When the National Archives needed new vaults to protect the country’s most precious documents – the Declaration of Independence, the Constitution, and the Bill of Rights – it contracted with the market leader in security solutions to build a customized, high-security storage system. Diebold, Inc., a 145-year-old company based in North Canton, Ohio, specializes in security-related projects ranging from construction of ATMs to the case that holds the Hope Diamond. The same company that safeguards the Bill of Rights came under fire in the fall of 2003 for threatening one of the document’s most basic provisions: freedom of political speech.
The charges against Diebold came from a community on the outskirts of mainstream politics – a community that has attracted attention and political clout in the past six months: weblog writers. With the success of the Dean campaign and their increasing popularity among Internet users, weblogs – or blogs – are a growing web-based phenomenon that has shown a tremendous potential to influence political discourse. News travels quickly among bloggers—sites tend to have loyal followings who read daily postings. Interlinking is also common among bloggers: sites often comment on other blogs and cluster around the same interests. This interconnectedness can create a strong political community – an ideal network to launch a political protest. As it turns out, Diebold, Inc. – the nation’s top manufacturer of electronic voting machines – was a perfect candidate to stir interest and outrage of bloggers.
Diebold has more influence on American elections than almost any other company, though few people are aware of what it does. Ever since the federal government passed the Help America Vote Act in October 2002, many states began modernizing their voting equipment. Armed with $3.9 billion in federal funds and eager to avoid a scandal like Florida’s 2000 election, state election boards turned to Diebold—37 states now use more than 40,000 of Dieobld’s electronic voting machines.
Computer scientists have been grumbling about the transition to electronic voting for years. They have claimed that electronic systems are too unreliable to entrust with the most sacred exercise in a democratic society. But it was Diebold’s systems in particular that generated interest and outrage in July 2003 when a team of computer scientists published a scholarly review of the machines’ software.
The report cataloged hundreds of flaws, which ranged from lack of password protection on central databases to a glitch that would allow holders of a certain “smart card” to vote as many times as they liked. As Avi Rubin, the principal researcher, explained, “We found some stunning, stunning flaws.”
These flaws had not attracted widespread attention prior to Rubin, few people knew how to access Diebold’s source code. As Joe Richardson, a spokesperson for Diebold explained, “We don’t feel it’s necessary to turn [the source code] over to everyone who asks to see it because it is proprietary.”
This lack of access was one of the main objections computer scientists raised about electronic voting. They argued that electronic voting is inherently undemocratic because, when a company’s software cannot be viewed by the public, voters have no way to ensure that it works properly—the public must simply accept the company’s assurance that touching a button on a computer screen registers as a vote for the correct candidate. As critics have explained, the systems are also highly vulnerable to tampering, malfunctions, and problems with voter-privacy because results are aggregated in centralized databases – databases that can easily be altered.
2.0 The Source Code
The controversy with Diebold took root in January 2003 when a woman in Renton, Washington discovered Diebold’s entire source code on an unprotected website. Bev Harris was researching electronic voting for an upcoming book when, as she explained, she found, “on about the 15th page of Google,” a website with user manuals, software patches, and the complete source code for voting machines. Harris has no background in computer science—she runs a public relations firm out of her home, but she recognized the importance of the documents and downloaded them to her computer.
Harris explained via email that the website had been available for years and was even referenced in user manuals. Diebold used the site as "an online filing cabinet," Harris explained, but her investigations into its contents were the catalyst to spark widespread interest in the faulty security systems.
A news service in New Zealand, Scoop, billed Harris' discovery of the security flaws as "Bigger than Watergate!" And Rubin's review of the code compounded attention on the debate.
Soon, Rubin became the center of his own controversy when the news surfaced that he also held a position on the board of a competing company, VoteHere, Inc., and that he held a financial stake in the company. Diebold attacked the report for this potential conflict of interest.
3.0 The Memos
As the Rubin-Diebold controversy appeared in newspapers, more trouble for the company was stirring. In early August, a reporter for WiredNews received a file containing 13,000 internal emails, which Diebold later acknowledged had been obtained in March 2003 with an employee ID. As once-confidential material often does, news of the memos leaked quickly on the web. Harris posted some of the memos, and others, including two student bloggers at Swarthmore College, followed suit.
The files, dated January 1999 – February 2003, contained a range of sensitive information, from personal email addresses to potentially incriminating comments about Diebold’s software. Bloggers posted both the complete archive of emails and special links to the most damning messages. One email refers to a software patch that Georgia’s election board had not certified but that needed to be installed on the new machines. The email advises technicians that, with one exception, “most of the rest of Georgia’s counties probably don’t care whether they’re using a certified release or not.” Another email refers to problems backing up data: “Since we do not have paper ballots to reconstruct the votes cast as the AccuVote unit has if its memory card fails, the Accutouch will be at the mercy of that one memory card without a backup.”
As the memos began to circulate, the public spotlight on Diebold intensified. Newspapers from Seattle to Dublin printed stories in the fall of 2003 about the company’s security problems; the stories also mentioned anomalies in several elections in which Diebold machines were used.
In October, Diebold began fighting back. Hoping to reclaim the stolen memos, the company sent letters to several of the ISPs hosting sites that had posted the memos, notifying them of the infringement on Diebold’s exclusive rights under U.S. copyright law. According to the letter, the ISPs would have to block access to the websites in order to comply with the Digital Millennium Copyright Act – the same statute that record companies use to have pirated copies of their songs removed from websites.
On receipt of the cease-and-desist letter, administrators at Swarthmore notified the students that their Internet access would be blocked if Diebold’s memos were not removed. But the students were not so easily deterred. In collaboration with Swarthmore’s Coalition of the Digital Commons, they organized a resistance – a grassroots cyber-protest: every time a student was disconnected for posting the memos, the files were passed to a different student and posted from another location. The effort spread beyond Swarthmore. By the end of October, because of the work of students and activists like Harris, at least 87 people, ranging from college students to Ohio Congressman and presidential candidate Dennis Kucinich, posted either links to the memos or the documents themselves.
Diebold continued its campaign to suppress the leaked memos by sending more cease-and-desist letters. As wider circles of Internet activists became aware of the students’ fight, the Electronic Frontier Foundation (EFF), a nonprofit legal organization in California, took on their case. According to the EFF, Diebold was misusing copyright law to stifle political speech, and the EFF filed a lawsuit to ask the courts declaration to protect the students from the cease-and-desist letters.
4.0 The Resolution
The stage was set for a DMCA face-off. On November 14, 2003, Diebold and the EFF met in the Northern California District Court of San Jose – Diebold trying to limit the spread of its stolen company property and the EFF defending civil liberties on the web. But an ultimate ruling from the court was not to be—two weeks into the hearing, Diebold announced a withdrawal of its case, citing “widespread availability” of the documents as a reason to discontinue the court battle. “We’ve simply chosen not to pursue copyright infringement in this matter,” said Diebold spokesman David Bear.
The EFF claimed victory. As Wendy Seltzer, an attorney for EFF, explained: “We’re pleased that Diebold has retreated and the public is now free to continue its interrupted conversation over the accuracy of electronic voting machines.”
5.0 The Implications
For the short term, the debate about electronic voting is free to continue both on-line and off, but the future of copyright law and free speech on the Internet are far from clear. The current system for handling a copyright-infringement claim under the DMCA remains extremely controversial. The process involves several basic steps: first, the holder of the copyright claim sends a letter to the ISP alleging copyright infringement. On receipt of the letter, the ISP blocks access to the “infringing material” because doing so can make the ISP eligible for “safe-harbor” protection under the DMCA. After the allegedly infringing material is removed from the Internet, the ISP notifies the owner of the blocked site that the ISP received an allegation of copyright infringement.
This process is troubling to many observers for a few reasons. First, it defaults to an assumption that infringement has occurred. A company needs merely to send a cease-and-desist letter, and the material in question is, at least temporarily, suppressed. This swift process might be appropriate for a company whose top-40 song is being traded illegally online, but when it applies to political speech, the process is more problematic.
Second, the usual standards for suppressing speech are quite high—courts mediate the conflicting claims based on extensive legal precedents. The DMCA’s notice and takedown process short-circuits judicial review by allowing for the suppression of speech with only the interested parties mediating the dispute. These private parties have the power to determine what information is available to the public. The effect can be the suppression of speech in favor of those with access to legal expertise.
Third, the process gives little consideration to the limitations inherent in copyright law. The hundreds of sections of the federal copyright law contain many restrictions: copyright only applies to original works that are “fixed in a tangible medium of expression.” Even when these provisions are met, copyright is still limited according to the “fair-use” defense—a provision that carves out certain protected uses of copyrighted material. For example, “transformative” works – ones that add new expression, meaning, value, or information to an existing copyright-protected work – may be considered legal uses of the copyrighted material. The DMCA leaves little room for the consideration of this defense. As cases like this one continue to emerge and test the reaches of the DMCA, the delicate balance between protecting property rights and safeguarding basic freedoms is likely to become even more difficult.
In the meantime, the bloggers are happy. As part of the court settlement, Diebold agreed to send retractions of its cease-and-desist letters. Derek Slater, a Harvard student whose website was blocked because of such a letter, is delighted about the news: “I can hardly wait to get the retraction. I think I’ll frame it,” he adds, grinning.