Information about http://www-tech.mit.edu/V128/N30/subway/30-mbta-oppositiontoTROreconsider.pdf

UNITED STATES DISTRICT COURT …

Pages: 15
Language: english
Created: Thu Aug 14 10:13:08 2008
                          UNITED STATES DISTRICT COURT
                           DISTRICT OF MASSACHUSETTS


MASSACHUSETTS BAY
TRANSPORTATION AUTHORITY

                    Plaintiff
v.
                                                 Civil Action No. 08-11364-GAO
ZACK ANDERSON, RJ RYAN,
ALESSANDRO CHIESA, and the
MASSACHUSETTS INSTITUTE OF
TECHNOLOGY

                    Defendants



     PLAINTIFF'S OPPOSITION TO CROSS MOTION FOR RECONSIDERATION OF
                  DEFENDANTS ANDERSON, RYAN, AND CHIESA


                                     MASSACHUSETTS BAY TRANSPORTATION
                                     AUTHORITY

                                     By its attorneys,

                                     Ieuan G. Mahony (BBO #552349)
                                     Maximillian J. Bodoin (BBO # 667240)
                                     HOLLAND & KNIGHT LLP
                                     10 St. James Avenue
                                     Boston, MA 02116
                                     (617) 523-2700

                                     Thomas F.S. Darling III (BBO #558848)
                                     MASSACHUSETTS BAY TRANSPORTATION
                                     AUTHORITY
                                     State Transportation Building
                                     7th Floor
                                     10 Park Plaza
                                     Boston, MA 02116
                                     (617) 222-3174

Dated: August 14, 2008




                                                           Table of Contents

Introduction
Factual Background
I.         The Information At Issue.
           A.         Three Relevant Categories of Information.
           B.         The Existence of Non-Public Sensitive Materials.
           C.         The Sensitivity of the Three Categories of Information.
II.        The Points At Which The Individual Defendants Disclosed Pertinent Information
           to the MBTA.
Argument
I.         The CFAA Prohibits The Defendants' Conduct.
           A.         The Defendants Would Have Knowingly Transmitted Information That
                      The Defendants Knew Would Cause Damage To Protected Computers.
           B.         The Defendants' Construction Of The CFAA Is Illogical.
                      1.         The Statute Covers "Chains" Of Actors And Actions, And Is Not
                                 Limited To "Solo" Actors As The Individual Defendants Argue.
                      2.         The Term "Transmission" Includes Verbal Transmissions, And
                                 Cannot Be Restricted In The Manner The Defendants Claim.
II.        The TRO Does Not Prevent The Defendants From Engaging In Any Of The
           Activities They Identify.
III.       The First Amendment Does Not Protect The Individual Defendants' Activities.
           A.         The Presentation Advocates Violation Of The Law And -- In The Context
                      Of One Of The Largest Hacker Conferences In The World -- Is Directed To, And
                      Likely To Incite Imminent Lawless Action.
           B.         The Presentation And Related Materials Constitute Commercial Speech
                      And, Given Their Advertisement Of Illegal Conduct, Receive No First
                      Amendment Protection.
IV.        The Individual Defendants' Formulation Of The "Responsible Disclosure"
           Doctrine Is Illogical.
Conclusion

                                                  Introduction

        The plaintiff, Massachusetts Bay Transportation Authority (the "MBTA"), hereby

opposes the Cross Motion for Reconsideration of the defendants, Zack Anderson, RJ Ryan, and

Alessandro Chiesa (the "Individual Defendants" or the "Defendants"). The Individual

Defendants:

        (a) Misconstrue the Computer Fraud and Abuse Act (the "CFAA");

        (b) Ignore major exceptions to First Amendment jurisprudence;

        (c) seek to avoid the fact that their Defcon Presentation (i) expressly promises "you now
            have free subway rides for life"; (ii) expressly admits "THIS IS VERY ILLEGAL"1,
            and (iii) thus represents black-letter "advocacy to violate the law," directed to incite
            or produce imminent lawless action;

        (d) incorrectly assume that the Presentation is "research," where it is at best commercial
            speech;

        (e) overlook the fact that their own arguments demonstrate the propriety of the TRO, as
            they claim they wished only to discuss publicly available information, and would
            voluntarily withhold key sensitive information;2 all conduct permitted by the TRO,
            and particularly the TRO as modified by the plaintiff's Motion to Modify.

        Each of the above points is demonstrated below, and the Cross Motion must accordingly

be denied.

                                             Factual Background

        The MBTA relies on its earlier papers for relevant facts with respect to this Cross

Motion, supplemented as follows with respect to Responsible Disclosure. As argued previously,




        1  See Compilation of Previously Submitted Exhibits, Now Submitted In Opposition to Defendants' Cross
Motion for Reconsideration ("Compilation Ex.") 16 at 109, 129 (emphasis added; capitalizations in original) (the
"Presentation").
        2  As noted below, there is no record support for the MIT Undergrads' claims in this regard, as their EFF
counsel has chosen not to submit any affidavits from the MIT Undergrads.



Responsible Disclosure requires (i) a disclosure sufficient to correct flaws; and (ii) a period of

time sufficient, with reasonable diligence, to correct.3

I.     The Information At Issue.

       A.         Three Relevant Categories of Information.

       There are three categories of information and data that are relevant to this matter: (i)

public domain materials ("Universal Public Domain Materials"); (ii) materials relevant to the

MBTA's AFC System that became public domain in connection with the DEFCON conference

("Recent AFC-Related Public Domain Materials"); and (iii) non-public materials that relate to

the AFC system and potential security vulnerabilities ("Non-Public Sensitive Materials").

       The category "Recent AFC-Related Public Domain Materials" consists of two elements:

(i) a four page Report that the Individual Defendants provided to the MBTA on Friday evening,

August 8, the night before the initial TRO hearing was to take place (the "Report")4 and (ii) an

87 page PowerPoint slide presentation that the Individual Defendants' EFF counsel refused to

provide to the MBTA until 4:38 AM on Saturday morning, August 9, hours before the 11:00 AM

Court hearing (the "Presentation").5 Contrary to the Individual Defendants' assertions

(unsupported by affidavit testimony), the MBTA after the August 4 meeting made numerous

requests for this information.

       B.         The Existence of Non-Public Sensitive Materials.

       The Individual Defendants seek to argue that no sensitive information remains to be

disclosed, and that the protection afforded to the MBTA by the TRO is unnecessary. For

example, the Individual Defendants argue that:


       3  See Memorandum in Support of Motion for Temporary Restraining Order [3] at iv-vi.
       4  Compilation Ex. 20. See Henderson Decl. [10] ¶¶7-12.
       5  Compilation Ex. 16. See Mahony Supp. Decl. [9] ¶¶2-13.



                   most, if not all, of the significant facts known to the students about the
                   Fare Media System are now public, either because they are contained in
                   the slides prepared for and distributed at DEFCON before the TRO issued,
                   or because the MBTA filed research information provided to it by the
                   students on the public docket in this case.6

        This claim is inaccurate. First, the Presentation on its face indicates the Individual

Defendants' intent to provide additional materials, including software code.7 In addition, the

Individual Defendants' EFF counsel state that the Undergrads received an "A" on the paper they

prepared for Professor Rivest, a widely known and respected security and encryption expert.

The MBTA's internal expert, Scott Henderson, testified in his Declaration, for example, that the

Report appeared incomplete, and was "not original work or an original attack."8 Indeed, the

Individual Defendants state that the Presentation "does not contain the key information about the

flaws."9 It is unlikely that Professor Rivest would award an "A" for the work represented by the

Report and the Presentation, indicating that additional sensitive materials exist in the possession

of the Individual Defendants. The MBTA notes that the Individual Defendants have been

unwilling, to date, to produce the "A" paper they prepared for Professor Rivest.

        C.         The Sensitivity of the Three Categories of Information.

        The sensitivity of the three overall categories of materials is as follows:




        6  Cross Motion [26] at 5 (emphasis added).
        7  Compilation Ex. 17 at 105 ("For updated slides and code, see http://web.mit.edu/zacka/www/subway/");
at 142 ("wrote Python libraries for analyzing magcards"); at 171-172 (examples of code); at 191 ("Wrote code to
read and clone MIFARE cards (given the key)").
        8  Henderson Decl. [10] ¶¶18-22.
        9  Cross Motion [26] at 5.



        Category                       Illustrative Materials                   Sensitivity

        Universal Public Domain        Karsten Nohl, a UVA PhD candidate:       None.
        Materials                      information regarding weaknesses in
                                       MIFARE card

                                       Industry-known magnetic stripe
                                       vulnerabilities.

        Recent AFC-Related Public      DEFCON Presentation and Report           None/Low
        Domain Materials

        Non-Public Sensitive           Additional information, to be            High, it appears, pending
        Materials                      discussed at the hearing                 expert review


II.    The Points At Which The Individual Defendants Disclosed Pertinent Information to
       the MBTA.

       The MBTA understands that the Individual Defendants first provided the Presentation to

the DEFCON Conference organizers approximately a month before the Conference, or on or

about July 5, 2008. Accordingly, when the Individual Defendants met with law enforcement,

they knew the Presentation was already "in the pipeline" for the Conference. The timeline for

disclosure of the materials can be summarized as follows:

        Document        First Discloser          Recipients                 Date of first receipt

        Presentation    Individual Defendants    DEFCON Administrators      Approx. 7/5/2008
        Presentation    Individual Defendants    DEFCON Attendees           Thursday, 8/7/2008
        Presentation    Individual Defendants    MBTA                       Saturday, 8/9/2008 at 4:38 AM
        Report          Individual Defendants    MBTA                       Friday, 8/8/2008 at approx. 6:00 PM
        Report          MBTA                     Court hearing attendees    Saturday 8/9/2008 at 11:00 AM
        Report          MBTA                     Public (through docket)    Saturday 8/9/2008 at 2:00 PM




        As can be seen, the Individual Defendants declined to provide the MBTA with promised

materials,10 even after, in the case of the Presentation, the undergrads knew the information was

being publicly distributed.11

                                                    Argument

I.      The CFAA Prohibits The Defendants' Conduct.

        Courts read a statute in accordance with its plain meaning, and unambiguous statutory

language controls. Toibb v. Radloff, 501 U.S. 157, 162 (1991); United States v. Ron Pair

Enterprises, 489 U.S. 235, 241 (1989). Courts, moreover, caution against reading limiting words

into broad statutory language. Toibb, 501 U.S. at 161-62 (refusing to "engraft" a requirement

onto a statute's "plain language"); Maine v. Taylor, 477 U.S. 131, 135 (1986) (refusing to read a

limitation into "the straightforward and unambiguous terms of [a] statute"); United Union of

Roofers, Waterproofers & Allied Workers v. Meese, 823 F.2d 652, 657 (1st Cir. 1987) (Breyer,

J.). The Individual Defendants' interpretation of the CFAA violates each of these well settled rules

of statutory interpretation.

        A.         The Defendants Would Have Knowingly Transmitted Information That The
                   Defendants Knew Would Cause Damage To Protected Computers.

        The CFAA applies to the Individual Defendants' conduct. Judge Woodlock made

detailed inquiry into each of the elements of the CFAA, and nothing has changed factually since

the Saturday Hearing. For purposes of the Individual Defendants' challenge, only section

(a)(5)(A)(i) is relevant.12 This section reads in relevant part:

                   Whosoever ... knowingly causes the transmission of a program,
                   information, code, or command, and as a result of such conduct,


        10  See Kelley Decl. [6] ¶¶23-26; Henderson Decl. [10] ¶13-17.
        11  See Mahony Supp. Decl. [9] ¶13.
        12  Cross Motion [23] at 9.



                   intentionally causes damage without authorization, to a protected
                   computer [violates the statute]13

        The provision thus has two operative events: (i) the defendant knowingly transmits

information and (ii) as a result of this conduct, the defendant intentionally -- not inadvertently --

causes damage to a protected computer. Here, but for the TRO, the Individual Defendants would

have transmitted information, in the form of the Presentation and verbal presentation

accompanying it, and would have transmitted code, as the Presentation also shows that

Individual Defendants planned to provide open source software tools, to enhance attendees'

hacking abilities.14 The plain language of the Presentation demonstrates that the transmission of

this information and code was knowing. Moreover, the Presentation's plain language

demonstrates that the Individual Defendants' conduct would intentionally -- and not inadvertently

-- cause damage to a protected computer, as evidenced by the Defendants' recognition of the

illegal nature of the conduct. The conduct, therefore, falls squarely within the statute.

        B.         The Defendants' Construction Of The CFAA Is Illogical.

        The Individual Defendants' construction of the CFAA leads to anomalous results. Due to

time constraints, the MBTA addresses the Defendants' two primary arguments.

                   1.       The Statute Covers "Chains" Of Actors And Actions, And Is Not
                            Limited To "Solo" Actors As The Individual Defendants Argue.

        First, the Defendants argue that a single defendant must both (i) transmit the information,

and (ii) him or herself damage the protected computer.15 The Defendants thus argue that only

"solo" actors are covered by the statute. This is incorrect.



        13  18 U.S.C. §1030(a)(5)(A)(i).
        14  Compilation Ex. 16 at 1, 37, 66.
        15  Cross-Motion [23] at 9 ("the offender must both transmit information to the protected computer and
cause damage to that same computer.")



           Certain varieties of malicious code do not become effective until an unsuspecting user

opens an executable file, such as one attached to an email, that then activates the malicious code.

In this situation, the individual who physically damages the computer is the unsuspecting user.

Under the Individual Defendants' proposed interpretation, the perpetrator of the malicious code

in this scenario would be free from exposure, as the perpetrator did not both "transmit" the

information and damage the computer. Congress revised and updated the CFAA in part to

handle more sophisticated viruses. Violent Crime Control and Law Enforcement Act of 1994

- Conference Report, 103rd Cong. (1994) (Statement of Sen. Leahy). By seeking to limit the

CFAA to exclude "chains" of actors and actions, the Individual Defendants improperly limit the

statute.

                  2.      The Term "Transmission" Includes Verbal Transmissions, And
                          Cannot Be Restricted In The Manner The Defendants Claim.

           Second, the Individual Defendants claim that the term "transmission" in section (a)(5)

cannot be read to include verbal transmissions of information. This is incorrect. First, the plain

meaning, dictionary definition of "transmit" is as follows:

                  Transmit: 1. to send or cause to go from one person or place to another,
                  esp. across intervening space or distance; transfer; dispatch; convey. ... 4.
                  to communicate (news, etc.) ... 7. to send out (radio or television
                  broadcasts, etc.) by electromagnetic waves.... Webster's New World
                  Dictionary (2d Ed) at 1511 (emphasis added).

           The plain meaning of the term, therefore, requires the interpretation employed by Judge

Woodlock.

           Second, the Defendants' own arguments conflict on this point. First, they assert that

section (a)(1) includes a term "communicates" and the absence of this term in (a)(5) means

verbal transmissions are excluded. Then the Individual Defendants argue that, if "transmissions"




includes verbal transmissions, the CFAA would conflict with the First Amendment.16 The

Defendants thus argue (i) that inclusion of verbal transmissions in the CFAA creates an improper

conflict with the First Amendment, yet (ii) at a minimum section (a)(1) includes verbal

transmissions. The argument, therefore, is inconsistent.

II.        The TRO Does Not Prevent The Defendants From Engaging In Any Of The
           Activities They Identify.

           The Individual Defendants' own arguments demonstrate that the TRO does not prevent

them from undertaking any activities they had intended. EFF counsel asserts that:17

                      [T]he students have repeatedly told the MBTA that the students never
                      intended to disclose key details in the public presentation.18

           Further, EFF counsel states, in arguing that the Individual Defendants have complied, and will

comply, with the EFF's formulation of "Responsible Disclosure":

                      Withholding key information about the flaws one discovers while
                      publishing other information, as the students here did, is responsible.19

           Nothing in the original TRO, or in the TRO with proposed modifications by the MBTA,

would prohibit the Individual Defendants from publishing or speaking about their project,

provided they withheld this "key information" and "key details." The original TRO reads, in

operative part, as follows:

                      That the Individual Defendants are hereby enjoined and restrained, in
                      accordance with Fed. R. Civ. P. 65(b)(2), from providing program,
                      information, software code, or command that would assist another in any
                      material way to circumvent or otherwise attack the security of the Fare
                      Media System.



           16  Cross-Motion [23] at 11 ("the statute would be in tension with the First Amendment").
           17  As with all statements concerning the MIT Undergrads, no MIT Undergrad testimony is presented in
support.
           18  Cross Motion [23] at 6 (emphasis added).
           19  Cross Motion [23] at 5 (emphasis added).



       The phrase "assist another in any material way" excludes the provision of public domain

materials. Because the materials are already in the public domain, the discloser is not "materially

assisting" the recipient. In any event, in its Motion to Modify [16], the MBTA seeks further to

ensure that the Individual Defendants are permitted wide scope, provided they withhold the "key

information" and "key details." In sum, the TRO language does not prohibit the Individual

Defendants from engaging in any conduct they originally planned.

III.   The First Amendment Does Not Protect The Individual Defendants' Activities.

       A.      The Presentation Advocates Violation Of The Law And -- In The Context Of
               One Of The Largest Hacker Conferences In The World -- Is Directed To, And Likely
               To Incite Imminent Lawless Action.

       First Amendment protection does not extend to speech that advocates a violation of law,

where the advocacy "is directed to inciting or producing imminent lawless action and is likely to

incite or produce such action." Brandenburg v. Ohio, 395 U.S. 444, 447 (1969). See also,

Stewart v. McCoy, 537 U.S. 993 (2002) (Justice Stevens' statement accompanying denial of

certiorari). The Individual Defendants' conduct falls squarely within this well established zone

of no protection.

       First, unless restrained, the Individual Defendants would have given their Presentation,

and related materials (which have not yet been made available) to one of the world's largest

hacker conferences. Advocacy in favor of illegal behavior, in this context, is likely to incite or

produce illegal behavior.

       Second, the Presentation, and likely the related code and materials, unequivocally

constitute advocacy in favor of a violation of law. The Presentation, standing alone, shows this.

For example, the Individual Defendants (i) expressly promise "you now have free subway rides




for life";20 (ii) admit "THIS IS VERY ILLEGAL"21; and (iii) recognize the risks of court

involvement, stating for example, "what this talk is not: evidence in court (hopefully)."22

       Moreover, in the Presentation, the Individual Defendants promise attendees that:

                  "You'll learn how to generate stored-value fare cards; reverse engineer
                  magstripes; hack RFID cards; use software radio to sniff; use FPGAs to
                  brute force; tap into the fare vending network; social engineer;
                  WARCART!"23

       And they further instruct attendees "to execute these attacks we need to interact with the

card."24 As a final example, the Individual Defendants provide a photo of an MBTA network

switch, which can only be accessed via a trespass onto MBTA property, and then they visually

associate the network switch with "Wireshark," a software application that sniffs and captures

data from a network: further illegal activity. In sum, the Individual Defendants are vigorously

and energetically advocating illegal activity, and this advocacy, in the context of the DEFCON

Conference, is both directed to inciting or producing imminent lawless action, and likely to

produce such action. Therefore, the Individual Defendants enjoy no protections under the First

Amendment.

       B.         The Presentation And Related Materials Constitute Commercial Speech
                  And, Given Their Advertisement Of Illegal Conduct, Receive No First
                  Amendment Protection.

       It is black-letter law that "[t]he Constitution ... affords a lesser protection to commercial

speech than to other constitutionally guaranteed expression." United States v. Edge

Broadcasting Co., 509 U.S. 418 (1993). Indeed, no protection extends to commercial speech


       20  See Compilation Ex. at 129 (emphasis added).
       21  See Compilation Ex. 16 at 109 (emphasis added; capitalizations in original) (the "Presentation").
       22  Compilation Ex. 16 at 107 (emphasis added).
       23  Compilation Ex. 16 at 4.
       24  Compilation Ex. 16 at 47.



that advertises an illegal product or service. See Central Hudson Gas & Electric Corp. v. Public

Service Commission of New York, 447 U.S. at 566 (1980).

        The Individual Defendants' DEFCON presentation constitutes commercial speech.

Commercial speech is any "speech that proposes a commercial transaction." Board of Trustees

of the State University of New York v. Fox, 492 U.S. 469, 482 (1989) (emphasis in original).

Here, the Presentation is full of marketing, and self-promotional statements. It is not a research

paper. As commercial speech advertising illegal activity, it receives no First Amendment

protection.

IV.     The Individual Defendants' Formulation Of The "Responsible Disclosure" Doctrine
        Is Illogical.

        The Individual Defendants' proposed definition of "Responsible Disclosure" is illogical,

and self-contradictory.25 Examine Statement (1): "disclosure is necessary in order for the

scientific community to understand key details of research." Then examine Statement (2):

"Responsible Disclosure means withholding the 'key details' so as not to teach others of the

flaw." Specifically, the Individual Defendants state:

                   The "responsible disclosure" norm is not to withhold all details until the
                   vendor or insecure party has a chance to fix, but to take reasonable steps to
                   avoid inadvertently teaching others how to exploit the flaw. ...
                   Withholding key information about the flaws one discovers while
                   publishing other information, as the students here did, is responsible.26

        Yet Statement (1) and Statement (2) conflict. If a researcher complies with Statement

(2), he or she must necessarily contravene Statement (1). In sum, the MBTA's definition of

Responsible Disclosure, employed in industry, is the logical, and proper definition, as the

Individual Defendants' is poorly thought-out.

        25  The Professors and others who assented to the "Letter From Computer Science Professors and Computer
Scientists" attached as Exhibit A to the Declaration of Marcia Hofmann, fall to the same illogic.
        26  Cross Motion [23] at 5 (emphasis added).



                                             Conclusion

       Wherefore, the plaintiff, Massachusetts Bay Transportation Authority, respectfully

requests that this Court (a) deny the Cross Motion for Reconsideration, (b) set a hearing date for

converting the TRO to a Preliminary Injunction; and (c) permit the plaintiff to complete the

discovery specified in its related Motion.


                                              MASSACHUSETTS BAY TRANSPORTATION
                                              AUTHORITY

                                              By its attorneys,


                                              /s/ Ieuan G. Mahony____________________
                                              Ieuan G. Mahony (BBO #552349)
                                              Maximillian J. Bodoin (BBO # 667240)
                                              HOLLAND & KNIGHT LLP
                                              10 St. James Avenue
                                              Boston, MA 02116
                                              (617) 523-2700


                                              /s/ Thomas F.S. Darling III_______________
                                              Thomas F.S. Darling III (BBO #558848)
                                              MASSACHUSETTS BAY TRANSPORTATION
                                              AUTHORITY
                                              State Transportation Building
                                              7th Floor
                                              10 Park Plaza
                                              Boston, MA 02116
                                              (617) 222-3174


Dated: August 14, 2008
       Boston, Massachusetts




                                     CERTIFICATE OF SERVICE

         1.    I, Ieuan G. Mahony, Attorney for the Massachusetts Bay Transportation Authority

in connection with the above-captioned proceedings, hereby certify that on this 14th day of

August, 2008, I served the foregoing Opposition to Defendants' Cross Motion For

Reconsideration by e-mail upon the following interested parties:


                Party                       Counsel

                Zack Anderson, RJ Ryan,     Emily Berger, Esquire
                and Alessandro Chiesa       Email: emily@eff.org
                (the "MIT Undergrads")
                                            Kurt Opsahl, Esquire
                                            Email: kurt@eff.org

                                            Marcia Hofmann, Esquire
                                            Email: marcia@eff.org

                                            Jennifer Granick, Esquire
                                            Email: jennifer@eff.org

                Massachusetts Institute     Jeffrey Swope, Esquire
                of Technology ("MIT")       Email: JSwope@eapdlaw.com




                                             /s/ Ieuan G. Mahony____________________


# 5542832_v1



