About 70 members of the computer security community on Monday challenged US voting app maker Voatz's effort to dictate the terms under which bug hunters can look for code flaws.
Earlier this month, Massachusetts-based Voatz filed an amicus brief in Van Buren v. United States, a case being heard by the US Supreme Court that will determine the scope of the US Computer Fraud and Abuse Act (CFAA), a cybersecurity law long criticized for its ambiguity.
The software outfit, stung by a probe in February that found multiple security weaknesses in the app it supplied for West Virginia's 2018 midterm election, asked the supremes to uphold a lower court decision that interprets the CFAA very broadly.
If the US Supreme Court rules that the verdict in the Van Buren case is correct, it will mean companies can decide for themselves, through policy documents, what constitutes criminal behavior with regard to vulnerability research and other online interactions. Disallowing certain kinds of access through a terms-of-service declaration would make such activity potentially actionable as unauthorized access under the CFAA. In other words, an organization can decide what counts as illegal hacking, meaning harmless prodding around a site or service could land you in court.
Those investigating security issues worry that allowing companies to define the parameters of lawful access will have a chilling effect on bug hunting.
Now, dozens of these individuals, such as Matt Blaze, a professor of computer science and law at Georgetown University, and Lorrie Faith Cranor, professor of computer science and engineering and public policy at Carnegie Mellon University, signed an open letter supporting an amicus brief filed earlier this year by the EFF, the Center for Democracy and Technology, and the Open Technology Institute to reverse the Van Buren ruling.
The signatories argue that security research is vital and improves the safety and security of systems we depend on for voting, healthcare, transportation, and other aspects of society.
"It is not a given that this vital security work will continue," the letter stated. "A broad interpretation of the CFAA would magnify existing chilling effects, even when there exists a societal obligation to perform such research."
The letter writers went on to chide Voatz for acting in bad faith toward security researchers and misstating its policies toward them. They cited the company's decision to report a student who uncovered a bug in its app to authorities for failing to seek prior authorization, something granted under the corp's bug bounty program. Voatz disagrees with the letter's characterization of these events.
They then criticized Voatz for claiming that the MIT researchers who found bugs in the Voatz app did so without authorization. The MIT team, the letter's writers insist, did not need the company's authorization because their work fell under the good-faith security research exemption to America's Digital Millennium Copyright Act.
"Voatz’s insinuation that the researchers broke the law despite having taken all precautions to act in good faith and respect legal boundaries shows why authorization for this research should not hinge on companies themselves acting in good faith," the letter stated. "To companies like Voatz, coordinated vulnerability disclosure is a mechanism that shields the company from public scrutiny by allowing it to control the process of security research."
Via Twitter, Michael Specter, one of the co-authors of the MIT report on the Voatz app, pointed to the company as a case study for the policy arguments researchers are making about the need for CFAA reform.
"Voatz’s unprofessional behavior toward security researchers is exactly why the CFAA needs reform," he wrote. "Voatz’s use is exactly why election systems need better regulation."
In a statement emailed to The Register, a spokesperson for Voatz told us the following regarding its amicus brief and the subsequent open letter against it... ®
We repeat and make it very clear, we were compelled to file this amicus brief because we were falsely cited in previous filings from July 8th, and the example cited is at the very least inaccurate, in that Voatz made no report to the FBI or any other federal authority and no one who participated in our bug bounty programs has ever been reported or included in any client security bulletins. This letter repeats these misstatements. The University of Michigan student was not a participant in our bug bounty program. This was a failed attempt to tamper with a live system during an election.
We’re not advocating to limit anyone’s freedom – we’re saying it’s difficult to distinguish between good and bad faith attacks in the midst of a live election. For everyone’s sake, it’s better to work collaboratively with the organization as bad actors disguise themselves as good actors on a regular basis. All attempts to break into or tamper with an election system during a live election need to be treated as hostile unless prior authorization was specifically granted. Alternately, researchers can use our publicly available test systems which are true replicas of live systems in terms of functionality.