Nathan Van Buren, Petitioner v. United States
Voatz was named in an amicus brief dated July 8, 2020, advocating on behalf of “good faith” researchers and “white hat” hackers to be allowed the free and unfettered ability to attack live systems without identifying themselves or adhering to guidelines.
Voatz’s response to this brief is an effort to provide the Supreme Court with context and evidence surrounding the Voatz example used in the brief. We also provide our experience on the potential impact of a ruling that would challenge efforts to distinguish between good-faith and malicious attacks on critical infrastructure. During a live election, we should be squarely focused on securing the platform; allowing an unfettered, unannounced ability to attack live critical infrastructure, and then having to distinguish between “good” attackers and “bad” attackers, would be a burden that undermines that focus.
The Voatz platform has benefited greatly from our work with researchers when those researchers have worked collaboratively through consulting arrangements, “bug bounty” programs, and other authorized engagements. We have witnessed firsthand the role of collaboration in evolving our platform, and in our mission of making voting secure and accessible for anyone disenfranchised by current methods of voting. We are deeply committed to ensuring that our relationship with researchers is one of mutual respect. It is within this context that technology can be appropriately developed, piloted, and deployed.
Contrary to claims in the amicus brief filed by the Computer Security Researchers, Electronic Frontier Foundation, unauthorized research can be detrimental to innovation in technologies identified as critical infrastructure—in this case, electronic ballot marking and return. Allowing for unauthorized research in the form of hacks/attacks on live systems would lead to uncertain and potentially faulty results or conclusions, would make distinguishing between true researchers and malicious hackers difficult, and would unnecessarily burden the mandate of the nation’s critical infrastructure. Furthermore, there is simply no rationale for such access where, as described above, computer researchers can conduct security research using authorized research processes already in place (such as bug bounty programs and advanced replica systems that mirror live systems) in coordination with organizations or their customers.
- Voatz collaborates with a wide range of credible organizations and individuals as a reflection of its mission to provide a secure mobile voting platform. This includes engagement with independent third-party security firms and independent white-hat researchers who participate through its bug bounty program, a methodology that is used by a majority of tech companies and secure entities, including the Department of Defense.
- Setting the conditions for access to computer systems that are created and maintained at great expense is just as reasonable as setting conditions for entry onto physical premises. A nuclear power plant may offer tours to the public, but if a member of a tour group goes beyond that limited authorized access and attempts to sneak into the control room, they can be prosecuted for trespassing. The same is true for virtually every other piece of physical critical infrastructure, whether it be banks, airports, or military bases. This logic should be applied to the nation’s computer systems created and maintained for critical infrastructure and in this case specifically, elections.
- While the Computer Researchers portray themselves as under threat of being victimized for inadvertently tripping over a restriction, the reality is different: they wish to be free to deliberately infiltrate a live system in violation of readily accessible terms, openly publish any results obtained without adhering to coordinated disclosure policies, and be immune from being intercepted or reported under contract for doing so. There is simply no rationale for such access where, as described above, computer researchers can conduct security research using authorized research processes already in place (such as bug bounty programs and advanced replica systems that mirror live systems) in coordination with organizations or their customers.