A plea by a blockchain voting company for the US Supreme Court to consider good-faith security researchers a threat to cybersecurity has been opposed by industry leaders.
The plea was put forward by the company Voatz in the form of an amicus brief submitted to the court in Nathan Van Buren v. United States on September 3.
Amicus briefs are legal documents filed in appellate court cases by non-litigants with a strong interest in the subject matter. The briefs advise the court of relevant additional information or arguments that the court might wish to consider.
The brief submitted by Voatz argues in favor of a broad interpretation of the Computer Fraud and Abuse Act (CFAA) and positions independent security researchers seeking to detect vulnerabilities and bring them to the attention of vendors as "a threat"’ to cybersecurity.
Today, cybersecurity leaders from the private and public sector signed a formal letter in opposition to the amicus brief from Voatz.
The letter urges the US Supreme Court, Congress, regulators, and election officials to discount Voatz’s arguments and instead adopt a narrow interpretation of the CFAA. This alternative perspective is supported by the Electronic Frontier Foundation, Professor Orin Kerr, Atlassian, Mozilla, and Shopify, among others.
Those in favor of a narrow interpretation believe that a broad interpretation could jeopardize security research at a national level and cause legal prohibitions to impede what they see as a societal obligation inherent in such work.
The letter was submitted by leading security researcher Jack Cable on behalf of a coalition of key members of the cybersecurity community.
"Hackers are here to defend every aspect of our lives. From finding vulnerabilities in social networking software housing precious data to searching for security holes in elections systems, our democracy directly depends on those who can preserve our information and our votes from being abused," said Alex Rice, CTO and co-founder of HackerOne and one of the letter's signatories.
"This work is vital—even required for federal civilian agencies under CISA’s Binding Operational Directive 20-01—and we must establish the proper protections for those who do it."