{"id":4071,"date":"2020-02-07T10:20:10","date_gmt":"2020-02-07T15:20:10","guid":{"rendered":"https:\/\/cointelegraph.com\/magazine\/?p=4071"},"modified":"2020-04-09T10:53:26","modified_gmt":"2020-04-09T14:53:26","slug":"safe-harbor-or-thrown-to-the-sharks-by-voatz","status":"publish","type":"post","link":"https:\/\/cointelegraph.com\/magazine\/2020\/02\/07\/safe-harbor-or-thrown-to-the-sharks-by-voatz","title":{"rendered":"Safe Harbor, or Thrown to the Sharks by Voatz?\u00a0"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">In looking to address low voter turnout and the difficulty of in-person voting for veterans and people with disabilities, companies have often advocated for the use of technology. Blockchain has been suggested as a solution to archaic voting systems, which could take the form of improving security by assuring that each vote is counted only one time, and is permanently recorded.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But the use of technology is not a cure-all, as anybody paying attention to the Iowa caucus debacle would know. And blockchain voting isn\u2019t necessarily a perfect fix either.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Voatz, a Massachusetts-based company, has worked with West Virginia; Denver, Colorado; Utah County, Utah; and both <\/span><span style=\"font-weight: 400;\">Jackson and Umatilla Counties in Oregon,<\/span><span style=\"font-weight: 400;\"> to pilot its blockchain-enabled mobile voting app. However, the company has met with criticism due to what Joseph Lorenzo Hall, senior vice president for a strong Internet at the Internet Society and former chief technologist at the Center for Democracy &amp; Technology, described as the company\u2019s \u201ccompletely opaque\u201d approach to security.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Although the company has shared an eight-page white paper and claims to have been audited multiple times, it has <\/span><a href=\"https:\/\/slate.com\/technology\/2019\/07\/west-virginia-blockchain-voting-voatz.html\"><span style=\"font-weight: 400;\">provided precious little information<\/span><\/a><span style=\"font-weight: 400;\"> about what tests were conducted; what the auditors had access to; any vulnerabilities discovered; and whether or not they were fixed.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Last October, <\/span><a href=\"https:\/\/www.cnn.com\/2019\/10\/01\/politics\/fbi-hacking-attempt-alleged-mobile-voting-app-voatz\/index.html\"><span style=\"font-weight: 400;\">CNN revealed<\/span><\/a><span style=\"font-weight: 400;\"> that a <\/span><a href=\"https:\/\/www.cnn.com\/2019\/10\/04\/politics\/fbi-voting-app-hack-investigation\/index.html\"><span style=\"font-weight: 400;\">student security researcher<\/span><\/a><span style=\"font-weight: 400;\"> was referred to the FBI over what the company says was an intrusion attempt\u2014even though that research appears to have been protected by the safe harbor statement in the company\u2019s bug bounty program. The bug bounty program terms on HackerOne <\/span><span style=\"font-weight: 400;\">were updated<\/span><span style=\"font-weight: 400;\"> soon after the FBI referral made headlines, and first noticed by independent security researcher Jack Cable.<\/span><\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Referring researchers following terms of your bug bounty to the FBI isn&#8217;t cool. According to <a href=\"https:\/\/t.co\/OIR3XXB0h8\">https:\/\/t.co\/OIR3XXB0h8<\/a> Voatz director says the &#8220;live election system&#8221; was &#8220;out of scope&#8221;, but this was added to the terms today (<a href=\"https:\/\/t.co\/60b4isZMZZ\">https:\/\/t.co\/60b4isZMZZ<\/a>).<\/p>\n<p>\u2014 Jack Cable (@jackhcable) <a href=\"https:\/\/twitter.com\/jackhcable\/status\/1180306471361269762?ref_src=twsrc%5Etfw\">October 5, 2019<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">In a statement to Cointelegraph, a Voatz spokesperson wrote, \u201cAs previously reported, Voatz detected and thwarted an unsuccessful attempt to gain entry to the system during the 2018 midterm election in West Virginia. As an elections company and conforming to the official \u2018critical infrastructure\u2019 designation under the Department of Homeland Security, Voatz reported the information about the incident to the West Virginia Secretary of State\u2019s Office, which subsequently referred the matter to law enforcement agencies.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Voatz CEO Nimit Sawhney\u2019s comment to CNN in October was much more forceful. &#8220;We stopped them, caught them and reported them to the authorities,&#8221; he was quoted as saying.<\/span><\/p>\n<p>The alleged intrusion appears to be activity that\u2019s protected under Voatz\u2019s safe harbor policy, as written in HackerOne, which\u2014at the time of the incident\u2014stated:<\/p>\n<p style=\"text-align: center;\"><em>\u201cAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u201d<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2020\/02\/Voatz-Bug-Bounty-History-HackerOne.png\"><img loading=\"lazy\" class=\"aligncenter wp-image-4074 size-full\" src=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2020\/02\/Voatz-Bug-Bounty-History-HackerOne.png\" alt=\"HackerOne Bug Bounty history for Voatz\" width=\"512\" height=\"216\" srcset=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2020\/02\/Voatz-Bug-Bounty-History-HackerOne.png 512w, https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2020\/02\/Voatz-Bug-Bounty-History-HackerOne-300x127.png 300w, https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2020\/02\/Voatz-Bug-Bounty-History-HackerOne-500x211.png 500w, https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2020\/02\/Voatz-Bug-Bounty-History-HackerOne-293x124.png 293w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/a><\/p>\n<p style=\"text-align: right;\"><i><span style=\"font-weight: 400;\">Screenshot: <\/span><\/i><i><span style=\"font-weight: 400;\">https:\/\/hackerone.com\/voatz\/policy_versions?change=3620507<\/span><\/i><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">As Cable pointed out on Twitter, Voatz retroactively changed its policy after news about the FBI referral was public. The policy now reads:<\/span><\/p>\n<p style=\"text-align: center;\"><em>\u201cTo qualify, you MUST only use the test or beta versions of the mobile apps as indicated in the links provided as part of this program (via Apple TestFlight or Google Play Beta). Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Any attempt to disrupt a live election system or tamper with the live versions of the mobile apps will be considered a direct violation of the above policy.\u201d<\/em><\/p>\n<p><span style=\"font-weight: 400;\">On Twitter, Voatz wrote, \u201c<\/span><span style=\"font-weight: 400;\">No one who followed the policy was reported. The policy update&#8230;corresponds to the latest cycle (#3) of our testing. The previous cycle clearly listed the app links which researchers are supposed to use. You can view that in the history.\u201d\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But Voatz\u2019s prior policy, as Cable pointed out, didn\u2019t mention live systems, and simply stated that researchers should make a good faith effort to avoid privacy violations and destruction of data.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Voatz has pointed to voting as \u201ccritical infrastructure\u201d as a reason the company felt it had to report the incident. However <\/span><span style=\"font-weight: 400;\">Kendra Albert, Lecturer on Law at Harvard Law School, <\/span><span style=\"font-weight: 400;\">said \u201cI&#8217;m unaware of anything about the critical infrastructure designation that requires Voatz to report incidents to the FBI even if they thought they were malicious actions, let alone if they&#8217;re individual security researchers.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The best practice for securing modern technology, Albert suggested, is to work with security researchers rather than referring them to law enforcement, which could make people less likely to report information that will help secure the product.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cVoters would have good reason to be nervous about a voting infrastructure that isn\u2019t cooperating with security researchers who are trying their best to find holes before elections are tampered with,\u201d Albert continued.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In an interview with Cointelegraph, Jack Cable said that bug bounty programs\u2019 safe harbor policies are typically general statements rather than something this specific. \u201cThe fact that they added a sentence, \u2018any attempt to disrupt a wide selection could be considered a direct violation of the above policy,\u2019 that never happens,\u201d he said.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In spite of Voatz\u2019s denial, a reasonable observer might conclude that this change was made after the fact to make the student appear to have committed such a violation. Indeed, then-CNN reporter Kevin Collier wrote, \u201cSawhney told CNN the attempted intrusion he reported to the FBI was on its \u2018live election system\u2019 which was \u2018out of scope\u2019 for the bug bounty program.\u2019\u201d But retroactive updates to HackerOne program terms of services do not apply to research conducted before the change.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Professor <\/span><a href=\"https:\/\/jhalderm.com\/\"><span style=\"font-weight: 400;\">J. Alex Halderman<\/span><\/a><span style=\"font-weight: 400;\">, who teaches an <\/span><a href=\"https:\/\/www.eecs.umich.edu\/courses\/eecs498.009\/\"><span style=\"font-weight: 400;\">election cybersecurity course<\/span><\/a><span style=\"font-weight: 400;\"> at the University of Michigan, has conducted extensive research on voter machine bugs, a subject on which he\u2019s testified to the U.S. Senate Select Committee on Intelligence. Like other election security experts, Halderman <\/span><a href=\"https:\/\/statescoop.com\/west-virginia-may-offer-blockchain-based-ballots-to-all-of-its-overseas-voters-this-november\/\"><span style=\"font-weight: 400;\">has been critical of Voatz<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Is it possible that Voatz wanted to fire some warning shots to prevent University of Michigan students from conducting research about the security of its systems?\u00a0<\/span><\/p>\n<h3><b>A Weak Defense?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Voatz does have its defenders, though the credibility of one of their more voluble advocates doesn\u2019t rise to the standard set by security experts who have discussed the company\u2019s product. One such person is Twitter user <a href=\"https:\/\/twitter.com\/dergen_tyler\">Tyler Dergen<\/a>, whose feed largely comprises pro-Voatz tweets and retweets such as the one illustrated below.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Truly secure voting is in on the way \u2014 <a href=\"https:\/\/twitter.com\/hashtag\/Voatz?src=hash&amp;ref_src=twsrc%5Etfw\">#Voatz<\/a> is grateful to play a part in this important work in making <a href=\"https:\/\/twitter.com\/hashtag\/voting?src=hash&amp;ref_src=twsrc%5Etfw\">#voting<\/a> safer, more secure, and <a href=\"https:\/\/twitter.com\/hashtag\/accessible?src=hash&amp;ref_src=twsrc%5Etfw\">#accessible<\/a> to all: <a href=\"https:\/\/t.co\/gIWfbToVtf\">https:\/\/t.co\/gIWfbToVtf<\/a> (<a href=\"https:\/\/twitter.com\/wroush?ref_src=twsrc%5Etfw\">@wroush<\/a> via <a href=\"https:\/\/twitter.com\/sciam?ref_src=twsrc%5Etfw\">@sciam<\/a>) <a href=\"https:\/\/t.co\/DeoZvek1rR\">pic.twitter.com\/DeoZvek1rR<\/a><\/p>\n<p>\u2014 Voatz (@Voatz) <a href=\"https:\/\/twitter.com\/Voatz\/status\/1224770103805382657?ref_src=twsrc%5Etfw\">February 4, 2020<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">When Cointelegraph first accessed his LinkedIn account, the only other name under the \u201cpeople who also viewed\u201d section was Voatz CEO Nimit Sawhney.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2020\/02\/Tyler-Durgen-LinkedIn.png\"><img loading=\"lazy\" class=\"wp-image-4075 size-full aligncenter\" src=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2020\/02\/Tyler-Durgen-LinkedIn.png\" alt=\"Tyler Durgen Voatz Advocate LinkedIn Profile\" width=\"313\" height=\"512\" srcset=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2020\/02\/Tyler-Durgen-LinkedIn.png 313w, https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2020\/02\/Tyler-Durgen-LinkedIn-183x300.png 183w, https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2020\/02\/Tyler-Durgen-LinkedIn-293x479.png 293w\" sizes=\"(max-width: 313px) 100vw, 313px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h3><b>What\u2019s The Point Of A Bug Bounty, Anyway?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Researchers probing a system under a bug bounty are not generally required to register, says Albert. \u201cThe whole point of having a bug bounty program is so that you don&#8217;t necessarily have a conversation in advance with every person who may be doing something on your system,\u201d they explained. \u201cAs long as they&#8217;re following the policy, they know that they&#8217;re in a good place with regards to potential claims regarding unauthorized access.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">And, Albert points out, if the students had read the bug bounty program as it existed from August 21, 2018, to October 4, 2019, they wouldn&#8217;t necessarily have any reason to think that these terms only covered the test app and that testing the live app wasn&#8217;t acceptable.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Additionally, Albert said, referring students and researchers to the FBI will mean that nobody wants to test these systems, making them less secure. The referral \u201cbasically tells security researchers who might want to investigate this company&#8217;s product, you can&#8217;t necessarily trust what we&#8217;re going to say about whether your testing is authorized. We may refer you to the FBI anyway.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">No charges appear to have been filed, but Albert said that even contemplating the potential for criminal charges can be a harrowing experience that may require students to retain attorneys and decide how they\u2019re going to respond to an FBI request for information or warrants for their devices. \u201cAn investigation, even if it ends positively without charges, is a life-altering, totally consuming experience,\u201d Albert said. \u201cTurning [students] over to the FBI when there&#8217;s every indication that they&#8217;re doing good-faith security research consistent with your bug bounty policy is just inappropriate.\u201d<\/span><\/p>\n<h3><b>Slow Bug Bounty Response Time<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Cable himself reported what he thought was a fairly severe vulnerability to Voatz through its bug bounty in July. He received an email a few days after he submitted letting him know that the company was reviewing it, but says they didn\u2019t actually confirm the vulnerability until almost a month later\u2014a level of responsiveness that\u2019s unusual, but consistent with Voatz\u2019s secrecy about its app.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cTheir response also felt insufficient,\u201d Cable said.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The bug he submitted was for the Voatz Lite system, which is used for voting by web at universities, for example.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Although he says Sawhney promised to give him access for testing, Cable said that Voatz never followed through.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cIt seemed like I could just cast the votes with an ID of a different user,\u201d Cable said, \u201cand it seems like it would go through.\u201d The company denied that it would go through, but didn\u2019t provide Cable evidence of that, and did not allow him to test it again. \u201cI have no clue if this would actually work because they didn\u2019t want to verify it. They told me they would give me a way to test it again, but they didn\u2019t,\u201d he said.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Whether apps are being used to tally caucus results or for voting itself, these tools must allow for robust testing and auditing\u2014and yes, bug bounties\u2014to increase the chance of finding and fixing any vulnerabilities before they\u2019re exploited by those seeking to do harm. Companies should welcome security researchers, especially when their apps are utilizing newer technology, such as blockchain.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Promises of freedom to hunt for bugs should never be accompanied by prosecution for doing so\u2014especially when the integrity of elections, and public trust in them, are at stake.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bug bounty hunters help voting apps offer a more secure system. But the FBI has investigated a student researcher searching for bugs in the Voatz app, after the company changed its bug bounty conditions following an &#8216;intrusion&#8217;.<\/p>\n","protected":false},"author":12,"featured_media":4072,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"mc4wp_mailchimp_campaign":[],"_links_to":"","_links_to_target":""},"categories":[157],"tags":[],"yst_prominent_words":[],"_links":{"self":[{"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/posts\/4071"}],"collection":[{"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/comments?post=4071"}],"version-history":[{"count":3,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/posts\/4071\/revisions"}],"predecessor-version":[{"id":5071,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/posts\/4071\/revisions\/5071"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/media\/4072"}],"wp:attachment":[{"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/media?parent=4071"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/categories?post=4071"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/tags?post=4071"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/cointelegraph.com\/magazine\/wp-json\/wp\/v2\/yst_prominent_words?post=4071"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}