LAS VEGAS--Dutch journalist Brenno de Winter has covered Black Hat and Defcon for years, but he won't be at the security conferences here this week and is hindered in his work after being targeted by Dutch transportation companies for publicizing weaknesses in the new transit chip card.
De Winter, a freelancer who covers security for IDG affiliate WebWereld and other Dutch media outlets, has written articles about the problems with the OV transit chip card and appeared on numerous TV and radio stations in January demonstrating how the OV transit payment system could be defrauded by using software tools available on the Internet. Introduction of the card was temporarily postponed, and the Dutch Parliament skipped a debate on the war in Afghanistan to discuss the matter, he told CNET in a call today.
Trans Link Systems--formed by the five largest Dutch public transportation companies to create a single payment system, dubbed the OV chip card--filed a criminal complaint against de Winter with the public prosecutor's office and in June police questioned him for four hours, he said. No official charges have been filed, but de Winter said he has learned that he potentially faces charges of manipulating a debit card, having the tools to do so, and hacking a system, which could bring a six-year prison sentence.
A Trans Link spokesman said de Winter was questioned as part of an investigation into fraud. "Trans Link Systems filed a criminal complaint with the public prosecutor's office against fraud with OV-chipcards. Not against de Winter," spokeswoman Anita Hilhorst said in an e-mail statement. "The public prosecutor has investigated this fraud and because of this investigation the police questioned de Winter."
De Winter said he did not release technical details and that the European Court of Human Rights and Dutch judges have ruled that journalists are allowed to demonstrate security weaknesses in a system if the issue has considerable impact on society and if breaking the law is the only way to make the point. A Dutch court ruled in 2008 that a university there could publish a paper discussing vulnerabilities in the Mifare Classic wireless smart card chip, after Mifare maker NXP Semiconductors (formerly Philips Semiconductors) tried to stop publication. The OV card also uses Mifare technology.
"They are effectively banning me from doing my job because if I write about this card, I have to think about the consequences," said 39-year-old de Winter, of Ede, The Netherlands. "I'm writing a book and I have to leave whole chapters out."
"I'm scared to leave the country at this point" because of the investigation, he said. "I don't dare go to Defcon because I have spoken there on exactly this issue and cannot oversee the consequences."
After three MIT students were halted by a temporary restraining order from giving their talk at Defcon in 2008 about how to hack the Boston subway system, de Winter gave a talk in their place about how the Dutch and London transit systems, also based on the Mifare chip technology, could also be hacked.
Meanwhile, the case against him is hindering his ability to cover other news cases because the prosecutor's office won't respond to his requests for comment, he said. He also has incurred legal costs that he could not afford to pay if not for citizen donations gathered by media associations to help his defense.
A phone message left with the public prosecutor's after-hours hotline was not immediately returned.Updated August 2 at 7:55 a.m. PT with Trans Link statement saying de Winter was not the subject of the criminal complaint and to correct that de Winter writes for Webwereld, an IDG affiliate.