I first began looking into Voatz for Slate’s Future Tense blog when an editor asked me to look into whether their blockchain voting pilot experienced any of the issues security researchers had warned about. What was supposed to be a pithy blog post turned into months of research, due in large part to Voatz’s lack of transparency.
I continued my reporting for Cointelegraph after a student security researcher was referred to the FBI over what the company said was an intrusion attempt–even though the research appears to have been protected by the safe harbor statement in the company’s bug bounty program. The bug bounty program terms on HackerOne were updated soon after the FBI referral made headlines.
I further wrote about infosec company Trail of Bits’ independent audit of Voatz, which confirmed many of the same bugs MIT researchers had previously found.
I followed Voatz’s story as it was kicked off of the HackerOne bug bounty program platform.
And, for Coindesk, I wrote about an open letter the American Association for the Advancement of Science’s Center for Scientific Evidence in Public Issues sent to U.S. governors, secretaries of state and state election directors to express concern about the security of voting via the internet or mobile apps.
My Slate piece was linked to by 538, Bloomberg, Fast Company, IB Times, IETT, QZ, Salon, and the Conversation. It was also cited in a research paper in the Journal of Cybersecurity.
My Cointelegraph piece was cited in two amici briefs to the Supreme Court and linked to by Fortune, Mother Jones, and The Verge. It was also cited in the Federal Communications Law Journal, a report prepared by the OECD Working Party on Security in the Digital Economy, and in a scathing analysis of Voatz’s security by MIT researchers, which was included in the Proceedings of the 29th USENIX Security Symposium. And it’s sometimes required reading in Stanford’s Hack Lab courses on CFAA.
My journey reporting on VPNs started in 2016 when I was supposed to make a list of reliable VPNs for Ars Technica. Turned out the task was complicated, so I pivoted to writing about that.
After that, Wirecutter asked me to take my best shot at reviewing VPNs. By then, the industry had matured a bit, and I did feel that I could make an assessment based on criteria I selected, while including a dizzying array of detail about what we don’t know, which I did for two years.
I continued researching and reporting on VPNs for Consumer Reports’ Digital Lab, which culminated in a 47-page white paper and three companion articles on whether you should use a VPN at all, where many of the VPNs we tested fell short, and the three VPNs that did best in our evaluation.
The Ars Technica piece was quoted in China Digital Times, Computerworld, Haaretz, Lifehacker, Marketwatch, Mental Floss, Techdirt, Sec News Weekly, Slate, Teen Vogue, Verge, Vice, and Yahoo—and has been cited in trainings by the Freedom of the Press Foundation and in comments to the FTC.
While I held the sole byline in late 2019-2020, my “Best VPN Service” piece for Wirecutter was linked to by nonprofit advocacy organizations and news sites alike: Access Now, Bleeping Computer, Center for Democracy and Technology, Daily Dot, EFF, Engadget, Fast Company, Gizmodo, Lifehacker, Malwarebytes, National Cybersecurity Alliance, Popular Science, Slate, TechCrunch, twit.TV, QZ, Vox, Wikihow, Wired, and Yahoo!, as well as training by the Freedom of the Press Foundation.
My VPN reporting for Consumer Reports was covered by Gizmodo, Tech Times, and the International Association for Privacy Professionals (IAPP), and linked to by NBC. I also spoke about it on the CryptoHarlem Twitch stream, and will be giving a talk about our results at ShmooCon 2022 in Washington, D.C.