In its amicus brief to the Supreme Court, Voatz argued that independent code audits and penetration tests are not authorized forms of security testing.
A pending US Supreme Court case could produce a reading of the federal Computer Fraud and Abuse Act (CFAA) under which any "misuse" of technology not sanctioned by the software vendor becomes a crime, and such a reading would hinder security research. That is the argument of an open letter signed by nearly 70 security researchers and information security companies, including specialists from the University of Michigan, Johns Hopkins University, Bugcrowd, HackerOne and Trail of Bits.
The open letter responds to an amicus brief filed with the Supreme Court by the developer of the Voatz voting application. In it, the company claims that testing laboratories, vendor-commissioned security audits and bug bounty programs are the authorized forms of security testing, and that these are sufficient to ensure security, while independent code audits and penetration tests that the vendor has not sanctioned are unauthorized and should fall under the CFAA as "exceeding authorized access."
The case is the appeal of Nathan Van Buren, a former police sergeant from Georgia who was convicted of using a state law-enforcement database for personal gain. Van Buren had official access to the database but used it for an improper purpose, which, according to prosecutors, violated the CFAA.
Security experts fear that if the Supreme Court upholds Van Buren's conviction on that theory, independent vulnerability research could likewise be treated as "unauthorized access" and therefore become a criminal offense.
In the letter, the signatories argue that security research is vital and has improved the security of systems in voting, healthcare, transportation and other areas.
The signatories also accuse Voatz of acting in bad faith toward security researchers, recalling the company's decision to report to the authorities a University of Michigan student who had discovered a vulnerability in its application, citing "unauthorized access." Voatz representatives, for their part, said that the researcher was not participating in the company's bug bounty program and that the activity was a failed attempt to "make changes to the system in real time during the elections."