Surprise! Voting app maker roasted by computer boffins for poor security now begs US courts to limit flaw finding

Voatz, the maker of a blockchain-based mobile election voting app pilloried for poor security earlier this year, has urged the US Supreme Court not to change the 1986 Computer Fraud and Abuse Act (CFAA), a law that critics say inhibits security research because it's overly broad. The app maker filed an amicus brief [PDF] on …

  1. Anonymous Coward

    Voatz meet the Streisand Effect.

    In California at least the changes you want may be thwarted by a simple Anti-SLAPP suit. That's a Strategic Lawsuit Against Public Participation.

    Security researchers discussing your product's security or lack thereof is the very definition of that Public Participation part. Not to mention their 1st Amendment Rights to discuss what a shitty company you're being for trying to stop them from publicly discussing your abysmal security.

    And the harder you try to bury the truth the more the internet will keep bringing it to the front of searches on what all the fuss is about.

    "What's this Voatz thing? Oh wow. They wrote a program with such shitty security it took a team of security pros less time to get in than it takes to get into a hooker's knickers!"

    1. doublelayer Silver badge

      Re: Voatz meet the Streisand Effect.

      Ah, but it's not the discussion that they mind. If people investigate a system to find that it's a hideous mass of holes, they're violating the trust of the organization that put out the hideous mass of holes. It's important that we respect the rights of places that don't bother doing their own security testing and choose to use untrustworthy and unsafe code to store and process our information to make money. More than that, we must protect those who don't want to bother making good products from people who shamelessly figure out whether something will become a safety risk and, these people have no scruples, have the gall to tell the public about it after they tell the company who doesn't fix it. Consider how you would feel if someone researched the safety of cars and told people about the ones that blow up so you couldn't purchase one of those. Consider how you would feel if there was someone with the audacity to check if the claims of other products' advertisements were true and call out the selfless manufacturers when they were found to be lying through their teeth. These people must be stopped today.

      1. ThatOne Silver badge

        Re: Voatz meet the Streisand Effect.

        Indeed, whatever a company says or does is god-given law, and should be accepted and respected without questioning, period!

    2. John Brown (no body) Silver badge

      Re: Voatz meet the Streisand Effect.

      "And the harder you try to bury the truth the more the internet will keep bringing it to the front of searches on what all the fuss is about."

      I was thinking along similar lines. If the law stops unauthorised security researchers looking at stuff then the respected security researchers just have to produce regular press releases stating which companies and systems they have been refused authorisation for. If they have nothing to hide, they have nothing to fear :-)

  2. Anonymous Coward

    Real Life Superheroes

    In my book security researchers/reverse engineers are like real-life modern day Superheroes.

    They are the only ones that keep people safe and secure and in some cases can even save lives by exposing flaws and sh*tty security practices in today's internet connected world.

    I also believe that overly broad and expansive terms and conditions that threaten users about reverse engineering their sh*tty app is usually in place because the developer has either baked in some kind of spyware/malware or has some really sh*tty security/privacy they are trying to hide (like the app in the article).

    I am sure there are many that would disagree with me and would gladly support laws that limit security researchers like say, DLink, Lenovo, Cisco, Linksys, Microsoft etc etc....

    There are many great Heroes out there protecting lives like: Citizen Lab, Kaspersky Labs, SandboxEscaper, etc etc

    With the horrific state of our nation's politics ALL voting apps should be completely open-source.

    /rant

    1. DS999

      Security of voting machines

      Is hardly the biggest problem with voting in the US. If you have a paper trail for every vote then I say who cares if the software running the machines is open source. Just have a requirement to conduct random hand recounts of a statistically significant percentage to verify the totals and you know the machines are counting accurately.

      The real problem that needs to be fixed is access to the polls. In Georgia in 2018 the republican secretary of state, who is by law responsible for the election, was running for governor. He used his authority as SOS to order the closing of a bunch of polling places in majority black precincts. As a result, the average wait time to vote in majority white precincts was 6 minutes. The average wait time to vote in majority black precincts was 51 minutes. That is what voter suppression looks like, and is a far greater concern than whether source code for the election machines is publicly available.

      1. theOtherJT

        Re: Security of voting machines

        If you have a paper trail for every vote then I say who cares if the software running the machines is open source. Just have a requirement to conduct random hand recounts of a statistically significant percentage to verify the totals and you know the machines are counting accurately.

        No! No no no no no no no!

        So that machine has to print two copies of that - one for the voter so they can check and one to go in the ballot box for the theoretical recount. The voter obviously needs to be prevented from touching the latter, or they could deliberately vote for the wrong candidate and then tamper with the "log" paper vote to try and get the election invalidated.

        So, now we have 2 paper ballots, and the voter can't see that they're the same - and that's assuming that the voter even bothers to check the one they were given.

        Never trust. Never. EVER.

        I don't disagree that there are way more effective voter suppression tactics already in use - but imagine what happens should those be cracked down upon by some theoretical future honest administration. There's still a massive opening for someone to mass manipulate votes as long as these stupid, wasteful, pointless things remain in use.

        Don't make me post the Tom Scott video again.

        1. DS999

          Re: Security of voting machines

          No, if you have a touchscreen machine have it print a ballot for a scanner with the little bubbles filled in. You can check that it did what you want, then personally place it in the scanner just like if you had manually filled in the little bubbles yourself. There's no need for two copies, or for the touchscreen you use to keep ANY record of what you entered. The scanner, and the paper ballots it read, are the only official record of the vote.

          The only software compromise you need to worry about is in the scanners, or the system the scanners upload their results into. That's what the manual recount of the paper ballots printed by the touchscreens is intended to address, by using statistics to count a small number randomly to be assured that the results match.

          Of course there's no reason to have the touchscreens, it is simpler to just have people fill in the bubbles with #2 pencils, but if people insist on technology...

          1. John Brown (no body) Silver badge

            Re: Security of voting machines

            "Of course there's no reason to have the touchscreens, it is simpler to just have people fill in the bubbles with #2 pencils, but if people insist on technology..."

            Depends. Is this an election where the voter only chooses Trump, Biden, Other, or are there 25 other elections on the same ballot at the same time, each with 10 candidates?

            1. DS999

              Re: Security of voting machines

              Like all elections in the US, there will be a bunch of other elections on the ballot as well. Not sure why that would be easier with a touchscreen. It is about the same amount of effort to press "John Smith" or "Jane Doe" as it is to fill a bubble next to the name.

              More importantly, more can go wrong with the high tech solution. The touchscreen machine might break, or the touchscreen get out of calibration so you press one name but get another. With a pencil the worst that happens is the lead breaks, and they can solve that by having spare pencils on hand.

              1. Blank Reg Silver badge

                Re: Security of voting machines

                unless the vote is contested, in which case it will be hanging chads all over again, only now it will be bubbles

    2. Cuddles Silver badge

      Re: Real Life Superheroes

      "In my book security researchers/reverse engineers are like real-life modern day Superheroes."

      Which is exactly where the problems come from. Superheroes are (usually) vigilantes operating outside the law. Their actions are often overlooked because they help people with problems that can't be addressed by the authorities using normal means. But even then they still frequently have trouble with the law, and often require some forgiving authority figure to look the other way or actively cover up for them, because even though their actions may seem right they are still technically illegal. And of course, it's often difficult to draw a line between a hero who is forced into a difficult choice, a hero who regularly breaks the rules a bit more than normal, an anti-hero who doesn't care about the rules, and an outright villain.

      All sounds rather like security researchers really. The good ones are usually doing work that is morally right but often legally questionable, and there is often not a clear line between those genuinely acting for good and those who happen to expose bad practices while only doing the hacking for fun, or being otherwise actively malicious. This is why people like Snowden and Assange, for example, aren't exactly universally loved - just because they exposed some bad stuff doesn't mean they're actually good themselves. And similarly the likes of the research groups listed above mostly do seem to be acting for good, but may well be breaking the law in doing so, and since opinions on what is actually good vary they're not universally loved either.

      And as with superheroes, the big problem is that they're all dealing with things that the law can't actually handle. Just as superpowers aren't handled very well by the legal system, laws developed decades or centuries ago don't handle computers and the internet very well. Everyone has an opinion on when vigilantism should or shouldn't be allowed, but even agreeing on whether something does or doesn't break the law is difficult enough before you even start asking about should.

      So yes, security researchers are very much like superheroes. Without them, the internet would be a much less safe place. But relying on vigilantes operating in legal grey areas is far from the best way to deal with real world issues, especially given how difficult it can be to tell the heroes and villains apart, and when they can swap roles from comic to comic.

      1. Falmari

        Re: Real Life Superheroes

        Wow have an up vote, loved it so well argued.

      2. amanfromMars 1 Silver badge

        Re: Some Real Life Superheroes are/can be Extremely Deadly Effective.

        But relying on vigilantes operating in legal grey areas is far from the best way to deal with real world issues, especially given how difficult it can be to tell the heroes and villains apart, and when they can swap roles from comic to comic. ....Cuddles

        The military minded would probably disagree with you, Cuddles, and would also most likely also deny in pleasant company that their spooky special forces are villainous.

        :-) Don't push your luck though and ask active remote agents doing spooky special forces work about any of that. They mightn't give the answers that you want them to.

        And don't you just love those legal grey areas :-)

  3. SmartAlec

    Can someone remind me...

    Why do we want electronic voting again? Just like in general?

    1. don't you hate it when you lose your account Silver badge

      Re: Can someone remind me...

      Inserted advertising is cheaper than printing it on ballots. Simple

    2. jmch Silver badge

      Re: Can someone remind me...

      Because somehow democracy would be destroyed if we know the election results within 48 hours rather than immediately. Remind me how voting used to be counted in the 70s and 80s again?

      And of course the other reason, cost. Because of course we want to save a few hundred million to cut corners on unimportant things like democracy but don't mind throwing billions down the drain in pork barrel 'military' programs that will never be used

      1. Anonymous Coward

        Re: Can someone remind me...

        The only valid ways of voting should remain in-person and absentee. There's too many risks been shown with electronic and mass postal voting when they've been used.

        Cost really shouldn't be a factor at all.

        1. WonkoTheSane

          Re: Can someone remind me...

          Absentee voting and postal voting are the EXACT SAME THING!

          1. mrobaer

            Re: Can someone remind me...

            Absentee voting is when a person requests an absentee ballot. The 'postal voting' that is concerning people in my country, is where a ballot is mailed to every registered voter, requested or not. There are millions of people on voting registers who should not be there. Several states are actively being sued to have these names removed. If this is how we're going to vote this year, it's going to take a lot more double-checking to verify that the 800,000 inactive names on the polls in my state aren't voting in more than one location.

        2. davenewman

          Re: Can someone remind me...

          Estonia runs online voting that is as secure as paper voting. Neither is perfect, but they have put the effort in to make it easy to verify. In Nicaragua they use a voting tablet which saves the vote 3 times - on paper print put in a box, on a memory card and transmitted to the counting centre - so there are 2 ways of checking the vote. The voting tablet has pictures, icons and names of the candidate so that you don't have to read to be able to vote. There is also a button to press to confirm the vote, so until then the voter can correct mistakes.

          1. Phil O'Sophical Silver badge

            Re: Can someone remind me...

            Estonia runs online voting that is as secure as paper voting.

            How does it handle voting secrecy, so that there is a guarantee that the voter was not influenced by anyone else at the time they voted? A one-person curtained booth in a polling station enables that, but I've yet to see a postal or electronic system which does.

          2. Anonymous Coward

            Never online

            "as secure as paper voting" Nah:

            https://www.youtube.com/watch?v=iit5WdLYwns&feature=emb_logo

            If you can instantly analyse who has voted, you can create phantom votes for people who haven't on the server.

            Software can tell them one story and tell the tally machine a different story.

            If you can grab that voting database, you can analyse for gerrymandering and disenfranchisement. You have a precise database that's easy to copy.

            As the Russians did to Estonia, attack the servers for areas that don't like the Russian backed candidate to block the voters.

            You have to make elections difficult to rig, paper trails everywhere to check, people, the dumbest, smartest, tech savvy, non-tech savvy people need to be able to verify the vote themselves and see for themselves the vote is correct.

            Auditable paper trail or paper ballots. In sealed boxes, transported with witnesses for the parties being voted on, counted in front of witnesses for the voting parties. It is the one and only truly trusted system, it's the one everyone can verify.

            Nothing stops you printing an icon on the ballot for people who cannot read.

            ONCE YOU LOSE DEMOCRACY, it's gone, poof. It never comes back, the dictator in power can always rig the rules to stay in power, and you should realize how quickly the checks and balances crumble. How quickly the cronies will line up around the dictator.

            [Added]

            Also realize that Russia attacked US election *roll and record* systems in 2015. Do not assume that doesn't let them rig an election it certainly lets them know who to create phantom votes for.

            But this (below) remains the easiest technique to win elections, simply block voters from voting. Be it students, renters who move around, non-drivers, by refusing lots of ids.

            https://www.usatoday.com/story/news/nation/2019/12/13/wisconsin-voter-registration-judge-orders-234-000-purged-rolls/2643852001/

            1. Anonymous Coward

              Re: Never online

              Added:

              Given the Republicans have managed to keep Covid 19 going till election time. You need to do mail-in ballots.

              If you can, drop the vote in a voting drop box at the polling station near the day to ensure it arrives.

              If you cannot do that, post it in a mailbox in a rich neighbourhood, or near a banking or investment center.

              If you cannot do that, mail it early so it has plenty of time to arrive.

              Failing that you will have to go to the polling station and vote, I'm sorry but if there is a lot of you, and you have a Republican Secretary of State, a lot of people trying to vote will give them an excuse to close that polling station. You need to insist on getting your vote, even if Bill Barr has his gunmen out, or Trump sends a militia to intimidate and threaten, you need to insist on your right to vote.

              If you need inspiration, see Belarus, Putin is sending in plain clothes troops there to secure his puppet there. If you think that could never happen in the US, you are seriously deluded.

              1. Anonymous Coward

                Re: Never online

                Given the Republicans have managed to keep Covid 19 going till election time. You need to do mail-in ballots.

                It isn't the Republicans that have been flogging and dragging out the COVID-19 response. It's the Democrat-controlled states that have had the worst record on this.

                1. DS999

                  Re: Never online

                  You mean like Texas, Florida, Arizona where there were recently huge outbreaks, and now South Dakota, North Dakota and Iowa where outbreaks are currently raging? All republican controlled.

                  The big surge in New York was early on, but they've controlled it well since. It is in the top 3 or 4 states in terms of the lowest per capita infection rate for the past several months.

                  Sorry but Trump totally screwed the pooch here by leaving it up to the states to do everything, even sourcing PPE was forced to be done by the states leading to states bidding against other states. All because Trump is a papier-mâché cliché of a "businessman" who doesn't know how to lead, and certainly doesn't know how to find "the very best people" considering he put his dorky son in law in charge of the federal response.

        3. BigSLitleP

          Re: Can someone remind me...

          Postal, absentee and in-person voting. Only one of these has ever been proven to be used for fraudulent voting. Can you guess which one?

          In-person.

          You are Trump in disguise and I claim my $5

          1. Someone Else Silver badge

            Re: Can someone remind me...

            Well, there was the guy in South Carolina (IIRC) who was running around collecting "absentee" ballots, and throwing out the ones that came from areas known to be predominately Democrat. Caused the state to throw out the entire election and do a "do-over". Guy got thrown in the hoosegow for it.

            Oh, and yes, the fucker was a Republican operative. Got that, Mr. tRump? The only documented case of active voter fraud in this decade was done by a Republican functionary. Not Democrat. Republican.

          2. DS999

            Re: Can someone remind me...

            There was a woman in Iowa who was convicted of voting twice, both in person and by mail in ballot. She was a Trump voter, and claimed she was concerned her mail in ballot might not be counted. This was back in 2016, now Trump is recommending his followers do the same thing.

            We'll need to build a lot of new jails if they all listen to him.

        4. Pascal Monett Silver badge

          Re: risks been shown with electronic and mass postal voting

          Could you please point us to where these postal voting risks are shown ? Oh, and outside a Fox News page, if you will.

          Don't buy the hype. Postal voting is fine, if, of course, it is properly controlled.

          Electronic voting, on the other hand, has yet to be demonstrated as being fine (ie secure and simple to use but difficult, rather near-impossible to abuse). Until such time as it is proven to be secure, reliable and easy for the voter to understand, it is not fit for purpose and should be avoided at all costs.

          1. mmccul

            Re: risks been shown with electronic and mass postal voting

            Regarding reliable voting, the problem I've seen is not the precinct, but the tallying of multiple precincts for the official reporting of the county results. A little county in Wisconsin had their elected official refuse to allow their Internet connected computer that did all that work to be patched, maintained, or even audited by a 3PAO. (Resulted in a bit of a scandal a decade ago, the individual was an elected official, so couldn't be fired as a result, and argued as an elected official, they were exempt from policies to maintain the security of computers issued by others).

            Take all those per precinct numbers, add them up on one little computer, that just quietly rewrites the final results to the desired number. Tallying any individual machine won't reveal any problem, or any significant percentage of votes. Only when you look at the whole county level can you see that something messed up happened, and it only requires attacking one computer and skewing a few percentage points the final sums.

            1. DS999

              Re: risks been shown with electronic and mass postal voting

              At least around here, the poll workers make a copy of the final tallies in their precinct before communicating them up the chain, and then check them against the reported numbers on the state website the next day. That way neither the county nor the state can cheat, assuming everyone checks them.

              There are also often volunteer representatives of each of the two major parties present for the counting that happens in each precinct, who also note down those numbers and do their own checking. What you describe is theoretically possible, but you'd have to bar representatives of the party you are trying to screw from observing the results in any precinct, and not make per precinct numbers available anywhere in case one of the poll workers wrote down the final tally.

              So it would actually be quite difficult to achieve in practice, with a high likelihood that a discrepancy would be noticed and eventually traced to the guilty party (or at least it would be known someone tried to rig things)

      2. Pascal Monett Silver badge

        Re: if we know the election results within 48 hours rather than immediately

        If it takes 48 hours to get the results, you're doing it wrong.

        France has been using paper ballots for decades now, and on Election Day, we know that we'll get the results for what we call the Metropolitan Area at 20h00 sharp. Results from the External Territories (La Réunion, etc) will obviously come later due to time zone issues, but half the population doesn't live there, so it's not really an issue for anyone.

        1. DS999

          Re: if we know the election results within 48 hours rather than immediately

          I presume you have only the presidential election on your ballot. Google for what typical ballots in the US look like, on Nov 3 people will be voting for president, senator (in 2/3 of the states), congressmen, state senate/congressmen in most states, governor in a few, plus other state positions like SoS, plus various state referendum, plus local positions like city council, sheriff, school board and various local referendum.

          1. Martin an gof Silver badge

            Re: if we know the election results within 48 hours rather than immediately

            Are they all on (physically) the same paper?

            Around here (UK), if there are several different elections on the same day, each one gets its own ballot paper, so counting can be prioritised or can be done in parallel, but in most cases different elections happen at different times.

            M.

            1. DS999

              Re: if we know the election results within 48 hours rather than immediately

              All on one sheet, here and AFAIK everywhere in the US. Sometimes more than one, but only because all the stuff won't fit on a single sheet so you will have multiple double sided sheets with dozens of things you're voting on.

              1. Martin an gof Silver badge

                Re: if we know the election results within 48 hours rather than immediately

                So if you are counting manually (or is *everything* counted mechanically in the US?) you can only count one set of results at a time, then the papers have to be collected and re-counted for the next. Not terribly efficient :-)

                M.

      3. Wayland Bronze badge

        Re: Can someone remind me...

        No we want electronic voting to take the count out of the hands of ordinary people and put it in the hands of a few techies who are more easily bought. That way the desired outcome can be ensured.

    3. Alumoi

      Re: Can someone remind me...

      To err is human, but to really foul things up you need a computer.

      Paul R. Ehrlich

  4. Warm Braw Silver badge

    Allowing tech companies to threaten criminal action...

    I can think of a number of tech companies that would be overjoyed if they could actually prosecute people for failure to comply with their tracking requirements. It's simple "law & order" - they buy the law, you follow their orders...

  5. You aint sin me, roit Silver badge

    Simple solution...

    Just leave it to the Russians to test the security of your voting software for you.

    You know they are going to in any case...

  6. LazLong

    'Cause spies respect EULAs, right?

    Yeah, because of course the Nork's, Russia's, Iran's, and China's security agencies respect EULAs, so we don't need software to actually be written securely.

    Fucking idiots.

    1. Wayland Bronze badge

      Re: 'Cause spies respect EULAs, right?

      Better to have real criminals find and exploit the bugs than white hats who simply warn you and don't tell the criminals. Which one provides the most motivation? Clearly when your system is under heavy attack by criminals you are more inclined to fix bugs.

  7. Doctor Syntax Silver badge

    I can't see anything wrong with Voatz position - providing, of course, that they're* then on the hook for consequences, civil and/or criminal, if the product gets hacked in ways that the unauthorised testing could have brought to their attention.

    * They including the management in person as well as the company.

    1. doublelayer Silver badge

      I get that you're trying to be conciliatory, but that approach is extremely unacceptable. They shouldn't just be liable after their travesty causes massive problems. That way would help, but it's a lot like saying that I'm responsible after my non-IAEA approved nuclear reactor spreads radioactive waste over the local area. When things are this important, they need to be responsible before anything happens. That means that, when there are sufficient amounts of consumer information involved, when the government is going to use it, or when a malfunction could cause injury or death, the law should require that they do testing with independent testers and they should either have to implement the fixes to any bugs the testers find or appeal the decision not to. Having researchers who test systems simply helps this process and makes it cheaper. We require it of people making medicines or medical devices. We require it of people making cars and aircraft. We require it of people growing or manufacturing food. We can require it of people using the public's data, too.

      1. Doctor Syntax Silver badge

        "I get that you're trying to be conciliatory"

        Moi?

        1. doublelayer Silver badge

          Yes, it seemed to me as if you were trying to be conciliatory. Statements that start like "I can't see anything wrong with Voatz position - providing" sound as if you think there's a possibility where their recommendations can be accepted. You clearly hedge against that with the recommendation you provided, and that limitation is useful, but in my opinion you've already given up too much by giving them anything. My reasons for that opinion are stated above.

    2. DS999

      On the hook for consequences?

      So if the product gets hacked by someone in another country and a president is elected who should not have won based on the true vote count, how would even the most extreme penalty of being able to bankrupt the company with a big fine and execute its management come close to compensating the populace for that?

      The only remedy is to have enough checks and balances that it is completely impossible for software bugs or hacks to change the result. There is simply no room AT ALL for trusting ANYONE in something this important to a democracy.

  8. Anonymous Coward

    Talk Talk

    A friend of mine discovered how to get into Talk Talk routers through WiFi by activating WPS remotely.

    He did the moral but illegal thing of warning Talk Talk about the vulnerability.

    He was arrested and punished.

    So as not to get into trouble with the law he should have published his findings anonymously and widely on black hat forums. Then with routers being breached all over the UK the vulnerability would have got fixed. The way he did it the vulnerability is still there.

  9. Eclectic Man Bronze badge

    Democracy is in the counting*

    *According to a quote I saw attributed to the playwright Tom Stoppard.

    When I was a practicing IT security person I got annoyed at the relatively intelligent people** proposing 'cryptographic voting schemes' which, when analysed did nothing to prevent cheating.

    I devised my own, Socially secure cryptographic election scheme (Electronics Letters, 23rd May 1991, pp955-957 / or digital reference 10.1049/el:19910596), which is hopelessly complicated, but does allow everyone to check all the votes have been counted correctly. Unfortunately I could not find a solution that both allowed for genuine voter secrecy AND restricted each voter to one vote. So there is the problem of coercion and paying for votes (which is why photography in voting stations is illegal, you could be proving to your 'sponsor' that you voted the way they wanted).

    Most of the electronic election schemes I've seen allow whoever programs the machines to cheat with impunity. You don't need to hack machines or deny people in opposition areas the vote if you programmed the machine to misreport the votes. Even if there is a paper trail, unless you are going to use people to count the votes (not entirely accurate, but people are witnesses, which machines are not) the machines that count the votes must not know which candidate they are supporting or the system is open to fraud. Note that almost all of the USA's vote machine manufacturers are or were Republican Party donors.

    The system of putting a cross on a piece of paper that is subsequently counted by humans is actually quite robust, has a nice trail that allows for genuinely independent re-counts, and, importantly, forensic examination of ballots in the event of suspect fraud, ballot box stuffing etc. Creating thousands of fake votes by computer is easy, doing the same for paper ballots is really tricky, and can lead to imprisonment.

    Basically, sometimes the old ways are best.

    As for the law, one hopes there is a defence of 'it being in the Public Interest' to protect democracy, or at least of 'legitimate comment'.

    **(Including surprisingly one from the late, lamented, Prof Roger Needham.)

  10. Neoc

    In other news...

    ...law proposed which makes it illegal for "Choice!" magazine to test products without first gaining approval, in case they find faults with it.

  11. hayzoos

    Twist the law

    I always viewed the "unauthorized use" to be in regards to the owner of the computer in question. If the owner of the computer authorizes a use, then the "unauthorized use" of the CFAA does not apply. I would think the DMCA could be better argued to apply. That's a whole other can of worms. Either law is suitable to be twisted in the manner attempted.

    I don't believe the security research in question was grey area. I think it was bona fide effort. There was no risk of harm to anybody except revealing the poor security of the Voatz app would damage the company's undeserved reputation for building a secure voting app.
