If the mobile voting firm Voatz actually is interested in working with security researchers who can examine their technology, the company sure has an odd way of showing it.
Massachusetts-based Voatz on Thursday filed an amicus brief with the Supreme Court, arguing that only security researchers with clear permission should be authorized to probe systems for vulnerabilities.
The filing came as part of a Supreme Court case in which justices are poised to reconsider the Computer Fraud and Abuse Act, a 1986 federal law that prohibits access to computers without the owner’s consent. Researchers have said the anti-hacking law is overly vague, and could criminalize activities ranging from innocuous internet habits, like sharing passwords, to important anti-discrimination research. A group of law scholars previously asked the court to allow ethical security tests.
Voatz, which advertises an internet-based voting platform in a market dominated by more established voting machine manufacturers, has clashed with technologists who found flaws in its smartphone app, then tried reporting those issues. Bug bounty provider HackerOne cut ties with Voatz in March, citing the company’s hostility toward researchers.
“No narrowing of the CFAA is necessary in order to ensure the security of computer applications and systems by permitting unauthorized ‘independent research,’” the company wrote in its amicus brief. “Rather, the necessary research and testing can be performed by authorized parties. These include private consulting firms and participants in organized ‘bug bounty’ programs.”
The incident with Voatz marked the first time that HackerOne, an established vulnerability reporting company, severed its relationship with a client. The relationship was doomed when Voatz executives accused researchers from the Massachusetts Institute of Technology of acting in “bad faith,” and participating in “a systematic effort to dismantle any online voting pilots” by searching for vulnerabilities in a Voatz app.
The firm also reported a University of Michigan student who was studying election security to authorities in West Virginia, who turned the case over to the FBI, as CNN first reported. The student was enrolled in a course where participants examined proposed mobile technologies.
The Supreme Court in April agreed to hear a case that could redefine the limits of the Computer Fraud and Abuse Act. The case, Van Buren v. United States, involves a former Georgia police officer who was convicted under the CFAA for searching police records in a law enforcement database on behalf of someone who paid him $6,000.
The next Supreme Court term is scheduled to begin in October.
The amicus brief is available in full below.
http://www.documentcloud.org/documents/7202309-20200903122434600-Voatz-Amicus-Brief.html