The Supreme Court is considering whether to adopt a broad reading of the Computer Fraud and Abuse Act that critics say could criminalize some types of independent security research and create legal uncertainty for many security researchers. Voatz, an online voting vendor whose software was used by West Virginia for overseas military voters in the 2018 election, argues that this wouldn’t be a problem.
“Necessary research and testing can be performed by authorized parties,” Voatz writes in an amicus brief to the Supreme Court. “Voatz’s own security experience provides a helpful illustration of the benefits of authorized security research, and also shows how unauthorized research and public dissemination of unvalidated or theoretical security vulnerabilities can actually cause harmful effects.”
As it happens, we covered a recent conflict between Voatz and an independent security researcher in last Thursday’s deep dive on online voting. And others involved in that altercation did not see it the way Voatz did.
This reminds me of TurboTax in the United States, which lobbies aggressively to keep filing taxes as difficult as possible so as to protect its business.
I am sure there was a scientific name for this, but the issue is a small group having a large stake in the issue, while the other side is diffused in the entire population.
A major example was the “corn subsidies”. The farmers will fight tooth and nail to keep them alive, since each of them has a big benefit (millions$$) to lose. But each taxpayer only contributes a small amount to keep this alive. So they would not individually show up in Washington, DC to fight against it.
What is worse, shoving “high fructose corn syrup” down the collective throats is not healthy. In the long term the stuff is poison, and causes obesity, heart disease, liver issues, diabetes, and whatnot. Actually I think if you consider US healthcare costs, it probably causes thousands of dollars worth of damage to us all.
Ok, I got sidelined. But the analogy stands. The voting machine manufacturers have a lot to lose if their ineptitude is exposed. On the other hand individual researchers can always work on another topic. So I don’t foresee a union of academics lobbying Congress on the issue.
(Or the tax thing. As long as TurboTax offers a free option for the majority, people would not complain).
Great idea!! /s
Then, instead of having reputable independent security researchers finding flaws ahead of a state-sponsored rival nation or mega corp, the USA will be at the mercy of a “sanctioned” researcher to find a hole in critical infrastructure, or to be exploited to hell and beyond by his rivals and only learn about it decades later.
Worse, given that some “consumer oriented” companies invest between zero and nothing in actual security research, and only move a finger when someone points out a flaw and shit hits the fan, all American software will become dangerous exploit-riddled time bombs.