Massachusetts Bay Transportation Authority v. Anderson et al

Filing 30

Opposition re 26 MOTION for Reconsideration re 12 Order on Motion for TRO filed by Massachusetts Bay Transportation Authority. (Mahony, Ieuan-Gael)

UNITED STATES DISTRICT COURT
DISTRICT OF MASSACHUSETTS

MASSACHUSETTS BAY TRANSPORTATION AUTHORITY
Plaintiff

v.

ZACK ANDERSON, RJ RYAN, ALESSANDRO CHIESA, and the MASSACHUSETTS INSTITUTE OF TECHNOLOGY
Defendants

Civil Action No. 08-11364-GAO

PLAINTIFF'S OPPOSITION TO CROSS MOTION FOR RECONSIDERATION OF DEFENDANTS ANDERSON, RYAN, AND CHIESA

MASSACHUSETTS BAY TRANSPORTATION AUTHORITY
By its attorneys,

Ieuan G. Mahony (BBO #552349)
Maximillian J. Bodoin (BBO # 667240)
HOLLAND & KNIGHT LLP
10 St. James Avenue
Boston, MA 02116
(617) 523-2700

Thomas F.S. Darling III (BBO #558848)
MASSACHUSETTS BAY TRANSPORTATION AUTHORITY
State Transportation Building
7th Floor
10 Park Plaza
Boston, MA 02116
(617) 222-3174

Dated: August 14, 2008

Table of Contents

Introduction
Factual Background
  I. The Information At Issue.
    A. Three Relevant Categories of Information.
    B. The Existence of Non-Public Sensitive Materials.
    C. The Sensitivity of the Three Categories of Information.
  II. The Points At Which The Individual Defendants Disclosed Pertinent Information to the MBTA.
Argument
  I. The CFAA Prohibits The Defendants' Conduct.
    A. The Defendants Would Have Knowingly Transmitted Information That The Defendants Knew Would Cause Damage To Protected Computers.
    B. The Defendants' Construction Of The CFAA Is Illogical.
      1. The Statute Covers "Chains" Of Actors And Actions, And Is Not Limited To "Solo" Actors As The Individual Defendants Argue.
      2. The Term "Transmission" Includes Verbal Transmissions, And Cannot Be Restricted In The Manner The Defendants Claim.
  II. The TRO Does Not Prevent The Defendants From Engaging In Any Of The Activities They Identify.
  III. The First Amendment Does Not Protect The Individual Defendants' Activities.
    A. The Presentation Advocates Violation Of The Law And -- In The Context Of One Of The Largest Hacker Conferences In The World -- Is Directed To, And Likely To Incite Imminent Lawless Action.
    B. The Presentation And Related Materials Constitute Commercial Speech And, Given Their Advertisement Of Illegal Conduct, Receive No First Amendment Protection.
  IV. The Individual Defendants' Formulation Of The "Responsible Disclosure" Doctrine Is Illogical.
Conclusion

Introduction

The plaintiff, Massachusetts Bay Transportation Authority (the "MBTA"), hereby opposes the Cross Motion for Reconsideration of the defendants, Zack Anderson, RJ Ryan, and Alessandro Chiesa (the "Individual Defendants" or the "Defendants"). The Individual Defendants:

(a) Misconstrue the Computer Fraud and Abuse Act (the "CFAA");
(b) Ignore major exceptions to First Amendment jurisprudence;
(c) seek to avoid the fact that their Defcon Presentation (i) expressly promises "you now have free subway rides for life"; (ii) expressly admits "THIS IS VERY ILLEGAL"¹, and (iii) thus represents black-letter "advocacy to violate the law," directed to incite or produce imminent lawless action;
(d) incorrectly assume that the Presentation is "research," where it is at best commercial speech;
(e) overlook the fact that their own arguments demonstrate the propriety of the TRO, as they claim they wished only to discuss publicly available information, and would voluntarily withhold key sensitive information;² all conduct permitted by the TRO, and particularly the TRO as modified by the plaintiff's Motion to Modify;

Each of the above points is demonstrated below, and the Cross Motion must accordingly be denied.

¹ See Compilation of Previously Submitted Exhibits, Now Submitted In Opposition to Defendants' Cross Motion for Reconsideration ("Compilation Ex.") 16 at 109, 129 (emphasis added; capitalizations in original) (the "Presentation").
² As noted below, there is no record support for the MIT Undergrads' claims in this regard, as their EFF counsel has chosen not to submit any affidavits from the MIT Undergrads.

Factual Background

The MBTA relies on its earlier papers for relevant facts with respect to this Cross Motion, supplemented as follows with respect to Responsible Disclosure. As argued previously, Responsible Disclosure requires (i) a disclosure sufficient to correct flaws; and (ii) a period of time sufficient, with reasonable diligence, to correct.³

³ See Memorandum in Support of Motion for Temporary Restraining Order [3] at iv-vi.

I. The Information At Issue.

A. Three Relevant Categories of Information.

There are three categories of information and data that are relevant to this matter: (i) public domain materials ("Universal Public Domain Materials"); (ii) materials relevant to the MBTA's AFC System that became public domain in connection with the DEFCON conference ("Recent AFC-Related Public Domain Materials"); and (iii) non-public materials that relate to the AFC system and potential security vulnerabilities ("Non-Public Sensitive Materials").

The category "Recent AFC-Related Public Domain Materials" consists of two elements: (i) a four page Report that the Individual Defendants provided to the MBTA on Friday evening, August 8, the night before the initial TRO hearing was to take place (the "Report")⁴ and (ii) an 87 page PowerPoint slide presentation that the Individual Defendants' EFF counsel refused to provide to the MBTA until 4:38 AM on Saturday morning, August 9, hours before the 11:00 AM Court hearing (the "Presentation").⁵ Contrary to the Individual Defendants' assertions (unsupported by affidavit testimony), the MBTA after the August 4 meeting made numerous requests for this information.

⁴ Compilation Ex. 20. See Henderson Decl. [10] ¶¶7-12.
⁵ Compilation Ex. 16. See Mahony Supp. Decl. [9] ¶¶2-13.

B. The Existence of Non-Public Sensitive Materials.

The Individual Defendants seek to argue that no sensitive information remains to be disclosed, and that the protection afforded to the MBTA by the TRO is unnecessary. For example, the Individual Defendants argue that:

    most, if not all, of the significant facts known to the students about the Fare Media System are now public, either because they are contained in the slides prepared for and distributed at DEFCON before the TRO issued, or because the MBTA filed research information provided to it by the students on the public docket in this case.⁶

This claim is inaccurate. First, the Presentation on its face indicates the Individual Defendants' intent to provide additional materials, including software code.⁷ In addition, the Individual Defendants' EFF counsel state that the Undergrads received an "A" on the paper they prepared for Professor Rivest, a widely known and respected security and encryption expert. The MBTA's internal expert, Scott Henderson, testified in his Declaration, for example, that the Report appeared incomplete, and was "not original work or an original attack."⁸ Indeed, the Individual Defendants state that the Presentation "does not contain the key information about the flaws."⁹ It is unlikely that Professor Rivest would award an "A" for the work represented by the Report and the Presentation, indicating that additional sensitive materials exist in the possession of the Individual Defendants. The MBTA notes that the Individual Defendants have been unwilling, to date, to produce the "A" paper they prepared for Professor Rivest.

⁶ Cross Motion [26] at 5 (emphasis added).
⁷ Compilation Ex. 17 at 105 ("For updated slides and code, see http://web.mit.edu/zacka/www/subway/"); at 142 ("wrote Python libraries for analyzing magcards"); at 171-172 (examples of code); at 191 ("Wrote code to read and clone MIFARE cards (given the key)").
⁸ Henderson Decl. [10] ¶¶18-22.
⁹ Cross Motion [26] at 5.

C. The Sensitivity of the Three Categories of Information.

The sensitivity of the three overall categories of materials is as follows:

| Category | Illustrative Materials | Sensitivity |
|---|---|---|
| Universal Public Domain Materials | Kostin Nohls, a UVA PhD candidate: information regarding weaknesses in MIFARE card. Industry known-magnetic stripe vulnerabilities. | None. |
| Recent AFC-Related Public Domain Materials | DEFCON Presentation and Report | None/Low |
| Non-Public Sensitive Materials | Additional information, to be discussed at the hearing | High, it appears, pending expert review |

II. The Points At Which The Individual Defendants Disclosed Pertinent Information to the MBTA.

The MBTA understands that the Individual Defendants first provided the Presentation to the DEFCON Conference organizers approximately a month before the Conference, or on or about July 5, 2008. Accordingly, when the Individual Defendants met with law enforcement, they knew the Presentation was already "in the pipeline" for the Conference. The timeline for disclosure of the materials can be summarized as follows:

| Document | First Discloser | Recipients | Date of first receipt |
|---|---|---|---|
| Presentation | Individual Defendants | DEFCON Administrators | Approx. 7/5/2008 |
| Presentation | Individual Defendants | DEFCON Attendees | Thursday, 8/7/2008 |
| Presentation | Individual Defendants | MBTA | Saturday, 8/9/2008 at 4:38 AM |
| Report | Individual Defendants | MBTA | Friday, 8/8/2008 at approx. 6:00 PM |
| Report | MBTA | Court hearing attendees | Saturday 8/9/2008 at 11:00 AM |
| Report | MBTA | Public (through docket) | Saturday 8/9/2008 at 2:00 PM |

As can be seen, the Individual Defendants declined providing the MBTA with promised materials,¹⁰ even after, in the case of the Presentation, the undergrads knew the information was being publicly distributed.¹¹

¹⁰ See Kelley Decl. [6] ¶¶23-26; Henderson Decl. [10] ¶13-17.
¹¹ See Mahony Supp. Decl. [9] ¶13.

Argument

I. The CFAA Prohibits The Defendants' Conduct.

Courts read a statute in accordance with its plain meaning, and unambiguous statutory language controls. Tobib v. Radloff, 501 U.S. 157, 162 (1991); United States v. Ron Pair Enterprises, 489 U.S. 235, 241 (1989). Courts, moreover, caution against reading limiting words into broad statutory language. Tobib, 501 U.S. at 161-62 (refusing to "engraft" a requirement onto a statute's "plain language"); Maine v. Taylor, 477 U.S. 131, 135 (1986) (refusing to read a limitation into "the straightforward and unambiguous terms of [a] statute"); United Union of Roofers, Waterproofers & Allied Workers v. Meese, 823 F.2d 652, 657 (1st Cir. 1987) (Breyer, J.). The Individual Defendants' interpretation of the CFAA violates each of these well settled rules of statutory interpretation.

A. The Defendants Would Have Knowingly Transmitted Information That The Defendants Knew Would Cause Damage To Protected Computers.

The CFAA applies to the Individual Defendants' conduct. Judge Woodlock made detailed inquiry into each of the elements of the CFAA, and nothing has changed factually since the Saturday Hearing. For purposes of the Individual Defendants' challenge, only section (a)(5)(A)(i) is relevant.¹² This section reads in relevant part:

    Whosoever ... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer [violates the statute]¹³

The provision thus has two operative events: (i) the defendant knowingly transmits information and (ii) as a result of this conduct, the defendant intentionally -- not inadvertently -- causes damage to a protected computer.

Here, but for the TRO, the Individual Defendants would have transmitted information, in the form of the Presentation and verbal presentation accompanying it, and would have transmitted code, as the Presentation also shows that Individual Defendants planned to provide open source software tools, to enhance attendees' hacking abilities.¹⁴ The plain language of the Presentation demonstrates that the transmission of this information and code was knowing. Moreover, the Presentation's plain language demonstrates that the Individual Defendants' conduct would intentionally -- and not inadvertently -- cause damage to a protected computer, as evidenced by the Defendants' recognition of the illegal nature of the conduct. The conduct, therefore, falls squarely within the statute.

¹² Cross Motion [23] at 9.
¹³ 18 U.S.C. §1030(a)(5)(A)(i).
¹⁴ Compilation Ex. 16 at 1, 37, 66.

B. The Defendants' Construction Of The CFAA Is Illogical.

The Individual Defendants' construction of the CFAA leads to anomalous results. Due to time constraints, the MBTA addresses the Defendants' two primary arguments.

1. The Statute Covers "Chains" Of Actors And Actions, And Is Not Limited To "Solo" Actors As The Individual Defendants Argue.

First, the Defendants argue that a single defendant must both (i) transmit the information, and (ii) him or herself damage the protected computer.¹⁵ The Defendants thus argue that only "solo" actors are covered by the statute. This is incorrect.

Certain varieties of malicious code do not become effective until an unsuspecting user opens an executable file, such as one attached to an email, that then activates the malicious code. In this situation, the individual who physically damages the computer is the unsuspecting user. Under the Individual Defendants' proposed interpretation, the perpetrator of the malicious code in this scenario would be free from exposure, as the perpetrator did not both "transmit" the information and damage the computer. Congress revised and updated the CFAA in part to handle more sophisticated viruses. Violent Crime and Control and Law Enforcement Act of 1994 - Conference Report, 103rd Cong. (1994) (Statement of Sen. Leahy). By seeking to limit the CFAA to exclude "chains" of actors and actions, the Individual Defendants improperly limit the statute.

¹⁵ Cross-Motion [23] at 9 ("the offender must both transmit information to the protected computer and cause damage to that same computer.")

2. The Term "Transmission" Includes Verbal Transmissions, And Cannot Be Restricted In The Manner The Defendants Claim.

Second, the Individual Defendants claim that the term "transmission" in section (a)(5) cannot be read to include verbal transmissions of information. This is incorrect. First, the plain meaning, dictionary definition of "transmit" is as follows:

    Transmit: 1. to send or cause to go from one person or place to another, esp. across intervening space of distance; transfer; dispatch; convey. ... 4. to communicate (news, etc.) ... 7. to send out (radio or television broadcasts, etc. by electromagnetic waves....

Webster's New World Dictionary (2d Ed) at 1511 (emphasis added). The plain meaning of the term, therefore, requires the interpretation employed by Judge Woodlock.

Second, the Defendants' own arguments conflict on this point. First, they assert that section (a)(1) includes a term "communicates" and the absence of this term in (a)(5) means verbal transmissions are excluded. Then the Individual Defendants argue that, if "transmissions" includes verbal transmissions, the CFAA would conflict with the First Amendment.¹⁶ The Defendants thus argue (i) that inclusion of verbal transmissions in the CFAA creates an improper conflict with the First Amendment, yet (ii) at a minimum section (a)(1) includes verbal transmissions. The argument, therefore, is inconsistent.

¹⁶ Cross-Motion [23] at 11 ("the statue would be in tension with the First Amendment").

II. The TRO Does Not Prevent The Defendants From Engaging In Any Of The Activities They Identify.

The Individual Defendants' own arguments demonstrate that the TRO does not prevent them from undertaking any activities they had intended. EFF counsel asserts that:¹⁷

    [T]he students have repeatedly told the MBTA that the students never intended to disclose key details in the public presentation.¹⁸

Further, EFF counsel states, in arguing that the Individual Defendants have, and will comply with the EFF's formulation of "Responsible Disclosure":

    Withholding key information about the flaws one discovers while publishing other information, as the students here did, is responsible.¹⁹

Nothing in the original TRO, or in the TRO with proposed modifications by the MBTA, would prohibit the Individual Defendants from publishing or speaking about their project, provided they withheld this "key information" and "key details." The original TRO reads, in operative part, as follows:

    That the Individual Defendants are hereby enjoined and restrained, in accordance with Fed. R. Civ. P. 65(b)(2), from providing program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System.

The phrase "assist another in any material way" excludes the provision of public domain materials. Because the materials are already in the public domain, the discloser is not "materially assisting" the recipient. In any event, in its Motion to Modify [16], the MBTA seeks further to ensure that the Individual Defendants are permitted wide scope, provided they withhold the "key information" and "key details." In sum, the TRO language does not prohibit the Individual Defendants from engaging in any conduct they originally planned.

¹⁷ As with all statements concerning the MIT Undergrads, no MIT Undergrad testimony is presented in support.
¹⁸ Cross Motion [23] at 6 (emphasis added).
¹⁹ Cross Motion [23] at 5 (emphasis added).

III. The First Amendment Does Not Protect The Individual Defendants' Activities.

A. The Presentation Advocates Violation Of The Law And -- In The Context Of One Of The Largest Hacker Conferences In The World -- Is Directed To, And Likely To Incite Imminent Lawless Action.

First Amendment protection does not extend to speech that advocates a violation of law, where the advocacy "is directed to inciting or producing imminent lawless action and is likely to incite or produce such action." Brandenburg v. Ohio, 395 U.S. 444, 447 (1969). See also, Stewart v. McCoy, 537 U.S. 993 (2002) (Justice Stevens' statement accompanying denial of certiorari). The Individual Defendants' conduct falls squarely within this well established zone of no protection.

First, unless restrained, the Individual Defendants would have given their Presentation, and related materials (which have not yet been made available) to one of the world's largest hacker conferences. Advocacy in favor of illegal behavior, in this context, is likely to incite or produce illegal behavior.

Second, the Presentation, and likely the related code and materials, unequivocally constitute advocacy in favor of a violation of law. The Presentation, standing alone, shows this. For example, the Individual Defendants (i) expressly promise "you now have free subway rides for life";²⁰ (ii) admit "THIS IS VERY ILLEGAL"²¹; and (iii) recognize the risks of court involvement, stating for example, "what this talk is not: evidence in court (hopefully)."²² Moreover, in the Presentation, the Individual Defendants promise attendees that: "You'll learn how to generate stored-value fare cards; reverse engineer magstripes; hack RFID cards; use software radio to sniff; use FPGAs to brute force; tap into the fare vending network; social engineer; WARCART!"²³ And they further instruct attendees "to execute these attacks we need to interact with the card."²⁴ As a final example, the Individual Defendants provide a photo of an MBTA network switch, which can only be accessed via a trespass onto MBTA property, and then they visually associate the network switch with "Wireshark," a software application that sniffs and captures data from a network: further illegal activity.

In sum, the Individual Defendants are vigorously and energetically advocating illegal activity, and this advocacy, in the context of the DEFCON Conference, is both directed to inciting or producing imminent lawless action, and likely to produce such action. Therefore, the Individual Defendants enjoy no protections under the First Amendment.

²⁰ See Compilation Ex. at 129 (emphasis added).
²¹ See Compilation Ex. 16 at 109 (emphasis added; capitalizations in original) (the "Presentation").
²² Compilation Ex. 16 at 107 (emphasis added).
²³ Compilation Ex. 16 at 4.
²⁴ Compilation Ex. 16 at 47.

B. The Presentation And Related Materials Constitute Commercial Speech And, Given Their Advertisement Of Illegal Conduct, Receive No First Amendment Protection.

It is black-letter law that "[t]he Constitution ... affords a lesser protection to commercial speech than to other constitutionally guaranteed expression." United States v. Edge Broadcasting Co., 509 U.S. 418 (1993). Indeed, no protection extends to commercial speech that advertises an illegal product or service. See Central Hudson Gas & Electric Corp. v. Public Service Commission of New York, 447 U.S. at 566 (1980).

The Individual Defendants' DEFCON presentation constitutes commercial speech. Commercial speech is any "speech that proposes a commercial transaction." Board of Trustees of the State University of New York v. Fox, 492 U.S. 469, 482 (1989) (emphasis in original). Here, the Presentation is full of marketing, and self-promotional statements. It is not a research paper. As commercial speech advertising illegal activity, it receives no First Amendment protection.

IV. The Individual Defendants' Formulation Of The "Responsible Disclosure" Doctrine Is Illogical.

The Individual Defendants' proposed definition of "Responsible Disclosure" is illogical, and self contradictory.²⁵ Examine Statement (1): "disclosure is necessary in order for the scientific community to understand key details of research." Then examine Statement (2): "Responsible Disclosure means withholding the 'key details' so as not to teach others of the flaw." Specifically, the Individual Defendants state:

    The "responsible disclosure" norm is not to withhold all details until the vendor or insecure party has a chance to fix, but to take reasonable steps to avoid inadvertently teaching others how to exploit the flaw. ... Withholding key information about the flaws one discovers while publishing other information, as the students here did, is responsible.²⁶

Yet Statement (1) and Statement (2) conflict. If a researcher complies with Statement (2), he or she must necessarily contravene Statement (1). In sum, the MBTA's definition of Responsible Disclosure, employed in industry, is the logical, and proper definition, as the Individual Defendants' is poorly thought-out.

²⁵ The Professors and others who assented to the "Letter From Computer Science Professors and Computer Scientists" attached as Exhibit A to the Declaration of Marcia Hofmann, fall to the same illogic.
²⁶ Cross Motion [23] at 5 (emphasis added).

Conclusion

Wherefore, the plaintiff, Massachusetts Bay Transportation Authority, respectfully requests that this Court (a) deny the Cross Motion for Reconsideration, (b) set a hearing date for converting the TRO to a Preliminary Injunction; and (c) permit the plaintiff to complete the discovery specified in its related Motion.

MASSACHUSETTS BAY TRANSPORTATION AUTHORITY
By its attorneys,

/s/ Ieuan G. Mahony
Ieuan G. Mahony (BBO #552349)
Maximillian J. Bodoin (BBO # 667240)
HOLLAND & KNIGHT LLP
10 St. James Avenue
Boston, MA 02116
(617) 523-2700

/s/ Thomas F.S. Darling III
Thomas F.S. Darling III (BBO #558848)
MASSACHUSETTS BAY TRANSPORTATION AUTHORITY
State Transportation Building
7th Floor
10 Park Plaza
Boston, MA 02116
(617) 222-3174

Dated: August 14, 2008
Boston, Massachusetts

CERTIFICATE OF SERVICE

1. I, Ieuan G. Mahony, Attorney for the Massachusetts Bay Transportation Authority in connection with the above-captioned proceedings, hereby certify that on this 14th day of August, 2008, I served the foregoing Opposition to Defendants' Cross Motion For Reconsideration by e-mail upon the following interested parties:

| Party | Counsel |
|---|---|
| Zack Anderson, RJ Ryan, and Alessandro Chiesa (the "MIT Undergrads") | Emily Berger, Esquire, Email: emily@eff.org |
| | Kurt Opsahl, Esquire, Email: kurt@eff.org |
| | Marcia Hofmann, Esquire, Email: marcia@eff.org |
| | Jennifer Granick, Esquire, Email: jennifer@eff.org |
| Massachusetts Institute of Technology ("MIT") | Jeffrey Swope, Esquire, Email: JSwope@eapdlaw.com |

/s/ Ieuan G. Mahony
