A group of high-profile cybersecurity specialists doesn’t want mobile voting firm Voatz to have the last word before the Supreme Court takes up a case with major implications for computer research.
The security practitioners, including computer scientists and vulnerability disclosure experts, on Monday criticized Voatz’s argument that a federal anti-hacking law should only authorize researchers with clear permission to probe computer systems for vulnerabilities. An amicus brief filed by Voatz earlier this month, the security specialists charged, “fundamentally misrepresents widely accepted practices in security research and vulnerability disclosure.”
At issue is the Computer Fraud and Abuse Act (CFAA), a more than 30-year-old law that legal experts say could be abused to target good-faith researchers who break systems while trying to make them more secure. The Supreme Court is set to consider whether corporate terms of service can be considered an inviolable boundary under the CFAA when it resumes in October.
Legal experts and technologists see the decision as a chance, after decades of ambiguity, to clarify just what well-meaning security researchers are allowed to do in probing third-party systems.
“We benefit from security research in nearly every aspect of our lives,” the letter Monday states. “From crucial work exposing vulnerabilities in technologies ranging from election systems to medical devices and automobiles, it is clear security research has tangibly improved the safety and security of systems we depend upon. It is not a given that this vital security work will continue. A broad interpretation of the CFAA would magnify existing chilling effects, even when there exists a societal obligation to perform such research.”
News that the CFAA was on the Supreme Court docket prompted famous white-hat hackers like Peiter “Mudge” Zatko to urge the court to codify protections for researchers. Voatz, whose voting app has been used in a smattering of U.S. counties in elections since 2018, also felt compelled to weigh in on the CFAA. The firm argued that “no narrowing” of the law was needed to protect researchers.
In their open letter Monday, security specialists fired back, charging that Voatz’s amicus brief refers to “independent good-faith security research as a threat to cybersecurity and glosses over harmful effects to security research from an overbroad CFAA.”
At stake is transparent research into critical systems such as voting software and medical devices, said the letter’s signatories, which included vulnerability disclosure firms Bugcrowd and HackerOne, the cryptologist and election security expert Matt Blaze and numerous other technologists. In March, HackerOne kicked Voatz off its platform, citing the firm’s hostility to researchers.
More and more corporations — and even government agencies — are embracing vulnerability disclosure policies that, in principle, protect researchers from retaliation for probing computer systems. But security specialists say those policies can be abused, and point to Voatz’s own record of clashing with security researchers an example. A narrower interpretation of the CFAA, which doesn’t criminalize research, is a safeguard against that abuse, they say.
A Voatz spokesperson said the firm filed its amicus brief in objection to accusations in a different court filing from security researchers that the firm had reported a student researcher to the FBI.
“We’re not advocating to limit anyone’s freedom – we’re saying it’s difficult to distinguish between good and bad faith attacks in the midst of a live election,” the Voatz spokesperson added. “For everyone’s sake, it’s better to work collaboratively with the organization as bad actors disguise themselves as good actors on a regular basis.”
UPDATE, 4:20 p.m. EDT: This story has been updated with a statement from Voatz.