E-Voting App Maker Voatz Asks The Supreme Court To Let It Punish Security Researchers For Exposing Its Flaws

from the be-the-injustice-you-want-to-see-in-the-world dept

Voatz has decided to weigh in on a Supreme Court case that could turn a lot of normal internet activity into a federal crime. At the center of this CFAA case is a cop who abused his access privileges to run unauthorized searches of law enforcement databases. The end result -- after a visit to the Eleventh Circuit Court of Appeals -- was a CFAA conviction for violating the system's terms of use.

That's why this case is important. If the CFAA is interpreted this broadly, plenty of people become criminals. And it won't just be security researchers risking criminal charges simply by performing security research. It will also be everyone who lies to social media services about their personal info. Lawprof Orin Kerr's brief to the Supreme Court points out what a flat "no unauthorized use" reading would do to him.

Like the majority of American adults, I have a Facebook account. Facebook’s terms of service require its users to “[p]rovide accurate information about” themselves. See Facebook Terms of Service, https://www.facebook.com/legal/terms/plain_text_ terms (last visited July 1, 2020). I recently violated that term by listing my home city as Sealand. Sealand is an offshore platform in the North Sea near England built during World War II to host anti-aircraft guns. It’s not actually my home city. I list it only to make a point about the CFAA. But under the government’s position, my joke is no laughing matter. It is a federal crime.

No one should want the law to be read this way. Not even sites that would greatly prefer users to respect the terms of service. The collateral damage of a broad reading would make it far easier to prosecute people who use sites in ways owners don't expect or engage in research efforts that require ignoring the rules. And it would give abusive site owners plenty of ways to harass users and visitors they don't like.

But one developer wants this to happen. And it's a developer of notoriously flawed e-voting systems. Voatz has made plenty of headlines lately. None of them have been flattering. MIT researchers discovered a bunch of flaws in Voatz software. Voatz tried to combat this negative press by hiring outside researchers to perform an independent audit of its systems. This went no better than the MIT study. Voatz is full of holes, which made its accusations that the MIT researchers were only in it for the clicks look even stupider.

Voatz thinks the court should read the CFAA as broadly as possible, which will make it easier for it to punish security researchers for finding flaws in its software. It's literally the only thing it's arguing. Its 16-page brief [PDF] makes this ridiculous claim:

A BROAD READING OF “EXCEEDS AUTHORIZED ACCESS” IN THE CFAA WILL NOT HAVE A DELETERIOUS EFFECT ON COMPUTER SECURITY

That's it. That's the argument. That is all Voatz wants to say.

The brief says researchers won't be harmed because bug bounty programs and controlled access for authorized penetration testing, etc. operate using completely different terms of service. Under these guidelines, researchers are "free" to conduct their research without worrying about CFAA charges.

But that's a very limited view of security research. Lots of security research is ongoing and not limited to hunting bugs for bounties or at the behest of sites and services. That's what would be affected by a broad reading and Voatz's interest in securing a broad reading can be traced back to the MIT research it still claims is incorrect. It's also still very defensive people have accused Voatz of sending the FBI after some freelance researchers. For no apparent reason, it recounts this incident in its brief, submitting as evidence of… something.

The Computer Researchers also cite a news account claiming that Voatz reported two college students to the Federal Bureau of Investigations. (Computer Researchers’ amicus brief, p. 24). That account is at least partially inaccurate, in that Voatz made no report to the FBI or any other federal authority. Rather, Voatz reported the students’ unauthorized attempts to access its systems to its customer, the State of West Virginia, because the students’ ill-advised activity was indistinguishable from a hostile attack and the students did not seek any prior authorization privately or through Voatz’s public bug bounty program. It is a standard practice for technology companies to report attack attempts to their clients and Voatz is contractually required to report such potential attacks during live elections – the same way an electric company would be required to report an attack on an electric grid to state and federal authorities, or a dam operator would be required to report an attack on software that monitors and operates dams to authorities such as the Army Corps of Engineers. Officials in West Virginia, in their discretion and independent of Voatz, then chose to refer the matter to the FBI. To Voatz’s knowledge, no one was prosecuted.

Following Voatz's argument to its logical conclusion, a broad reading would result in more prosecutions because there's very little security research that doesn't involve violating terms of service agreements. It would allow everything to hinge on "discretion." This might mean something if entities caught with their security pants down were more reasonable in their responses. Unfortunately, shooting the messenger is still the most popular response.

And the less said about the supposed "discretion" of prosecutors the better. Prosecutors pursue convictions, not justice. And the DOJ has not shied away from pursuing very questionable CFAA prosecutions in the past.

Voatz wants messengers shot. It's that simple.

While the Computer Researchers portray themselves as under threat of being victimized for inadvertently tripping over a restriction, the reality is different: they wish to be free to deliberately infiltrate a live system in violation of readily accessible terms, openly publish any results obtained, and be immune from being intercepted or reported for doing so.

Voatz thinks the law should aid and abet its antagonism towards researchers who've uncovered flaws in systems it hopes to sell to government agencies. If the Supreme Court decides to side with Voatz, it will be open season on researchers. This is what Voatz wants. And there are others like Voatz out there that would welcome the chance to punish people for exposing problems they're not interested in fixing. But only Voatz has put it in writing.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cfaa, e-voting, security research, supreme court
Companies: voatz


Reader Comments

Subscribe: RSS

View by: Thread


  • icon
    That One Guy (profile), 4 Sep 2020 @ 9:48am

    'They'd never ignore our 'pretty plase don't hack us' sign.'

    Given how black-hat hackers always respect TOS' and licensing terms it seems entirely reasonable to limit white-hats/security researchers to the same, as if the white-hats can't compromise a system(especially one running something as trivial and unimportant as voting software) while working entirely within the limitations set forth by the manufacturer/seller then obviously black-hats won't be able to either.

    reply to this | link to this | view in chronology ]

  • icon
    Anonymous Anonymous Coward (profile), 4 Sep 2020 @ 10:04am

    Otherwordingly

    Voatz: Those holes in our system were not supposed to be revealed. Without those holes, how else could we convince the proletariat that their use of our system in this election was on the up and up, even with the predetermined outcomes contracted for. It is a contractual matter, but those portions of our contract are Trade Secrets and under NDA agreements with those officials in West Virginia who arranged our appointment and may not be disclosed. So researchers who attack our system to expose holes in our system should be executed (strikethrough protocol disabled), um, erm, prosecuted to the fullest extent of the most expanded interpretation of the most holy CFAA law.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Sep 2020 @ 10:34am

    The eternal struggle

    Laws of men vs. Laws of Math

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Sep 2020 @ 10:42am

    This would be a godsend for Trump...

    Who would immediately make 'terms of service' for US citizens, that include things like:
    Must praise the Great Leader at least once a day in public (where at least 5 others can hear you)
    May not disparage or denigrate the Great Leader in any way (including looks or gestures)
    May not comment on the Great Leader's new clothes...
    Must stay at a Trump Resort or Golf Course at least once per year (regardless of income level)

    If you do not agree to these new US Terms of Residence, you will be deported to a 3rd world country of your choice (depending on availability and acceptance, if we can't find a country to take you, you will be held in 'border containment' facilities in perpetuity).

    Thank you for making the Great Leader feel like he should...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Sep 2020 @ 10:44am

    If Voatz gets what it wants, many more flaws will made made public anonymously, putting companies in a race with the black hats to develop a fix before the black hats develop an attack. That is a race the black hats will usually win.

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 4 Sep 2020 @ 10:55am

      Re:

      That's what makes the 'shoot the messenger' tactic so incredibly stupid, in that companies spend so much time threatening and attacking the people who don't have malicious intent they completely ignore the ones that do, along with forcing the former to make their findings anonymously public rather than letting the company have warning ahead of time to fix a flaw.

      If the white-hats don't find a particular flaw the black-hats will, and unlike with the white-hats the first time a company is likely to know that black-hats have found a flaw is after it's been exploited, potentially for a long time before discovery.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 5 Sep 2020 @ 1:45pm

        Re: Re:

        They don't care.

        It's never about the intent of researchers, it's the fact that their holes were found period. After all, it costs time and money to:

        1. Hire people to fix those holes.
        2. Hire other people to review the work and make sure the holes were actually fixed.
        3. Hire lobbyists to reassure regulators that all is well, and that they should continue paying them for their services.
        4. Hire lawyers / pay off officials to convince AD placement services to give them more AD revenue and not ban / demonetize them.
        5. Hire PR firms to reassure the general public that all is well, and that the public should continue using their services.

        Why would a business do any of that when Capitalism dictates to take the most efficient and cheapest option: Shoot the messenger to make sure the dirt doesn't get out, and make an example so others will think twice about doing it themselves. After all, It's just good business.

        Sadly given enough time, in the Hyper-crony capitalism US, it's more or less a matter of time before such rulings are handed down. Or legislated by Congress out right.

        reply to this | link to this | view in chronology ]

  • icon
    JoeCool (profile), 4 Sep 2020 @ 12:06pm

    In other words

    they wish to be free to deliberately infiltrate a live system in violation of readily accessible terms, openly publish any results obtained, and be immune from being intercepted or reported for doing so.

    In other words, they wish to do their job without getting sued. Yeah, it's funny how Voatz makes out the entire point of security audits to be illegal because they don't like the results.

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 4 Sep 2020 @ 12:29pm

      Re: In other words

      Yeah, it's funny how Voatz makes out the entire point of security audits to be illegal because they don't like the results.

      Pure coincidence I'm sure, I've little doubt that their stance would be just the same if their product was actually secure and could withstand security audits and it's just a happy little accident that they're so vehemently against something that exposes how utterly terrible their product is.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 4 Sep 2020 @ 2:17pm

        Re: Re: In other words

        I've little doubt that their stance would be just the same if their product was actually secure and could withstand security audits ...

        I used to believe that software could be "actually secure" too. Then I became a software engineer...

        reply to this | link to this | view in chronology ]

  • icon
    z! (profile), 4 Sep 2020 @ 1:06pm

    For some reason, this harks back to the apocryphal compiler message:
    "Too many errors on one line (make fewer)"

    Perhaps instead of griping about how many bugs people find, they'd make fewer instead. Could work. Or maybe even hire some professional QA engineers to look for them first.

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 4 Sep 2020 @ 1:30pm

    HOw hard is it.

    To protect a system from Hacking and being used in away that they dont want?
    I think the idea from FB is abit severe, in telling everyone ALL our data on 1 location. And they have been hacked more then 1 time. 90% of security problems tend to come from Human interaction, rather then Hacking the systems. Another part is placing MAIN system with direct access to the internet.(which is really stupid) If you want to do that you need a Front system that allows Full security and monitoring.

    As to Amazon and google. They are the 2 largest Corps supplying system on the internet. cool. so whats the problem here? Where are the competitors? Do these folks understand the MINIMUM setup to connect to direct access to the internet? #1 call up ATT and ask them if they can run a full speed fiber line to your site. you will be paying about $2000 per Foot from the main line.(wherever that is.)(how many miles away?) And they wont tell you that you are "this far" from another fiber line, for some strange reason.(and yes, In my town of 2600ppl, there are 3 fiber lines running around it).
    Being NICE as a corp has gone away. Helping people or smaller companies has gone away. Taking advantage of others to forward your OWN corp, has gone away. Sorry to say, this is not Capitalism anymore.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Sep 2020 @ 4:32pm

    QA costs money, first vages for the people, then for the people who have to fix the issues, which might lead to a delay in publication, which in turn might lead to delayed revenue or statutory damages.

    Not knowing of issues doesn't put any liability on you (except for some areas like drug manufacturer, which have to have QA).

    Or as Adobe once put it:"Stop finding bugs in our software, otherwise we have to fix them."

    reply to this | link to this | view in chronology ]

  • identicon
    Glenn, 4 Sep 2020 @ 8:11pm

    "We reserve the right to refuse service to anyone for any reason we choose."

    reply to this | link to this | view in chronology ]

  • icon
    GHB (profile), 2 Nov 2020 @ 5:36pm

    They wanted zero-day attacks

    By keeping these secret, that is assisting bad people out there to exploit it.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads
.

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.