[Infowarrior] - Globe Editorial: Hacking and free speech

Richard Forno rforno at infowarrior.org
Thu Aug 14 13:36:27 UTC 2008 

http://www.boston.com/bostonglobe/editorial_opinion/editorials/articles/2008/08/14/hacking_and_free_speech/

GLOBE EDITORIAL
Hacking and free speech

August 14, 2008

THREE MIT students claim to have identified ways of hacking the MBTA's  
automated fare-collection system, and they could have spared  
themselves some trouble had they notified the transit agency of any  
security flaws right away. The T found out about their work only after  
they made plans to describe their discoveries last Sunday at DEFCON, a  
conference for hackers. On Saturday, the agency persuaded US District  
Judge Douglas Wood-lock to issue a temporary restraining order against  
the undergrads.

But what the students should have done out of moral obligation and  
what they have the right to do under the First Amendment are two  
different questions. For good reason, US courts have long been highly  
skeptical of prior restraints on what may be said in a public forum.  
Woodlock strayed into dangerous territory by restricting what the  
students could disclose at the conference. At a hearing today, Judge  
George O'Toole will hear motions to modify or lift the order. He ought  
to lift it.

The order had its intended effect, for the students did not give their  
talk. But it would be a mistake to regard them merely as mischief- 
makers bent on helping scofflaws ride for free. Finding security  
breaches in electronic systems is a legitimate, even vital, line of  
inquiry. The students began looking into the T's CharlieCards and  
CharlieTickets in conjunction with an MIT class.

The T says it wants to enforce the principle of "responsible  
disclosure" - the notion that a security researcher who finds a flaw  
in an electronic system should notify the owner and give sufficient  
time to fix the breach before going public.

The students and T officials met for the first time about a week  
before DEFCON. The transit agency argues that the students did not  
offer enough information to judge whether they would behave  
responsibly at the conference. But should the T be the arbiter of what  
constitutes responsible disclosure? The students' lawyer says they met  
the standard, because they planned to withhold from their talk key  
information necessary to cheat the fare collection system.

In any case, responsible disclosure, while a valuable ethical  
standard, is not enshrined in federal statutes, and should not trump  
First Amendment rights. Such rights aren't absolute; if the students  
were to incite others to commit crimes, they could face civil and  
criminal penalties. But if expression can lead to penalties after the  
fact, that is one more reason not to block it in advance.

The MIT undergrads and others in this field surely need to learn that,  
even if they have a First Amendment right to disclose their work at  
their discretion, it doesn't mean they always should. But the MBTA  
should recognize that security flaws are a design problem, not a legal  
one.

More information about the Infowarrior mailing list