Diebold retreats from challenging voting activists

http://www.wired.com/news/evote/0,2645,61243,00.html?tw=wn_polihead_1

Diebold Backs Off Legal Challenge
By Kim Zetter 

02:00 AM Dec. 02, 2003 PT

Diebold Election Systems is withdrawing legal threats against voting 
activists and Internet service providers for publishing copies of internal 
staff e-mails that the company says were stolen from its servers.

The documents pointed to security flaws with Diebold's computerized voting 
machines and suggested the company knew about those flaws long before it 
sold machines to several states, including California, Maryland and 
Georgia.

Beginning in August, Diebold issued cease-and-desist letters to more than 
a dozen individuals who posted the documents or links to sites hosting 
them on the Internet. The company claimed copyright infringement under the 
Digital Millennium Copyright Act, or DMCA, a law designed to guard against 
the improper use of creative works. Diebold said the documents revealed 
proprietary information about the workings of its e-voting system that 
would benefit its competitors.

The nonprofit ISP Online Policy Group and two Swarthmore College students 
sought a court order in October to block Diebold's action. On Monday, 
Diebold reversed itself without explaining its decision, saying only that 
it would not sue over the copyright claims.

In a conference call with U.S. District Judge Jeremy Fogel and a lawyer 
for the Electronic Frontier Foundation, which is representing the Online 
Policy Group and the students, Diebold said it would send letters to the 
ISPs retracting demands that they take down the documents.

Diebold spokesman David Bear said no one should interpret the move as a 
sign that the DMCA did not apply in this case. "We've simply chosen not to 
pursue copyright infringement in this matter," he said.

More than 13,000 internal Diebold e-mails and documents were taken from a 
Diebold staff server last March and delivered to voting activist Bev 
Harris and her publisher, along with a Wired News reporter, in August. 
Harris has written a book based on a year's worth of research into 
companies that make e-voting machines.

After Harris posted the memos on her website, Diebold sent 
cease-and-desist letters to her and her ISP. A Swarthmore student who 
subsequently published the memos also received a letter.

Other Swarthmore students then launched a civil disobedience campaign 
against Diebold calling for greater scrutiny of e-voting machines. 
Students at Harvard, MIT, Carnegie Mellon, Duke University, the University 
of California at Berkeley and numerous other campuses followed suit.

In October, the Online Policy Group and two Swarthmore students filed for 
the court order to prevent Diebold from issuing further legal threats, 
aided by the Electronic Frontier Foundation and the Center for Internet 
and Society Cyberlaw Clinic at Stanford Law School.

They charged Diebold with misusing the DMCA to stifle discussion about the 
reliability of electronic voting machines in general and about the 
insecurity of the company's machines in particular.

The Diebold e-mails consisted of internal correspondence sent by company 
employees to several staff mailing lists related to bug fixes, technical 
support and company announcements.

They detailed information about the internal workings of the electronic 
voting machine maker and pointed to difficulties with the company's 
machines cited by employees and election officials.

Among revelations contained in the memos was information that the 
Microsoft Access database used by the Diebold system to collect and 
calculate votes was not protected by a password. This meant someone could 
alter votes by entering the database through physical access to the 
machine or remotely using the phone system.

The memos also revealed that the audit log, which records any activity in 
the Access database, could be easily altered so that an intruder could 
erase a record of the intrusion.

These security flaws were pointed out to Diebold in 2001, but a Diebold 
engineer responded by saying the company preferred not to password-protect 
the database because it was easier to do "end-runs" in the system -- a 
term that describes when someone changes software to fix or work around 
coding problems.

Other memos indicated that patches were installed in systems after they 
were already certified and delivered to states. In a January 2002 memo, a 
Diebold engineer discussed modifying its machines in California but noted 
that because the state was likely to reject a change so late in the game, 
they'd install it as a bug fix to pass muster with election officials, 
rather than undergo lengthy certification procedures.

Diebold was recently chastised by California Secretary of State Kevin 
Shelley for violating California election law by loading uncertified 
software onto machines used in at least two counties in that state. The 
state discovered the information only after the uncertified software was 
used in at least two California elections. In memos dated January 2003, 
Diebold employees also discussed making the cost of upgrading its machines 
in California "prohibitively expensive" if Shelley decided to require a 
voter-verifiable paper audit trail for e-voting machines, a feature sought 
by voting activists. The memos appeared at the time that Shelley was 
convening a task force to discuss security issues with e-voting.

Two weeks ago Shelley mandated that e-voting machines used in the state 
must produce a paper receipt that voters can use to verify their ballots. 
The machines must comply by July 2006.

Wendy Seltzer, staff attorney for the Electronic Freedom Foundation, said 
publication of the Diebold documents was an important ingredient in the 
growing public debate about electronic voting systems and the companies 
that manufacture them.

"We're pleased that Diebold has retreated and the public is now free to 
continue its interrupted conversation over the accuracy of electronic 
voting machines," she said.

Despite Diebold's retreat, the EFF is still seeking a ruling from the 
judge that states that posting the memos did not violate copyright laws. 
The group also wants Diebold to pay damages to the students and ISPs.

"This tells companies like Diebold who are thinking of doing what Diebold 
has done that it's not free to send out these letters," Seltzer said. "If 
the letters are baseless, there's a price to be paid for that. And there's 
a price to be paid for trying to suppress free speech."

Fogel is expected to rule on EFF's requests in February. Diebold spokesman 
Bear said he hopes to reach a settlement in the matter before Fogel makes 
a ruling.

With regard to anyone who wants to post the memos, Bear said, "They are 
free to do as allowed. We are not going to pursue copyright infringement."