Security Researchers Slam Voatz Over Stance on White Hats

Published by CoinDesk

A broad interpretation would allow companies to lay out what "authorized access" means in their terms of service, rather than implementing a technical barrier in a system that would alert security researchers when they've gone too far.

Voatz has repeatedly been the subject of critical security research, which CoinDesk has previously documented.

Voatz initially disputed these findings, though some of the issues were later confirmed by Trail of Bits, a security firm hired by Voatz.

The company even went so far as to refer the student security researcher to state authorities for alleged "unauthorized activity" under the Computer Fraud and Abuse Act (CFAA). The Electronic Frontier Foundation criticized Voatz by name in a brief filed with the court, as an example of a company that takes an aggressive approach to good-faith security researchers.

In response to Voatz's filing, a bevy of security researchers and organizations penned an open letter to publicly correct the record.

"We wanted to make it clear that Voatz's position is not supported by the cybersecurity and security researcher community, emphasize that security researchers contribute greatly to the security of our digital society, and underscore that a broad interpretation of the CFAA, which is what Voatz is advocating for, threatens security research activities at a national level," said Loden in an email.

The letter lays out the ways that Voatz's filing was allegedly self-serving, and an indicator of how companies like Voatz might use a broad interpretation of the CFAA to further crack down on critical security researchers.

According to Adams, if a broad ruling is made on the CFAA, security researchers would likely be discouraged from conducting research for fear of violating the "exceeds authorized access" part of the law.

A broad interpretation would allow companies to lay out what "authorized access" might mean in their terms of service, which can be easily changed and altered, putting security researchers at greater risk.

Laying out the limits of authorized access in a hard-to-find and even harder-to-read terms of service would leave security researchers guessing and create a chilling effect on research overall, he added.
