Expert Commentary: Voatz Wrongly Accuses Ethical Hacker

Voatz’s corporate disclosure in the introduction of this brief is the exact reason why they should not qualify for Amicus Curiae, as it benefits them to uphold the Computer Fraud and Abuse Act (CFAA). Additionally, Voatz’s main argument to the researcher’s amicus brief fails to address the fact that the organizations that establish authorized access will not know about all possibilities for exploitation by an adversary.

To elaborate, if there’s a method of exploiting the system that the organization is unaware of, they cannot possibly provide legal access to test it. In this case, Voatz would be leaving their voting system vulnerable to attack. Unauthorized access is one of the main purposes of security research – by making it illegal, researchers will be unable to effectively do their jobs, the organization will not be able to close all vulnerabilities, and attackers will win.

Congress originally passed the CFAA in response to growing threats from malicious actors. Unfortunately, the law is so broadly written that it criminalizes acts that otherwise violate a website’s terms of services, from lying about your name on a web form to the socially beneficial security testing that ethical security researchers undertake. The purpose of the CFAA is to outlaw malicious cyberattacks, not grant organizations the ability to halt vulnerability reporting by holding ethical researchers legally accountable for their actions. A broader interpretation of \”exceeds unauthorized access\” in CFAA works directly against the goals of a safer and more resilient internet.

Moving forward, security researchers must also pay attention to organizations’ bug bounties to ensure they have safe harbor language.