Earlier this year, after MIT researchers took blockchain-based voting app Voatz to task for alleged security vulnerabilities, Voatz criticized the academics for relying on assumptions instead of asking it for access to the server.
Now, Voatz has told the U.S. Supreme Court that third-party researchers legally shouldn’t be able to poke around on others’ systems at all without the permission of the company being researched—and under its supervision.
At stake in the case under review is the ability of independent security researchers to do their work and alert the public to vulnerabilities that might otherwise quietly get swept under the rug.
When is a computer breach a crime?
Yesterday, Voatz submitted an amicus brief to the US high court in the case of Van Buren v. United States. (Amicus briefs are legal arguments filed from parties that aren’t involved in the trial but have a stake in the outcome.)
The case involves a former Georgia police sergeant named Nathan Van Buren, who allegedly demanded an unnamed person give him money to access a law enforcement database. Van Buren was busted by the FBI during a sting operation and convicted of violating the Computer Fraud and Abuse Act (CFAA), a federal law that broadly prevents people from hacking into computers.
Van Buren argued, however, that the CFAA doesn’t apply because he had access to the database; even though he wasn’t supposed to use it in this manner, he wasn’t just some hacker. That case has now made its way to the Supreme Court, which will rule on “whether a person who is authorized to access information on a computer for certain purposes violates…the [CFAA] if he accesses the same information for an improper purpose.”
However, a slew of civil liberties groups and criminal justice organizations have weighed in, seeing the case as potentially setting a larger precedent. That is: Are independent security researchers really just meddlesome hackers who should be prosecuted, or are they providing a valuable public service and therefore outside the scope of the law?
That prompted Voatz to file its own opinion with the court.
Voatz v. EFF
The pro-privacy Electronic Frontier Foundation, which filed an amicus brief, argued the CFAA as currently construed could be used to convict anyone who “violates a website’s terms of service.”
According to EFF, that would put independent “computer security researchers at legal risk for engaging in socially beneficial security testing through standard security research practices, such as accessing publicly available data in a manner beneficial to the public yet prohibited by the owner of the data.”
Pitting itself against EFF, Voatz argued that the scope of the CFAA shouldn’t be narrowed—it works just fine. There’s no need for independent research. Instead, it said:
“The necessary research and testing can be performed by authorized parties. These include private consulting firms and participants in organized ‘bug bounty’ programs.”
According to Voatz, “Unauthorized research and public dissemination of unvalidated or theoretical security vulnerabilities can actually cause harmful effects.”
It’s referring to research published this year by MIT researchers who, it claims, “[analyzed] a version of the Voatz voting application that was several versions out of date at the time, and that was never authorized for use in any election.”
Since the researchers could not access Voatz servers, the blockchain-voting company claims they “fabricated an imagined version of the Voatz servers, hypothesized how they would likely work, and then made assumptions about the interactions between the system components that turned out to be false.”
Had they worked with Voatz, the brief implies, the researchers might have produced relevant findings.
Moreover, even if unsuccessful, this type of research can still cost time and money for the organization on the other end, as well as law enforcement, as it’s difficult to tell an actual attack from harmless research.
Such was the case when a group unsuccessfully tried to breach the West Virginia election system, which has used the Voatz app for several pilots. The FBI got involved, only to discover it was likely the work of Michigan university students as part of a class exercise.
The Supreme Court could hand down an opinion as soon as October 13.