Security Research Archives - Center for Democracy and Technology
https://cdt.org/area-of-focus/cybersecurity-standards/security-research/
Fri, 26 Aug 2022 03:12:25 +0000

Once More, With Feeling: Security Research Should Not Be Chilled by Uncertainty in Copyright Law
https://cdt.org/insights/once-more-with-feeling-security-research-should-not-be-chilled-by-uncertainty-in-copyright-law/
Tue, 15 Dec 2020 22:15:19 +0000

This week CDT, along with the US Technology Policy Committee of the Association for Computing Machinery and Professor Alex Halderman (represented by Prof. Blake Reid and the incredible students at the Samuelson-Glushko Technology Law and Policy Clinic at Colorado Law), filed comments in support of our joint petition for an expanded exemption under Section 1201 of the Digital Millennium Copyright Act (DMCA).

Every three years, the U.S. Copyright Office considers whether the anti-circumvention provision of the DMCA is making (or is likely to make) it difficult for people to use copyrighted works in ways that do not infringe copyright. This provision, Section 1201, makes it illegal to bypass the digital locks, sometimes called technological protection measures (TPMs) or access controls, that prevent you from accessing the computer code embedded in everything from DVDs to pacemakers. The trouble is that Section 1201 does not distinguish between circumventing TPMs to break the law and infringe copyright, and circumventing TPMs for lawful and legitimate reasons, such as unlocking a smartphone, repairing a car, or researching security vulnerabilities in voting machines and other software. So the Copyright Office conducts rulemakings to create three-year-long exemptions to Section 1201 so that people can legally access this software.

In this and the two previous rounds of exemptions, CDT joined computer scientists and researchers in asking the Office for a broad exemption for security research. The Office approved the exemption in 2015, paving the way for more beneficial research into the security and safety of many products containing copyrighted computer code. This exemption helped researchers by giving them more legal certainty, which had the added benefit of encouraging manufacturers to work with researchers rather than threatening them with lawsuits.

This week, CDT and others once again asked the Copyright Office to remove many of the limitations and conditions from the previous exemption so that security researchers would enjoy even greater legal clarity in the future. We asked for the removal of these conditions and limitations not only because they add uncertainty to the legal calculus researchers must do before starting a project, but also because they do not address copyright concerns.

For example, we asked the Office to eliminate from the current exemption language that makes it unclear whether researchers could, without risking liability under Section 1201, publish their research or warn the public about unpatched security vulnerabilities in software or devices. We also asked the Office to remove a condition that could impose liability under Section 1201 if researchers commit even minor, unintentional violations of “any applicable law” in the US. The Office of course cannot make researchers exempt from other laws, but it should not expand liability under Section 1201 to encompass violations of non-copyright law, especially laws as broad and inconsistently interpreted as the Computer Fraud and Abuse Act (CFAA).

The 8th triennial rulemaking process will run through the spring of 2021. We hope the Office will grant our petition and add some much-needed certainty for researchers working in good faith to improve the security of software and devices we use every day.

Read the full comments here.

The post Once More, With Feeling: Security Research Should Not Be Chilled by Uncertainty in Copyright Law appeared first on Center for Democracy and Technology.

CDT Join Open Letter in Response to Voatz’s Supreme Court Amicus Brief
https://cdt.org/insights/cdt-join-open-letter-in-response-to-voatzs-supreme-court-amicus-brief/
Thu, 17 Sep 2020 03:45:49 +0000

CDT added its signature to a letter in response to Voatz’s recent SCOTUS brief advocating a broad interpretation of the CFAA. We join EFF, HackerOne, Bugcrowd, and many others in the security community to further support the amicus brief that CDT, EFF, and others filed with the U.S. Supreme Court in Van Buren v. United States arguing in favor of a narrow interpretation of the Computer Fraud and Abuse Act (CFAA), enacted in 1986. By contrast, Voatz’s amicus brief repeatedly refers to independent good faith security research as a threat to cybersecurity, and glosses over legally relevant factors of the case. CDT remains firm that security research is vital to the public interest. In our own brief we state:

“Amici write to inform the Court of the vital role that security researchers play and to demonstrate how the CFAA has hindered their work. They urge the Court to adopt a narrow construction of the law consistent with Congress’s intent and to clarify that contravening written prohibitions on means of access is not a violation of the CFAA.”

Read the full letter and signatory list here.

The post CDT Join Open Letter in Response to Voatz’s Supreme Court Amicus Brief appeared first on Center for Democracy and Technology.

The Supreme Court and the Copyright Office Have an Important Opportunity to Shore Up Much-Needed Security Research
https://cdt.org/insights/the-supreme-court-and-the-copyright-office-have-an-important-opportunity-to-shore-up-much-needed-security-research/
Thu, 09 Jul 2020 21:31:08 +0000

Computer pioneer and programmer Grace Hopper found the first computer “bug” in 1947. That bug was an actual insect found stuck to one of the parts of the Harvard Mark II, an electromagnetic calculator weighing 23 tons that could perform up to eight additions per second (or about one multiplication per second). In the 73 years since then, both computers and bugs have come a long way. The chipset that powers your smartphone is smaller and lighter than the moth stuck in the Mark II, and performs computations two or three hundred million times faster. All that speed is necessary to process the millions of lines of code instructions your device reads to do everything from telling time, to taking high-def video, to monitoring your vital signs. Some people even use them for making phone calls!

But more software and hardware bugs come along with the millions of lines of code, and phones aren’t the only computing devices we depend on. As computers and computer programs become more and more complex, their designers face the increasingly difficult challenge of finding and fixing the inevitable flaws that come from building immensely complex systems (often with repurposed chunks of code and hardware from older, but still buggy, systems). Despite the best efforts of the teams that build these systems, many still contain flaws and vulnerabilities when they are deployed. Likewise, even a previously debugged chunk of code can become part of a vulnerability when re-used in a different context, or when new kinds of attacks emerge.

Finding and fixing flaws in computers and computer programs is a never-ending job, one that requires robust testing and updating. But two federal statutes make this task even harder than it already is: the Computer Fraud and Abuse Act (CFAA), which was designed to prevent malicious actors from accessing government-controlled computers, and Section 1201 of the Digital Millennium Copyright Act (DMCA). The CFAA will be reviewed by the Supreme Court for the first time this year, in Van Buren v. United States. The U.S. Copyright Office will soon begin its triennial rulemaking to authorize exemptions to the DMCA. Both opportunities create an important chance for the Court and the Copyright Office to clarify the legality of much-needed security research.

The Van Buren Case

The CFAA prohibits knowingly accessing a protected computer without authorization, or exceeding authorized access and either obtaining (or altering) information or causing damage. The term “protected computer” is broadly defined, and includes basically any computer connected to the internet. The phrase “exceeding authorized access,” however, has been interpreted to mean different things by various judges. 

On one end of the spectrum, some judges (in the 2nd, 4th, and 9th Circuits) have said that to exceed authorized access requires getting past some kind of technical control, such as a password. On the other end, some judges have said that even unauthorized use of information that a person is authorized to access can be a violation. For example, an employer might authorize an employee to access certain information for some, but not all, purposes, or to use their computers for work-related, but not personal purposes. According to the 1st, 5th, 7th, and 11th Circuits, contravening such use limitations can be considered “exceeding authorized access” and can therefore be a CFAA violation.

The Supreme Court will hear its first ever CFAA case this fall and the facts of the case are primed to resolve these disparate interpretations. In Van Buren v. US, the petitioner, a police officer, used his department-issued computer to access information for a purpose that was not authorized. The 11th Circuit upheld his conviction under the CFAA, but now the Court is set to opine on whether the law applies to such purpose-based limitations, or if “authorized access” is defined by an actual limitation on one’s ability to access a computer or information. 

This case could have significant ramifications for the scope of the CFAA – in particular, addressing whether the bounds of a federal crime should be set by private entities when they write their terms of service. The case has particular significance for white hat security researchers and other academics, for whom the risk of potential criminal liability for violating a website’s service terms has tremendous chilling effects. That’s why CDT, as well as a host of other civil society and professional organizations, has weighed in on the case.

Security Research Under the CFAA

For independent security researchers, the risk of liability under the CFAA (and potential for major fines and prison time) is a major deterrent—many choose to completely avoid research that might involve any “protected computer” rather than take a chance that their work might cause them to exceed authorized access. Under the narrower interpretation (based on one’s authorized ability to access), security researchers have greater certainty that what they do stays on the right side of the law, because some technical barrier lies between them and material they are not authorized to access. 

However, under the broader, purpose-based interpretation of authorization, researchers face significant uncertainty and risk. This interpretation allows computer owners to define the limits of authorized access with things like acceptable use policies, terms of service, or other non-technical mechanisms. Not only does this reading give private entities the power to define criminality, it also lets them leverage the CFAA to threaten any uses of information they deem improper. For security researchers, this means that the rules controlling what they may access (and for what purposes) are not always clearly defined, are subject to change, and often require legal assistance to interpret. 

This uncertainty for researchers has real-world consequences. As a result of the CFAA’s chilling effects, many internet-based or connected systems are never tested by independent researchers, which means that any flaws or vulnerabilities they have are more likely to be found and exploited by bad actors, rather than found by researchers committed to identifying vulnerabilities so they may be fixed. In a 2018 report, CDT interviewed 20 academic and independent researchers about their perceptions of the risks associated with their work, and over half of them mentioned the CFAA as a major risk factor. This report was cited in the amicus brief filed by the Electronic Frontier Foundation on behalf of security researchers and CDT this week, which illustrates for the Court the importance of independent security research and the CFAA’s chilling effect.

Why Van Buren Also Implicates the DMCA

If the Court adopts the narrower interpretation of “exceeds authorized access,” it may also improve copyright law. Section 1201 of the DMCA prohibits the circumvention of any effective technological protection measure restricting access to a copyrighted work. If that strikes you as similar to the CFAA’s standard of “exceeding authorized access,” we agree. Section 1201 also has the same chilling effect on security research: many researchers simply avoid circumventing any type of access controls rather than face liability under the DMCA. Notably, the DMCA does not require any actual infringement of copyright for a person to be found liable for a costly legal violation — the act of circumvention is enough. Access controls are ubiquitous, but they do not necessarily indicate whether someone is authorized to access the material the access controls protect: for example, companies use access controls to prevent interoperability of devices like garage door openers and to prevent farmers from diagnosing and repairing their own tractors, but few would argue that garage door and tractor owners are not authorized to access parts of their own purchases.

Although the DMCA grants a few exemptions for things like reverse engineering and “security testing,” these exemptions are so poorly worded that no one relies on them. The statute also creates a process by which the Copyright Office and Librarian of Congress can issue temporary exemptions. CDT and others have worked to obtain and improve a broad temporary exemption for security research since 2015. Unfortunately, both the statutory and temporary exemptions contain a clause saying that violating any other law, specifically including the CFAA, makes one ineligible for the exemption. An overbroad reading of the CFAA thus impedes even research and security activities that the Copyright Office agrees should be permitted in its triennial DMCA rulemaking. In Van Buren, the Supreme Court has a chance to clean up this damaging uncertainty.

Conclusion

Like everyone else, researchers must obey the law. But the standards of criminal liability under the CFAA should not turn simply on the terms of service adopted by private website owners, when those terms of service are often vague, overbroad, and subject to frequent change. Similarly, security researchers shouldn’t face liability under the DMCA—and its threat of significant monetary penalties—for engaging in conduct that the Copyright Office’s triennial rulemaking process expressly recognizes as having a legitimate, non-infringing value.

The world needs more researchers working to improve the security of computers and computer systems, because we all benefit when flaws are fixed rather than exploited. The Copyright Office will soon begin the 8th triennial process for granting exemptions, and CDT will once again ask for a broader, clearer exemption under the DMCA in hopes of creating greater certainty for the security research community. Meanwhile, the Van Buren case creates a crucial opportunity for the Supreme Court to clarify the bounds of the CFAA and, consequently, the DMCA as well.

We hope the Court and the Copyright Office will help researchers feel more certain that they may perform beneficial research without running afoul of the law.

The post The Supreme Court and the Copyright Office Have an Important Opportunity to Shore Up Much-Needed Security Research appeared first on Center for Democracy and Technology.

CDT Joins EFF, Cybersecurity Firms in Amici Curiae Brief Defending Security Researchers Against Broad CFAA Interpretation
https://cdt.org/insights/cdt-joins-eff-cybersecurity-firms-in-amici-curiae-brief-defending-security-researchers-against-broad-cfaa-interpretation/
Thu, 09 Jul 2020 15:19:58 +0000

CDT joined the Electronic Frontier Foundation (EFF) and cybersecurity firms Bugcrowd, Rapid7, SCYTHE, and Tenable to file a friend-of-the-court brief alongside the petitioner in NATHAN VAN BUREN v. U.S.

The Center for Democracy & Technology (“CDT”) is a nonprofit public interest organization that supports laws, corporate policies, and technical tools to protect the civil liberties of Internet users and represents the public’s interest in maintaining an open Internet. CDT supports the clear and predictable application of cybercrime statutes including the CFAA. CDT has filed amicus briefs in several CFAA cases, including United States v. Manning, 78 M.J. 501 (A. Ct. Crim. App. 2018), United States v. Valle, 807 F.3d 508 (2d Cir. 2015), and United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009).

Summary of Argument

Congress passed the CFAA in recognition of growing security threats that malicious attackers could pose to computers and networks, especially computers used by the federal government and financial institutions. See hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 1001 (9th Cir. 2019). Over the following decades, however, the CFAA has been interpreted too broadly, with the perverse effect of slowing the development of computer security, undermining the very purpose of the law. That is because, in practice, secure computing and software relies heavily on the work of independent researchers in academia, industry, public service, and independent practice to identify and fix flaws that malicious attackers could otherwise exploit. These researchers work to identify serious shortcomings in systems ranging from medical devices to voting machines to cloud services to critical national infrastructure. This research is especially urgent as we find ourselves integrating networked computers into our homes, vehicles, and even our bodies.

Despite widespread agreement about the importance of this work—including by the government itself—researchers face legal threat for engaging in socially beneficial security testing. Under the government’s broad interpretation of the CFAA, standard security research practices—such as accessing publicly available data in a manner beneficial to the public yet prohibited by the owner of the data—can be highly risky.

Amici write to inform the Court of the vital role that security researchers play and to demonstrate how the CFAA has hindered their work. They urge the Court to adopt a narrow construction of the law consistent with Congress’s intent and to clarify that contravening written prohibitions on means of access is not a violation of the CFAA.

Read the full brief here.

The post CDT Joins EFF, Cybersecurity Firms in Amici Curiae Brief Defending Security Researchers Against Broad CFAA Interpretation appeared first on Center for Democracy and Technology.

Everything is Broken—And That’s OK, Because It’s Getting Better
https://cdt.org/insights/everything-is-broken-and-thats-ok-because-its-getting-better/
Fri, 13 Sep 2019 14:56:56 +0000

Last year, the theme of DEF CON was “The View from Dystopia’s Edge” – headlines like “An 11-Year-Old Changed The Results Of Florida’s Presidential Vote At A Hacker Convention” certainly delivered on that message. This year’s theme, “Technology’s Promise,” was meant to invoke feelings of hope about the benefits of incorporating technology to help solve seemingly intractable problems, such as securing elections. My experience at the DEF CON and BSidesLV security conferences reinforced the idea that there is a great opportunity for progress in the election space when communities can come together.

One of the key concerns we face is a limited number of election equipment vendors. For all of the talk about how the decentralized election system in America is a security feature, there is a false sense of diversity. In reality, the top three election system vendors have a combined market share of more than 90%. This high level of concentration is exacerbated by the fact that long-term federal funding has been limited to large infusions once every 15 years.

Despite the significant barriers to enter the market, the attention that election security has generated due to DEF CON’s Voting Machine Hacking Village is enough to attract some new members to the community. I shared a panel on “Free and Fair Elections in an Internet Era” at BSidesLV with one of them, Tusk Philanthropies. The organization aims to increase voter turnout; one way to do this is to allow voters to use their own mobile device. Tusk is supporting the mobile elections platform Voatz’s work to do just that through a series of pilots in West Virginia, Colorado, and Utah. It is important for alternative voting methods to be explored and, more importantly, have the results of those pilot programs be made available to the public for scrutiny and learning.

Elections technology innovation is also coming from the federal government. The U.S. Defense Advanced Research Projects Agency (DARPA) demonstrated a prototype of high-assurance secure hardware from its System Security Integration Through Hardware and Firmware (SSITH) program. DARPA was not at DEF CON as a traditional vendor with a finished product to promote. Rather, the goal was to get election security researchers to examine the prototype secure voting system, and to better understand what the SSITH program can accomplish in terms of demonstrating secure hardware systems. The prototype system even included built-in vulnerabilities for the researchers to try to find and exploit. Exploring radically different models of voting and protecting those systems using modern technologies is something that the current election systems market discourages because so many resources are focused on maintaining, not disrupting, the status quo.

Some election officials in attendance were able to experience the DEF CON Villages firsthand through a “chaperone” program organized by DHS. Hacker Summer Camp (the colloquial name for the successive Black Hat, BSidesLV, and DEF CON security conferences) can be an intimidating environment for policymakers. Pairing new attendees with DEF CON regulars for an afternoon of visiting other villages showed a pathway toward a mature village with active vendor participation. My group spent valuable time in the BioHacking Village, where representatives from 10 medical device-makers brought their wares for researchers to explore. The researchers weren’t simply picking over the digital carcasses of secondhand equipment. They were engaging with modern devices in an immersive hospital environment while learning responsible research and vulnerability disclosure techniques. The experience highlighted just how much can be accomplished when researchers, vendors, and practitioners work together, especially in critical infrastructure sectors.

There are still challenges. While the election community has matured since the Voting Machine Hacking Village made its DEF CON debut in 2017, when organizers were threatened and criticized by vendors for just having equipment available to be openly hacked, the Voting Village would greatly benefit from direct participation from vendors. This year revealed more vulnerabilities in even more equipment, such as passwords stored in plain text on pollbooks and a scanner that could be opened after the polls closed. Dominion committed to bringing their current line-up of election products but could not come to an agreement with Voting Village organizers on the rules of engagement. It was a small but important step in building trust toward a more productive vendor-researcher relationship that other sector-specific villages, like the Car Hacking Village and Industrial Control Systems Village, have achieved after an equally tumultuous start.

The hacker ethos is that, if we look closely enough at any system, we can find something that is broken. Elections are no different. But we are improving. It was heartening to see the positive steps that come from the exploration of modern technologies and building relationships with the research community to find and secure vulnerabilities.

The post Everything is Broken—And That’s OK, Because It’s Getting Better appeared first on Center for Democracy and Technology.

The American AI Initiative: A Good Start, But Still A Long Way to Go
https://cdt.org/insights/the-american-ai-initiative-a-good-start-but-still-a-long-way-to-go/
Wed, 13 Feb 2019 16:56:07 +0000

This week, President Trump signed an executive order titled the “American AI Initiative.” While this order lays out some useful first steps toward a larger national policy and course of action for artificial intelligence (AI), the administration will need to do more to ensure its goal of maintaining American leadership in AI technologies. Although the order’s broad “policies and principles” section includes calls to preserve civil liberties, privacy, and American values, it is not entirely clear what those values are or whether they might conflict with the other priorities listed in the order, such as economic competitiveness. Let’s talk first about what the order does before turning to some things it does not do.

What it does:

In terms of concrete actions, the order lays out several steps for agencies to take. Overall, agencies are instructed to consider AI as a research and development (R&D) priority. This includes assessing which programs might or already do involve AI and which will be prioritized, as well as reporting how much money will be spent on those projects. The order instructs agencies to “budget an amount for AI R&D that is appropriate for this prioritization,” but as we’ll discuss later, does not set out additional funds for AI R&D.

Most of the order’s concrete actions center around improving access to federal data and models. The order calls for agencies to review their federal data and models, and identify opportunities to increase access and use by the non-federal AI research community. Agencies are also instructed to improve their data and model inventory documentation. Improving public access to federal data would give researchers a broader, more diverse pool of data with which to build and train machine learning models. Opening federal data sets for public use also allows for more diversity in the uses for that data, potentially leading to applications that might not have been developed by federal agencies. Finally, more publicly-accessible data helps to democratize the development of new AI and machine learning technologies, which should expand opportunities to develop applications that primarily serve public interests.

Additional aspects of the order’s efforts to improve access to and use of federal data require the Office of Management and Budget (OMB) to collect public comments on how agencies can make more data and models available, as well as what kinds of data are most needed. OMB is also instructed to investigate barriers to access or quality limitations of federal data and models that impede AI R&D and testing. We encourage researchers and other interested parties to submit comments once this proceeding officially opens (in 90 days or so).

After the OMB public comment period, agencies are also instructed to consider methods of improving the quality and usability of, and appropriate access to, priority data identified by the AI research community. This may not result in much actual change, but the comment period will at least establish a public record which can help hold agencies accountable. Agencies must also identify barriers to, or requirements associated with, increased access to and use of federal data and models. These include privacy and civil liberty protection for individuals, safety and security concerns, and the interoperability of data and models. This is no small task, and while CDT is glad that the order acknowledges the importance of addressing these concerns with respect to federal data, it gives agencies little guidance as to how to weigh these concerns against other constraints and objectives. More generally, CDT would like to see greater emphasis on and more attention to these concerns as a top-level element of a national AI policy.

Finally, the order instructs the Secretary of Commerce, through the Director of the National Institute of Standards and Technology (NIST), to “issue a plan for Federal engagement in the development of technical standards and related tools in support of reliable, robust, and trustworthy systems that use AI technologies.” Again, while this doesn’t provide much detail or require much more than creating a plan with limited scope, it does require NIST to at least think about what “reliable, robust, and trustworthy systems” might look like and formally engages the Institute in the larger discussion about AI standards and policies.

What it doesn’t do:

Although the order lays out some lofty goals and takes a few preliminary steps toward them, it also lacks several elements that would have resulted in a more substantial addition to AI policy. The most obvious gap is dedicated funding. Granted, federal spending is ultimately up to Congress, but the order could have gone further than asking agencies to consider AI R&D a “priority.” Perhaps the President’s budget proposal will do more to show the administration’s dedication to AI policy.

The order does, in places, call for the consideration of privacy interests and the protection of civil liberties. However, there are no calls to ensure that AI applications serve the public interest, nor any instructions to agencies to even consider what regulatory guardrails might be integral to ensuring that the American AI Initiative primarily benefits the public. The order also fails to call for fairness in AI, even for AI applications developed and used by federal agencies. CDT respectfully suggests that national AI policy should focus on ensuring that technologies benefit human societies and that the underlying technology should fairly and accurately reflect the values of the people it affects. This should be central to, not eclipsed by, the goal of maintaining American leadership in AI. To that end, the order could have been more explicit about the values it intends to promote.

Relatedly, the order seems to be premised on the idea that the best AI strategy is simply to make more of it as rapidly as possible. The order does little to acknowledge that AI presents both opportunities and risks (other than the risk of falling behind, internationally). Overall, the American AI Initiative moves in the right direction, and CDT looks forward to this and future administrations continuing to engage with AI policy in a detailed, thorough, and balanced manner.

The post The American AI Initiative: A Good Start, But Still A Long Way to Go appeared first on Center for Democracy and Technology.

Getting Better All the Time: Security Research and the DMCA
https://cdt.org/insights/getting-better-all-the-time-security-research-and-the-dmca/
Fri, 26 Oct 2018 16:24:15 +0000
Every three years, the U.S. Copyright Office considers whether the anti-circumvention provision of the Digital Millennium Copyright Act (DMCA) is (or is likely to) make it difficult for people to use copyrighted works in ways that do not infringe copyright. This provision, Section 1201, makes it illegal to bypass the digital locks, sometimes called technological protection measures (TPMs) or access controls, that prevent you from accessing the computer code embedded in everything from DVDs to pacemakers. The trouble is that Section 1201 does not distinguish between circumventing TPMs to infringe copyright and circumventing for legitimate reasons, such as modification (think unlocking a smartphone) or repair (fixing a car). So the Copyright Office conducts rulemaking to create temporary exemptions to Section 1201 so that people can legally access this software.

In this and the previous round of exemptions, CDT joined computer scientists and researchers in asking the Office for a broad exemption for security research. The Office approved the exemption in 2015, paving the way for more beneficial research into the security and safety of many products containing copyrighted computer code. This exemption helped researchers by giving them more legal certainty, which had the added benefit of encouraging manufacturers to work with researchers rather than threatening them with lawsuits.

This time around, CDT and others asked the Office to remove many of the limitations and conditions from the previous exemption so that researchers might work on even more kinds of products and systems and enjoy even greater legal certainty in the future. Although the Copyright Office did not recommend all of our proposals, Acting Register Karyn Temple’s recommendations represent a significant improvement over the 2015 exemption. These recommendations have already been approved by the Librarian of Congress and a final rule will issue in the Federal Register on October 26.

Expanded Scope

The biggest improvement to the temporary exemption for security research is the removal of the so-called “device limitation,” which limited the applicability of the exemption to research performed on devices “primarily designed for use by individual consumers,” “motorized land vehicles,” some implantable medical devices, and voting machines. The new exemption expands the scope to include computer programs operating on devices, machines, computers, systems, or networks. This expansion will allow researchers to test the security of many more types of devices and systems, such as industrial-scale HVAC systems.

Improved Environment

Another limitation in the previous exemption required research to be carried out in a “controlled environment,” which created uncertainty for researchers who feared that research performed outside of a laboratory might not qualify for the exemption. In an effort to clarify this limitation, the Register recommended removing the word “controlled” while preserving the rest of the limitation, which requires research to be carried out in an environment “designed to avoid any harm to individuals or the public.” Although there may still be some uncertainty about the implications of the word “designed,” the Register makes clear her position that testing outside of a lab will be covered by the exemption so long as common-sense precautions are taken. This added certainty will allow researchers to test the security of devices and systems in environments that more accurately reflect real-world conditions, while still ensuring that such research will not create safety risks for participants or bystanders.

More Guidance

Although the Register declined to recommend the removal of other limitations, she did include in her recommendations some helpful guidance as to the Office’s interpretation of a few of those limitations. First, the Register clarified that, while any devices on which researchers wish to work must still be “lawfully acquired,” eligibility for the exemption should not be limited by “restrictive contractual terms purporting to limit the use of hardware on which the copyrighted software is running.” This guidance is helpful in terms of clarifying the Office’s intended bounds for the exemption as it applies to things a researcher might “acquire,” such as a mobile device, a car, or a voting machine. To address research on things that are too big or too expensive for a researcher to acquire, like industrial control systems, the Register included a clause allowing such research with the authorization of the owner or operator of the system.

Second, although the Register declined to recommend the removal of the “access limitation,” which requires that research be “solely” for the purpose of “testing, investigation, or correction,” she clarified that activities such as teaching and peer review are not prohibited. This is an important clarification for many researchers in the academic community for whom research without the ability to publish and discuss their results is of little value.

Third, the Register clarified, but did not remove, the “use limitation” which requires that information gained through research “is not used or maintained in a manner that facilitates copyright infringement.” According to the Register, this limitation only applies to the researcher’s use and maintenance of the information and does not depend on the actions of third parties who might use the information to infringe copyright.

Finally, the Register declined to remove the requirement that research must be in accordance with all other laws, specifically including the Computer Fraud and Abuse Act (CFAA). She explained that, to the extent that other laws deter security research, it is those laws and not Section 1201 of the DMCA that inhibit researchers, therefore removing the limitation would not change researchers’ ability to (legally) conduct research. It is true that the 1201 exemptions cannot remove the obligation to comply with other laws; indeed, researchers (and everyone else) will always be on the hook for compliance with the law. It is unclear why a researcher who inadvertently violates an obscure state law in the course of her research should then also be liable under copyright law.

Overall, this round of the 1201 triennial rulemaking has been a great success. CDT applauds the Copyright Office and Acting Register’s efforts to improve both the process and the exemptions. It worked. The streamlined process saved the time and resources of all interested parties and resulted in broader, more useful exemptions. But there is still room for improvement. CDT looks forward to working with the Office and others to reduce Section 1201’s barriers to non-infringing uses of copyrighted works and to providing more legal certainty for the researchers helping to improve the security of computer software, devices, and systems.

DOJ Writes to Copyright Office: Security Research is Cool.
https://cdt.org/insights/doj-writes-to-copyright-office-security-research-is-cool/
Mon, 16 Jul 2018 19:38:10 +0000
On June 28, the Computer Crime and Intellectual Property Section (CCIPS) of the Department of Justice sent a letter to the Copyright Office. In this letter, CCIPS voiced its support for CDT’s request that the Office expand an exemption under Section 1201 of the Digital Millennium Copyright Act (DMCA) that allows computer security researchers to find and repair flaws and vulnerabilities in programs without running afoul of copyright law. (For those wondering how computer scientists might violate copyright law, the short answer is, “Because Section 1201 is too broad.” For a longer explanation, check out our past posts about the previous exemptions, the exemption process, and how the Office improved that process this year.)

Thanks to the Office’s streamlined process in this round, we were able to suggest improvements to the exemption granted in the last proceeding. Essentially, CDT asked the Office to remove each of the many conditions and limitations built into the previous exemption to create an unambiguous exemption for good-faith computer security research, so that researchers can search for vulnerabilities without fear of copyright liability. Although some interest groups opposed our petition, their concerns were largely unrelated to the rights granted to copyright holders. Some even tried to depict copyright law as the last barrier between civilized society and a world overrun by hackers.

Fortunately the DOJ, which is responsible for enforcing the criminal provisions of the DMCA, has a far more reasonable view on the relationship between the anti-circumvention provisions of the DMCA, computer crime, and security research. To wit:

“As critically important as the integrity of voting machines or the safety of motorized land vehicles are to the American public, the DMCA was not created to protect either interest, and is ill-suited to do so. To the extent such devices now contain copyrighted works protected by technological protection measures, the DMCA serves to protect those embedded works. However, the DMCA is not the sole nor even the primary legal protection preventing malicious tampering with such devices, or otherwise defining the contours of appropriate research. The fact that malicious tampering with certain devices or works could cause serious harm is reason to maintain legal prohibitions against such tampering, but not necessarily to try to mirror all such legal prohibitions within the DMCA’s exemptions.”

Well said. CDT has made this point in all of our filings on this subject with the Office, and it is validating to hear it from the top computer crime enforcement agency. The letter goes on to support most of CDT’s requests to remove ambiguous conditions and arbitrary limitations from the existing exemption, while highlighting the importance of independent security research in everything from consumer devices to industrial-grade servers and network switching equipment.

To express our appreciation for both the letter and the Copyright Office’s willingness to accept it into the record for this exemption proceeding, we and our colleagues at the Samuelson-Glushko Technology Law & Policy Clinic submitted a response to the letter. We hope the Office will give the CCIPS letter due consideration as it prepares its recommendations for the next round of exemptions.

Security researchers have enough legal parameters to negotiate; copyright law needn’t be one of them.

New Voting System Vulnerabilities in Congo
https://cdt.org/insights/new-voting-system-vulnerabilities-in-congo/
Wed, 20 Jun 2018 18:03:55 +0000
Reading headlines, it might surprise some that the United States is not the only country with serious voting technology challenges. In fact, recent years have seen issues in India, Africa, and Latin America; technical experts have examined some of those systems and found them lacking.

Today, I’m pleased to report that The Sentry – an NGO that works to prevent genocide and mass atrocities in Africa – released a detailed analysis (full report PDF) of the new system slated for use in the upcoming elections in the Democratic Republic of the Congo (DRC). The Sentry worked with Argentinian security researchers Javier Smaldone (@mis2centavos) and Alfredo Ortega (@ortegaalfredo) and me to examine what little public information is available about this system. The verdict is not good.

These awesome Argentinian researchers, it turns out, had an opportunity to examine an earlier version of this system, also from South Korean company Miru, in 2016. At that time, they were able to show how completely insecure the Miru system was, including: publicly posted cryptographic keys allowing total modification of the system or vote data; radio transmission of each ballot, which was easily intercepted; and using chips embedded in each paper ballot (RFID tags) to load many more than one vote per ballot. Argentina stopped the procurement and legislative authorization process to obtain these machines shortly after the security researchers publicly presented these flaws to Argentinian legislators.

Fast forward to now: DRC has purchased 105,000 of these machines from Miru at a cost of US $130 million for use in their December 18 presidential election. As detailed in the report released today, the DRC machines appear to be the same machines that Miru attempted to sell to Argentina. In addition, this same company provided equipment to Iraq for their recent election, for which there will be a full recount of 11 million votes due to alleged machine irregularities.

In today’s report, we critique the newer version of the machine sold to DRC. The system has since been modified to use 2D barcodes (QR codes) printed on ballots, instead of encoding ballot data onto embedded (RFID) chips on each ballot. We point out that since each of these barcodes includes ballot-specific information to prevent double-voting, this destroys ballot secrecy in a fragile national environment where voter coercion and intimidation are very serious threats to election integrity. We further note that the system has a number of unprotected input ports. For example, a USB stick is inserted into the machine to activate a new voter session, despite the fact that USB sticks are a popular vector for malware to spread (cf. Stuxnet), and there is no indication that a rogue USB stick would be noticed by DRC election workers. Finally, these machines have 2G/3G cellular modems, the use of which is not specified by the DRC government. This means that the machines could be used to transmit official votes from polling locations to election headquarters over cellular connections that can be easily blocked or modified in transit.

In short, we make the case that there are many unanswered questions that must be addressed before anyone can say this system can be used safely in DRC elections. We call on the DRC government to allow independent technical examination of its use of this system and to commit to mitigating any serious vulnerabilities found before such a system is deployed in Congo.

Taking the Pulse of Security Research
https://cdt.org/insights/taking-the-pulse-of-security-research/
Tue, 10 Apr 2018 12:15:20 +0000

Security researchers and hackers are the tinkerers of the digital age; they toil among bits and bytes and occasionally come up with new, clever methods to both build and break the increasingly digital infrastructure all around us.

Today, a number of important things are happening in the world of security research that CDT is involved with:

  1. DMCA 1201 Hearing: The US Copyright Office is holding a hearing on the security research exemption to the anticircumvention prohibitions of Section 1201 of the Digital Millennium Copyright Act (DMCA);
  2. Research Report [here]: CDT’s Stan Adams and I are releasing a research report that used qualitative interviews of security researchers and hackers to get a better feeling for “chilling effects,” analyzing the forces – both incentives and disincentives – that shape the work of computer, network, and information security; and,
  3. Expert Statement [here]: CDT is releasing an expert statement with nearly 60 signatories expressing support for the critical nature of security research.

The Copyright Office (CO) every three years decides if certain technologies should be exempt from the DMCA’s prohibition on circumvention of access controls and, if so, under what conditions. In 2015, the CO allowed an exemption for security research on certain kinds of devices under certain specified limitations. It was a real victory at the time, and has paved the way for increased scrutiny of vehicles, medical devices, and networked consumer devices. However, the limitations imposed by the CO were quite restrictive, limiting the types of devices allowed and limiting investigations to controlled environments, solely for good faith security research, while not violating any other laws, including the Computer Fraud and Abuse Act (CFAA).

CDT and our co-petitioners, Prof. Ed Felten and Prof. J. Alex Halderman – assisted mightily by Blake Reid and the clinical law students of the Samuelson-Glushko Technology Law & Policy Clinic at Colorado Law – have asked the CO to remove all of these limitations. We’ve effectively asked for the exemption to be simplified to permit all forms of good-faith security research performed on software and software-controlled systems. We think this would go a long way toward removing any ambiguity about whether the DMCA does (or should) prohibit investigation into these systems’ protections, shortcomings, and potential mitigations. We’ll testify to that effect today at the hearing.

To underline the nature of chilling effects on hacking and security research, CDT has worked to describe how tinkerers, hackers, and security researchers of all types both contribute to a baseline level of security in our digital environment and, in turn, are shaped themselves by this environment, most notably when things they do upset others and result in threats, potential lawsuits, and prosecution. We’ve published two reports (sponsored by the Hewlett Foundation and MacArthur Foundation) about needed reforms to the law and the myriad ways that security research directly improves people’s lives. To get a more complete picture, we wanted to talk to security researchers themselves and gauge the forces that shape their work; essentially, we wanted to “take the pulse” of the security research community.

Today, we are releasing a third report in service of this effort: “Taking the Pulse of Hacking: A Risk Basis for Security Research.” We report findings after having interviewed a set of 20 security researchers and hackers – half academic and half non-academic – about what considerations they take into account when starting new projects or engaging in new work, as well as to what extent they or their colleagues have faced threats in the past that chilled their work. The results in our report show that a wide variety of constraints shape the work they do, from technical constraints to ethical boundaries to legal concerns, including the DMCA and especially the CFAA.

What emerges from our interviews is a “risk basis” for security research; a set of activities that can be performed in more or less risky ways. For example, security researchers may engage in an activity called network scanning, which involves iterating over a set of network addresses or communication protocols (or both) to test for a given feature or collect data across a network. We learned from our interviews that security researchers using network scanning can reduce risk by giving notice in the packets they send about the nature of the current project and how a network operator could opt-out of future scans. On the other hand, scanning efforts that do not allow opting-out, or that attempt to greedily consume resources are more likely to receive a legal threat. Our paper contains a number of other examples in the areas of accessing computers, obtaining information, circumventing access controls, disclosing vulnerabilities, and testing live systems.
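The notice-and-opt-out practice described above, worked through as an added example (this is not code from the CDT report or from any of the interviewed researchers): it builds the probe list for a scan, attaches headers that name the project and say how to opt out, drops any target inside an opted-out network before anything would be sent, and spaces the remaining probes so the scan does not greedily consume the target’s resources. The project name, notice URL and contact address are placeholders, the opt-out list and target addresses are constructed from documentation ranges, and the actual sending of packets is left out so the block runs offline.

```python
import ipaddress
import time
from typing import Dict, Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Placeholder identifiers for the example. A real project would point these at
# its own notice page and a monitored contact address.
PROJECT_NAME = "ExampleNet Research Scan"
PROJECT_URL = "https://example.org/scan-notice"
CONTACT = "scan-optout@example.org"

# Constructed opt-out list (documentation address ranges, not real operators).
OPT_OUT_LIST = """\
# one address or CIDR per line; '#' starts a comment
203.0.113.0/24        # an operator that asked not to be scanned
198.51.100.7          # a single host
2001:db8::/32         # an IPv6 prefix
"""

# Constructed targets: one inside the /24, one matching the single host, one
# inside the IPv6 prefix, and two that are clear to probe.
TARGETS = ["203.0.113.42", "198.51.100.7", "198.51.100.8", "2001:db8::1", "192.0.2.1"]


def notice_headers() -> Dict[str, str]:
    """Headers attached to every HTTP probe so an operator reading access logs
    can see what the traffic is, who sent it, and how to opt out of future scans."""
    return {
        "User-Agent": f"{PROJECT_NAME} (+{PROJECT_URL}; opt-out: {CONTACT})",
        "From": CONTACT,
        "X-Scan-Notice": PROJECT_URL,
    }


def parse_opt_out(text: str) -> List[Network]:
    """Parse an opt-out list of addresses and CIDRs. Bare addresses become /32
    or /128 networks so membership tests are uniform; strict=False tolerates a
    prefix written with host bits set (e.g. 203.0.113.5/24)."""
    nets: List[Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_opted_out(addr: str, nets: Iterable[Network]) -> bool:
    """True if addr lies inside any opted-out network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in nets)


class RateLimiter:
    """Enforce a minimum spacing between probes so the scan stays under
    max_per_second, the guard against greedily consuming a target's resources."""

    def __init__(self, max_per_second: float) -> None:
        self.interval = 1.0 / max_per_second
        self._last: Optional[float] = None  # monotonic time of the previous probe

    def wait(self) -> float:
        """Block until the next probe may be sent; return the seconds slept."""
        slept = 0.0
        if self._last is not None:
            due = self._last + self.interval
            now = time.monotonic()
            if now < due:
                slept = due - now
                time.sleep(slept)
        self._last = time.monotonic()
        return slept


def plan_scan(targets: Iterable[str], opt_out_text: str,
              max_per_second: float) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (probes, skipped). Each probe is the request a scanner would send
    to a target that has not opted out, with the notice headers attached;
    skipped lists the targets removed before any packet would leave the host."""
    nets = parse_opt_out(opt_out_text)
    limiter = RateLimiter(max_per_second)
    probes: List[Dict[str, object]] = []
    skipped: List[str] = []
    for target in targets:
        if is_opted_out(target, nets):
            skipped.append(target)
            continue
        limiter.wait()  # spacing applies only to traffic that is actually sent
        probes.append({"target": target, "headers": notice_headers()})
    return probes, skipped


if __name__ == "__main__":
    probes, skipped = plan_scan(TARGETS, OPT_OUT_LIST, max_per_second=5)
    for target in skipped:
        print(f"skip  {target}  (opted out)")
    for probe in probes:
        print(f"probe {probe['target']}  UA={probe['headers']['User-Agent']}")
```

For probes that carry no application-layer headers (a bare TCP SYN, for example), the same information is conventionally published on the scanning host itself, through its reverse-DNS name and a web page at that address, so an operator who looks up the source can still find the notice and the opt-out route.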

Finally, today we are releasing an expert statement from nearly 60 security researchers and experts that makes the case for the critical nature of security research – especially now, more than ever. The statement – signed by academic security researchers, independent security researchers, hackers, experts in security, and journalists who work in security – underlines the importance of security research to our modern digital society:

The ability of researchers to find and responsibly report vulnerabilities is more important today now that traditionally unconnected devices are being connected to the Internet and more of people’s lives are mediated by data, computation, and networking. Compromised systems and devices have been used to launch attacks all over the world. Vulnerability research, discovery, and disclosure are critical features of the modern digital society; the US National Institute of Standards and Technology has recognized in its Cybersecurity Framework that vulnerability disclosure is an important aspect of any effective cybersecurity program.

The letter closes by urging wide support for security research activities and rebuking those who would oppose these efforts. CDT believes strongly in the value of independent security research and will continue to work to achieve greater legal certainty for researchers and to promote a more robust security research community.
