Voting app developer Voatz Inc. is backing the Trump administration in urging the Supreme Court to turn down a request to review the wire fraud conviction of a former police officer who accessed a confidential law enforcement database for an improper purpose.
Voatz describes itself in its friend-of-the-court brief filed with the court as “a for-profit company running a mobile election voting application using blockchain technology,” and says its platform “has been designated as critical infrastructure by the United States Department of Homeland Security.”
The company says its app “has been successfully used in 70 elections, including 11 state and municipal elections,” and that its mission “is to make voting not only more accessible and secure, but also more transparent, auditable and accountable.”
The petition for certiorari sought by Nathan Van Buren, who was a police sergeant in Cumming, Georgia, raises questions about cybersecurity law and the federal Computer Fraud and Abuse Act (CFAA). Van Buren argues that if his conviction stands, any trivial breach of a computer system could be treated as a federal crime.
Advocacy groups such as the Electronic Frontier Foundation argue this approach to the CFAA would chill critical computer security research by exposing computer security researchers to criminal and civil liability. Such non-malicious researchers will try to hack into websites to test their security, which places them at risk.
It also, they argue, endangers “bug bounty” programs offered by some websites, organizations, and software developers, in which individuals can receive recognition and compensation for reporting bugs, especially those relating to website security shortcomings.
After a jury trial in federal court, Van Buren was convicted on one count of honest-services wire fraud and one count of exceeding authorized access to a protected computer. He was sentenced to 18 months in prison, to be followed by two years of supervised release.
In his work, Van Buren came to know a man who allegedly paid prostitutes to spend time with him and then often accused the women of stealing the money he gave them. Van Buren borrowed money from the man after becoming friendly with him. The man clandestinely recorded their interactions and gave the recordings to the local police.
The FBI got involved and set up a sting operation in which the man would give Van Buren money in exchange for law-enforcement information. Van Buren took the money and accessed the Georgia Crime Information Center database, which is connected to an FBI database.
The petitioner, Van Buren, now is asking the Supreme Court to review his conviction, arguing that what he did doesn’t actually constitute fraud. The Trump administration opposes the request for review, noting that, among other things, the petitioner hasn’t yet fully exhausted his appeals.
In its brief, Voatz argues that Van Buren’s effort to narrow the meaning of the CFAA is dangerous, because the statute as it stands is sufficient.
Such research and testing should only be carried out by “authorized parties,” such as private consulting firms and organized bug bounty programs, Voatz says. Unauthorized research and public dissemination “of unvalidated or theoretical security vulnerabilities can actually cause harmful effects,” so the Supreme Court should uphold Van Buren’s conviction and “the plain meaning of the CFAA.”
The cybersecurity and research community has locked horns with Voatz over its approaches.
An MIT report earlier this year criticized Voatz for a lack of transparency and vulnerabilities in its internal systems, NASDAQ.com reported. Trail of Bits, a cybersecurity firm later hired by Voatz to audit its systems, confirmed the MIT researchers’ claims.