New Jersey Court Says Independent Investigators Can Review E-Voting Machines

from the protect-the-vote dept

Last month, e-voting firm Sequoia threatened both independent researchers and New Jersey election officials if those independent researcher were allowed to inspect Sequoia's e-voting machines. This seemed like a very odd threat for a variety of reasons. Why wouldn't Sequoia want its machines inspected? The very fact that it was threatening legal action seemed like grounds to simply never use Sequoia e-voting machines. Sequoia claimed that existing inspections were enough, despite a history of problems in those inspections. Furthermore, Sequoia's own explanations for the problems with its machines in the primary elections this year were wrong. Ed Felten found that Sequoia's explanations didn't actually explain many of the problems. Unfortunately, though, with the threat of legal action, New Jersey agreed not to have Felten test the machines.

However, a New Jersey state judge has now ruled that it's perfectly reasonable for independent inspectors to review the machines. Unfortunately, she pushed back the date for such inspections until September, meaning that it won't affect this year's presidential election -- which will still use machines that may have problems. So while Sequoia didn't succeed in stopping independent examination of its machines, it did stall the process long enough so that the existing machines will stay in use for this year's elections -- despite the long list of problems that have been discovered with them. Apparently, we're still in beta when it comes to democracy.

Filed Under: e-voting, ed felten, inspections, new jersey
Companies: sequoia

Turns Out New Jersey E-Voting Problems Even Worse Than Originally Thought

from the care-to-explain dept

You may recall that last month, the state of New Jersey asked some top notch computer security researchers, including Ed Felten, to do an independent study of Sequoia's e-voting machines. That's because there were some worrisome discrepancies in the voting totals that the machines released. When Sequoia found out about this it threatened to sue, which seems fairly odd. If the company were confident in the quality of its e-voting machines, why wouldn't it want well-respected security researchers to take a look? However, Sequoia's legal threats worked, and the state of New Jersey nixed plans for that independent review. Sequoia also offered an explanation, claiming that it was all a minor bug, where the machine merely got mixed up about party affiliation -- but the vote totals would match up in the end. Guess what? That turns out to not be true.

Ed Felten has received a bunch of "summary tapes" from the last election in New Jersey, and while many of them do have the vote totals matching up correctly at the end at least two of the summary tapes simply don't add up, meaning that Sequoia's explanation of what went wrong is incorrect. Given how often the company has denied or hidden errors in its machines, despite a ton of evidence, we shouldn't be surprised that it was inaccurate in explaining away this latest problem as well. However, we should be outraged that the company refuses to allow third party researchers to investigate these machines. It's a travesty that any government would use them when they've been shown to have so many problems and the company is unwilling to allow an independent investigation.

Filed Under: e-voting, ed felten, intimidation, new jersey
Companies: sequoia

More On Sequoia's Legal Threats Against Ed Felten: The Intimidation Worked

from the freedom-to-threaten-lawsuits dept

Yesterday we covered the threats that e-voting firm Sequoia had sent to Ed Felten and to various officials in New Jersey. Unfortunately, it appears those threats worked: the election officials have backed down and agreed not to send Felten the machine to test. News.com has more details on both the reason for the test and Sequoia's response to the whole mess. The reason? Shockingly enough, Sequoia's e-voting machines malfunctioned during the primary in a way that should scare you: it gave two different vote counts. You would think that's a pretty good reason for allowing a qualified, well-respected researcher like Felten to check out the machines. No such luck. Sequoia has tried to explain it away as a bug, but that doesn't explain why the machines shouldn't be tested by a third party.

Sequoia's response to that question is disingenuous, claiming that the company "supports third party reviews and testing of its election equipment." If that's so, then why not Ed Felten? Well, because Sequoia says that the machines have already been through a "rigorous" independent review from an accredited Voting System Test Labs. Ah? Would that be one of the accredited Voting System Test Labs that was barred from further testing for not having proper controls in place and having no evidence that tests were actually conducted? Most of those tests have very limited real-world applicability -- which is what Felten is good at testing. Sequoia also lists out some independent tests in other states that the company was forced into accepting, as if it willingly took part in them. Yet, what the company doesn't explain is what it's so scared of in having Felten test its machine. If the company is confident in the machines, then where's the problem? As a last resort, Sequoia appeals to the fact that such a test would break a licensing agreement, noting that "Licensing agreements are standard practice in the technology industry." That's clearly a cop out. While it may be legally correct, it's no reason not to let a researcher try to figure out if there are any problems with its machines. This isn't some random technology here. This is the technology we're trusting with providing a free and fair election. Sequoia should be ashamed of pulling out legal threats and weak excuses.

Filed Under: e-voting, ed felten, intimidation, new jersey
Companies: sequoia

E-Voting Firm Threatens Ed Felten If He Reviews Its E-Voting Machine

from the well-that's-comforting dept

Many of the folks around here are surely aware of the name Ed Felten, the Princeton professor who runs the fantastic blog Freedom To Tinker, and who has been involved in a number of important technology news stories over the years. One of the first that brought him to much wider attention in the tech community happened back in 2001. The recording industry had set up a contest, asking anyone to try to hack its SDMI DRM offering. The idea was to prove that SDMI was a perfectly good DRM. But, of course, like every other DRM, it had its faults, and Felten and some of his researchers figured them out. That's where things got ridiculous. Despite the fact that the recording industry had told people to try to hack SDMI, when Felten went to present the paper, he was threatened with a lawsuit for breaking the anti-circumvention clause of the DMCA. Eventually, after a ton of public pressure, the recording industry backed down, but Felten's name was cemented in the minds of many in the tech industry as a fighter for freedom of speech and, more importantly, the freedom to tinker.

It would appear that the folks at Sequoia, one of the big three e-voting firms out there, is somewhat unaware of this aspect of Felten's past. In the past few years, Felten has been one of a few top computer science experts who have been picking apart the problems with e-voting machines. His freedom to tinker with such machines has broken numerous stories revealing serious problems with the machines that many suspected, but were unable to confirm, since the e-voting firms kept the machines so under wraps. In publicizing these flaws, Felten has become one of the go-to guys when various governments are reviewing e-voting machines, so it should come as no surprise that election officials in New Jersey (where Felten lives and works) would be interested in having him run some tests on a Sequoia e-voting machine that they're looking at using in future elections.

This seems perfectly reasonable -- and if you're an e-voting company like Sequoia, it should also be a perfect way to build more trust in your machines, telling people that they've been reviewed by some of the top experts in the field who found nothing wrong with them. Except... that's not how execs at e-voting companies seem to think. Sequoia has, instead, sent a threatening email to Felten, saying that election officials who sent a machine to Felten would be breaking the state's terms of service with Sequoia, and that the company has:

"retained counsel to stop any infringement of our intellectual properties, including any non-compliant analysis. We will also take appropriate steps to protect against any publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property."

Yes, this is quite reminiscent of the recording industry's threats to Felten in 2001. Hopefully this situation ends similarly -- with Sequoia backing down quite publicly and apologizing. It's disgusting that such a firm would threaten a well-respected researcher with lawsuits just for checking on the security of an e-voting machine. This is worse than the recording industry situation. This is about the sanctity of our democratic elections. For Sequoia, a firm entrusted with our elections, to threaten someone for merely testing its product to make sure it lives up to necessary standards is terribly worrisome. It should call into question any locality that chooses to make use of Sequoia e-voting machines.

Filed Under: copyright, dmca, e-voting, ed felten, intellectual property, new jersey
Companies: sequoia

Ed Felten Defeats Hard Drive Encryption

from the ed-felten-strikes-again dept

Ed Felten, and the various grad students who work for him at Princeton, have done plenty to contribute to the computer security field (and make quite a name for themselves), from breaking the old SDMI encryption that the recording industry insisted was unbeatable (which nearly got Felten sued) to showing just how vulnerable e-voting machines are. However, he may have just broken his biggest story yet. Felten and a group of colleagues have now shown that hard disk encryption is incredibly easy to beat. This should be a huge concern, considering how many people and organizations rely on data encryption to protect important data. In fact, with many of the "lost" hard drive stories over the past few years, many organizations have insisted the risk was minimal, since the data was all encrypted. Yet, as Felten's team shows in this video below, not only is it quite easy to defeat the encryption using a simple can of compressed air, in some cases, there isn't much that can be done to protect against this. As the video notes, this won't work on some systems if the computer is turned completely off and the encryption package opens up before the operating system boots -- but otherwise, most systems are vulnerable. Basically, they've figured out that, despite what many believe, data held in RAM does not disappear immediately when the power is cut. And, if you freeze the chip, you can make the data last a very long time. This is important, because for disk encryption, the key to unlocking the data resides in the RAM. If someone can access that key in the RAM and make a copy of it, then they can unencrypt all of the data without knowing your password.

Filed Under: ed felten, encryption, hard drives, security

GAO Says E-Voting Machines Not The Problem In Florida; E-Voting Experts Not So Sure

from the needs-more-testing dept

In the ongoing saga of the lost votes of Sarasota County Florida in the 2006 election, the Government Accountability Office (GAO) has now come out with a report suggesting that the e- voting machines were not to blame. This comes after another report last year also said the machines weren't to blame. However, that report came under some criticism as it only involved security folks looking at the source code, rather than actually getting to test the software on an e-voting machine itself. Similarly, this new GAO report is coming under some criticism as both David Dill and Ed Felten are questioning the methodology of the GAO's tests -- which do sound rather limited. Felten points out that ES&S (makers of the machines used in Sarasota) are likely to proclaim this a vindication. However, there are still plenty of additional questions -- and, most importantly, the very fact that it's been so difficult to verify how the voting turned out shows just how problematic these machines can be in managing a democratic election that the populace can trust to be both fair and accurate.

Filed Under: david dill, e-voting, ed felten, florida, gao
Companies: es&s

Spot The Unattended, Unguarded E-Voting Machines

from the take-your-time dept

Whenever reports come out about e-voting machine vulnerabilities, a common response from the various e-voting companies is that to exploit any of those vulnerabilities, someone would have to spend a significant amount of time with the e-voting machine, undoubtedly raising suspicions. That might be true on election day, but what about before election day? Back in 2006, Ed Felten randomly noticed that in the days before election day, he came across a bunch of e-voting machines just stored in a hallway, waiting for election day. This should have made people concerned, and convinced them to better protect these machines. Yet, here we are on Super Tuesday, and Ed Felten has a post noting that, once again, it was easy to come across totally unattended e-voting machines. He notes that he stood next to one batch of machines for 15 minutes, plenty of time to have mucked with the machine (not that he did), and not a single person came by. Is it any wonder that these e-voting machines are undermining confidence in our elections?

Filed Under: e-voting, ed felten, super tuesday

The Ownership Metaphor Can Be Misleading In Privacy Debates

from the bad-habits dept

Last week we had a bit of back-and-forth between Julian and Tom over the Scoble/Facebook controversy. I pretty much agree with Tom that it's a good idea to just assume that anything you put online may leak out and become public knowledge, and so I have trouble getting offended about Scoble's actions. Ed Felten makes the excellent point that people have an unfortunate tendency to lapse into talk about ownership when discussing privacy issues, despite the fact that the property rights metaphor doesn't work very well here. As Felten points out, both Scoble and Facebook (not to mention Scoble's Facebook friends) have various interests in the data, but neither of them really "owns" it. Certainly, there's no legal ownership rights: copyright, patent, and trade secret law are all inapplicable. And as Tom pointed out last week, neither Facebook nor Scoble have a practical ability to limit the other's use of the information once it's been put on the site.

This is an issue that comes up over and over again in technology debates: people are so used to thinking about physical objects, which usually need owners, that they tend to assume information needs an owner too. But unlike physical objects, information is infinitely sharable. Mike has written at length about the opportunities that become apparent when you stop thinking about content in terms of scarcity and ownership. Similarly, privacy debates would probably be clearer if people stopped trying to identify "the" owner of a given piece of data and stopped trying to do the impossible by making information un-copyable. Instead, people should assume that any information they give out might become widely available, and educate users about ways to limit information disclosures so that the inevitable data leaks won't be catastrophic. Debating (or passing laws about) who "owns" a given piece of data will only cloud our thinking and give users a false sense of security.

Filed Under: data, ed felten, ownership, privacy

Forget Carrying Around 40,000 Songs; Think Infinite Music Storage

from the it's-in-the-cloud dept

Last month we wrote about how the economics of music were changing so rapidly that it highlighted how out of touch the record labels are when they still think charging $1 per song makes sense, just as Apple is releasing an iPod that can hold 40,000 songs. Of course, that's only looking at the present. We all know technology is rapidly changing, and Princeton computer science professor Ed Felten notes that it won't be long until anybody can carry all music ever recorded in their pocket. In fact, everyone will be able to do that. At that point, the economics of the industry are totally out of whack with what the recording industry still believes. Felten notes that if anyone can buy a bit of storage that contains all music ever recorded, just think how impossible it will be to shut down file trading operations. All of the music will be out there available to everyone. As long as one of your friends has access to all that music, you just need to create a private sharing network with them -- and the RIAA's goons will never know about it. Felten suggests this leads to a world where the industry is finally going to need to accept some kind of universal licensing plan -- or they might just realize that letting the music go free has plenty of benefits elsewhere in the music business model ecosystem. Of course, that would take more forward thinking record industry execs... and we may be waiting a long, long time for that to happen.

Filed Under: business models, economics, ed felten, music