On 18 July 2008, the Dutch Court in Nijmegen dismissed the initial claim in its preliminary ruling in the case of Chip maker NXP against the publication by the University of Nijmegen of the security problems regarding Mifare Classic Chip, dismissing the initial claim.

NXP had asked the judge to order the University of Nijmegen to stop the publication of its research results on the way to crack the security of cards using the NXP chip, arguing that the publication would allow law infringers to easily break into security systems and to fraudulently use the public transportation. In NXP's opinion, the publication would cause considerable damage and security risks for NXP and users all over the world.

The Rechtbank Arnhem court decided that prohibiting the publication of the University article would violate the researcher's freedom of expression covered by article 10 of the European Convention of Human Rights. Restrictions in such matters are applicable only in order to protect a pressing social need which has to be convincingly demonstrated.

The judge's opinion was that Radboud University Nijmegen had acted with due care and that the publication of the results of scientific research and the information of the public about the serious deficits of the chip serves great interests and helps in taking measures against the risks of the security leak of the respective chip. The potential damage that NXP claims is not a result of the publication of the research results but of the production of a chip that has shown deficiencies, which is the responsibility of NXP itself.

"I don't think anyone truly believes you can prevent reverse engineering techniques from being published," said Karsten Nohl who worked at breaking the algorithm of the chip last year at the Last HOPE hacker conference on 18 July. "I'm very happy that the court upheld the right to open research and freedom of publication. (...) I'm also happy that the court understood that publishing vulnerabilities is a crucial part of the evolution of security and a different court outcome would have slowed down that evolution of smart card security and left too many systems vulnerable" he said to CNET News.

NXP was disappointed at the ruling saying that the changing of the system will not be easy for all users of the system; for some the amendment will take months but for others it is going to take years.

Henri Ardevol, general manager of automatic fare collection for NXP, stated: "Migration to a different format is one option. (...) We introduced Mifare Plus earlier this year, and it is designed to help migrate from Mifare Classic to a higher level of security...We will be developing plans for how to guide these migrations." He also said it was too early to say whether NXP would appeal the ruling.

The article will be published at the beginning of October 2008 during a scientific conference in Malaga, Spain.

Dutch Scientists Can't Be Blamed for Deficient Mifare Chip (18.07.2008)
http://www.jorisvanhoboken.nl/?p=183

Dutch court allows publication of Mifare security hole research (18.07.2008)
http://news.cnet.com/8301-1009_3-9994120-83.html

Oyster hack will be published, rules Dutch court (22.07.2008)
http://www.out-law.com/page-9279

Radboud University Nijmegen Press release - Security Flaw in Mifare Classic (18.07.2008)
http://www.ru.nl/english/general/radboud_university/vm/press_release_j...

EDRIgram - Dutch University sued to stop publishing research on chip technology (16.07.2008)
http://www.edri.org/edrigram/number6.14/dutch-university-chip