Downvoted: Security Researchers Slam Voatz Over Stance on White-Hat Hackers

A pending U.S. Supreme Court case has the potential to fundamentally change white-hat hacking. The case looks at the Computer Fraud and Abuse Act (CFAA) and could determine whether good-faith security researchers, also known as white-hat hackers, could be subject to criminal penalties for researching vulnerabilities in systems. 

If a broad interpretation of the CFAA is decided on, it would impact not just blockchain technology, exchanges, and crypto, but the field of security research as a whole. 

And then blockchain voting company Voatz waded into the discourse. 

The Supreme Court is currently hearing Van Buren v. United States, in which a former Georgia police officer was convicted under the CFAA for looking up a license plate in a law enforcement database in exchange for money. The charge under the CFAA centered around the law’s definition of what "exceeds authorized access," which is notoriously vague. 

The CFAA is an anti-hacking law that went into effect in 1986.  If the court sides with a broad interpretation of the law (as the government is arguing for) it could have a chilling effect on important security research, according to experts. 

A broad interpretation would allow companies to lay out what “authorized access” means in their terms of service, rather than implementing a technical barrier (like a password) in a system that would alert security researchers when they’ve gone too far. 

Voatz has repeatedly been the subject of critical security research, which CoinDesk has previously documented. In one instance, MIT students reverse-engineered the Voatz app and found security vulnerabilities. Voatz initially refuted these findings, though some of the issues were later confirmed by Trail of Bits, a security firm hired by Voatz. The company even went so far as to refer the student security researcher to state authorities for alleged “unauthorized activity” under the CFAA. 

The Electronic Frontier Foundation (EFF) criticized Voatz by name in a brief filed with the court, as an example of a company that takes an aggressive approach to good-faith security researchers. Voatz also reported a University of Michigan student to the Federal Bureau of Investigation “because the student conducted research into Voatz’s mobile voting app for an undergraduate election security course,” according to the brief.

Voatz has since filed an amicus brief in the Van Buren case (to which it is not a party) making the case for keeping the CFAA’s scope broad. It suggested that white-hat hackers should conduct their investigations into potential vulnerabilities only once they have alerted the company they are evaluating and received its blessing. 

Such practices are not common in the security community, though white-hat hackers do alert companies to vulnerabilities if they’re found. 

In response to Voatz’s filing, a bevy of security researchers and organizations penned an open letter to publicly correct the record. 

The letter was spearheaded by Jack Cable, one of the world’s top ethical hackers. Cable is also an undergraduate at Stanford University “doing incredible work” in the cybersecurity and elections space, according to Reed Loden, Chief Open Source Security Evangelist at HackerOne, a platform that previously cut ties with Voatz, and whose founder was a signatory to the letter. It was the first time HackerOne has removed a company who used it to host a bug-bounty program.

“We wanted to make it clear that Voatz’s position is not supported by the cybersecurity and security researcher community, emphasize that security researchers contribute greatly to the security of our digital society, and underscore that a broad interpretation of the CFAA, which is what Voatz is advocating for, threatens security research activities at a national level,” said Loden in an email. 

The letter lays out the ways that Voatz’s filing was allegedly self-serving, and an indicator of how companies like Voatz might use a broad interpretation of the CFAA to further crack down on critical security researchers. 

Voatz did not respond to CoinDesk’s requests for comment.

The Center for Democracy and Technology’s (CDT) is one of the signatories to the open letter. Stan Adams, the CDT’s deputy general counsel and Open Internet counsel, broke the case down into two arguments in a phone call with CoinDesk. 

According to Adams, if a broad ruling is made on the CFAA, security researchers would likely be discouraged from conducting research for fear of violating the “exceeds authorized access” part of the law. 

A broad interpretation would allow companies to lay out what “authorized access” might mean in their terms of service, which can be easily changed and altered, putting security researchers at greater risk. 

“Vague laws like the CFAA can kill security research,” said Adams. “The United States government wants access to be able to be limited by things like terms of use and other written expressions of access limitations, rather than what we would prefer, which is some sort of technical barrier.”

The idea is that a researcher, if governed by a technical barrier such as a password or encryption device, would know they’ve reached the limits of their authorized access. Laying out the limits of authorized access in a hard-to-find and even harder-to-read terms of service would leave security researchers guessing and create a chilling effect on research overall, he added. 

The impact on research doesn’t just apply to companies like Voatz, though one would be hard pressed to argue that a company engaging in digital voting doesn’t warrant intense scrutiny. 

Tech across the board would be impacted. Matt Hill, CEO of open-source, privacy-tech startup Start9 Labs, said white-hat hacking is key for any kind of tech. Without it, simple software bugs could become systemic infections, ones that could be exploited by malicious actors. The cryptocurrency world has seen such actors empty exchanges and steal people’s cryptocurrencies. 

“An honest organization determined to build secure products will encourage white-hat attacks, no matter how bad the results, because that is the only way for their system to become secure,” said Hill. 

“An organization trying to sell a lump of clay packaged as security, also known as vaporware, or a scam, will do everything it can to prevent attacks – to maintain the internal delusion and external illusion for as long as possible.”

Jason Gottlieb, a partner at Morrison Cohen LLP and Chair, White Collar and Regulatory Enforcement Practice Group, said that in his view, until Congress amends the CFAA to clarify what “unauthorized access” means, the CFAA should be interpreted in a way that provides a safe harbor for white-hat hacking. 

To be clear though, he said the hacking must be truly white hat and the burden should lie with the white hats to demonstrate that their intentions were to help rather than harm.    

“White-hat hacking is a key component of any data security program implementation, and has been for a very long time,” said Gottlieb. “Given the increasing importance of cybersecurity in the blockchain and cryptocurrency industries, we should be encouraging transparent white hat hacking as a way to make all systems better.”

Adams confirmed a broad ruling could encourage fintech companies and crypto exchanges to come down hard on white-hat hackers, given “they have strong incentives to not be perceived as flawed.” That being said, he also recognized that companies could also want to be secure, given it’s the public’s money on line at the end of the day. 

“Regardless, security by obscurity is not the way forward,” said Adams. “The CFAA is a pretty heavy hammer to wield.”

Update: (October 7, 2020, 18:32 UTC) CEO and co-founder of Voatz, Nimit Sawhney, has responded, stating, "We’re not advocating to limit anyone’s freedom – we’re saying it’s difficult to distinguish between good and bad faith attacks in the midst of a live election. For everyone’s sake, it’s better to work collaboratively with the organization as bad actors disguise themselves as good actors on a regular basis. All attempts to break into or tamper with an election system during a live election need to be treated as hostile unless prior authorization was specifically granted. Alternately, researchers can use our publicly available test systems which are true replicas of live systems in terms of functionality." [emphasis his]

Sawhney also clarified that Voatz filed its amicus brief because it was "falsely cited in previous filings from July 8." He maintained that that Voatz made no report to the FBI or any other federal authority, and that "no one who participated in our bug bounty programs has ever been reported or included in any client security bulletins."

Sawhney also asserted that the University of Michigan student was not a participant in the Voatz bug bounty program; rather that his action was "a failed attempt to tamper with a live system during an election."