Online Voting Startup Wants to Limit Some Security Research
Voatz Files Amicus Brief In Case Headed to the US Supreme Court
In a new court filing, online voting startup Voatz argues that most security research and ethical hacking should be limited to those who have clear permission from organizations to probe systems and software for vulnerabilities and flaws.
The amicus or "friend of the court" brief was filed Thursday by Voatz's legal team as part of a case headed to the U.S. Supreme Court that could redefine the Computer Fraud and Abuse Act - a 1986 law that makes it a federal crime to access a computer system without permission. The law has been amended several times since it was first passed.
In the case before the Supreme Court - Van Buren v. United States - the justices are being asked to examine the Computer Fraud and Abuse Act (CFAA) and possibly limit its scope, which could have wide implications for ethical hackers who probe IT systems and software looking for vulnerabilities and sometimes run legal risks by conducting this type of research.
In its view, Voatz argues that CFAA should remain the same and that ethical hackers and security analysts should seek permission from an organization before conducting any research, according to the amicus brief.
The startup believes that the CFAA does not have a "deleterious" effect on computer security. Instead, Voatz argues that security research and penetration testing should be conducted by authorized parties, such as private consultancy firms, and overseen by organized and official bug bounty programs.
"Voatz’s own security experience shows how unauthorized research and public dissemination of invalidated or theoretical security vulnerabilities can actually cause harmful effects," according to Voatz's legal brief. "The Court should therefore affirm the decision below and uphold the plain meaning of the CFAA."
A Voatz spokesperson could not be immediately reached for comment, but a company representative told CNET: "Allowing for unauthorized research taking the form of hacks/attacks on live systems would lead to uncertain and often faulty results and conclusions."
Voatz Vs. Hackers
Voatz, which is based in Boston, first created its smartphone voting app for the 2018 elections, when it was deployed for limited use in West Virginia, Denver, Oregon and Utah. The app, which reportedly uses a combination of biometrics, real-time identification and blockchain technologies, was also used by overseas military personnel to record their votes during the 2018 elections.
The startup has argued that its mobile voting app is secure and plans to expand its use during the 2020 U.S. elections and beyond (see: Can Mobile Voting Be Secure?).
Voatz, however, has vigorously pushed back against reports and research that its app contains security flaws. When researchers published a paper in February, the company published a lengthy blog post refuting those claims (see: MIT Researchers: Online Voting App Has Security Flaws).
In addition, CNN reported in October 2019 that Voatz asked federal authorities in West Virginia to investigate a University of Michigan student who was probing the mobile app for security flaws as part of a research project.
Van Buren v. US
Voatz's argument for limiting security research comes as the Supreme Court looks to re-examine the CFAA as part of Van Buren v. United States, which involves a former Georgia police officer convicted of taking money to look up license plate information in a law enforcement database.
In that case, Nathan Van Buren, a former Georgia police officer, was convicted under the CFAA and sentenced to 18 months in prison. And while an appeals court upheld the conviction, the Supreme Court agreed to hear arguments about the case, according to reports.
As part of the Supreme Court case, organizations such as the Electronic Frontier Foundation have argued that the CFAA is written too broadly and puts ethical hackers and researchers in legal danger for disclosing flaws in systems and software.
The EFF and others are now asking for the Supreme Court to limit the CFAA as well as update the nearly 30-year-old law, which was written before the World Wide Web and internet came into popular use by nearly everyone.
Security researchers and ethical hackers have also argued that the CFAA is too broad and arguments such as the one made by Voatz will have a damaging effect on their ability to protect systems against vulnerabilities.
Casey Ellis, CTO and founder of bug hunting firm Bugcrowd, notes that Voatz's claims would limit researchers' ability to probe for vulnerabilities. Ellis also notes that the CFAA itself can harm ethical hacking.
"The purpose of the CFAA is to outlaw malicious cyberattacks, not grant organizations the ability to halt vulnerability reporting by holding ethical researchers legally accountable for their actions," Ellis says. "A broader interpretation of 'exceeds unauthorized access' in CFAA works directly against the goals of a safer and more resilient internet."
Alex Rice, founder and CTO of bug bounty platform provider HackerOne, also refutes Voatz's claims and wants to limit those CFAA provisions that could undermine security research.
Voatz, an elections platform that is notoriously hostile to security research, claims that the notoriously overbroad Computer Fraud and Abuse Act doesn't undermine computer security—in part because of bug bounty programs like @Hacker0x01's. @Hacker0x01 disagrees—and so do we. https://t.co/3jrtTp46YC
— EFF (@EFF) September 3, 2020