E-Voting App Maker Voatz Asks The Supreme Court To Let It Punish Security Researchers For Exposing Its Flaws
from the be-the-injustice-you-want-to-see-in-the-world dept
Voatz has decided to weigh in on a Supreme Court case that could turn a lot of normal internet activity into a federal crime. At the center of this CFAA case is a cop who abused his access privileges to run unauthorized searches of law enforcement databases. The end result — after a visit to the Eleventh Circuit Court of Appeals — was a CFAA conviction for violating the system’s terms of use.
That’s why this case is important. If the CFAA is interpreted this broadly, plenty of people become criminals. And it won’t just be security researchers risking criminal charges simply by performing security research. It will also be everyone who lies to social media services about their personal info. Lawprof Orin Kerr’s brief to the Supreme Court points out what a flat “no unauthorized use” reading would do to him.
Like the majority of American adults, I have a Facebook account. Facebook’s terms of service require its users to “[p]rovide accurate information about” themselves. See Facebook Terms of Service, https://www.facebook.com/legal/terms/plain_text_ terms (last visited July 1, 2020). I recently violated that term by listing my home city as Sealand. Sealand is an offshore platform in the North Sea near England built during World War II to host anti-aircraft guns. It’s not actually my home city. I list it only to make a point about the CFAA. But under the government’s position, my joke is no laughing matter. It is a federal crime.
No one should want the law to be read this way. Not even sites that would greatly prefer users to respect the terms of service. The collateral damage of a broad reading would make it far easier to prosecute people who use sites in ways owners don’t expect or engage in research efforts that require ignoring the rules. And it would give abusive site owners plenty of ways to harass users and visitors they don’t like.
But one developer wants this to happen. And it’s a developer of notoriously flawed e-voting systems. Voatz has made plenty of headlines lately. None of them have been flattering. MIT researchers discovered a bunch of flaws in Voatz software. Voatz tried to combat this negative press by hiring outside researchers to perform an independent audit of its systems. This went no better than the MIT study. Voatz is full of holes, which made its accusations that the MIT researchers were only in it for the clicks look even stupider.
Voatz thinks the court should read the CFAA as broadly as possible, which will make it easier for it to punish security researchers for finding flaws in its software. It’s literally the only thing it’s arguing. Its 16-page brief [PDF] makes this ridiculous claim:
A BROAD READING OF “EXCEEDS AUTHORIZED ACCESS” IN THE CFAA WILL NOT HAVE A DELETERIOUS EFFECT ON COMPUTER SECURITY
That’s it. That’s the argument. That is all Voatz wants to say.
The brief says researchers won’t be harmed because bug bounty programs and controlled access for authorized penetration testing, etc. operate using completely different terms of service. Under these guidelines, researchers are “free” to conduct their research without worrying about CFAA charges.
But that’s a very limited view of security research. Lots of security research is ongoing and not limited to hunting bugs for bounties or at the behest of sites and services. That’s what would be affected by a broad reading and Voatz’s interest in securing a broad reading can be traced back to the MIT research it still claims is incorrect. It’s also still very defensive people have accused Voatz of sending the FBI after some freelance researchers. For no apparent reason, it recounts this incident in its brief, submitting as evidence of… something.
The Computer Researchers also cite a news account claiming that Voatz reported two college students to the Federal Bureau of Investigations. (Computer Researchers’ amicus brief, p. 24). That account is at least partially inaccurate, in that Voatz made no report to the FBI or any other federal authority. Rather, Voatz reported the students’ unauthorized attempts to access its systems to its customer, the State of West Virginia, because the students’ ill-advised activity was indistinguishable from a hostile attack and the students did not seek any prior authorization privately or through Voatz’s public bug bounty program. It is a standard practice for technology companies to report attack attempts to their clients and Voatz is contractually required to report such potential attacks during live elections – the same way an electric company would be required to report an attack on an electric grid to state and federal authorities, or a dam operator would be required to report an attack on software that monitors and operates dams to authorities such as the Army Corps of Engineers. Officials in West Virginia, in their discretion and independent of Voatz, then chose to refer the matter to the FBI. To Voatz’s knowledge, no one was prosecuted.
Following Voatz’s argument to its logical conclusion, a broad reading would result in more prosecutions because there’s very little security research that doesn’t involve violating terms of service agreements. It would allow everything to hinge on “discretion.” This might mean something if entities caught with their security pants down were more reasonable in their responses. Unfortunately, shooting the messenger is still the most popular response.
And the less said about the supposed “discretion” of prosecutors the better. Prosecutors pursue convictions, not justice. And the DOJ has not shied away from pursuing very questionable CFAA prosecutions in the past.
Voatz wants messengers shot. It’s that simple.
While the Computer Researchers portray themselves as under threat of being victimized for inadvertently tripping over a restriction, the reality is different: they wish to be free to deliberately infiltrate a live system in violation of readily accessible terms, openly publish any results obtained, and be immune from being intercepted or reported for doing so.
Voatz thinks the law should aid and abet its antagonism towards researchers who’ve uncovered flaws in systems it hopes to sell to government agencies. If the Supreme Court decides to side with Voatz, it will be open season on researchers. This is what Voatz wants. And there are others like Voatz out there that would welcome the chance to punish people for exposing problems they’re not interested in fixing. But only Voatz has put it in writing.
Filed Under: cfaa, e-voting, security research, supreme court
Companies: voatz
Comments on “E-Voting App Maker Voatz Asks The Supreme Court To Let It Punish Security Researchers For Exposing Its Flaws”
'They'd never ignore our 'pretty plase don't hack us' sign.'
Given how black-hat hackers always respect TOS’ and licensing terms it seems entirely reasonable to limit white-hats/security researchers to the same, as if the white-hats can’t compromise a system(especially one running something as trivial and unimportant as voting software) while working entirely within the limitations set forth by the manufacturer/seller then obviously black-hats won’t be able to either.
Otherwordingly
Voatz: Those holes in our system were not supposed to be revealed. Without those holes, how else could we convince the proletariat that their use of our system in this election was on the up and up, even with the predetermined outcomes contracted for. It is a contractual matter, but those portions of our contract are Trade Secrets and under NDA agreements with those officials in West Virginia who arranged our appointment and may not be disclosed. So researchers who attack our system to expose holes in our system should be executed (strikethrough protocol disabled), um, erm, prosecuted to the fullest extent of the most expanded interpretation of the most holy CFAA law.
The eternal struggle
Laws of men vs. Laws of Math
This would be a godsend for Trump...
Who would immediately make ‘terms of service’ for US citizens, that include things like:
Must praise the Great Leader at least once a day in public (where at least 5 others can hear you)
May not disparage or denigrate the Great Leader in any way (including looks or gestures)
May not comment on the Great Leader’s new clothes…
Must stay at a Trump Resort or Golf Course at least once per year (regardless of income level)
If you do not agree to these new US Terms of Residence, you will be deported to a 3rd world country of your choice (depending on availability and acceptance, if we can’t find a country to take you, you will be held in ‘border containment’ facilities in perpetuity).
Thank you for making the Great Leader feel like he should…
If Voatz gets what it wants, many more flaws will made made public anonymously, putting companies in a race with the black hats to develop a fix before the black hats develop an attack. That is a race the black hats will usually win.
Re: Re:
That’s what makes the ‘shoot the messenger’ tactic so incredibly stupid, in that companies spend so much time threatening and attacking the people who don’t have malicious intent they completely ignore the ones that do, along with forcing the former to make their findings anonymously public rather than letting the company have warning ahead of time to fix a flaw.
If the white-hats don’t find a particular flaw the black-hats will, and unlike with the white-hats the first time a company is likely to know that black-hats have found a flaw is after it’s been exploited, potentially for a long time before discovery.
Re: Re: Re:
They don’t care.
It’s never about the intent of researchers, it’s the fact that their holes were found period. After all, it costs time and money to:
Why would a business do any of that when Capitalism dictates to take the most efficient and cheapest option: Shoot the messenger to make sure the dirt doesn’t get out, and make an example so others will think twice about doing it themselves. After all, It’s just good business.
Sadly given enough time, in the Hyper-crony capitalism US, it’s more or less a matter of time before such rulings are handed down. Or legislated by Congress out right.
In other words
In other words, they wish to do their job without getting sued. Yeah, it’s funny how Voatz makes out the entire point of security audits to be illegal because they don’t like the results.
Re: In other words
Yeah, it’s funny how Voatz makes out the entire point of security audits to be illegal because they don’t like the results.
Pure coincidence I’m sure, I’ve little doubt that their stance would be just the same if their product was actually secure and could withstand security audits and it’s just a happy little accident that they’re so vehemently against something that exposes how utterly terrible their product is.
Re: Re: In other words
I used to believe that software could be "actually secure" too. Then I became a software engineer…
For some reason, this harks back to the apocryphal compiler message:
"Too many errors on one line (make fewer)"
Perhaps instead of griping about how many bugs people find, they’d make fewer instead. Could work. Or maybe even hire some professional QA engineers to look for them first.
HOw hard is it.
To protect a system from Hacking and being used in away that they dont want?
I think the idea from FB is abit severe, in telling everyone ALL our data on 1 location. And they have been hacked more then 1 time. 90% of security problems tend to come from Human interaction, rather then Hacking the systems. Another part is placing MAIN system with direct access to the internet.(which is really stupid) If you want to do that you need a Front system that allows Full security and monitoring.
As to Amazon and google. They are the 2 largest Corps supplying system on the internet. cool. so whats the problem here? Where are the competitors? Do these folks understand the MINIMUM setup to connect to direct access to the internet? #1 call up ATT and ask them if they can run a full speed fiber line to your site. you will be paying about $2000 per Foot from the main line.(wherever that is.)(how many miles away?) And they wont tell you that you are "this far" from another fiber line, for some strange reason.(and yes, In my town of 2600ppl, there are 3 fiber lines running around it).
Being NICE as a corp has gone away. Helping people or smaller companies has gone away. Taking advantage of others to forward your OWN corp, has gone away. Sorry to say, this is not Capitalism anymore.
QA costs money, first vages for the people, then for the people who have to fix the issues, which might lead to a delay in publication, which in turn might lead to delayed revenue or statutory damages.
Not knowing of issues doesn’t put any liability on you (except for some areas like drug manufacturer, which have to have QA).
Or as Adobe once put it:"Stop finding bugs in our software, otherwise we have to fix them."
"We reserve the right to refuse service to anyone for any reason we choose."
They wanted zero-day attacks
By keeping these secret, that is assisting bad people out there to exploit it.