Blockchain voting startup Voatz argued that bug bounty programs concerning cybersecurity should be operated under strict supervision in a "friend of the court" brief before the Supreme Court of the United States (SCOTUS).
Voatz weighed in Thursday on Van Buren v. United States, a Supreme Court case examining whether it is a federal crime for someone to access a computer “for an improper purpose” if that person already has permission to access other files on that computer.
Nathan Van Buren, the petitioner in the case, is a former Georgia police officer who was charged under the Computer Fraud and Abuse Act (CFAA) after looking up a license plate for an acquaintance. Van Buren claims that a lower court ruling that upheld his conviction could be taken to mean that “any ‘trivial breach’” of a computer system could be a federal crime.
The case’s scope appears to have broadened, addressing not just breaches, but how the CFAA itself can be interpreted. The question listed on SCOTUS briefs reads:
The U.S., the respondent, argued the case is “poor vehicle” for examining whether the CFAA is too broad, and said in its brief that SCOTUS review isn’t even warranted.
In its brief, Voatz said the CFAA does not need to be narrowed, and some breaches of computer systems are necessary. However, the firm argues researchers looking into potential vulnerabilities should specifically check with the companies they are evaluating prior to doing so, and should only proceed with authorization from the companies.
“Bug bounty programs are highly effective,” Voatz wrote. “They are extremely widespread in the technology industry, and even outside that industry, one survey in 2019 reported that 42% of companies outside of the technology industry were running a crowdsourced cybersecurity program.”
The brief may come in response to another filed by a group of security researchers who argue the CFAA has indeed “been interpreted too broadly,” which is holding back computer security efforts. This brief criticizes Voatz among its other arguments.
Voatz has notably faced criticism from cybersecurity researchers, including by a team at MIT who published a report in February claiming Voatz had insufficient transparency and that its internal systems faced a number of vulnerabilities. Voatz has disputed the claims in the report.
Trail of Bits, another cybersecurity firm tapped by Voatz to conduct an audit of its systems, confirmed the MIT researchers’ claims in a subsequent report.
Voatz has tussled directly with researchers as well. Late last year, U.S. Attorney Mike Stuart of the Southern District of West Virginia announced the Federal Bureau of Investigation was looking into “an unsuccessful attempted intrusion” into Voatz, which was likely caused by a University of Michigan student or students participating in a security course.
In its brief, Voatz said the “students’ ill-advised activity” was reported to West Virginia officials because the company could not distinguish between their research and an actual hostile attack.
“Regardless of the particulars, however, the West Virginia incident illustrates the harm caused by attacking, or ‘researching,’ critical infrastructure without proper access or authorization especially in the middle of an election,” Voatz wrote.
Non-malicious researchers trying to break into digital tools “imposes significant additional costs” to organizations, the legal brief said, and could harm public confidence.
Jake Williams, who founded Rendition Security, told CNET that a “vast majority” of cybersecurity researchers likely do not have authorization, meaning Voatz’s support for a broad CFAA would “100% make it more difficult” for researchers.
Voatz’s brief comes a day after it published a press statement claiming the Michigan Democratic Party used its app during a recent party convention when voting for a number of positions. The Michigan Democratic Party did not immediately return a request for comment.
Voatz’s arguments aside, its brief makes a number of citations and claims that seem to lack context.
Voatz says it has been used in 70 elections, including state and municipal elections, and claims in the brief that it is considered “critical infrastructure” by the Department of Homeland Security.
The company has said it’s meeting requirements by Pro V&V, a federal Voting System Test Laboratory, but according to Politico cybersecurity reporter Eric Geller, “the report is meaningless” because the standards were set years ago and the evaluation was not objective.
Eddie Perez, the global director of tech development at the Open Source Election Technology Institute, wrote that the Election Assistance Commission (EAC), the federal entity that accredited Pro V&V, doesn’t actually have any national standards for remote voting systems.
The EAC itself released a statement saying “these test reports should not be viewed as implicit approval by either the [voting system test laboratories] or the EAC that the evaluated systems are compliant with the [voluntary voting system guidelines] standard or are equivalent to an EAC-certified voting system.”
"Currently these programs are organized by Voatz itself, but in the past some were conducted through a vendor such as HackerOne Inc.,” the brief said. It did not mention that HackerOne severed ties with Voatz in March.
What’s more, HackerOne founder and CTO Alex Rice said on Twitter that “we support the opposing arguments made by” the Electronic Frontier Foundation (EFF), which calls for a narrowing of the CFAA, unlike Voatz, which cited HackerOne in the brief.
Similarly, Casey Ellis, founder and CTO of crowdsourced security platform Bugcrowd, which Voatz cited a number of times, also wrote that he signed off on and supported the EFF’s brief, and not Voatz’s.
Both Rice and Ellis said Voatz did not contact them prior to filing the brief.