Posted by Eugene Volokh:
Temporary Restraining Order Against Crime-Facilitating Speech About Security 
Vulnerabilities:
http://volokh.com/archives/archive_2008_08_10-2008_08_16.shtml#1218465553


   Declan McCullagh at [1]CNET News reports:

     A federal judge on Saturday granted the state of Massachusetts'
     request for an injunction preventing three MIT students from giving
     a presentation about hacking smartcards used in the Boston subway
     system.

     The undergraduate students were scheduled to give a presentation
     Sunday afternoon at the Defcon hacker conference here that they had
     said would describe "several attacks to completely break the
     CharlieCard," an RFID card that the Massachusetts Bay
     Transportation Authority uses on the Boston T subway line. They
     also planned to release card-hacking software they had created.

     U.S. District Judge Douglas Woodlock on Saturday ordered the
     students not to provide "program, information, software code, or
     command that would assist another in any material way to circumvent
     or otherwise attack the security of the Fare Media System."
     Woodlock granted the MBTA's request after a hastily convened
     hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.

     The suit, filed a day earlier, also names the Massachusetts
     Institute of Technology as a defendant. Neither MIT nor the
     students -- Zack Anderson, R.J. Ryan, and Alessandro Chiesa --
     could immediately be reached for comment....

     The MBTA, which is a state government agency, claims that
     "disclosure of this information will significantly compromise the
     CharlieCard and CharlieTicket systems" and "constitutes a threat to
     public health or safety." ...

     Every one of the thousands of people here who registered for Defcon
     received a CD with the students' 87-page presentation titled
     "Anatomy of a Subway Hack." It recounts, in detail, how they wrote
     code to generate fake magcards. Also, it describes how they were
     able to use software they developed and $990 worth of hardware to
     read and clone the RFID-based CharlieCards.

     Those CDs were distributed to conference attendees starting
     Thursday evening, meaning the injunction was nearly two days late.
     (On the other hand, the source code to the utilities -- not
     included on the CD -- was removed from
     web.mit.edu/zacka/www/subway/ by Saturday morning.) ...

   The order barred "providing program, information, software code, or
   command that would assist another in any material way to circumvent or
   otherwise attack the security of the Fare Media System." The ban on
   "information" appears especially broad, and would restrict even
   lectures or papers describing the general techniques; this means the
   broader question about whether communicating code (source or object)
   is "speech" need not be reached here, because lectures and papers
   clearly are.

   The question is whether, in this context, the speech is
   constitutionally unprotected, and, even if it is, whether it can be
   restrained by a preliminary injunction. If the only argument was that the
   students' speech was "crime-facilitating" in the sense of helping
   others commit crimes (or even torts), I'd just rely on the analysis in
   [2]my Crime-Facilitating Speech, 57 Stan. L. Rev. 1095 (2005). (For
   whatever it's worth, there's a factual dispute about whether the
   students warned MBTA of their findings and gave them an opportunity to
   fix the security problem before going public with their conclusions;
   that question may be relevant to whether the students behaved
   properly, but under my Stan. L. Rev. analysis it shouldn't be relevant
   to whether their speech publicizing the violation is constitutionally
   protected.)

   But here the MBTA argues (see the [3]Complaint and the [4]Memorandum
   in support of the Temporary Restraining Order) that the student
   defendants got the information by illegally accessing the material
   inside the MBTA cards, and other MBTA computer systems, in violation
   of the Computer Fraud and Abuse Act -- a law that neutrally bans the
   conduct of unauthorized access to others' computer systems. Whether
   the speech communicating information they learned from their illegal
   conduct (if it was illegal) may be restricted is potentially a
   different question.

   On the other hand, even otherwise unprotected speech generally can
   only be restricted after a finding on the merits that the speech is
   indeed unprotected. It generally can't be restricted via a temporary
   restraining order or a preliminary injunction that's just based on a
   preliminary, quick-and-dirty estimate of whether a crime was violated
   and whether the speech is therefore constitutionally unprotected.
   That's the best rationalization I could come up with of the "prior
   restraint" doctrine, which as I understand it means that speech cannot
   be restrained prior to a merits finding about whether it's
   unprotected. See [5]this analysis in Mark Lemley's and my Duke article
   on preliminary injunctions in intellectual property cases, though note
   that our article responds largely to the fact that the prior restraint
   doctrine seems to be disregarded (mostly silently) in certain classes
   of cases, such as copyright cases.

   So this is a pretty complex legal question; I hope to have more
   thoughts on the subject in coming days.

References

   1. http://news.cnet.com/8301-1009_3-10012612-83.html?part=rss&subj=news&tag=2547-1_3-0-20
   2. http://www.law.ucla.edu/volokh/facilitating.pdf
   3. http://cyber.law.harvard.edu/~pmalone/MBTA%20v%20Anderson%20Complaint.pdf
   4. http://volokh.com/files/mbtatromemo.pdf
   5. http://www.law.ucla.edu/volokh/copyinj.htm#IIB
