E-Voting App Maker Voatz Asks The Supreme Court To Let It Punish Security Researchers For Exposing Its Flaws
from the be-the-injustice-you-want-to-see-in-the-world dept
That’s why this case is important. If the CFAA is interpreted this broadly, plenty of people become criminals. And it won’t just be security researchers risking criminal charges simply by performing security research. It will also be everyone who lies to social media services about their personal info. Lawprof Orin Kerr’s brief to the Supreme Court points out what a flat “no unauthorized use” reading would do to him.
Like the majority of American adults, I have a Facebook account. Facebook’s terms of service require its users to “[p]rovide accurate information about” themselves. See Facebook Terms of Service, https://www.facebook.com/legal/terms/plain_text_terms (last visited July 1, 2020). I recently violated that term by listing my home city as Sealand. Sealand is an offshore platform in the North Sea near England built during World War II to host anti-aircraft guns. It’s not actually my home city. I list it only to make a point about the CFAA. But under the government’s position, my joke is no laughing matter. It is a federal crime.
No one should want the law to be read this way. Not even sites that would greatly prefer users to respect the terms of service. The collateral damage of a broad reading would make it far easier to prosecute people who use sites in ways owners don’t expect or engage in research efforts that require ignoring the rules. And it would give abusive site owners plenty of ways to harass users and visitors they don’t like.
But one developer wants this to happen. And it’s a developer of notoriously flawed e-voting systems. Voatz has made plenty of headlines lately. None of them have been flattering. MIT researchers discovered a bunch of flaws in Voatz software. Voatz tried to combat this negative press by hiring outside researchers to perform an independent audit of its systems. This went no better than the MIT study. Voatz is full of holes, which made its accusations that the MIT researchers were only in it for the clicks look even stupider.
Voatz thinks the court should read the CFAA as broadly as possible, which will make it easier for it to punish security researchers for finding flaws in its software. It’s literally the only thing it’s arguing. Its 16-page brief [PDF] makes this ridiculous claim:
A BROAD READING OF “EXCEEDS AUTHORIZED ACCESS” IN THE CFAA WILL NOT HAVE A DELETERIOUS EFFECT ON COMPUTER SECURITY
That’s it. That’s the argument. That is all Voatz wants to say.
The brief says researchers won’t be harmed because bug bounty programs, controlled access for authorized penetration testing, and the like operate under completely different terms of service. Under these guidelines, researchers are “free” to conduct their research without worrying about CFAA charges.
But that’s a very limited view of security research. Lots of security research is ongoing and not limited to hunting bugs for bounties or at the behest of sites and services. That’s what would be affected by a broad reading, and Voatz’s interest in securing a broad reading can be traced back to the MIT research it still claims is incorrect. It’s also still very defensive about accusations that it sent the FBI after some freelance researchers. For no apparent reason, it recounts this incident in its brief, submitting it as evidence of… something.
The Computer Researchers also cite a news account claiming that Voatz reported two college students to the Federal Bureau of Investigations. (Computer Researchers’ amicus brief, p. 24). That account is at least partially inaccurate, in that Voatz made no report to the FBI or any other federal authority. Rather, Voatz reported the students’ unauthorized attempts to access its systems to its customer, the State of West Virginia, because the students’ ill-advised activity was indistinguishable from a hostile attack and the students did not seek any prior authorization privately or through Voatz’s public bug bounty program. It is a standard practice for technology companies to report attack attempts to their clients and Voatz is contractually required to report such potential attacks during live elections – the same way an electric company would be required to report an attack on an electric grid to state and federal authorities, or a dam operator would be required to report an attack on software that monitors and operates dams to authorities such as the Army Corps of Engineers. Officials in West Virginia, in their discretion and independent of Voatz, then chose to refer the matter to the FBI. To Voatz’s knowledge, no one was prosecuted.
Following Voatz’s argument to its logical conclusion, a broad reading would result in more prosecutions because there’s very little security research that doesn’t involve violating terms of service agreements. It would allow everything to hinge on “discretion.” This might mean something if entities caught with their security pants down were more reasonable in their responses. Unfortunately, shooting the messenger is still the most popular response.
And the less said about the supposed “discretion” of prosecutors the better. Prosecutors pursue convictions, not justice. And the DOJ has not shied away from pursuing very questionable CFAA prosecutions in the past.
Voatz wants messengers shot. It’s that simple.
While the Computer Researchers portray themselves as under threat of being victimized for inadvertently tripping over a restriction, the reality is different: they wish to be free to deliberately infiltrate a live system in violation of readily accessible terms, openly publish any results obtained, and be immune from being intercepted or reported for doing so.
Voatz thinks the law should aid and abet its antagonism towards researchers who’ve uncovered flaws in systems it hopes to sell to government agencies. If the Supreme Court decides to side with Voatz, it will be open season on researchers. This is what Voatz wants. And there are others like Voatz out there that would welcome the chance to punish people for exposing problems they’re not interested in fixing. But only Voatz has put it in writing.