E-Voting App Maker Voatz Asks The Supreme Court To Let It Punish Security Researchers For Exposing Its Flaws

from the be-the-injustice-you-want-to-see-in-the-world dept

Voatz has decided to weigh in on a Supreme Court case that could turn a lot of normal internet activity into a federal crime. At the center of this CFAA case is a cop who abused his access privileges to run unauthorized searches of law enforcement databases. The end result -- after a visit to the Eleventh Circuit Court of Appeals -- was a CFAA conviction for violating the system's terms of use.

That's why this case is important. If the CFAA is interpreted this broadly, plenty of people become criminals. And it won't just be security researchers risking criminal charges simply by performing security research. It will also be everyone who lies to social media services about their personal info. Lawprof Orin Kerr's brief to the Supreme Court points out what a flat "no unauthorized use" reading would do to him.

Like the majority of American adults, I have a Facebook account. Facebook’s terms of service require its users to “[p]rovide accurate information about” themselves. See Facebook Terms of Service, https://www.facebook.com/legal/terms/plain_text_terms (last visited July 1, 2020). I recently violated that term by listing my home city as Sealand. Sealand is an offshore platform in the North Sea near England built during World War II to host anti-aircraft guns. It’s not actually my home city. I list it only to make a point about the CFAA. But under the government’s position, my joke is no laughing matter. It is a federal crime.

No one should want the law to be read this way. Not even sites that would greatly prefer users to respect the terms of service. The collateral damage of a broad reading would make it far easier to prosecute people who use sites in ways owners don't expect or engage in research efforts that require ignoring the rules. And it would give abusive site owners plenty of ways to harass users and visitors they don't like.

But one developer wants this to happen. And it's a developer of notoriously flawed e-voting systems. Voatz has made plenty of headlines lately. None of them have been flattering. MIT researchers discovered a bunch of flaws in Voatz software. Voatz tried to combat this negative press by hiring outside researchers to perform an independent audit of its systems. This went no better than the MIT study. Voatz is full of holes, which made its accusations that the MIT researchers were only in it for the clicks look even stupider.

Voatz thinks the court should read the CFAA as broadly as possible, which will make it easier for it to punish security researchers for finding flaws in its software. It's literally the only thing it's arguing. Its 16-page brief [PDF] makes this ridiculous claim:

That's it. That's the argument. That is all Voatz wants to say.

The brief says researchers won't be harmed because bug bounty programs and controlled access for authorized penetration testing, etc. operate using completely different terms of service. Under these guidelines, researchers are "free" to conduct their research without worrying about CFAA charges.

But that's a very limited view of security research. Lots of security research is ongoing and is not limited to hunting bugs for bounties or to work done at the behest of sites and services. That is what a broad reading would affect, and Voatz's interest in securing a broad reading can be traced back to the MIT research it still claims is incorrect. It's also still very defensive about the accusation that it sent the FBI after some freelance researchers. For no apparent reason, it recounts this incident in its brief, submitting it as evidence of… something.

The Computer Researchers also cite a news account claiming that Voatz reported two college students to the Federal Bureau of Investigations. (Computer Researchers’ amicus brief, p. 24). That account is at least partially inaccurate, in that Voatz made no report to the FBI or any other federal authority. Rather, Voatz reported the students’ unauthorized attempts to access its systems to its customer, the State of West Virginia, because the students’ ill-advised activity was indistinguishable from a hostile attack and the students did not seek any prior authorization privately or through Voatz’s public bug bounty program. It is a standard practice for technology companies to report attack attempts to their clients and Voatz is contractually required to report such potential attacks during live elections – the same way an electric company would be required to report an attack on an electric grid to state and federal authorities, or a dam operator would be required to report an attack on software that monitors and operates dams to authorities such as the Army Corps of Engineers. Officials in West Virginia, in their discretion and independent of Voatz, then chose to refer the matter to the FBI. To Voatz’s knowledge, no one was prosecuted.

Following Voatz's argument to its logical conclusion, a broad reading would result in more prosecutions because there's very little security research that doesn't involve violating terms of service agreements. It would allow everything to hinge on "discretion." This might mean something if entities caught with their security pants down were more reasonable in their responses. Unfortunately, shooting the messenger is still the most popular response.

And the less said about the supposed "discretion" of prosecutors the better. Prosecutors pursue convictions, not justice. And the DOJ has not shied away from pursuing very questionable CFAA prosecutions in the past.

Voatz wants messengers shot. It's that simple.

While the Computer Researchers portray themselves as under threat of being victimized for inadvertently tripping over a restriction, the reality is different: they wish to be free to deliberately infiltrate a live system in violation of readily accessible terms, openly publish any results obtained, and be immune from being intercepted or reported for doing so.

Voatz thinks the law should aid and abet its antagonism towards researchers who've uncovered flaws in systems it hopes to sell to government agencies. If the Supreme Court decides to side with Voatz, it will be open season on researchers. This is what Voatz wants. And there are others like Voatz out there that would welcome the chance to punish people for exposing problems they're not interested in fixing. But only Voatz has put it in writing.


Filed Under: cfaa, e-voting, security research, supreme court
Companies: voatz

Reader Comments


  1. Anonymous Coward, 4 Sep 2020 @ 4:32pm

    QA costs money, first wages for the people, then for the people who have to fix the issues, which might lead to a delay in publication, which in turn might lead to delayed revenue or statutory damages.

    Not knowing of issues doesn't put any liability on you (except for some areas like drug manufacturers, which have to have QA).

    Or as Adobe once put it: "Stop finding bugs in our software, otherwise we have to fix them."
