Representatives of the infosec community have signed an open letter in response to an amicus brief that mobile elections platform developer Voatz filed with the U.S. Supreme Court in the case of Nathan Van Buren.
Van Buren is a former cop who was charged under the Computer Fraud and Abuse Act (CFAA) after he was bribed to search for confidential information in a police database. While prosectors say the man violated the CFAA by exceeding authorized access, his defense claims he did not exceed authorized access since he had been given the credentials to access that database. The court’s decision in this case could have far-reaching implications, including for security research.
Security researchers may violate a product’s terms of use when searching for vulnerabilities — companies often ban analysis of their products in the terms of use. If this would be considered “exceeding authorized access” under the CFAA, it allows vendors to more easily take legal action against researchers looking for vulnerabilities in their products.
In the amicus brief it filed, Voatz suggests that only authorized security research should be considered lawful, but not independent security research, even if in good faith. The company opposes an effort to narrow the meaning of the CFAA, which was enacted in 1986, to allow for unauthorized independent research.
“Rather, the necessary research and testing can be performed by authorized parties. These include private consulting firms and participants in organized ‘bug bounty’ programs,” Voatz’s amicus brief reads.
In response to the filing, representatives of the infosec community, including people involved in global coordinated vulnerability disclosure programs, bug bounties, and election security, say that Voatz’s brief “fundamentally misrepresents widely accepted practices in security research and vulnerability disclosure.”
They also add that “the broad interpretation of the CFAA threatens security research activities at a national level,” iterating their support for the petitioner in the case, Van Buren.
An amicus brief was also filed in the case of Van Buren by the EFF.
Security research, the open letter notes, has implications in almost all aspects of life, including systems that humans heavily rely on, such as medical devices and automobiles, and going all the way to industrial and election systems.
“It is clear security research has tangibly improved the safety and security of systems we depend upon. It is not a given that this vital security work will continue. A broad interpretation of the CFAA would magnify existing chilling effects, even when there exists a societal obligation to perform such research,” the letter reads.
Furthermore, it underlines the benefits of coordinated vulnerability disclosure, which has become a widely adopted practice, encouraging researchers to hunt for and safely report vulnerabilities to vendors. Moreover, organizations are required to provide researchers with a channel for reporting any identified security issues, and even federal agencies are required to adopt these best practices, under a recent Cybersecurity and Infrastructure Security Agency (CISA) directive.
“Vulnerability disclosure policies and bug bounties help mitigate, but do not solve, the broader chilling effects of the law toward security research,” the letter reads, explaining that, despite claiming to offer safe harbor to security researchers reporting vulnerabilities, organizations may still take legal action against them.
The letter also points out that, “under a broad interpretation of the CFAA, a failure to comply with any component of a vulnerability disclosure policy would itself constitute a contractual violation, and hence a CFAA violation, even if the policy specifically authorizes testing,” and that any research that also involves a company’s vendors or third-party services might not benefit from the protection.
From this perspective, the letter notes, Voatz acts in bad faith, especially since the company hasn’t followed rules established by its own policies and took action against a student, although their actions were considered authorized under Voatz’s safe harbor policies. The company later updated the policy to disallow the student’s activity.
“There is great irony in the fact that Voatz’s own interactions with researchers highlight the need for CFAA reform; Voatz’s actions demonstrate how firms are not necessarily incentivized to behave well. A firm acting in bad faith should not subject a good-faith researcher to legal action,” the letter reads.
The signatories of the letter explain how Voatz failed to act in “good faith” towards researchers in the past, which also resulted in March of this year in HackerOne removing the company from its bug bounty platform. Voatz even disputed MIT research that identified vulnerabilities disclosed in collaboration with CISA, further demonstrating its hostility toward security researchers, says the letter.
“To companies like Voatz, coordinated vulnerability disclosure is a mechanism that shields the company from public scrutiny by allowing it to control the process of security research. The fact that the MIT researchers discovered vulnerabilities that reflect poorly on Voatz’s security only underscores the need for public scrutiny — what is simply a hassle to Voatz is a crucial warning flare to the public,” the letter reads.
The letter’s signatories also reaffirmed their support of efforts at strengthened security research, noting that security researchers perform work that is vital to the public interest.
“We must not let Voatz’s distorted arguments overshadow many recent advancements in this space,” the letter reads.
The signatories also point out that CISA has released guidance for election administrators to implement vulnerability disclosure policies, and that six major voting vendors have already committed to launching such policies.
“A broad interpretation of the CFAA risks undoing many of these positive advancements. Voatz’s actions threatening good-faith security research are indicative of what may come should the Court decide that a breach of contractual terms constitutes a criminal CFAA violation. We cannot afford to lose the benefits of security research on our digital and physical safety, and our democracy as a whole. Thus, we urge the Court to adopt a narrow interpretation of the CFAA in support of the petitioner,” the letter reads.
