay. Now, turning then to the suggestions in ways in which there’s damage, I don’t understand how that works. First you allege damage under (a)(5)(B)(i).
MR. MAHONY: Yes.
THE COURT: And that is loss of $5,000. There’s no indication of a loss of $5,000. No indication of loss at all.
MR. MAHONY: Your Honor, what we have done is state that the CharlieTicket and the CharlieCard account for 68% of the weekday traffic.
THE COURT: You may, but that’s not the damage. Damage, you have to show loss to one or more persons during any one year period resulting from a related use in the course of conduct, aggregating at least $5,000 in value. There is no loss at this point, right?
MR. MAHONY: Your Honor, even – the statute says that a loss can include assessment, remedial efforts, all of what--
THE COURT: Look it, we’re going to have to go very specifically--
MR. MAHONY: Yes.
THE COURT: --because it is a criminal statute and the Rule of Lenity applies in civil proceedings in respect of criminal statutes when they’re used as a basis. So you say that the prospect of loss of at least $5,000 brings it within this provision?
MR. MAHONY: That’s correct and--
THE COURT: Okay. So show me where it says that.
MR. MAHONY: In our papers.
THE COURT: Where? If I refer to Mr. Kelley’s declaration, the first paragraph that’s referenced says the procurement and installation of the automatic fare collection system cost in excess of $180 million.
MR. MAHONY: Yes, that’s correct, Your Honor, but to, but later in Mr. Kelley’s affidavit, we have allegations, I’m sorry, statements that pick up the damages as well, Your Honor.
THE COURT: Well, paragraph 19 is the second one that you reference. You talk about 80% of the users using CharlieCard pass, and CharlieCards accounting for approximately $475,000 of the weekday, per weekday revenues which I recall correctly about $700,000.
MR. MAHONY: Yes, that’s correct, Your Honor.
THE COURT: Okay, but again, where’s the loss? Are you saying that prospectively there’s a loss of some amount that is going to be in excess of $5,000; is that what you’re saying?
MR. MAHONY: Correct, Your Honor. And I’m still – I’m looking for the provision in Mr. Kelley’s affidavit just to make sure that I’ve exhausted that point as well.
MS. GRANICK: Your Honor?
THE COURT: Just a moment while I let Mr. Mahony try to locate it.
MS. GRANICK: Thank you.
MR. MAHONY: Thank you, Your Honor.
THE COURT: You’re welcome.
MR. MAHONY: Your Honor, I do not recall a specific allegation with respect to the $5,000 map. The position is it’s implicit in the statements that this information if disclosed will cause substantial harm to the system. Also implicit in the statements quantifying the proportion of overall passenger trips that are attributed to the CharlieTicket and the CharlieCard and that those sums well exceed, substantially exceed the $5,000 amount.
THE COURT: All right. So the argument is that it comes within the (i)?
MR. MAHONY: That is one basis for the damage, yes, correct.
THE COURT: That’s the only basis for the damage, that prospectively you’re going to have more than five, you’re going to face more than $5,000 worth of damages if this permits people to hack in improperly?
MR. MAHONY: Correct. That’s correct.
THE COURT: Okay. Now, turning to the next grounds that you have, you say that it’s a threat to public health or safety.
MR. MAHONY: Yes.
THE COURT: What’s that?
MR. MAHONY: Your Honor, we go through the volume of traffic that’s provided, the volume of commuter transit that’s provided by the system and the system if destabilized--
THE COURT: Destabilized simply means that people are stealing from it and that’s your theory of public health and safety is that if the system can’t run, it’s a threat to public health and safety?
MR. MAHONY: Correct, Your Honor.
THE COURT: That it?
MR. MAHONY: Well, we have felt that declarant, testimony concerning the funds MBTA receives--
THE COURT: Right, that they can’t keep their fisc, you say threatens public safety and security?
MR. MAHONY: Correct. And that riders lose faith, lose confidence in the--
THE COURT: That’s not enough.
MR. MAHONY: --fare collection system.
THE COURT: That’s not enough for physical injury to me personally. So I don’t find that the (iii) be applicable, or (iv), excuse me.
Now, turning to the next one which is damage affecting, (5) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense and national security. Is this computer system, that is the computer system that deals with the CharlieTicket and the CharlieCard, the computer system that is used by the MBTA in furtherance of the administration of justice, national defense or national security.
MR. MAHONY: The same network that runs AFC also runs the antiterrorism video cameras, and supports the other antiterrorism initiatives at the T, and in paragraph 9 of Mr. Kelley’s affidavit, we point to the Homeland Security investment--
THE COURT: Right. They’ve made an investment. The question is whether or not these computers that we’re concerned about.
MR. MAHONY: Yes.
THE COURT: Oh, you say it’s connected to the network. Can this stand alone? That is, the CharlieCard and CharlieTicket stand alone without its networking?
MR. MAHONY: No, it relies on the computer network, Your Honor, to communicate a store value, accept payments, track usage.
THE COURT: Let me put it differently, can the defense in national security dimensions to the MBTA stand alone without connection to the CharlieCard?
MR. MAHONY: No.
THE COURT: Why? Is there an answer to this?
MR. DONNELLY: No, I can’t say that it can’t, it can’t stand alone. Right now it is interchangeable.
THE COURT: When you say interchangeable, you mean it’s part of a network of some sort?
MR. DONNELLY: It goes on the same network that the vending machines and the CharlieCards system goes to. It’s all in the same network.
THE COURT: But if we take the term computer as describing a data storage facility, which is the way it’s described in (e)(i), or communications facility directly related to or operating in conjunction with such a device, does that describe from your perspective the CharlieCard, CharlieTicket computer? I’m sorry, its relation to national security and defense?
MR. DONNELLY: The camera system was funded by Homeland Security grants--
THE COURT: I understand that. Here’s what I, I think I understand that. What I’m focusing on is that there is a definition of the term computer for these purposes. It doesn’t really refer to network, but let me read it to you just so you have a sense of it. It’s in (e)(i). It says, “The term computer means an electronic magnetic optical electrochemical or other high speed data processing device, performing logical or mathematic or storage functions. It includes any data storage facility or communications facility directly relating to or operating in conjunction with such device.”
Now, we’re assuming for present purposes that if you didn’t get money from Homeland Security, didn’t have any national security role, that you’d have a stand alone computer that is the object of the interest of the defendants? The question for me is whether or not I assimilate the national security computer that you have to the CharlieCard, CharlieTicket computer and, if so, how I do that.
MR. MAHONY: Just before you – Jack, are you--
MR. McLAUGHLIN: What we have is settlement--
THE COURT: Just a moment. If you’d just identify yourself for the record.
MR. McLAUGHLIN: I’m sorry. I apologize, Your Honor. I’m Jack McLaughlin. I’m the project director.
THE COURT: Right.
MR. McLAUGHLIN: What we have is a subcomputer systems that takes into account all of our gates, fare machines and equipment, all come back into the central computer system, which is encrypted, testimony has heard is encrypted. The video system was installed originally on the equipment and in light of September 11th, we expanded that system with Homeland Security funding and that’s a system that goes to various hubs throughout the system. We have five hubs that can actually take over the system, specific lines in case they go – [inaudible] - so they can switch over. For example, the hub at North Station can run the entire Orange Line if the need be, so in that respect, yes.
THE COURT: All right. So if I understand you, you are saying that it includes the communication facility, communications facility that’s directly related to or operates in conjunction with, to the degree that we’re talking about, the--
MR. McLAUGHLIN: Your Honor--
THE COURT: Let me just, so I can work my way through this, to the degree that we’re talking about a computer system used by or for a government agency in furtherance of the administration of justice, national defense and national security. So it’s tied together.
MR. McLAUGHLIN: Yes. We have in fact used the video system now that it’s attached to the system in furtherance of investigation by law enforcement agencies--
THE COURT: You say video system attached to the system, meaning, video system attached to the CharlieCard and CharlieTicket?
MR. McLAUGHLIN: That’s right – [inaudible].
MR. MAHONY: Your Honor, if I could, just in terms of this connection, if the Court could take a look at page 13 of that slide that you looked at before--
THE COURT: Okay.
MR. MAHONY: --it’s the page that says, state of the art surveillance often unattended. This is the surveillance system that – I’m sorry, page 13.
THE COURT: I’ve got it.
MR. MAHONY: This is the surveillance system that both Mr. Kelley and Mr. McLaughlin had testified to. As can be seen by the slides, this is one of the target hacks because it is the same system of the individual defendants.
THE COURT: Okay. All right. I don’t understand what it is that you precisely said they are doing improperly, and I guess we have to at that go to 130(a) because that’s the grounds for injunctive relief under 130(g).
MR. MAHONY: Yes.
THE COURT: So what particular provisions are we talking about?
MR. MAHONY: 5(a)(1), Your Honor. “Knowingly causes the transmission of a program, information code or command and as a result of such conduct, intentionally causes damage without authorization to protected computer.”
THE COURT: That’s the only one?
MR. MAHONY: No, that’s one. So this is a program, information code or command that encompasses what the defendants have done. Item (ii) – I’m sorry, Item (iii) is the other grounds under 5(a) that refers to intentionally accessing a protected computer without authorization and as a result of such conduct causes damage.
So we have discussed how these are protected computers, this is the system that these cards are part of and these are being accessed in order to, the cards are counterfeited and their unauthorized access to obtain funds. So that’s for 5(a), Your Honor, and then 5(b) we’ve gone through in terms of the 5,000 amount, the health or safety, et cetera.
THE COURT: All right. So, Ms. Granick, if you’re going to be the one speaking to this--
MS. GRANICK: Yes, Your Honor.
THE COURT: --it is narrowed down in my mind in any event to prospective loss under 5(d)(1) and a computer system used by a government agency in furtherance of the administration of justice and national defense under 5(b)(v). Is there any question that there is stated here a claim under the act?
MS. GRANICK: Yes, Your Honor.
THE COURT: Okay. Tell me about it.
MS. GRANICK: Okay. The 5, the plaintiff claimed they need to meet the elements under (a)(5)(A).
THE COURT: Right.
MS. GRANICK: (a)(5)(A)(i) says that they need to prove that the defendants have knowingly caused the transmission of a program, information, code or command and as a result intentionally caused damage without authorization for the computer. I have read the complaint and I don’t know what the transmission they are alleging is.
THE COURT: It’s the talk, right now it’s the talk tomorrow.
MS. GRANICK: Okay.
THE COURT: It may also consist of chit chat in a class in which they disclose to others who might be interested in hacking, but the transmission of this information seems to me to be apparent. The question is whether or not it’s going to be broader than it now is.
MS. GRANICK: Your Honor, the term transmission under (5)(A)(i) is referring to transmission of a program, information, code or command to a computer. It is not a general speech regulation that prevents someone from talking about something--
THE COURT: So we turn to page 1 of the proposed slides which offer the opportunity to access their website and obtain code? So prospectively they’re asking for people to use the web for purposes of obtaining and for them to transmit code?
MS. GRANICK: Your Honor, again, the transmission of code there would have to be the distribution or execution of the code on a computer, not the distribution of code to other people. There is another provision--
THE COURT: Wait a minute. Just a moment, it says programmer information, and code or commands. It covers all of those, program, information, code or command. You tell me that you have to execute the entire code? I don’t know if that’s true but certainly the language information is broad enough to cover this.
MS. GRANICK: Well, I think the transmission has to be, as a result of the transmission, it has to cause damage to a protected computer.
THE COURT: Well, let’s start from there. Let me stop on that for a moment. I’m treating this as prospective damage, although there may be damage already in the discussions within the course work or however this was developed under the supervision of an MIT person.
MS. GRANICK: Let’s look at the definition of damage under the statute, Your Honor.
THE COURT: Okay.
MS. GRANICK: It is subdivision (viii) of section (e), so (e)(viii) and the damage that they must prove is any impairment to the integrity or availability of data, of programs, a system or information.
THE COURT: You mean to tell me that if someone is able to compromise the ability to collect revenue that that is not an impairment?
MS. GRANICK: That is correct, Your Honor. That is not an impairment to the integrity or availability of data, a program, a system or information.
THE COURT: Okay. I reject that. Now, do you have another argument?
MS. GRANICK: Well, Your Honor, if I could just refer you to a previous case that discusses this very issue. This is a case of a federal criminal prosecution brought by the Department of Justice, the U.S. Attorney’s Office out of the Central District of California, and that was, in that case, United States v. McDaniel, I was the defense attorney on that case, the government claimed that transmission of information to customers of a messaging system informing them about an insecurity in the messaging system was an impairment to the integrity of that system. On appeal to the Ninth Circuit, the government was forced to admit that that was erroneous, that you can not impair the integrity of a system merely by communicating truthful information about the security status of that system, and the government had to move the Ninth Circuit to dismiss the criminal conviction of the defendant in that case.
THE COURT: Now, that’s not quite this case. So if someone says we have not provided you with free subway rides for life, that that doesn’t constitute an impairment to the system?
MS. GRANICK: If someone provided software for example with the intent to defraud the system, software that was intended to defraud the system, that could be punished under a different provision. If someone provided the means by which you could get free subway tickets, that could be a school that defrauds the system, but the mere transmission of information telling people that it is possible to circumvent the security of the system--
THE COURT: That’s not what we’re talking--
MS. GRANICK: --in showing how one would do it--
THE COURT: --we’re not talking about that. We’re talking about someone who holds themselves out and logs their presentation by saying we’re going to show you how to have a free subway card for life. That’s what their undertakings do, that your view is that that is not covered by (5)(A)(i).
MS. GRANICK: No, Your Honor, it is not.
THE COURT: Okay. I understand the argument. As I say, I reject it. What else?
MS. GRANICK: Once, if they establish damage to the system, program, information or data, then they have to show that that damage has caused loss and the loss element is a separate question from damage--
THE COURT: What do you do in the context of a preliminary injunction? Are you saying that there has to be loss already experienced or is injunctive relief available to protect against the likelihood of loss?
MS. GRANICK: There must already be loss.
THE COURT: And is there a case that says that?
MS. GRANICK: Because the preliminary injunction or TRO standard requires proof that the plaintiff is likely to prevail on the merits, they have to show the likelihood of every element of the tort or crime charged, and one of the elements of a violation of the CFAA is that there is loss. In the absence of loss as defined under the statute the plaintiff cannot prevail.
THE COURT: Okay. Is there a case that says that because it stands on its head, the idea of the availability of injunctive relief? The purpose of injunctive relief is to prevent loss and so what we’re addressing here is whether or not there is a meaningful likelihood of loss in the future if this activity is not restrained. Now, you say there has to be loss, that is to say the horse has to be outside of the barn before the courts can act under the statute. Is that your view?
MS. GRANICK: Yes, Your Honor. They have to--
THE COURT: Okay. Is there a case that says that?
MS. GRANICK: There are cases on defining loss. I would need to take--
THE COURT: No, I’m talking about cases that deal with the question of injunctive relief?
MS. GRANICK: No, Your Honor, not to my knowledge.
THE COURT: Okay.
MS. GRANICK: But the statute does say that for a violation involving the loss elements of (a)(5)(A), in other words if the claim is that there’s damage to a computer which provides loss, section (g) of 1030 says that damages for a violation involving only conduct described in Section (a)(5)(D)(i), which is the loss provision, are limited to economic damages. So the statute--
THE COURT: That is money damages. We’re not talking about money damages here. We’re talking about equitable, exercise of equitable powers by the Court to prevent this if it is possible. So I just want to understand if there’s anything else on the question of the equitable dimension of this. You’ve suggested that what the statute means is that the damages and the equitable relief are co-extensive, that you have to have had damages before you can have equitable relief. Why would you have equitable relief if we’ve already got damages?
MS. GRANICK: The equitable relief prevents further loss by the--
THE COURT: So we get one bite at the apple is that it?
MS. GRANICK: No, but there has to be a showing that these defendants have caused the damage or loss that the plaintiffs are complaining about and what the, the problem with the way that they’ve alleged the claim here is that there are no claims that these defendants are causing damage to the integrity or availability of the MBTA system. The claim is basically that by providing this information to the public, some member of the public might find a way to use this information, it would focus their attention in a way that they could use this information to help them get free subway rides.
THE COURT: And isn’t that precisely what they’ve offered to do; that is, to aid and abet those who engage in that kind of activity, except we’re going to, here’s how you learn to get a subway pass for life. They may just--
MS. GRANICK: They have not--
THE COURT: Just a moment. They may think that that was cute at the time that they drafted that up but that’s what they undertook to do and they have to accept the consequences of that because as far as I’m concerned if someone does end up doing this, they are aiders and abettors, yet, they have undertaken to provide this information.
MS. GRANICK: I think that that’s, you know, as you said earlier, this is a criminal statute and that is the question, I think, is it aiding and abetting to provide this information? Would it be aiding and abetting another party, because I think that the focus on aiding and abetting says that there is no claim against these defendants. These defendants have not compromised the MBTA system. These defendants are merely--
THE COURT: We don’t know that at the time, at this time. What I see is documentation that shows that they could if they wanted to. The question of whether or not they have improperly used the T by augmenting the sums is I suppose a matter for discovery, but I have to tell you that I’m not sure that they’ve had adequate adult supervision here. You’ve got lawyers who want to test the outer limits of the statute. We have an institution that has had some great difficulties just this year in what its students think of amusing stunts resulting in criminal prosecutions, and I just wonder if someone ought to be counseling them not to become a test case but rather to think more carefully about what their exposure is.
MS. GRANICK: Your Honor--
THE COURT: Just a moment, I think counsel for MIT has, the defendant I should say not MIT, has something to say.
MR. SWOPE: I’m going to object, Your Honor. Your Honor has heard no evidence whatsoever what MIT’s supervision on this matter was. I’d ask you to just suspend judgment--
THE COURT: I haven’t made any judgment about it. It’s not before me except to say, render some anxious concerns about the idea that someone is drawing these kids close to a violation of federal law and for no particular outside purpose. There is at the end of the memorandum of the MBTA a reference to good practices with respect to the disclosure of vulnerabilities. Now, I suppose that everybody is entitled to their 10 or 15 minutes of fame, even in Las Vegas, but the short of it is that the way in which you address these kinds of things, if you’re really interested in maintaining best practices, is to bring it to the attention directly of the vulnerable entity so that the vulnerable entity can deal with it.
MR. SWOPE: Your Honor, I’m not disagreeing with it. I’m saying we don’t have any evidence that tells you that MIT is not always said--
THE COURT: Well, it may have said it. It may have said it. It also may have put in place a set of circumstances in which this kind of exploitation is encouraged--
MR. SWOPE: Your Honor--
THE COURT: Just a moment, is encouraged by the way in which core structures are set up. The short of it is I don’t know why the advisors to these students aren’t bringing home not merely the potential but the actuality of one of these slides involving a student who was prosecuted in East Boston. I’m looking quickly for the slide, to show that they’re aware of the potential illegality.
MR. MAHONY: Page 84, Your Honor.
THE COURT: And we’ll look at page 84 and we recognize that they are aware that they’re running up against the line. So--
MR. SWOPE: I don’t mean to ask Your Honor to not make a judgment before you--
THE COURT: I haven’t made judgment. It’s not before me. I’m making a set of observations which inform my judgment about whether or not somebody else has to exercise some supervision over these kids.
MR. SWOPE: And if there’s evidence that MIT has already done that, then Your Honor should, it should not be presented before our time.
THE COURT: Is there?
MR. SWOPE: Yes.
THE COURT: Sufficient to get them out of making these kinds of disclosures? Is it MIT’s position that they are not potentially exposing themselves on this?
MR. SWOPE: We don’t have a position about this particular case, Your Honor, but they, I mean, the purpose of an educational institution is to teach. It guarantee their students learn.
THE COURT: But it may not teach them in a fashion that it encourages a violation of criminal law.
MR. SWOPE: Absolutely, Your Honor.
THE COURT: And so if in the course of its course work it encourages people to develop mechanisms for hacking and then to disclose those mechanisms of hacking, it may have some exposure.
MR. SWOPE: If Your Honor could hear the evidence, which is not before you today and not subject of this hearing, there would be a different set of facts that would resolve that in Your Honor’s--
THE COURT: No. All I’m suggesting is that there is a need apparently to address injunctive relief because of a lack of restraint on the part of the defendants, the individual defendants, that has not been restrained by various, sufficiently adequately restrained by various of their advisors. So the short of it is I have some significant difficulty taking the view that I should not issue injunctive relief here. I’ve listened to the discussions which to some degree seem to me quite airy about the inapplicability of the statute, all of them suggesting that the defendants are prepared to go right up to the edge and perhaps beyond in furtherance of their desire to obtain some publicity for their student undertakings, but--
MS. GRANICK: Your Honor, may I address the issue of the statute and the publicity for a moment?
THE COURT: Yes.
MS. GRANICK: Your Honor, I do not think that the statute – well, let me put it this way. This is not something that is testing the outer limits of the statute or seeking to be a test case. The students did not try to create this litigation or do something that in any way is considered to be risky or edge behavior the scientific discipline in which they are studying or--
THE COURT: Just a moment, address that issue. Why is it that they’re not making available with a reasonable amount of time to the MBTA the products of their research for purposes of permitting the MBTA to take what steps are necessary to protect itself? Why is it that they want to make disclosure first before a hacker’s convention?
MS. GRANICK: Well, what happened here was that they did contact the MBTA and try to give them information about their presentation in advance of the presentation. So on July 25th before this conference, Mr. Ryan emailed his professor to ask him to help set up a meeting with the MBTA to discuss the research that they did before the DEFCON presentation, and what the complaint alleges is that, and then contacted the professor again, Mr. Ryan contacted the professor again on July 20th, again asked for help in setting up that meeting with the MBTA people, and in those emails the professor said that it was not a good idea to write it, that they needed to contact the people directly so that the letter didn’t get, you know, lost in the mail if they sent it to the address that was put on the MBTA website.
Now, according to the complaint, the vendor contacted the MBTA also on July 30th saying that they had noticed that the DEFCON presentation and that they had some concern. So what ended up happening was that Professor Rivest and the students were contacted by Richard Sullivan, the sergeant detective with the MBTA who said he wanted to meet with the students to discuss the presentation. They set up that meeting and had it on Monday, August 4th. So Monday of this past week, and then at meeting Agent Sullivan brought an FBI agent with him, Agent Schafer, and the students did not know and Professor Rivest did not know that an FBI agent was going to be brought along. They did not have counsel present at the meeting, but they continued with the meeting in any case to provide both Mr. Sullivan and Agent Schafer with information about their presentation.
At the end of that meeting on Monday, August 4th, everyone, including Professor Rivest and our students believed that everything was fine, that the MBTA’s concerns had been addressed and that they were to provide the MBTA with a three-page document summarizing the vulnerabilities that they had located. That was the understanding coming out of the meeting on Monday and that they would provide that information some time before the presentation at DEFCON this weekend.
Now, Professor Rivest sent an email to Mr. Sullivan and to Agent Schafer following that meeting and in the email that he sent he said, I’m glad that we had a chance to meet. I am glad that, you know, we’re going to be, the student team is going to provide a summary of their findings and recommendations and we all understand and support the idea that the DEFCON presentation will not provide the technical details that this is for others to defeat the security systems in place at the MBTA. They received an email, friendly email back from Agent Schafer, but he did not hear from the MBTA until there was contact between Mr. Kelley and Professor Rivest, and that was on Wednesday, August 6th. And what I understand from that email exchange is that Mr. Kelley said that the MBTA was not interested in pressing charges, but still had concerns about the talk based upon the abstract that was provided on the DEFCON site.
So the students provided, said that they would finish the report before the weekend and provide their phone numbers so that when the report was received, the MBTA people could contact them. So they did, Your Honor, talk to MBTA in advance. They also talked to the FBI in advance and gave them information about the report, about the presentation and felt that that information they had provided was adequate. It wasn’t until on Friday when they heard that this action had been filed, that we believe that the MBTA’s concerns were not addressed at that meeting on that Monday. So the students did do responsible, however, they did talk to the MBTA first and did believe that what the MBTA was concerned about had been addressed.
THE COURT: Anything further? Anything further?
MS. GRANICK: On that issue or--
THE COURT: Or perhaps on the issue of when it was that these set of slides was provided to the MBTA.
MS. GRANICK: We did not realize that the MBTA was still wanting the slides until Friday after this lawsuit had been filed. At the meeting on Monday they had asked for the slides, the FBI agent asked for the slides so that by the end of the meeting, the agreement was that they were going to provide the three-page report and they did not believe that there was any further interest or request for the slides to be provided.
THE COURT: Okay. Well, is there anything further that we haven’t touched on?
MS. GRANICK: Your Honor, I have not touched on one of the most important issues in this case, which is the issue of the First Amendment, and as you know I disagree respectfully with the Court that the statute prohibits the distribution of pure information that is not targeted at a computer system. One of the reasons why I think the statute must be interpreted that way is because to read it otherwise raises severe First Amendment questions.
THE COURT: Let me understand - so we’ll deal with particular language. There’s particular language in the proposed order that enjoins them from providing information, software code or other materials that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System. You’re saying that’s covered by the First Amendment?
MS. GRANICK: Well, I think we, I’m not sure we’re looking at the same order, so let me just take a moment, Your Honor, and make sure I’m on the same page with you because there was a new proposed order circulated this morning and that’s the one that I’m looking at.
THE COURT: Right. There’s actually two versions, the first provision in one of them is the language I read, it is the second provision in the other.
MS. GRANICK: Okay.
THE COURT: You may assume that that’s the only one that I’m going to consider.
MS. GRANICK: Okay.
THE COURT: That’s the only provision that I’m going to consider. I’m not going to say that they can’t engage in discussions at DEFCON. I’m not going to say that they are prohibited from indicating that there is some potential or compromise already of the CharlieCard or CharliePass, but I am considering enjoining them in providing information, software code or other materials that would assist another in any material way to circumvent or otherwise attack the security in the Fare Media System, and are you contending that that is a potential First Amendment violation?
MS. GRANICK: My argument is twofold, Your Honor. One is that under some circumstances enjoining that would be a potential First Amendment violation because the First Amendment does protect instructional speech except under certain circumstances. My other argument is--
THE COURT: Circumstances in which somebody says that they’re offering to provide people with the information necessary to get a subway card for life?
MS. GRANICK: Your Honor, as you have said, if the information provided constitutes aiding and abetting under the criminal law, then it is not protected speech. Similarly, speech is not protected if it constitutes conspiracy or some other thing like that. We all know that speech can be a crime.
THE COURT: So in this context with the prospect that that is what is going to happen, put to one side whether or not it’s been demonstrated, but if there is a prospect that that is going to happen, is there any question about the First Amendment?
MS. GRANICK: Yes, Your Honor. The First Amendment protects instructional speech unless it is distributed with the intent that the listener use that speech to commit an offense and the intent here is a research and educational intent, not an intent to have the listener go out and use the information for criminal purposes. And, you know, when you look at the aiding and abetting law, even the, you know, the cases that are about providing information to a co-conspirator or to the principal in that criminal case, it is, the cases do not criminalize the pure distribution of information that is truthful without more.
THE COURT: Okay. Anything else?
MS. GRANICK: Yes, Your Honor, the First Amendment is also relevant to the Court’s interpretation of the statute. So in the Doctrine of Constitutional Avoidance says that if there are two interpretations of a statute, two reasonable interpretations of a statute, one which leads to constitutional problems or concerns and one which does not, then you interpret the statute in accordance with the meaning that does not raise the First Amendment question. So looking at the interpretation of (a)(5)(A) under the statute, 1030(a)(5)(A)(i), knowingly causes the transmission of a program, information, code or command and as a result intentionally causes damage without authorization to the protected computer. If that provision of the statute is interpreted as criminalizing the pure distribution of information at a conference, to people who are listeners, then it raises First Amendment concerns. It is this information that is truthful, including instructional information, and including computer code, is protected by the First Amendment.
The reason why (a)(5)(A)(i) is not unconstitutional and does not violate the First Amendment is because what the statute is getting at is sending information to a computer that breaks that computer. It is not targeting discussing information in a public context or academic context or on the street corner or in a newspaper or on a mailing list or in any of the numerous legitimate outlets for security information like this communicated. If it did, that would violate the First Amendment or at the very least raise serious First Amendment considerations. As a result, you have to avoid those serious First Amendment problems by interpreting the statute more narrowly as I suggested.
THE COURT: All right. Anything further?
MS. GRANICK: No, Your Honor, I don’t believe so.
THE COURT: Okay. Well, I’m going to enter a temporary restraining order here, limited to the proposal made by the plaintiff to prevent providing certain information, and I’ll take the language from Section (a)(5)(A)(i); that is, I’m going to enjoin the defendants from causing the, or from providing information or program, or code, or command that would assist in a material way to circumvent or otherwise attack the security of the Fare Media System.
I start as I must with the principal issue which is, is there a likelihood of success on the merits here, and we’re dealing, of course with prospective relief. I take no position whether or not there has at this time in loss to the MBTA. The record doesn’t disclose that, it doesn’t yet support it, but there is of course the prospect that even before the DEFCON meeting that the defendants managed to provide otherwise improperly uncompensated access to the services of the MBTA to themselves or to plaintiffs. But that’s not before me.
What is before me is the prospect that they are intent upon and hold themselves as undertaking to provide information that will make it possible to use their very arresting phrase, make it possible for people to get a free subway card for life. What that really means is abuse the computer system of the MBTA for revenue maintenance by their manipulation of various kinds and unauthorized access to various kinds of protected computer facilities. This it seems to me is something that if it comes to fruition is properly within the scope of both (5)(A)(i) and (5)(A)(iii). They are without authorization. They are acting in a fashion that has the prospect of damage well in excess of $5,000. They are accessing a computer system which because of its networking, provides access in addition to national security and law enforcement information. And it is apparent that even in the repeated iterations of their intentions that they maintain the desire to attract people to engage in criminal conduct in the form of free access to MBTA services through their computer system. My view is that there is a likelihood of success on the merits if this were to be effective, and the office of an injunction is not post facto to provide damages afterwards. It is prospective to avoid damages that are very hard to calculate under these circumstances and very hard ultimately to be reduced to some form of judgment.
The distribution of information, even incremental information that makes it easier for those who have criminal intent to make use of this information, it seems to me is something that in the absence of the exercise of the judgment and restraint of the defendants, which I have not seen, must be restrained. So, I find that there is a likelihood of success on the merits unless the defendants are restrained in the fashion that I have indicated; that is, restrained from providing information, program, code or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System of the MBTA.
I look at the balance of hardships. On the one hand I have enthusiastic students interested in calling attention to the work that they have done. In ordinary circumstances, that’s not something to be restricted, perhaps even encouraged, but the harm here to them of restricting this distribution of information under these circumstances in which they have called out and solicited people to come to listen to them for purposes of obtaining illegal access to the MBTA through its computer system strikes me as minimal.
I have been presented with information which suggests that there is a set of standards within the computer industry that encourages full disclosure of vulnerabilities to the vendor or the user before there is distribution of the information regarding that vulnerability and offering a reasonable amount of time for the vendor or the user to take steps to protect against the identified vulnerability. I have been informed of a rather elaborate gavotte, a dance that was undertaken among the university, at least one of its professors, the students, the MBTA and the FBI. I do not find that the students provided all of the information necessary for the MBTA to take the steps that are necessary to guard against the vulnerability.
And so I look at the harm to the students and the harm to the students is perhaps restricting to some degree their undertaking to call attention to themselves and their research at a major conference in a fashion that the record before and the submissions of the parties indicate is in contravention of best practices, perhaps standard practices within the industry. The short of it is I see no harm to the defendants in the entry of an injunction, temporary restraining order with respect to this information which is at the core of Section 1030.
Then I look to the harm to the defendant. The defendant, of course, is apprehensive, in fact perhaps even embarrassed by its vulnerability and it would have me for example restrict the defendants from indicating that there has been a compromise to the security or integrity of the Fare Media System. I’m not going to do that. That it seems to me is open to fair comment, and so embarrassment about computer or I guess computer vulnerability or security or integrity within its computer system, is not damage that I weigh. But what I do weigh is the prospect that smart people will be able to find a way for at least a period of time to impose substantial loss upon the MBTA, and that is a matter that in the absence of an injunction that is tailored to restrict disclosure of materials that would be in violation of Section 1030 is cognizable and important.
It causes me then to move over to the final consideration, which is the public interest. It is too much to say that the MBTA because it is a quasi public agency embodies itself in whatever it wants to do as the public interest, but it is fair to say that a compromise which causes loss to the MBTA of revenues which I find would be no less than $5,000 if it were in the hands of the wrong people who would be aided and abetted indeed support it by disclosure at this time of the particulars of the manner in which the defendants have hacked into the system would create costs that are simply unsupportable. I don’t think that I’m unfairly going beyond the record to recognize that the MBTA like most public transportation systems faces real cash issues and someone who opens a mechanism to deprive them wrongfully of their revenues is acting in violation of the public interest and it is in the public interest to enjoin such activity.
So for those reasons I enter this as a temporary restraining order which will last for 10 days. This is not my case. This is Judge O’Toole’s case but in his absence acting as emergency judge I’ve taken it up, but it’ll go back to him, and of course the defendants are free to seek modification even before the end of the 10-day period. I am not going to red pencil the defendants’ presentation to DEFCON if they choose to go forward with it. I’ve stated I think with specificity what it is that they are required to avoid, but they should understand that they face at least three possible avenues of difficulty. The first is because this is a criminal statute the potential for criminal prosecution. The second is that because of their unwillingness to exercise restraint in these areas I’ve outlined they face the prospect of contempt proceedings. And the third, of course is the potential for actual damages for any diversion of revenue from the MBTA as a result of any disclosures that they make in violation of the statute or in violation of this injunction.
I am, where Ms. Granick ended, which I think is a very important point, there are the First Amendment dimensions to this. There is a value in the distribution of research results. There is a value in the distribution of sure information, but there’s a balance that has to be drawn at various points. That balance ultimately reflects a willingness to accept a degree of restraint. A degree of restraint may be reflected in best practices with the industry. It may be reflected in a willingness to avoid hyping a presentation with titillating references to free goods and ways to avoid prosecution with a kind of wink, wink, nod, nod approach. Sometimes we can’t expect people in their early 20’s to have sufficient judgment or experience to avoid causing those clashes of interest between something as broad and as important as the First Amendment and the need to avoid actual criminal conduct of which words are the constituent elements. Words and the transmission and distribution of data are the constituent elements.
We look to others to reinforce and perhaps educate with respect to the exercise of restraint and when that is unsuccessful, whether because the education was insufficient or the defendants, individual defendants were recalcitrant or tenured, then the matter comes to the Court, and on this record I find that there is a likelihood of success on the merits, that there’s no damage cognizable to the defendants, substantial potential damage to the plaintiff and a balance of the public interest, even considering the need and appropriateness for transparency and full dissemination of scholarly materials that justifies the extraordinary intervention under these circumstances to avoid immediate and irreparable harm. And so for those reasons, which I’ve dictated into the record, which is a tape record because of the after hours timing of this making it difficult to bring in anyone but the most diligent of the court employees on a weekend, but I’ve dictated it into the record for the use of the parties and perhaps for Judge O’Toole when the matter comes to him, but the order enters as of 1:30 today and it lasts for 10 days unless further extended by a competent court.
Ms. Granick, yes go ahead.
MS. GRANICK: I’m sorry, Your Honor, for the official record, I would like to just register objections to the state of the language of the TRO. As the Court has enunciated it, the language of the TRO is a prior restraint on speech that does not give the students or the lawyers sufficient information to know what speech or what aspect of the presentation will result in violation of the order and potential contempt sanctions. Your Honor has stated on the record that the concern is the prospect that smart people will be able to use this information to find a way to impose a loss on the MBTA and the students cannot know in advance what information in their potential presentation will be usable by smart people to find a way to impose the law.
That vagueness imposes, and the threat of potential sanctions poses a severe chilling effect and burden on their free speech, one that is substantial enough that as the Court has recognized the reasonable course of action for the students may be to choose not to go forward with the presentation at all, and that is exactly the harm that the First Amendment seeks to avoid.
THE COURT: Well, I think we’ve all been over the relevant discussions here. The language, of course, is drawn from the statute itself and it addresses itself to three individuals who started the issue with a circular that says, “want free subway rides for life?” I suspect that they’re capable of applying the language of the statute and understanding the scope and the injunction, and for that reason I don’t consider it to be vague.
So, your clients, I understand have been listening in, Ms. Granick, but in any event they have now received notice. We’ll reduce the order to a particular writing, but it will be essentially the, it will be the language that I’ve identified here and the parties are free to take whatever steps they consider to be appropriate under the circumstances.
Is there anything further?
MS. GRANICK: No, Your Honor.
THE COURT: Okay. I’d ask that the MBTA provide a copy of the draft order so that I can revise it this afternoon. You can send it over by email to--
MR. MAHONY: I think we may be able to send it over.
THE COURT: --Mr. Lovett and get it entered in a written form. All right. We’ll be in recess.