EFF reports that U.S. District Court Judge George O'Toole has lifted the temporary restraining order that the court had issued against the three MIT students who had planned to present their research on the security vulnerabilities in the Massachusetts Bay Transportation Authority's (MBTA) transit fare payment system at DEFCON, a highly-regarded conference for hackers. The students' research grew out of a project that they had worked on for a network security class at MIT, and they had offered to share their results with the MBTA before presenting their findings at DEFCON. You can read more about the background of the case here.
In response, the MBTA brought suit against the students under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, a federal computer intrusion law. (Interestingly, this is the same statute that is at issue in the Lori Drew fake MySpace profile case.) The lawsuit alleged that if the students presented their research at DEFCON, they would violate the CFAA by helping others to escape paying MBTA transit fares. Judge O'Toole disagreed with this interpretation of the statute, and held that the CFAA does not apply to those who research security issues. Accordingly, the court found that the MBTA was not likely to prevail on the merits of its claim under the CFAA, and dissolved the gag order.
Kudos to EFF for this important First Amendment victory! Hopefully, the MBTA will drop the rest of the lawsuit and work instead with the students to make the necessary corrections to the transit fare payment system.