Massachusetts Bay Transportation Authority v. Anderson et al
Filing
61
Transcript of Motion Hearing held on August 19, 2008, before Judge O'Toole. Court Reporter: Marcia G. Patrisso at 617/737-8728. The Transcript may be purchased through the Court Reporter, viewed at the public terminal, or viewed through PACER after it is released. Redaction Request due 9/15/2008. Redacted Transcript Deadline set for 9/23/2008. Release of Transcript Restriction set for 11/21/2008. (Scalfani, Deborah)
UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MASSACHUSETTS
MASSACHUSETTS BAY TRANSPORTATION AUTHORITY, Plaintiff, v. ZACK ANDERSON, RJ RYAN, ALESSANDRO CHIESA, MASSACHUSETTS INSTITUTE OF TECHNOLOGY, Defendants.
Civil Action No. 08-11364-GAO
BEFORE THE HONORABLE GEORGE A. O'TOOLE, JR. UNITED STATES DISTRICT JUDGE MOTION HEARING
John J. Moakley United States Courthouse Courtroom No. 9 One Courthouse Way Boston, Massachusetts 02210 Tuesday, August 19, 2008 11 a.m.
Marcia G. Patrisso, RMR, CRR Official Court Reporter John J. Moakley U.S. Courthouse One Courthouse Way, Room 3510 Boston, Massachusetts 02210 (617) 737-8728 Mechanical Steno - Computer-Aided Transcript
APPEARANCES:
HOLLAND & KNIGHT LLP
By: Ieuan-Gael Mahony, Esq.
Maximillian J. Bodoin, Esq.
10 St. James Avenue - Suite 12
Boston, Massachusetts 02116
ELECTRONIC FRONTIER FOUNDATION
By: Cindy Cohn, Esq.
Marcia Hofmann, Esq.
454 Shotwell Street
San Francisco, California 94110
- and -
AMERICAN CIVIL LIBERTIES UNION
By: John Reinstein, Esq.
211 Congress Street
Boston, Massachusetts 02110
- and -
FISH & RICHARDSON, PC
By: Thomas A. Brown, Esq.
Lawrence K. Kolodney, Esq.
Adam J. Kessel, Esq.
225 Franklin Street
Boston, Massachusetts 02110-2804
On Behalf of the Defendants Zack Anderson, RJ Ryan and Alessandro Chiesa
EDWARDS ANGELL PALMER & DODGE, LLP
By: Jeffrey Swope, Esq.
111 Huntington Avenue
Boston, Massachusetts 02199
On Behalf of the Defendant MIT
Also in Attendance:
Scott Darling III, Esq.
MBTA Legal Department
Jaren Wilcoxson, Esq.
Office of the General Counsel of MIT
PROCEEDINGS
THE CLERK: All rise. This is the United States District Court for the District of Massachusetts. Court is now in session. You may be seated. Calling Civil Action 08-11364, Mass. Bay Transportation Authority versus defendant Zack Anderson, et al. Counsel, please state your names for the record.
MR. MAHONY: Ieuan Mahony from Holland & Knight for the MBTA.
MR. BODOIN: Max Bodoin from Holland & Knight for plaintiff, MBTA.
MR. DARLING: Scott Darling from the MBTA.
MS. COHN: Good morning, your Honor. Cindy Cohn from the Electronic Frontier Foundation for defendants Anderson, Chiesa and Ryan.
MS. HOFMANN: Marcia Hofmann from the Electronic Frontier Foundation for defendants Anderson, Chiesa and Ryan.
MR. REINSTEIN: John Reinstein, ACLU of Massachusetts, for the individual defendants.
MS. COHN: And, your Honor, co-counsel of the Electronic Frontier Foundation are on the telephone, including Jennifer Granick who could not be here today
due to a conflict.
MR. SWOPE: Good morning, your Honor. Jeffrey Swope, Edwards Angell Palmer & Dodge for MIT. With me is Jaren Wilcoxson of the general counsel's office of MIT.
MR. KOLODNEY: Good morning, your Honor. Lawrence Kolodney, Fish & Richardson, for the MIT students.
MR. BROWN: Good morning, your Honor, Thomas Brown from Fish & Richardson on behalf of the MIT students.
MR. KESSEL: Adam Kessel, also from Fish & Richardson, on behalf of the MIT students.
THE COURT: Who is going to speak on behalf of the MIT students?
MS. COHN: I am, your Honor.
THE COURT: All right. Well, there's been a lot of filings in this case recently. And since I've been on the bench for the last hour and a half or so I don't know whether I've missed anything this morning that has come in late. I've seen things that were filed last night. Is there anything that has been filed recently that I haven't -- you don't know whether I've seen it or not -- that I might not have seen?
MS. COHN: Your Honor, we haven't filed anything today.
THE COURT: Okay.
MR. MAHONY: Nothing, your Honor.
THE COURT: So the last thing I remember was the memorandum from --
MR. MAHONY: The MBTA. That's correct.
THE COURT: -- plaintiffs that was filed last night.
A VOICE: Your Honor, may I approach the bench since I will file some evidence this morning?
THE COURT: Who are you?
A VOICE: I'm Dean Chen. I am just an interested party. But I will be filing some evidence.
THE COURT: No.
A VOICE: Okay.
THE COURT: You have no standing here. Thank you. Well, then if we could refer to
yesterday's filings, the most recent, I think, are the papers with respect to the plaintiff's motion for a preliminary injunction which I understand to be essentially a request to continue the temporary restraining order, perhaps with some slight language change, as a preliminary injunction. Let me just address one matter, which I'm not sure has much significance or not, before we proceed to
that because I think the way to address the issue is even though there may be other pending matters, is to go directly to that issue. There seems to be some understanding, I guess is the way to put it, or "thought" may be better, that this being August 19th, which is ten days after the entry of the TRO, that the TRO would expire as of today. I'm not sure that's the case. Rule 6(a)(2) of the federal rules says that any period less than 11 days excludes weekends, and so on in the computation. And so under that computation the TRO would continue, of its own force, for the full ten days, I think till Friday. In other words, it would be -- it was granted on a Saturday, which would be excluded, and the counting would begin on last Monday, that would be five days, and then pick up again yesterday, and it would be another five days. So I think it would probably expire on Friday. But I'm not sure that's of any moment; it just may affect the timing of this.
But anyway, we have the motion now to convert, or extend, the TRO as a preliminary injunction. So, Mr. Mahony, if you want to address that motion.
MR. MAHONY: Yes, your Honor. Thank you, your Honor. Your Honor, I would like to make five points in
the argument in support of this motion. Your Honor, the discussion -- my points will be driven by the facts here. As one of the commentaries in the articles the EFF submitted said, "Talk is talk. Let's see the code. The goal here is to show the facts to the Court."
Your Honor, the five points are as follows: First, I'd like to examine, what is the information here that is at issue? Keep in mind that the MIT students provided last Wednesday night a 30-page security analysis of substantially better quality and quantity than the materials the MBTA had before. With that security analysis, your Honor, the MBTA, with vendor assistance, has determined that, in fact, the CharlieTicket -- not the CharlieCard, but the CharlieTicket -- system is compromised; that the MIT students know how to clone and counterfeit CharlieTickets. So, your Honor, I would like to examine the information at issue here.
Second: Illegal conduct. Your Honor, illegal conduct, in fact, took place here. This must inform the Court's decision-making and all arguments by opposing counsel here. Your Honor, whatever the end of the MIT students, whether good or bad, it is unequivocally the case that they used illegal means toward that end.
Third: I'd like to examine the presentation at
issue here. I'd like to examine the face of the presentation, but also, your Honor, the information behind the presentation: the software code, the demonstrations that have not been produced in this case despite the Court's instruction to either produce or respond. Your Honor, I will show, I submit, that these materials, from what we can glean, even though they've been withheld presentation materials, are not -- they are not abstract theoretical advocacy but rather specific instructions and demonstrations on the methods for committing crimes under the CFAA. Your Honor, these are words likely to incite lawless action, and that's a quote from the North American Man/Boy Love case from this very Court.
Four: I'd like to address the balancing of harms and what is responsible -- what is responsible -- disclosure in this case under these circumstances. Were these MIT students responsible? Are they being responsible now in withholding information about security vulnerabilities potentially at the T?
And then finally, your Honor, I'd like to talk briefly about the public interest. This is policy issues concerning security through secrecy, security through open disclosure. And I propose, your Honor,
that these broad issues -- these broad policy points -- do not conflict in these circumstances. The MBTA, with vendor assistance -- and again, based on the security analysis that the students provided last Wednesday -- has concluded that a five-month period of time is needed to mitigate and remedy the threats that the information poses and what the students have discovered. Your Honor, it's a five-month period of time. There is good public interest in following through with that.
Now, let me turn, then, to the particular points, your Honor. The information at issue: I'd like to call the Court's attention to Docket No. 56, Exhibit 1, which is the third supplemental declaration that I presented, your Honor, last night. The Court has it?
THE COURT: No.
MR. MAHONY: Do we have some copies?
THE COURT: Well, actually, I can get it. Gina, can you pull it up? I'll turn to my assistant to do it.
MR. MAHONY: Your Honor, if I could just bring this up.
MS. COHN: Counsel, do you have a copy for me?
MR. MAHONY: It's in the exhibit book; you have
it.
MS. COHN: What book?
MR. MAHONY: The courtesy copy. What do you have right there? Yes, it's 56. So, your Honor, the docketed copy is at 56.
THE COURT: Fifty-six, Exhibit 1.
MR. MAHONY: And it's Exhibit 1, and it's a document Bates-stamped at the bottom MBTA0001. And I'll just call the Court's attention to the very top of that page. It's an e-mail from Zack Anderson to DefCon, and it states, "Attached is my submission for a talk at DefCon 16 this year." And that's dated May 15, 2008.
Now, your Honor, if we look at the submission itself, you can see that -- the title of the presentation on the first page, "Anatomy of the Subway Hack," and then if we take a look at the second page of the document, it's MBTA0002, under "Presentation Information" -- and again, your Honor, we're talking about what is the information at issue; what are we concerned about? This is the submission that goes to DefCon that says the full presentation, and I'll point that out to the Court. Up at the top it says "Presentation Information." And then if the Court looks down three or four lines it says "Is there a demonstration?" And the
answer is "Several." If we look at the next line: "Are we releasing a new tool?" The answer is "Yes." So that's a new software tool.
Now, if the Court takes a look a little further down the page it says "Detailed Outline." And if the Court looks at Item III(B) which says "MIFARE RFID card attacks," under that in item one, line one, it says "Code Release." If we look at Item 2 it says "Possible demo and code release (possible because as of today the Verilog is not finished)." If we look on the next page, so page 3 of this document, Item 4 says "Algebraic attacks." It says "Code Release." Your Honor, this code is what the Court -- is what we ask the Court to ask the plaintiff -- I mean, I'm sorry, the defendants -- to produce. Four: "Algebraic code release." Item C refers to cloning and forgery attacks on the CharlieTicket. Item 1 refers to automated magstrip reverse-engineering tool release. Item 2 says "Python script release and demo." So there are a number of various software code
releases and other tool releases that are referenced in this submission. And also, your Honor, I'll note that when the code was not completed, when Mr. Anderson had code that
wasn't done, he informed DefCon, "Oh, the code isn't ready yet," as in Item 2 about the Verilog isn't finished. The reason the MIT students have said they're unwilling -- or they refuse -- to produce the software code that -- in connection with this presentation is, they say, "Oh, it wasn't ready yet."
Now, your Honor, I also point out reference to a white paper on page 4. Up at the very top of page 4 it says "Sample slides about this talk." And then if the Court looks to the next paragraph it says "White paper about the material in the talk," and that is a web address. And we believe, your Honor, that that's the class paper that the students have also refused to produce. There's no password referenced in connection with this. That appears to be openly available to anyone on the Internet. And, again, they refuse to produce that paper.
Now, your Honor, if the Court were to take a look at the page -- further down this page it says "Legal Stuff," and then it says "Copyright Use Grant." And in that last paragraph down there it says "If I am selected for presentation, I hereby give DefCon Communications, Inc., permission to duplicate, record and distribute this presentation including, but not limited to, the conference proceedings, conference CD,
video, audio, handouts to the conference attendees for educational, online, and all other purposes." This is an unlimited grant; this is not a grant for educational purposes only. But for non-commercial
[sic] purposes this is an ultimate grant device to DefCon as well as the attendees. Now, your Honor, let me call the Court's attention to the next section which says -- on this same page, page 5, which says "Terms of Speaking Requirements." Your Honor, this is a contract. And
Mr. Anderson, on behalf of MIT students, agreed in Paragraph 1 -- he said, "I will submit a completed and possibly updated presentation, a copy of the tools and/or codes, and a reference to all of the tools, laws, websites and/or publications referenced to at the end of my talk and as described in this CFP submission for publication." So, your Honor, all of the materials that I read to the Court -- the code, the demonstration, all of those tools -- Mr. Anderson agreed to submit to DefCon, and signed this contract to do so. Now, your Honor, where is -- where is this information? Your Honor, during the hearing before
Judge Woodlock, EFF counsel stated that all of the information that was relevant -- all of the
information -- was just inside this presentation; nothing outside the presentation, nothing outside the four corners. And the Court asked three times -- the Court said, "Just a moment." And this is from page 11 of our brief that gives the precise pinpoint cites of that transcript, your Honor. And this is with EFF counsel.
"THE COURT: Just a moment. Is there anything of substance to the presentation, anticipated for the presentation that is not on the slides?
"ANSWER: No, your Honor."
The Court again: "All right. These are the entire materials that you intend for presentation?"
"MS. GRANICK: Those are the visual materials.
"THE COURT: Well, is there anything else that is of substance for the presentation?
"MS. GRANICK: No, your Honor.
"THE COURT: There will be nothing beyond what's shown on these several slides?
"MS. GRANICK: No, your Honor."
Your Honor, that's inaccurate. Later on after the Court's pressing, Ms. Granick admitted, "Oh, yes, there are," and counsel is pointing out the reference to the software tools. Oh, there are software tools. The Court asked: "What are these tools?" And
the response was, well, these tools, they're tools that allow you to carry out these attacks, but they're not malicious. How are we to judge that, your Honor? We don't
have the tools, and we're to take the word of counsel because the tools have been withheld. Now, your Honor, the Court asked at that hearing: "Demonstrations. What are these? What do the
demonstrations do?"
And the response was -- and again,
this is on page 12 of our brief -- the response was, "The demonstrations by the MIT students at the DefCon conference will be designed to show how to create a forged card; in other words, one that is not issued by the MBTA." Now, your Honor, the students have asserted their First Amendment right to withhold demonstration materials and to withhold these software tools. We've
seen, your Honor, that the key information that has been produced so far -- which is compiled in that 30-page document under seal, which I believe is Docket 32 -- the key information here, your Honor, is real; this is not a prank. They've compromised the CharlieTicket, your Honor. So the information has value; it's of concern; it has a real threat. And there is additional
information that was designed for this conference that they contractually agreed to present at this conference that they refuse to withhold [sic] on First Amendment grounds.
This is the second point: Your Honor, I would like to call the Court's attention to the presentation. And if I may just approach the bench? What we have here are just a compilation of exhibits. We've given these to opposing counsel. But the only exhibit -- this was done for last Thursday's meeting. But the only exhibit that is really of value for the present purpose is Exhibit 17. And Exhibit 17, your Honor, which looks like this, is the same as Docket No. 9-7. So Exhibit 7 in Docket 9. The difference, though, your Honor, is
that we've put Bates numbers at the bottom of the pages to make it easier to refer to the specific pages. Now, your Honor, if I could call the Court's attention to Bates No. 140 in the presentation which looks like this. And, your Honor, our surmise from this
document is that it is a way, visually, to indicate how to take a dollar twenty-five CharlieTicket and turn it into a $100 CharlieTicket so it's counterfeit. What T officials did, your Honor, is in this second $100 ticket, there's a serial number. Now, T
personnel took that serial number, linked the image of
that CharlieTicket and that serial number to serial numbers of multiple additional CharlieCards. These are all clones of each other. The officials constructed an auto trail showing payments, use and other activities. The linked tickets, they all were used illegally.
Again, your Honor, whatever the end the MIT students might have had in mind, or have in mind, it's unequivocal in this case that they used illegal means. And let's examine what MIT student -- the MIT students and counsel say about this. Mr. Anderson says in the press, and now, just as of last night in a declaration, "We never rode the T for free," so it must be okay. Counsel -- EFF counsel says -- and this, again, is in our brief at page 13. We give the cite to the transcript from the original hearing. Counsel claims that the research the MIT students compiled was not obtained through any kind of unauthorized access to computers.
Now, your Honor, not riding the T for free is very different than claiming no unauthorized access to computers. So we have the clients saying one thing and we have their counsel saying another. Which is it?
Your Honor, this is misinformation that the requested deposition was designed to prevent. And I'd
note, your Honor, that while counsel said to this Court
on Thursday Mr. Anderson is on holiday and he is too busy to appear for a four-hour telephone deposition, Mr. Anderson has been giving press statements, I understand he was on WBZ radio this morning, and he's had time to put together declarations. Your Honor, the
Court asked for a good, factual record before to make this decision. Now, your Honor, let me turn to my third point, which is the presentation itself. And, again, that's
the material in Tab 17 in the handout that I just provided the Court. Your Honor, this document, plus what we believe is the underlying software code and demonstration materials, are not abstract theoretical advocacy, but instead, they're specific instructions for violating the CFAA. If the Court were to take a look at page 105, which is the first page, down at the bottom of that page the Court can see it says "For updated slides and code" see this website. That's the code we ask for, your Honor.
If the Court could take a look at page 107, the slide says "What this talk is not: Evidence in court, (hopefully)." It shows an anticipation and realization
that this talk was problematic. Let me look at -- call your attention to the
next page, which is 108. The slide says "You'll learn how to..." Your Honor, this is instructional text. "You'll learn how to generate stored-value fare cards" -- those are counterfeits -- "reverse engineer magstrips"; "hack RFID cards"; "use software radio to sniff" -- that is to obtain information from computer systems; "use FPGAs" -- so field-programmable gate arrays -- "to brute force"; "tap into the fare vending network"; "social engineer"; and "Warcart." So this is instructional text.
Now, your Honor, if the Court would take a look at the next page which states, "And this is very illegal!" And, your Honor, just as a note, at the bottom it says "So the following material is for educational use only." Well, we've seen in the contract that the MIT students have granted unlimited rights of their material. And if the Court could take a look at page 129. After working through a variety of methods on cloning and counterfeiting cards the text says "You now have free subway rides for life." It doesn't say "you
will have" or "you may have" or "if you follow these instructions," et cetera, it says "You now have free subway rides for life." If I could call the Court's attention to page 142, this is a page that is showing a demonstration to
the MagCard reverse engineering toolkit. And it refers to Python libraries -- again, these are software libraries, an open source for analyzing MagCards. And at the bottom it says "Can now forge cards."
And then lastly, your Honor, I'd like to call the Court's attention to page 176. And, your Honor, this is a photo of network switches in the T's network system. These are sensitive devices, and in order to get here there would need to be some trespass committed. But that's not the point right now. The point is that: Take a look at -- these are network switches. All the data is running through these network switches. It's not just the CharlieCard and the CharlieTicket; it's all ACF data are running through these switches.
And then if the Court could take a look at the next page, you would see it's the same photo, but at the bottom there's the addition of a blue rectangle that says "Wireshark." Wireshark is sniffer technology that
allows one to sniff -- in other words, monitor, surveil, intercept -- information over a computer network. Your Honor, these are words -- and again, we don't have the full presentation because they refuse to give it, but these are words likely to incite imminent lawless behavior. This is the DefCon conference. As
commentators have stated, there are the white hats at
the conference who are out for the greater good, there are the grey hats who are in between, and then there are the black hats who are out to cause problems. We have submitted an affidavit that has a collection of articles about the DefCon conference to give the Court a flavor of the type of audience that this is being presented to. Like the Rice case, which is the case about the book called "Hit Man" -- and the book essentially teaches you how to rough people up and kill them. But
it doesn't do it in an abstract, theoretical matter; it has pictures, it has tools, it has everything -- your Honor, these are instructions and step-by-step directions on how to engage in conduct prohibited by the CFAA; this is not protected speech. Let me point now to balancing of the harms in responsible disclosure. Your Honor, the MBTA does not
claim that the doctrine, or the principle or the concept or whatever you might want to call it, of responsible disclosure is written in the law. The Court on the injunction motion is acting equity. Your Honor, responsible disclosure should inform this Court, we believe, deeply in terms of the equities. What is fair between the parties here? What is responsible?
Your Honor, the students posted their
presentation online -- this document we were just going through, posted it online -- starting June 30. It was available unpassword-protected. There was no meeting with the T until August 4. At that meeting the MIT students and Mr. Anderson told law enforcement that nothing illegal went on. We've seen that's incorrect; that was untrue. They did not provide the presentation at that time.
After that there were numerous contacts between MBTA officials and Professor Rivest who was acting, we view, at least with apparent authority as their agent in setting up the meetings and scheduling the communications with the T. And finally, your Honor, on Friday, the 8th, they agreed to give the presentation, but then at roughly 6:45 EFF counsel instructed them not to give the presentation to the T, even though the presentation had been publicly available at the conference as of Thursday. So we have a document that's available publicly that counsel is instructing clients not to provide, and I'm not sure why. And, your Honor, that was their responsible disclosure.
Now, I want to temper that statement, your Honor, with a clear statement that the security analysis that the students provided to us last Wednesday, that is a very useful document. As I said, from that document
we came to the conclusion that the ticket has been compromised. They're able to compromise the ticket.
So, your Honor, when I talk about responsible disclosure, there are spots of great sunlight and then there are spots of great darkness. So I don't want to
be too argumentative in talking about this as unequivocal non-irresponsible disclosure. But, your
Honor, in terms of prior to that security analysis, yes. And now, your Honor, the security analysis is wonderful, but there are additional materials that cause us great concern. Is this responsible disclosure now:
withholding the class paper, withholding the software code, withholding the demonstration materials?
Balancing the harms, your Honor? We ask for a five-month injunction. We've tailored the injunction so it only covers nonpublic materials. We believe that will preserve the status quo. Our hope, your Honor, is that the parties will continue to talk in a constructive manner along the lines of the security analysis to resolve these issues, and at the end of that five-month period they're free to discuss whatever they need to discuss or whatever they feel like discussing.
Finally, your Honor, the last: the public interest. On the one hand, your Honor, the MIT students claim an unfettered right to disclose. Despite illegal
conduct, despite incitement to others to copycat, they say: We should be able to disclose. On the other hand,
your Honor, they claim essentially an unfettered right to withhold. We're not disclosing the class paper,
we're not disclosing the demonstration papers, et cetera.
In this vein, your Honor, I would like to point briefly to the letter from the professors -- the 11 professors -- that was submitted to this Court. And I think that letter is useful, one, in terms of demonstrating that the MBTA's position and the professors' position is not that different; and, two, demonstrating that the professors are addressing a question that does not bear on the facts here.
Your Honor, the professors state that they have a firm belief that research and security vulnerabilities and sensible publication of the results of the research are critical for scientific advancement. That's on page 1 in the brief, your Honor. Your Honor, that term
"sensible publication" we agree with strongly. The professors also state, "Generally speaking, the norm in our field is that researchers take reasonable steps to protect the individuals using the systems studied." We agree as well, your Honor. Your
Honor, where we diverge is the professors say that using
the law to silence researchers is improper. Your Honor, we're not asking to silence these researchers at all; we're asking for a time-limited injunction with respect to nonpublic information that we now know, based on further disclosures, is threatened and poses a real threat to the system. Your Honor, as the professors state on page 4, "It is much better from everyone's perspective if researchers discover the break and publish it than if unscrupulous discoverers of the break exploit it without public notice." Your Honor, we can agree with that
position, but we think better than that position is the responsible disclosure doctrine from industry, not from academia, that we propose, which is researcher finds the flaw, brings it to the target, there's a resolution, and then there's publication. That prevents the harm to the
target and serves the public interest in providing full disclosure of the issue. Now, your Honor, finally, the professors ask that vendors should not be given complete control over the publication of information as it appears that the MBTA sought here. Your Honor, again, with the relief
that we requested, we have not sought complete control over what the students are saying and the point is inaccurate.
Your Honor, a final point on the professors' formulation: The professors' formulation did not
address the situation where the researcher has used illegal means to capture the valuable research. Your
Honor, in that position Mr. Bodoin has hacked into my system and he has committed illegal acts -- but he hasn't hurt anyone -- to get that information. Now,
your Honor, from an interperspective, I want that information so that I can fix my system. Now, who owns the information, whether I should be able to exploit it for someone else or whether Mr. Bodoin should be able to, you know, reap the commercial benefit of that, that's another issue. But,
your Honor, I am going to want that value to know where my flaws are. Mr. Bodoin, however, if he's used illegal
activity to get into that system to discover this valuable flaw, is going to be concerned that I'm going to say to him, "Mr. Bodoin: CFAA. You'd better watch out. You've got criminal exposure," or civil exposure. The solution to that problem, your Honor, in
other words, in order to get the plum, the prize, the value: I need to commit an illegal act. I need to hack
into someone's system. And the solution the professors propose is: Narrow the CFAA. Don't make that conduct -- or talking about that conduct -- don't make
that illegal.
So, in other words, if I've committed
illegal acts like the students here, and I get that plum, that value, and I talk about it to the world at large, that should not be a violation of the CFAA. Your Honor, it proves too much. Narrowing the
CFAA, as is proposed here -- in other words, by reading this term "transmission" to exclude written transmissions like the presentation, code transmissions like the code, verbal transmissions like the verbal presentation -- to narrow the CFAA in that manner will exclude -- sure, it will protect the good guys, but it will exclude a vast range of potential bad guys. If this were a terrorist conference and terrorists were saying: This is the way -- you have
code here to hack the federal court system, or to disrupt the financial institutions, it would be a much easier issue. But it's still the same, your Honor. The
solution should not be to narrow the CFAA; the solution should be to rely on established First Amendment jurisprudence which prohibits words likely to incite imminent unlawful activity and read the CFAA the way it's intended to be written, which it picks up transmissions of information. Now, in sum, your Honor, these broad issues of the public interest we think strongly support the
requested relief here. It's time-limited relief. It allows the parties to talk, solve the problem, and it leaves the students free to publish research results and continue on or have presentations as they see fit. Thank you, your Honor.
THE COURT: Ms. Cohn?
MS. COHN: Good morning, your Honor.
I want to first clarify a couple of factual things that I think have become clear as a result of the preliminary injunction papers that were filed late last night. And I do want to apologize in advance: I'm
ready to argue the preliminary injunction today but I will note they were filed while I was on an airplane and I had the two hours after my red eye landed today to prepare. So I apologize if I'm not as polished as I
might be this morning.
THE COURT: They are quite similar to the other filings, I noted.
MS. COHN: So the first thing is that the MBTA
has now been really clear that there was not a compromise of the CharlieCard in the students' presentation; there was a compromise of the CharlieTicket. So any of the information or allegations
or anything about the CharlieCard are simply irrelevant for purposes of the preliminary injunction because the
students were not able to expose a vulnerability in that card. They came up with theoretical information about
possible vulnerabilities but they were not able to demonstrate one. So I think that the CharlieCard issue
should be off the table for purposes of the preliminary injunction because the only information that could cause harm to the MBTA, even under their own analysis, is the information about the CharlieTicket. So now moving to the actual merits of the preliminary injunction hearing, I think that the Court -- you know, the preliminary injunction standard is the likely success on the merits, irreparable harm and the balancing. I don't think your Honor needs to
reach the second two because there is no Computer Fraud and Abuse Act claim here. There simply is not. And
that is the sole basis on which they have asked for this injunction. The Computer Fraud and Abuse Act is a statute that is expressly and intentionally aimed at attackers to computers. It's aimed at viruses and worms and damage that can happen to computers. And it is expressly limited to transmission of information to a computer under 1030(a)(5)(A)(i). This is clear and consistent throughout the case law applying this statute. In fact, Judge Posner in the
International Airport Center case expressly talked about how you can't read "transmit" too broadly because if you did, you know, hitting the delete key would be transmit, and Congress didn't intend for it to reach that. So
while counsel cites the Webster dictionary definition which includes both the definition that we think is appropriate here, which is definition seven about "transmission" meaning transmission to a device or a computer, that's not really what Congress was talking about here. And it's very clear from the legislative history and it's consistent throughout the case law. And they
can cite not a single case that supports the definition of "transmission" as computer -- as communications to people as opposed to communication to computers. And you can see that even in the text of the statute itself. 1030(a) is the provision involving national security computers: computers that are owned by the Justice Department, that are actually part of Homeland Security. There Congress said communication of
information could be a violation of the Computer Fraud and Abuse Act. But in the provision of the statute that we're talking about here, which is at (a)(5)(A)(i) which involves the rest of the computers in the world, the
ones that aren't involved in national security, which is what we're talking about here with the transit computers, communication is not included in the definition. And I think that's intentional. I think in
the context of the national security situation and an attack on a national security computer, I think the First Amendment -- there's at least an argument there that the First Amendment might countenance criminalizing the communication. But in the context of every computer that is possibly connected to the Internet, which is what the rest of the CFAA reaches, the definition of "protected computer" under that law, there is no use of the word "communication"; there's only use of the word "transmit." So if you look at the legislative history, if you look at the statute itself, and if you look at the -- all of the case law on the Computer Fraud and Abuse Act, it's clear that "transmission" under the statute means transmission to a computer, not speech to a person. There's also a second -- there are two other problems with the Computer Fraud and Abuse Act claim here that we haven't had a chance to develop more fully but I think are fairly obvious from what we have so far.
First, entirely -- it doesn't allege the $5,000 jurisdictional minimum for a Computer Fraud and Abuse Act claim has been met here. That's because a computer
must be damaged in an amount; it must be actually damaged by an attack. Again, we're thinking about
viruses and worms and other sorts of direct attacks on computers. And there's no allegation of any damage to any computer through anything that the student did or the presentation. The damage is, to the extent that there
is one, that the MBTA might not make as much money as it might otherwise make. There's no allegation of damage to any computer. And there's certainly no allegation of loss in excess of $5,000 here. It's purely speculative.
Their argument turns on the idea that somebody who hears this general information might turn around and do something, and that something may cause damage and that damage might be over $5,000. That is not
sufficient for a CFAA claim, and it's certainly not sufficient for an injunction under the CFAA at this particular point. Secondly, it does appear to be unclear whether this is actually -- the MBTA's claims actually affect interstate commerce. It is not at all clear that there are fare devices in Rhode Island. My understanding from
my local counsel is that the fare devices are all in Massachusetts. And I think there is a threshold-level
question about whether these are protected computers under the CFAA that is worthy of further consideration. So the CFAA just doesn't apply here. And
there's a good reason why it shouldn't apply here, why it shouldn't be expanded in the way that plaintiffs would like you to expand it. And that, of course, is the First Amendment. If the CFAA was read to reach
speech, truthful speech, on a matter of public importance, then the statute would be in tension with the First Amendment. And of course your Honor is well
familiar with the idea that you should not read a statute to create constitutional problems and that you should avoid reading statutes in such a way, and yet the MBTA urges on you an interpretation of the CFAA that -- again, supported by no case law, no legislative history and no significant analysis, and would put the statute in tension with the First Amendment. And I think you
should not consider going in that direction. Now, in the preliminary injunction papers the MBTA -- and in the oral presentation that counsel just made MBTA makes -- brings in new information. We made these arguments about transmission. And the parties have gone back and forth on them. There's one new piece
of information that's MBTA brings to this -- in the preliminary injunction papers. And this is their
conclusory allegation that there may have been some illegal activities by defendants in doing their research. Now, but that conclusory allegation -- first of all, it's unsupported; they don't say what it is the clients -- what it is that the students did, where they did it, how they did it. They just assert that now it's incontrovertible. Well, we would like to see that evidence. Certainly their conclusory assertion
shouldn't be the basis upon which this Court makes a finding. But in any event, even if it is true that they may have a small claims action for something against -- the clients did, or there was some minor infraction along the way to doing their research, that is not a Computer Fraud and Abuse Act claim. It doesn't meet the
jurisdictional minimum, it doesn't appear that there was any transmission -- illegal transmission in this particular incident, and it's simply below the statutory threshold for the Computer Fraud and Abuse Act. So the fact now that they have made a new allegation that there may have been some illegal activity by the students, which we hotly dispute,
doesn't provide them a Computer Fraud and Abuse Act claim in this case. So if they don't have it for the
speech and they don't have it for what the students may have done in creating the speech, then they don't have a Computer Fraud and Abuse Act claim and they do not have a likelihood of success on the merits. Even if you were to find that there was a colorable Computer Fraud and Abuse Act claim, the law would not countenance a prior restraint in these instances. Remember that the prior restraint doctrine
is one of the strongest doctrines in constitutional law; it protects truthful scientific speech, it protects speech that was gained illegally, and it protects speech when the publication of that speech would be illegal. And we need look no further than the Pentagon Papers case decided by the U.S. Supreme Court. When
Daniel Ellsberg took the Pentagon Papers out of the Defense Department, he violated federal law clear and unequivocally. And when he sought to publish that
information which was classified, that publication violated public law. The Supreme Court said a prior
restraint shall not issue for this publication and the information -- and the lower court's prior restraint was overturned. Now, in that instance we have both of the things
that Mr. Mahony claims that my clients did here. They
claim that they got the information illegally, or that they broke some law along the way, and they claim that presenting this information to the public, while not itself illegal -- it's one step further removed from the Pentagon Papers case -- might incite other people to lawless behavior. Well, if that was the law, the Pentagon Papers case would have gone the other way. And that's still the controlling Supreme Court authority here. That's because the First Amendment and the prior restraint doctrine countenance strongly against prior restraints on speech. There may be subsequent punishment after speech. And indeed, all of the cases that they cite in
their argument that there's imminent lawless action and aiding and abetting are not prior restraint cases; they are all 201 subsequent punishment cases. The Paladin
Press case is a subsequent punishment, the Rice case that we talked about earlier; NAMBLA -- the NAMBLA case -- the Curley case is a subsequent punishment case; the Brandenburg case is a subsequent punishment case; the Knapp case is a subsequent punishment case. All of the cases that they are using to support their legal theory that a prior restraint is legal here are not prior restraint cases. And there's a very good
reason why they're not: because there aren't any prior
restraint cases that would countenance what they're trying to do to the clients here. The clients are
engaged in academic research, the information they want to publish is truthful and it's important to the public debate. This -- if you issue this preliminary
injunction here you will be setting -- you will be making an unprecedented ruling, and I think that it's the wrong course to go on. I think that we've had a
prior restraint too far -- so far here for far too long. The second -- the next thing I want to talk about is the issue of irreparable harm. Now, they have
not met their burden to show that they will suffer irreparable harm here, especially in the specific context of this situation. While they like to say that
the students want to be free to say everything, the students have never wanted to say everything. They have always wanted to withhold what they call key information, information that would allow someone to replicate the attacks from what they speak about. But let's be clear. There are three categories of speech here that we're talking about -- and by the way, they even went above and beyond, I think, what they needed to do here and they wrote a paper called "A Security Analysis" that we submitted to you under seal
and gave to them last week to try to capture the universe of what they want to say publicly. They have been very clear, they have been very consistent, and they have told anybody who wants to listen that they never intended to give information necessary to replicate the attack. And, in fact, they didn't. They have never given the information necessary to replicate the attack. And to the extent that anyone
in this courtroom gave information that was necessary to replicate the attack on the CharlieTicket, it was the plaintiffs, because they published the first confidential report that the defendants wrote for them even before the presentation on the court docket. And
that included the information that the clients -- that the MIT students did not intend and were not going to present at the DefCon conference. So to the extent that
anyone's been a little laissez-faire here about making sure that nobody can replicate the vulnerabilities that our clients found, I think you have to look at the MBTA. But in any event, they have not met their burden of proving irreparable harm here because the students don't want to give that key information. As I said,
there are three pieces of information or three categories of information: There's the public information. Everybody agrees that that's outside the
case -- outside the scope of the injunction. There is
the key information, the crown jewel that you would need to replicate this attack. The clients do not want to
publish this, they never indicated they want to publish it, and they certainly don't want to publish it now. Then there is the universe of nonpublic materials that is important to understanding what the students did, without allowing replication, but to give context and background to what -- to what it is the students are saying. Remember, it was not until just
this morning that the MBTA admitted that what the students did wasn't a prank. Until we pushed this to
this Court, they were trying to deny that this happened and punish the whistle-blowers. You know, if there's ever been a shoot-the-messenger case, I guess this is it. Our
clients didn't create a vulnerability in the MBTA fare security system; they just discovered one. The vulnerability was there. Other people would have found
it, or may have found it already, but the -- you know, to the extent, you know, that they are being punished here, they're being punished because they want to speak about a truthful thing that they discovered. So the MBTA has not met their burden that there will be irreparable harm here if the students are
allowed to talk about not the key -- crown jewels, because they don't want to talk about that, but the second category of nonpublic information that is contained in the security analysis. Now, we gave this to your Honor very explicitly because we wanted you to take a look at that security analysis, and we felt that if you did, you would agree with this: that there's nothing in that security analysis but speech. It's pure protected speech. It's
research materials and it's the result of the research, and that's all that's in there. So we have given them the universe of what the clients want to say. And effectively I think what the MBTA is saying here today is: Well, we want an injunction because we're scared that they might say something else. But the First Amendment is very clear on this: You don't get an injunction against speech
based on a speculative fear; you don't get an injunction on speech based on the fact that, well, you don't want to say it anyway so let's just enjoin you from saying it. Those are the things that are off the table in the
context of prior restraints on speech. And it does appear that that's kind of what they want here. They want to enjoin the clients from not --
from saying things that the clients don't want to say,
and they want to enjoin the clients because they're afraid that the clients might say something else other than what the clients have very consistently, both privately and publicly, told the MBTA they want to say. So finally, the balancing, the third prong of the preliminary injunction test: Again, MBTA has not
met its burden -- its very high burden -- to counteract the public interest in the free flow of information here. The status quo under the First Amendment is the free flow of information. And the computer science
professors and computer scientists agree that the free flow of science could be chilled here. If your Honor issues an injunction preventing the students from presenting their research, you're going to have a ripple effect across the computer research community. You're going to have people afraid
to do research; you're going to have people afraid to talk about their research; you're going to have people afraid to engage in peer review of their research, which, by the way, is what the DefCon conference is about, it's about peer review of scientific research by researchers; and they -- you're going to set an example that's going to cause ultimately all of us to be less secure. Because what security researchers do, while it
may not be popular with vendors and transit authorities,
ought to be popular for all the rest of us, because it's what keeps us safe from the hackers, from the worms, from the viruses, from the evil people. And I guess
it's what keeps the MBTA safe from people who want to not pay for transit fees. Ultimately -- this is the main point made by the 11 eminent computer security researchers, and I believe that given more time I could have easily gotten triple this number to sign -- is that the dialogue that happens in computer security research is important to the public interest. It's exactly why the First Amendment protects
research and scientific speech to the same level as it protects journalists and their speech and speech on public affairs and speeches on political events. Scientific speech and the ongoing dialogue that scientists widely have, that computer revolution that we have today, as the scientists say, and chilling that, by forcing researchers to come into court and to present to the other side in the court their research, the entire sum body of their research authorities, will endanger us all. Now, I want to talk a little about the TRO language and the specific preliminary injunction language because one of the problems in the language that is most troubling to us -- as I said, there are
three categories: There's the stuff they don't want to
say, there's the nonpublic stuff that they do want to say and there's the public stuff. But the way that the
TRO is drafted, it says that anything that gives material assistance to anyone in not paying their fare on the T could -- is a violation of the injunction. Well, this is an extremely vague term and I think could easily reach a tremendous amount of ordinary speaking that the clients want to do in order to explain why it is they did what they did and the vulnerabilities that they found. So the injunction language that
they're proposing is actually quite vague and creates a lot of uncertainty for the students even if it were to be adopted by the Court, which we don't think it should be. Now, I want to address a couple of things that counsel said in his presentation. I'm happy to answer questions, however, that the Court may have. The first thing I guess I want to talk about a little bit is that, you know, counsel spent a lot of -- well, I guess the first thing -- I'll go in order from the five points. I think that's probably the easiest way to do it. The first issue is that -- the idea that the information that's at issue here is that the MBTA still doesn't know what the students know. I think that
there's a serious First Amendment problem in ordering the students as a condition of this lawsuit to divulge everything that they may know as part of a preliminary injunction. What -- and there are several cases about this. And I think the Bextra case and the Cusumano case are cases that lay out exactly why such a requirement on the students for providing their research materials and their non-published information about their work would create a chill on First Amendment speech, and that's why Cusumano has to exist, to avoid this kind of free-form inquiry into the research process. I guess the second thing that I want to talk about is the allegation that illegal conduct took place here now. I mentioned it briefly before, but I do want
to point out that that allegation is merely an allegation and they have not provided anyone with any information supporting that allegation. And, indeed,
the allegation is somewhat vague about what it is they think the students did and how it is they think they can prove it. But that is a mere allegation and it is not a basis for a preliminary injunction. And, indeed, even
if it was the basis for a preliminary injunction -- even if it was the case that the clients engaged in illegal
behavior, which we firmly deny, that doesn't have anything to do with the preliminary injunction they're seeking here. The preliminary injunction doesn't ask
that the students not engage in whatever illegal behavior it is under whatever statute they think it is they violated; the preliminary injunction prevents the clients from speaking. And so there's a disconnect between the harm that they said that they found, the illegal behavior, and the relief that they're seeking here with this preliminary injunction. And the First Amendment is very
clear that you should not punish someone for behavior unrelated to speech by stopping their speech. Next, counsel spent a lot of time talking about the presentation materials, but I guess the thing that I think is most important to observe from this is that the DefCon presentation passed. They did not give the presentation. And they have not stated, nor is there
any indication, that they're going to ramp up and give this presentation any time again. Instead, what they
did was, they provided you with a security analysis that gives the four corners of what they want to say publicly, and that's the analysis that has to be had here, not whether some presentation that didn't happen in the past or some random thing that, you know, was
part of that presentation that was clearly puffery by 20-year-old students should be the basis for a preliminary injunction. The students have now told you and the MBTA exactly what they would like to say, and the only question here is: Is it speech and is it protected? It plainly is. So a lot of time was spent on the
presentation and the other materials, but that's not what the students want to do right now, and there's no indication that they do want to do, and an injunction to prohibit them from doing something that they don't want to otherwise do is improper under the case law. Counsel also spent a lot of time talking about the communications between the students and DefCon, and trying to make some intimation that because the students were willing to tell the conference what it is they wanted to say -- and they didn't get to finish it because they didn't provide a lot of things to DefCon because of the perfunkle that happened -- the students -- What MBTA is asking here is exactly what the Court rejected in the Bextra case, the case involving New England Journal of Medicine. In submitting articles
to the New England Journal of Medicine, I would bet that a full copyright assignment is given to the New England
Journal of Medicine. I believe that in submitting a
paper to the New England Journal of Medicine, an author provides more information than just the paper itself, but some of the supporting information. And in the Bextra case they talk about the dialogue between the New England Journal of Medicine and the researchers who are submitting their information to be presented, in this particular instance in the journal rather than a conference. But the situation is directly analogous. The fact that the students were willing to
tell the publisher, or the vehicle for publishing their information -- the information -- doesn't change the research privilege. It didn't change it in Bextra, it
certainly didn't change it in the Cusumano case where clearly a lot of that information was given to the publisher, and it shouldn't make a difference here. The presentation at DefCon was part of the research; it was part of the publication of the research. And the research privilege is not waived by
giving the information to the publisher on your way to publishing the information. So I think that the New
England Journal of Medicine case, the Bextra case, is actually on all fours with the students' relationship with DefCon here. And just as the research privilege
should have prevented them from having to provide the
confidential materials there, the same should be the case here. Finally, counsel gave a characterization of the facts that led us to today that I think I don't really want to belabor and go through, but I think there is one important piece of evidence that was presented by the defendants last Thursday without comment, the supplemental Sullivan declaration, that I think is tremendously important because it demonstrates that the MBTA wasn't really straight with Professor Goodlaw -- excuse me -- Judge Goodlaw about --
THE COURT: Woodlock.
MS. COHN: Woodlock. Excuse me. Jet lag is starting to hit. -- about what had happened. What Sergeant Sullivan says in the second declaration, which was omitted from the first declaration that they presented to the judge last week, is two things of tremendous importance. First, he says,
"I told the students that they didn't have to give us anything except for a confidential report which was due in two weeks." The students actually got that report to
them much sooner because they heard through their professor that MBTA wanted the report much sooner than the two weeks.
But the students were asked to do one thing in person by a representative of the MBTA, and they did that one thing. They met with the FBI. They communicated with the FBI and the MBTA. They were asked to do one thing and they did it.
The other thing that is important is that nobody else from MBTA ever talked to the students. As far as
they knew, after they did this, they heard from their professor that they wanted the paper sooner, they got the paper sooner, and they were good to go. And without
any notice to them, and while clearly on notice that they were out of state, the MBTA came to Judge Woodlock and presented a version of the story that omitted that