Temporary Restraining Order Against Crime-Facilitating Speech About Security Vulnerabilities:

Declan McCullagh at c|net News reports:

A federal judge on Saturday granted the state of Massachusetts' request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.

The undergraduate students were scheduled to give a presentation Sunday afternoon at the Defcon hacker conference here that they had said would describe "several attacks to completely break the CharlieCard," an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line. They also planned to release card-hacking software they had created.

U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System." Woodlock granted the MBTA's request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.

The suit, filed a day earlier, also names the Massachusetts Institute of Technology as a defendant. Neither MIT nor the students — Zack Anderson, R.J. Ryan, and Alessandro Chiesa — could immediately be reached for comment....

The MBTA, which is a state government agency, claims that "disclosure of this information will significantly compromise the CharlieCard and CharlieTicket systems" and "constitutes a threat to public health or safety." ...

Every one of the thousands of people here who registered for Defcon received a CD with the students' 87-page presentation titled "Anatomy of a Subway Hack." It recounts, in detail, how they wrote code to generate fake magcards. Also, it describes how they were able to use software they developed and $990 worth of hardware to read and clone the RFID-based CharlieCards.

Those CDs were distributed to conference attendees starting Thursday evening, meaning the injunction was nearly two days late. (On the other hand, the source code to the utilities — not included on the CD — was removed from web.mit.edu/zacka/www/subway/ by Saturday morning.) ...

The order barred "providing program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System." The ban on "information" appears especially broad, and would restrict even lectures or papers describing the general techniques; this means the broader question about whether communicating code (source or object) is "speech" need not be reached here, because lectures and papers clearly are.

The question is whether, in this context, the speech is constitutionally unprotected, and, even if it is, it can be restrained by a preliminary injunction. If the only argument was that the students' speech was "crime-facilitating" in the sense of helping others commit crimes (or even torts), I'd just rely on the analysis in my Crime-Facilitating Speech, 57 Stan. L. Rev. 1095 (2005). (For whatever it's worth, there's apparently a factual dispute about whether the students warned MBTA of their findings and gave them an opportunity to fix the security problem before going public with their conclusions; that question may be relevant to whether the students behaved properly, but under my Stan. L. Rev. analysis it shouldn't be relevant to whether their speech publicizing the violation is constitutionally protected.)

But here the MBTA argues (see the Complaint and the Memorandum in support of the Temporary Restraining Order) that the student defendants got the information by illegally accessing the material inside the MBTA cards, and other MBTA computer systems, in violation of the Computer Fraud and Abuse Act — a law that neutrally bans the conduct of unauthorized access to others' computer systems. Whether the speech communicating information they learned from their illegal conduct (if it was illegal) may be restricted is potentially a different question.

On the other hand, even otherwise unprotected speech generally can only be restricted after a finding on the merits that the speech is indeed unprotected. It generally can't be restricted via a temporary restraining order or a preliminary injunction that's just based on a preliminary, quick-and-dirty estimate of whether a crime was committed and whether the speech is therefore constitutionally unprotected. That's the best rationalization I could come up with of the "prior restraint" doctrine, which as I understand it means that speech cannot be restrained prior to a merits finding about whether it's unprotected. See this analysis in Mark Lemley's and my Duke article on preliminary injunctions in intellectual property cases, though note that our article responds largely to the fact that the prior restraint doctrine seems to be disregarded (mostly silently) in certain classes of cases, such as copyright cases.

So this is a pretty complex legal question, which is one reason I only offer the tentative framework above. I hope to have more thoughts on the subject in coming days.